From 689345ac5cbe30df4722fe63f8e6570b8620ad50 Mon Sep 17 00:00:00 2001
From: Nathan L Smith <smith@chef.io>
Date: Sun, 3 May 2015 23:10:24 -0500
Subject: [PATCH] make password file resource sensitive

---
 recipes/sasl_auth.rb   |  1 +
 spec/sasl_auth_spec.rb | 17 +++++++++++++++++
 2 files changed, 18 insertions(+)
 create mode 100644 spec/sasl_auth_spec.rb

diff --git a/recipes/sasl_auth.rb b/recipes/sasl_auth.rb
index 9c7bee9..519798d 100644
--- a/recipes/sasl_auth.rb
+++ b/recipes/sasl_auth.rb
@@ -49,6 +49,7 @@ execute 'postmap-sasl_passwd' do
 end
 
 template node['postfix']['sasl_password_file'] do
+  sensitive true
   source 'sasl_passwd.erb'
   owner 'root'
   group node['root_group']
diff --git a/spec/sasl_auth_spec.rb b/spec/sasl_auth_spec.rb
new file mode 100644
index 0000000..c84436b
--- /dev/null
+++ b/spec/sasl_auth_spec.rb
@@ -0,0 +1,17 @@
+require 'spec_helper'
+
+describe 'postfix::sasl_auth' do
+  let(:password_file) { '/etc/postfix/sasl_passwd' }
+
+  let(:chef_run) do
+    ChefSpec::Runner.new do |node|
+      node.default['postfix']['sasl_password_file'] = password_file
+    end.converge(described_recipe)
+  end
+
+  describe 'password file template' do
+    it 'does not display sensitive information' do
+      expect(chef_run).to create_template(password_file).with(sensitive: true)
+    end
+  end
+end