Allow to hide config values from Puppet logs

Hide configuration value from Puppet logs if the secret parameter is set to true. Fixes: bug #1173322 Change-Id: I380a86b834c2f6cb6f347cade6137ee2e757f091
2013-04-26 12:37:14 -04:00 · 2013-04-26 12:37:14 -04:00 · 9686bb830b
parent e72156313c
commit 9686bb830b
8 changed files with 63 additions and 10 deletions
--- a/lib/puppet/type/cinder_api_paste_ini.rb
+++ b/lib/puppet/type/cinder_api_paste_ini.rb
@ -14,6 +14,29 @@ Puppet::Type.newtype(:cinder_api_paste_ini) do
      value.capitalize! if value =~ /^(true|false)$/i
      value
    end
+
+    def is_to_s( currentvalue )
+      if resource.secret?
+        return '[old secret redacted]'
+      else
+        return currentvalue
+      end
+    end
+
+    def should_to_s( newvalue )
+      if resource.secret?
+        return '[new secret redacted]'
+      else
+        return newvalue
+      end
+    end
  end

+  newparam(:secret, :boolean => true) do
+    desc 'Whether to hide the value from Puppet logs. Defaults to `false`.'
+
+    newvalues(:true, :false)
+
+    defaultto false
+  end
 end
--- a/lib/puppet/type/cinder_config.rb
+++ b/lib/puppet/type/cinder_config.rb
@ -14,6 +14,29 @@ Puppet::Type.newtype(:cinder_config) do
      value.capitalize! if value =~ /^(true|false)$/i
      value
    end
+
+    def is_to_s( currentvalue )
+      if resource.secret?
+        return '[old secret redacted]'
+      else
+        return currentvalue
+      end
+    end
+
+    def should_to_s( newvalue )
+      if resource.secret?
+        return '[new secret redacted]'
+      else
+        return newvalue
+      end
+    end
  end

+  newparam(:secret, :boolean => true) do
+    desc 'Whether to hide the value from Puppet logs. Defaults to `false`.'
+
+    newvalues(:true, :false)
+
+    defaultto false
+  end
 end
--- a/manifests/api.pp
+++ b/manifests/api.pp
@ -60,7 +60,7 @@ class cinder::api (
      'filter:authtoken/auth_port':         value => $keystone_auth_port;
      'filter:authtoken/admin_tenant_name': value => $keystone_tenant;
      'filter:authtoken/admin_user':        value => $keystone_user;
-      'filter:authtoken/admin_password':    value => $keystone_password;
+      'filter:authtoken/admin_password':    value => $keystone_password, secret => true;
    }
  }

--- a/manifests/init.pp
+++ b/manifests/init.pp
@ -69,7 +69,7 @@ class cinder (
    }

    cinder_config {
-      'DEFAULT/rabbit_password':     value => $rabbit_password;
+      'DEFAULT/rabbit_password':     value => $rabbit_password, secret => true;
      'DEFAULT/rabbit_userid':       value => $rabbit_userid;
      'DEFAULT/rabbit_virtual_host': value => $rabbit_virtual_host;
    }
@ -99,7 +99,7 @@ class cinder (
      'DEFAULT/qpid_hostname':               value => $qpid_hostname;
      'DEFAULT/qpid_port':                   value => $qpid_port;
      'DEFAULT/qpid_username':               value => $qpid_username;
-      'DEFAULT/qpid_password':               value => $qpid_password;
+      'DEFAULT/qpid_password':               value => $qpid_password, secret => true;
      'DEFAULT/qpid_reconnect':              value => $qpid_reconnect;
      'DEFAULT/qpid_reconnect_timeout':      value => $qpid_reconnect_timeout;
      'DEFAULT/qpid_reconnect_limit':        value => $qpid_reconnect_limit;
@ -113,7 +113,7 @@ class cinder (
  }

