From ab0d7ee0f0bc91b19355f77bbd8513bcb3b4ed58 Mon Sep 17 00:00:00 2001
From: Takashi Kajinami
Date: Mon, 29 Nov 2021 22:13:16 +0900
Subject: [PATCH] Hide credential strings from puppet logs
Change-Id: I2325e0a3521b3b1cc35753142a50a90bc4ea083a
---
 lib/puppet/type/ceph_config.rb | 24 +++++++++++++++++++
 manifests/rgw/keystone.pp | 2 +-
 .../ceph_config-secret-211b7aa50e393b47.yaml | 6 +++++
 spec/defines/ceph_rgw_keystone_spec.rb | 4 ++--
 4 files changed, 33 insertions(+), 3 deletions(-)
 create mode 100644 releasenotes/notes/ceph_config-secret-211b7aa50e393b47.yaml
diff --git a/lib/puppet/type/ceph_config.rb b/lib/puppet/type/ceph_config.rb
index 6b36d3a8..dcfaeede 100644
--- a/lib/puppet/type/ceph_config.rb
+++ b/lib/puppet/type/ceph_config.rb
@@ -45,5 +45,29 @@ Puppet::Type.newtype(:ceph_config) do
 value.downcase! if value =~ /^(true|false)$/i
 value
 end
+
+ def is_to_s( currentvalue )
+ if resource.secret?
+ return '[old secret redacted]'
+ else
+ return currentvalue
+ end
+ end
+
+ def should_to_s( newvalue )
+ if resource.secret?
+ return '[new secret redacted]'
+ else
+ return newvalue
+ end
+ end
+ end
+
+ newparam(:secret, :boolean => true) do
+ desc 'Whether to hide the value from Puppet logs. Defaults to `false`.'
+
+ newvalues(:true, :false)
+
+ defaultto false
 end
 end
diff --git a/manifests/rgw/keystone.pp b/manifests/rgw/keystone.pp
index 02735a2c..4b88926d 100644
--- a/manifests/rgw/keystone.pp
+++ b/manifests/rgw/keystone.pp
@@ -95,6 +95,6 @@ define ceph::rgw::keystone (
 "client.${name}/rgw_keystone_admin_domain": value => $rgw_keystone_admin_domain;
 "client.${name}/rgw_keystone_admin_project": value => $rgw_keystone_admin_project;
 "client.${name}/rgw_keystone_admin_user": value => $rgw_keystone_admin_user;
- "client.${name}/rgw_keystone_admin_password": value => $rgw_keystone_admin_password;
+ "client.${name}/rgw_keystone_admin_password": value => $rgw_keystone_admin_password, secret => true;
 }
 }
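Review bot: The `is_to_s`/`should_to_s` overrides in the `value` property of `lib/puppet/type/ceph_config.rb` redact only the change message that Puppet renders, so `secret => true` should not be read as keeping the string out of every output. The value is still a plain catalog attribute, and as far as I know report events for a property that is not marked sensitive keep the raw `previous_value`/`desired_value`; that is worth confirming against the Puppet versions this module supports. I would make the limit explicit in the new parameter's `desc`, for example by ending it with `Only the change message is redacted; the catalog and reports may still hold the value.` The `newproperty(:value)` block these methods sit in starts above the hunk, so whether it already accepts `Sensitive` values is not visible here.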
diff --git a/releasenotes/notes/ceph_config-secret-211b7aa50e393b47.yaml b/releasenotes/notes/ceph_config-secret-211b7aa50e393b47.yaml
new file mode 100644
index 00000000..9669d3d1
--- /dev/null
+++ b/releasenotes/notes/ceph_config-secret-211b7aa50e393b47.yaml
@@ -0,0 +1,6 @@
+---
+features:
+ - |
+ Now the ``ceph_config`` resource type supports the new ``secret`` property.
+ When this property is set to ``true``, value of the parameter is hidden
+ from puppet logs.
diff --git a/spec/defines/ceph_rgw_keystone_spec.rb b/spec/defines/ceph_rgw_keystone_spec.rb
index b411c1e1..210532ca 100644
--- a/spec/defines/ceph_rgw_keystone_spec.rb
+++ b/spec/defines/ceph_rgw_keystone_spec.rb
@@ -46,7 +46,7 @@ describe 'ceph::rgw::keystone' do
 it { should contain_ceph_config('client.radosgw.gateway/rgw_keystone_admin_domain').with_value('default') }
 it { should contain_ceph_config('client.radosgw.gateway/rgw_keystone_admin_project').with_value('openstack') }
 it { should contain_ceph_config('client.radosgw.gateway/rgw_keystone_admin_user').with_value('rgwuser') }
- it { should contain_ceph_config('client.radosgw.gateway/rgw_keystone_admin_password').with_value('123456') }
+ it { should contain_ceph_config('client.radosgw.gateway/rgw_keystone_admin_password').with_value('123456').with_secret(true) }
 it { should contain_ceph_config('client.radosgw.gateway/rgw_keystone_url').with_value('http://127.0.0.1:5000') }
 it { should contain_ceph_config('client.radosgw.gateway/rgw_keystone_accepted_roles').with_value('member') }
 it { should contain_ceph_config('client.radosgw.gateway/rgw_keystone_token_cache_size').with_value(500) }
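Review bot: The changed expectation in `spec/defines/ceph_rgw_keystone_spec.rb`, and the matching one in the `client.radosgw.custom` hunk that follows, only proves that the define passes `secret => true`; the redaction in `ceph_config` itself has no test in this commit, since the diffstat lists no spec for the type. A regression that drops `is_to_s` or `should_to_s` would put the admin password back into the agent's change messages without any spec failing. I would add an example to the type's unit spec that builds a resource with `secret => true` and asserts `expect(resource.property(:value).should_to_s('x')).to eq('[new secret redacted]')`, plus the `is_to_s` counterpart. The `describe` block starts and ends outside the hunk.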
@@ -84,7 +84,7 @@ describe 'ceph::rgw::keystone' do
 it { should contain_ceph_config('client.radosgw.custom/rgw_keystone_admin_domain').with_value('default') }
 it { should contain_ceph_config('client.radosgw.custom/rgw_keystone_admin_project').with_value('openstack') }
 it { should contain_ceph_config('client.radosgw.custom/rgw_keystone_admin_user').with_value('rgwuser') }
- it { should contain_ceph_config('client.radosgw.custom/rgw_keystone_admin_password').with_value('123456') }
+ it { should contain_ceph_config('client.radosgw.custom/rgw_keystone_admin_password').with_value('123456').with_secret(true) }
 it { should contain_ceph_config('client.radosgw.custom/rgw_keystone_url').with_value('http://keystone.custom:5000') }
 it { should contain_ceph_config('client.radosgw.custom/rgw_keystone_accepted_roles').with_value('_role1_,role2') }
 it { should contain_ceph_config('client.radosgw.custom/rgw_keystone_token_cache_size').with_value(100) }