Obfuscate sensitive vals in console

Updates terraform console to show "(sensitive)" when a value is marked as sensitive.
2020-10-05 12:37:36 -04:00 · 2020-10-05 12:37:36 -04:00 · c57ca152e6
parent ee564a5ceb
commit c57ca152e6
4 changed files with 68 additions and 0 deletions
--- a/command/console_test.go
+++ b/command/console_test.go
@ -149,6 +149,47 @@ func TestConsole_unsetRequiredVars(t *testing.T) {
 	}
 }

+func TestConsole_variables(t *testing.T) {
+	tmp, cwd := testCwd(t)
+	defer testFixCwd(t, tmp, cwd)
+
+	p := testProvider()
+	ui := cli.NewMockUi()
+	c := &ConsoleCommand{
+		Meta: Meta{
+			testingOverrides: metaOverridesForProvider(p),
+			Ui:               ui,
+		},
+	}
+
+	commands := map[string]string{
+		"var.foo\n":          "\"bar\"\n",
+		"var.snack\n":        "\"popcorn\"\n",
+		"var.secret_snack\n": "(sensitive)\n",
+		"local.snack_bar\n":  "[\n  \"popcorn\",\n  (sensitive),\n]\n",
+	}
+
+	args := []string{
+		testFixturePath("variables"),
+	}
+
+	for cmd, val := range commands {
+		var output bytes.Buffer
+		defer testStdinPipe(t, strings.NewReader(cmd))()
+		outCloser := testStdoutCapture(t, &output)
+		code := c.Run(args)
+		outCloser()
+		if code != 0 {
+			t.Fatalf("bad: %d\n\n%s", code, ui.ErrorWriter.String())
+		}
+
+		actual := output.String()
+		if output.String() != val {
+			t.Fatalf("bad: %q, expected %q", actual, val)
+		}
+	}
+}
+
 func TestConsole_modules(t *testing.T) {
 	td := tempDir(t)
 	copy.CopyDir(testFixturePath("modules"), td)
--- a/command/testdata/variables/main.tf
+++ b/command/testdata/variables/main.tf
@ -0,0 +1,20 @@
+terraform {
+    experiments = [sensitive_variables]
+}
+
+variable "foo" {
+    default = "bar"
+}
+
+variable "snack" {
+    default = "popcorn"
+}
+
+variable "secret_snack" {
+    default   = "seaweed snacks"
+    sensitive = true
+}
+
+locals {
+    snack_bar = [var.snack, var.secret_snack]
+}
--- a/repl/format.go
+++ b/repl/format.go
@ -37,6 +37,9 @@ func FormatValue(v cty.Value, indent int) string {
 			return fmt.Sprintf("null /* %s */", ty.FriendlyName())
 		}
 	}
+	if v.IsMarked() {
+		return "(sensitive)"
+	}

 	ty := v.Type()
 	switch {
--- a/repl/format_test.go
+++ b/repl/format_test.go
@ -136,6 +136,10 @@ func TestFormatValue(t *testing.T) {
 			cty.SetValEmpty(cty.String),
 			`toset([])`,
 		},
+		{
+			cty.StringVal("sensitive value").Mark("sensitive"),
+			"(sensitive)",
+		},
 	}

 	for _, test := range tests {