From 08e1facb060fa4f0f8386296df60329db61ce5f8 Mon Sep 17 00:00:00 2001 From: Alexander Fisher Date: Wed, 21 Jan 2026 15:11:51 +0000 Subject: [PATCH] Support `Sensitive` values in more functions Support for Sensitive values inside data passed to `to_json_pretty` was added in e7fa6751e3a256772b856d138bbd427bcffbbd8b This commit uses the same `rewrap_sensitive_data` function to add support for nested Sensitive data to `to_json`, `to_yaml` and `to_toml`. --- lib/puppet/functions/stdlib/to_json.rb | 4 +++- lib/puppet/functions/stdlib/to_toml.rb | 6 ++++-- lib/puppet/functions/stdlib/to_yaml.rb | 4 +++- spec/functions/to_json_spec.rb | 4 ++++ spec/functions/to_toml_spec.rb | 4 ++++ spec/functions/to_yaml_spec.rb | 4 ++++ 6 files changed, 22 insertions(+), 4 deletions(-) diff --git a/lib/puppet/functions/stdlib/to_json.rb b/lib/puppet/functions/stdlib/to_json.rb index 1f1d74d27..bc9615789 100644 --- a/lib/puppet/functions/stdlib/to_json.rb +++ b/lib/puppet/functions/stdlib/to_json.rb @@ -19,6 +19,8 @@ end def to_json(data) - data.to_json + call_function('stdlib::rewrap_sensitive_data', data) do |unwrapped_data| + unwrapped_data.to_json + end end end diff --git a/lib/puppet/functions/stdlib/to_toml.rb b/lib/puppet/functions/stdlib/to_toml.rb index c94b6ea4a..a25b10a67 100644 --- a/lib/puppet/functions/stdlib/to_toml.rb +++ b/lib/puppet/functions/stdlib/to_toml.rb @@ -13,10 +13,12 @@ # } dispatch :to_toml do required_param 'Hash', :data - return_type 'String' + return_type 'Variant[String, Sensitive[String]]' end def to_toml(data) - PuppetX::Stdlib::TomlDumper.new(data).toml_str + call_function('stdlib::rewrap_sensitive_data', data) do |unwrapped_data| + PuppetX::Stdlib::TomlDumper.new(unwrapped_data).toml_str + end end end diff --git a/lib/puppet/functions/stdlib/to_yaml.rb b/lib/puppet/functions/stdlib/to_yaml.rb index 22b134017..ab162cd8b 100644 --- a/lib/puppet/functions/stdlib/to_yaml.rb +++ b/lib/puppet/functions/stdlib/to_yaml.rb @@ -27,6 +27,8 @@ end def to_yaml(data, options = {}) - data.to_yaml(options.transform_keys(&:to_sym)) + call_function('stdlib::rewrap_sensitive_data', data) do |unwrapped_data| + unwrapped_data.to_yaml(options.transform_keys(&:to_sym)) + end end end diff --git a/spec/functions/to_json_spec.rb b/spec/functions/to_json_spec.rb index 06de89658..14c38c63c 100644 --- a/spec/functions/to_json_spec.rb +++ b/spec/functions/to_json_spec.rb @@ -22,4 +22,8 @@ it { is_expected.to run.with_params('竹').and_return('"竹"') } it { is_expected.to run.with_params('Ü').and_return('"Ü"') } it { is_expected.to run.with_params('∇').and_return('"∇"') } + + context 'with data containing sensitive' do + it { is_expected.to run.with_params('key' => sensitive('value')).and_return(sensitive('{"key":"value"}')) } + end end diff --git a/spec/functions/to_toml_spec.rb b/spec/functions/to_toml_spec.rb index 7347e0f2d..514f0caea 100644 --- a/spec/functions/to_toml_spec.rb +++ b/spec/functions/to_toml_spec.rb @@ -26,4 +26,8 @@ it { is_expected.to run.with_params(foo: ['bar', 'baz']).and_return("foo = [\"bar\", \"baz\"]\n") } it { is_expected.to run.with_params(foo: [{ bar: {}, baz: {} }]).and_return("[[foo]]\n[foo.bar]\n[foo.baz]\n") } end + + context 'with data containing sensitive' do + it { is_expected.to run.with_params('key' => sensitive('value')).and_return(sensitive("key = \"value\"\n")) } + end end diff --git a/spec/functions/to_yaml_spec.rb b/spec/functions/to_yaml_spec.rb index 3d8dfcd5d..edaceb877 100644 --- a/spec/functions/to_yaml_spec.rb +++ b/spec/functions/to_yaml_spec.rb @@ -22,4 +22,8 @@ it { is_expected.to run.with_params('∇').and_return("--- \"∇\"\n") } it { is_expected.to run.with_params({ 'foo' => { 'bar' => true, 'baz' => false } }, 'indentation' => 4).and_return("---\nfoo:\n bar: true\n baz: false\n") } + + context 'with data containing sensitive' do + it { is_expected.to run.with_params('key' => sensitive('value')).and_return(sensitive("---\nkey: value\n")) } + end end