From 3caedea97a5eb39e3fc9e50b54cfa5eaa1e222e5 Mon Sep 17 00:00:00 2001
From: Sebastien Badia
Date: Sat, 12 Jul 2014 02:25:12 +0200
Subject: [PATCH] Hide secrets from puppet logs

Currently secrets like rabbit_password or admin_password are laked puppet logs when changed. This commit changes designate_*_config and designate_*_ini types adding a new parameter that triggers obfuscation the values in puppet logs.

Change-Id: I54e7c0bb27e46928db1a7f0125783c02d00d0e69
Closes-Bug: #1328448
---
 lib/puppet/type/designate_config.rb | 23 +++++++++++++++++++++++
 manifests/api.pp | 2 +-
 manifests/db.pp | 2 +-
 manifests/init.pp | 2 +-
 4 files changed, 26 insertions(+), 3 deletions(-)

diff --git a/lib/puppet/type/designate_config.rb b/lib/puppet/type/designate_config.rb
index a8764927..2ea92405 100644
--- a/lib/puppet/type/designate_config.rb
+++ b/lib/puppet/type/designate_config.rb
@@ -14,6 +14,29 @@ Puppet::Type.newtype(:designate_config) do
 value.capitalize! if value =~ /^(true|false)$/i
 value
 end
+
+ def is_to_s( currentvalue )
+ if resource.secret?
+ return '[old secret redacted]'
+ else
+ return currentvalue
+ end
+ end
+
+ def should_to_s( newvalue )
+ if resource.secret?
+ return '[new secret redacted]'
+ else
+ return newvalue
+ end
+ end
 end
+ newparam(:secret, :boolean => true) do
+ desc 'Whether to hide the value from Puppet logs. Defaults to `false`.'
+
+ newvalues(:true, :false)
+
+ defaultto false
+ end
 end
diff --git a/manifests/api.pp b/manifests/api.pp
index b45ba5b2..d061049e 100644
--- a/manifests/api.pp
+++ b/manifests/api.pp
@@ -46,7 +46,7 @@ class designate::api (
 'keystone_authtoken/auth_protocol' : value => $keystone_protocol;
 'keystone_authtoken/admin_tenant_name' : value => $keystone_tenant;
 'keystone_authtoken/admin_user' : value => $keystone_user;
- 'keystone_authtoken/admin_password' : value => $keystone_password;
+ 'keystone_authtoken/admin_password' : value => $keystone_password, secret => true;
 }
 }
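Review bot: The redaction in `is_to_s`/`should_to_s` only rewrites the text of the change report for the `value` property; the secret still reaches any other log site that prints the property or the parsed resource (provider debug output, for instance), so it is worth confirming with `--debug` that nothing else echoes it. The commit message also says the `designate_*_ini` types are changed, but only `lib/puppet/type/designate_config.rb` appears in the diffstat, so any ini type in the tree that is meant to accept `secret => true` would presumably still be missing the parameter. `resource.secret?` is generated by the `:boolean => true` option of the `newparam(:secret)` added further down, which is non-obvious inside the property body; a comment such as `# secret? is generated by newparam(:secret, :boolean => true) below` would help the next reader. The two methods can be shortened to `resource.secret? ? '[old secret redacted]' : currentvalue` and `resource.secret? ? '[new secret redacted]' : newvalue`, dropping the `if/else`, the explicit returns and the spaces inside the parameter parentheses. The enclosing `newproperty` block starts before the hunk.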
diff --git a/manifests/db.pp b/manifests/db.pp
index 6d28d993..2fde0847 100644
--- a/manifests/db.pp
+++ b/manifests/db.pp
@@ -25,7 +25,7 @@ class designate::db (
 }
 designate_config {
- 'storage:sqlalchemy/database_connection': value => $database_connection;
+ 'storage:sqlalchemy/database_connection': value => $database_connection, secret => true;
 }
 Exec['designate-dbinit'] ~> Exec['designate-dbsync']
diff --git a/manifests/init.pp b/manifests/init.pp
index 73f4b91d..69125051 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -51,7 +51,7 @@ class designate(
 'DEFAULT/rabbit_port' : value => $rabbit_port;
 'DEFAULT/rabbit_hosts' : value => "${rabbit_host}:${rabbit_port}";
 'DEFAULT/rabbit_userid' : value => $rabbit_userid;
- 'DEFAULT/rabbit_password' : value => $rabbit_password;
+ 'DEFAULT/rabbit_password' : value => $rabbit_password, secret => true;
 'DEFAULT/rabbit_virtualhost' : value => $rabbit_virtualhost;
 }