  cinder_config {
-    'DEFAULT/sql_connection':      value => $sql_connection;
+    'DEFAULT/sql_connection':      value => $sql_connection, secret => true;
    'DEFAULT/verbose':             value => $verbose;
    'DEFAULT/debug':               value => $debug;
    'DEFAULT/api_paste_config':    value => $api_paste_config;
--- a/manifests/volume/netapp.pp
+++ b/manifests/volume/netapp.pp
@ -14,7 +14,7 @@ class cinder::volume::netapp (
    'DEFAULT/volume_driver':                 value => 'cinder.volume.netapp.NetAppISCSIDriver';
    'DEFAULT/netapp_wsdl_url':               value => $netapp_wsdl_url;
    'DEFAULT/netapp_login':                  value => $netapp_login;
-    'DEFAULT/netapp_password':               value => $netapp_password;
+    'DEFAULT/netapp_password':               value => $netapp_password, secret => true;
    'DEFAULT/netapp_server_hostname':        value => $netapp_server_hostname;
    'DEFAULT/netapp_storage_service':        value => $netapp_storage_service;
    'DEFAULT/netapp_server_port':            value => $netapp_server_port;
--- a/spec/classes/cinder_api_spec.rb
+++ b/spec/classes/cinder_api_spec.rb
@ -50,7 +50,8 @@ describe 'cinder::api' do
        :value => 'cinder'
      )
      should contain_cinder_api_paste_ini('filter:authtoken/admin_password').with(
-        :value => 'foo'
+        :value  => 'foo',
+        :secret => true
      )
    end
  end
--- a/spec/classes/cinder_spec.rb
+++ b/spec/classes/cinder_spec.rb
@ -20,7 +20,8 @@ describe 'cinder' do
        :value => 'cinder.openstack.common.rpc.impl_kombu'
      )
      should contain_cinder_config('DEFAULT/rabbit_password').with(
-        :value => 'guest'
+        :value => 'guest',
+        :secret => true
      )
      should contain_cinder_config('DEFAULT/rabbit_host').with(
        :value => '127.0.0.1'
@ -41,7 +42,8 @@ describe 'cinder' do
        :value => 'guest'
      )
      should contain_cinder_config('DEFAULT/sql_connection').with(
-        :value => 'mysql://user:password@host/database'
+        :value  => 'mysql://user:password@host/database',
+        :secret => true
      )
      should contain_cinder_config('DEFAULT/verbose').with(
        :value => false
@ -81,7 +83,7 @@ describe 'cinder' do
        :value => 'rabbit1:5672,rabbit2:5672'
      )
      should contain_cinder_config('DEFAULT/rabbit_ha_queues').with(
-          :value => true
+        :value => true
      )
    end
  end
@ -101,7 +103,7 @@ describe 'cinder' do
    it { should contain_cinder_config('DEFAULT/qpid_hostname').with_value('localhost') }
    it { should contain_cinder_config('DEFAULT/qpid_port').with_value('5672') }
    it { should contain_cinder_config('DEFAULT/qpid_username').with_value('guest') }
-    it { should contain_cinder_config('DEFAULT/qpid_password').with_value('guest') }
+    it { should contain_cinder_config('DEFAULT/qpid_password').with_value('guest').with_secret(true) }
    it { should contain_cinder_config('DEFAULT/qpid_reconnect').with_value(true) }
    it { should contain_cinder_config('DEFAULT/qpid_reconnect_timeout').with_value('0') }
    it { should contain_cinder_config('DEFAULT/qpid_reconnect_limit').with_value('0') }
--- a/spec/classes/cinder_volume_netapp_spec.rb
+++ b/spec/classes/cinder_volume_netapp_spec.rb
@ -30,6 +30,10 @@ describe 'cinder::volume::netapp' do
        should contain_cinder_config("DEFAULT/#{config}").with_value( value )
      end
    end
+
+    it 'marks netapp_password as secret' do
+      should contain_cinder_config('DEFAULT/netapp_password').with_secret( true )
+    end
  end