From a0c5c271effa0d613a0436646bf240ef9be27d2b Mon Sep 17 00:00:00 2001
From: Stefano Zilli
Date: Wed, 11 Jun 2014 10:36:39 +0200
Subject: [PATCH] Hide secrets from puppet logs

Currently secrets like rabbit_password or admin_password are displayed in puppet logs when changed. This commit changes glance_*_config and glance_*_ini types adding a new parameter that triggers obfuscation of the values in puppet logs.

Change-Id: I31f974a9afadef42939ee092ecba3b8f4333bb8b
Closes-Bug: #1328448
---
 lib/puppet/type/glance_api_config.rb | 24 ++++++++++++++++++++
 lib/puppet/type/glance_api_paste_ini.rb | 24 ++++++++++++++++++++
 lib/puppet/type/glance_cache_config.rb | 24 ++++++++++++++++++++
 lib/puppet/type/glance_registry_config.rb | 24 ++++++++++++++++++++
 lib/puppet/type/glance_registry_paste_ini.rb | 24 ++++++++++++++++++++
 manifests/api.pp | 6 ++---
 manifests/notify/qpid.pp | 2 +-
 manifests/notify/rabbitmq.pp | 2 +-
 manifests/registry.pp | 4 ++--
 spec/classes/glance_api_spec.rb | 5 ++++
 spec/classes/glance_notify_qpid_spec.rb | 1 +
 spec/classes/glance_notify_rabbitmq_spec.rb | 1 +
 spec/classes/glance_registry_spec.rb | 1 +
 13 files changed, 135 insertions(+), 7 deletions(-)
diff --git a/lib/puppet/type/glance_api_config.rb b/lib/puppet/type/glance_api_config.rb
index d7bd10f9..80c7f6cc 100644
--- a/lib/puppet/type/glance_api_config.rb
+++ b/lib/puppet/type/glance_api_config.rb
@@ -14,6 +14,30 @@ Puppet::Type.newtype(:glance_api_config) do
 value.capitalize! if value =~ /^(true|false)$/i
 value
 end
+
+ def is_to_s( currentvalue )
+ if resource.secret?
+ return '[old secret redacted]'
+ else
+ return currentvalue
+ end
+ end
+
+ def should_to_s( newvalue )
+ if resource.secret?
+ return '[new secret redacted]'
+ else
+ return newvalue
+ end
+ end
+ end
+
+ newparam(:secret, :boolean => true) do
+ desc 'Whether to hide the value from Puppet logs. Defaults to `false`.'
+
+ newvalues(:true, :false)
+
+ defaultto false
 end
 end
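Review bot: The `is_to_s`/`should_to_s` overrides added here are repeated byte-for-byte in the glance_api_paste_ini, glance_cache_config, glance_registry_config and glance_registry_paste_ini hunks, and each is written as an `if`/`else` with explicit `return`s and spaces inside the parentheses. A one-line body reads better and keeps the five copies easier to diff against each other: `def is_to_s(currentvalue)` / `resource.secret? ? '[old secret redacted]' : currentvalue` / `end`, and likewise for `should_to_s`. Nothing in the type says why the pair exists, so a comment above it would help the next maintainer: `# Puppet builds the "changed 'X' to 'Y'" message from is_to_s/should_to_s; return placeholders so a value flagged secret never reaches the log.` That redaction covers only the change message: the value itself still travels in the compiled catalog (and presumably in the report that carries this message), so `secret` is log hygiene rather than protection of the credential, which the `desc` could state. The enclosing `newproperty(:value)` block starts above the hunk.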
diff --git a/lib/puppet/type/glance_api_paste_ini.rb b/lib/puppet/type/glance_api_paste_ini.rb
index 740f2bbc..daf4cc49 100644
--- a/lib/puppet/type/glance_api_paste_ini.rb
+++ b/lib/puppet/type/glance_api_paste_ini.rb
@@ -14,6 +14,30 @@ Puppet::Type.newtype(:glance_api_paste_ini) do
 value.capitalize! if value =~ /^(true|false)$/i
 value
 end
+
+ def is_to_s( currentvalue )
+ if resource.secret?
+ return '[old secret redacted]'
+ else
+ return currentvalue
+ end
+ end
+
+ def should_to_s( newvalue )
+ if resource.secret?
+ return '[new secret redacted]'
+ else
+ return newvalue
+ end
+ end
+ end
+
+ newparam(:secret, :boolean => true) do
+ desc 'Whether to hide the value from Puppet logs. Defaults to `false`.'
+
+ newvalues(:true, :false)
+
+ defaultto false
 end
 end
diff --git a/lib/puppet/type/glance_cache_config.rb b/lib/puppet/type/glance_cache_config.rb
index ae0254e1..5f801fd7 100644
--- a/lib/puppet/type/glance_cache_config.rb
+++ b/lib/puppet/type/glance_cache_config.rb
@@ -14,6 +14,30 @@ Puppet::Type.newtype(:glance_cache_config) do
 value.capitalize! if value =~ /^(true|false)$/i
 value
 end
+
+ def is_to_s( currentvalue )
+ if resource.secret?
+ return '[old secret redacted]'
+ else
+ return currentvalue
+ end
+ end
+
+ def should_to_s( newvalue )
+ if resource.secret?
+ return '[new secret redacted]'
+ else
+ return newvalue
+ end
+ end
+ end
+
+ newparam(:secret, :boolean => true) do
+ desc 'Whether to hide the value from Puppet logs. Defaults to `false`.'
+
+ newvalues(:true, :false)
+
+ defaultto false
 end
 end
diff --git a/lib/puppet/type/glance_registry_config.rb b/lib/puppet/type/glance_registry_config.rb
index 3b08e6a6..3291be39 100644
--- a/lib/puppet/type/glance_registry_config.rb
+++ b/lib/puppet/type/glance_registry_config.rb
@@ -14,6 +14,30 @@ Puppet::Type.newtype(:glance_registry_config) do
 value.capitalize! if value =~ /^(true|false)$/i
 value
 end
+
+ def is_to_s( currentvalue )
+ if resource.secret?
+ return '[old secret redacted]'
+ else
+ return currentvalue
+ end
+ end
+
+ def should_to_s( newvalue )
+ if resource.secret?
+ return '[new secret redacted]'
+ else
+ return newvalue
+ end
+ end
+ end
+
+ newparam(:secret, :boolean => true) do
+ desc 'Whether to hide the value from Puppet logs. Defaults to `false`.'
+
+ newvalues(:true, :false)
+
+ defaultto false
 end
 end
diff --git a/lib/puppet/type/glance_registry_paste_ini.rb b/lib/puppet/type/glance_registry_paste_ini.rb
index 8c9b956b..1afeafd7 100644
--- a/lib/puppet/type/glance_registry_paste_ini.rb
+++ b/lib/puppet/type/glance_registry_paste_ini.rb
@@ -14,6 +14,30 @@ Puppet::Type.newtype(:glance_registry_paste_ini) do
 value.capitalize! if value =~ /^(true|false)$/i
 value
 end
+
+ def is_to_s( currentvalue )
+ if resource.secret?
+ return '[old secret redacted]'
+ else
+ return currentvalue
+ end
+ end
+
+ def should_to_s( newvalue )
+ if resource.secret?
+ return '[new secret redacted]'
+ else
+ return newvalue
+ end
+ end
+ end
+
+ newparam(:secret, :boolean => true) do
+ desc 'Whether to hide the value from Puppet logs. Defaults to `false`.'
+
+ newvalues(:true, :false)
+
+ defaultto false
 end
 end
diff --git a/manifests/api.pp b/manifests/api.pp
index ab46c261..e18e5843 100644
--- a/manifests/api.pp
+++ b/manifests/api.pp
@@ -258,7 +258,7 @@ class glance::api(
 fail("Invalid db connection ${database_connection_real}")
 }
 glance_api_config {
- 'database/connection': value => $database_connection_real;
+ 'database/connection': value => $database_connection_real, secret => true;
 'database/idle_timeout': value => $database_idle_timeout_real;
 }
 }
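Review bot: Marking `database/connection` as secret is the right call, since a database connection URL commonly embeds the password, but the commit only flags the settings listed in its diffstat; any other credential-bearing keys this module writes through these types (backend store keys, for example) are outside this diff and would still be logged in clear, so a pass over the remaining manifests is worth doing before this merges. Related: the two `*_paste_ini` types gain the `secret` parameter but no manifest in this commit passes it to them, which is fine if they carry no credentials, but worth confirming. The `glance::api` class body continues outside the hunk.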
@@ -344,13 +344,13 @@ class glance::api(
 glance_api_config {
 'keystone_authtoken/admin_tenant_name': value => $keystone_tenant;
 'keystone_authtoken/admin_user' : value => $keystone_user;
- 'keystone_authtoken/admin_password' : value => $keystone_password;
+ 'keystone_authtoken/admin_password' : value => $keystone_password, secret => true;
 }
 glance_cache_config {
 'DEFAULT/auth_url' : value => $auth_url;
 'DEFAULT/admin_tenant_name': value => $keystone_tenant;
 'DEFAULT/admin_user' : value => $keystone_user;
- 'DEFAULT/admin_password' : value => $keystone_password;
+ 'DEFAULT/admin_password' : value => $keystone_password, secret => true;
 }
 }
diff --git a/manifests/notify/qpid.pp b/manifests/notify/qpid.pp
index 8e4034e9..af1ab781 100644
--- a/manifests/notify/qpid.pp
+++ b/manifests/notify/qpid.pp
@@ -15,7 +15,7 @@ class glance::notify::qpid(
 'DEFAULT/qpid_port': value => $qpid_port;
 'DEFAULT/qpid_protocol': value => $qpid_protocol;
 'DEFAULT/qpid_username': value => $qpid_username;
- 'DEFAULT/qpid_password': value => $qpid_password;
+ 'DEFAULT/qpid_password': value => $qpid_password, secret => true;
 }
 }
diff --git a/manifests/notify/rabbitmq.pp b/manifests/notify/rabbitmq.pp
index 4264183d..7f6fcf9f 100644
--- a/manifests/notify/rabbitmq.pp
+++ b/manifests/notify/rabbitmq.pp
@@ -89,7 +89,7 @@ class glance::notify::rabbitmq(
 glance_api_config {
 'DEFAULT/notification_driver': value => 'messaging';
 'DEFAULT/rabbit_virtual_host': value => $rabbit_virtual_host;
- 'DEFAULT/rabbit_password': value => $rabbit_password;
+ 'DEFAULT/rabbit_password': value => $rabbit_password, secret => true;
 'DEFAULT/rabbit_userid': value => $rabbit_userid;
 'DEFAULT/rabbit_notification_exchange': value => $rabbit_notification_exchange;
 'DEFAULT/rabbit_notification_topic': value => $rabbit_notification_topic;
diff --git a/manifests/registry.pp b/manifests/registry.pp
index bc3b4679..875889b6 100644
--- a/manifests/registry.pp
+++ b/manifests/registry.pp
@@ -192,7 +192,7 @@ class glance::registry(
 fail("Invalid db connection ${database_connection_real}")
 }
 glance_registry_config {
- 'database/connection': value => $database_connection_real;
+ 'database/connection': value => $database_connection_real, secret => true;
 'database/idle_timeout': value => $database_idle_timeout_real;
 }
 }
@@ -245,7 +245,7 @@ class glance::registry(
 glance_registry_config {
 'keystone_authtoken/admin_tenant_name': value => $keystone_tenant;
 'keystone_authtoken/admin_user' : value => $keystone_user;
- 'keystone_authtoken/admin_password' : value => $keystone_password;
+ 'keystone_authtoken/admin_password' : value => $keystone_password, secret => true;
 }
 }
diff --git a/spec/classes/glance_api_spec.rb b/spec/classes/glance_api_spec.rb
index d890d123..879fa715 100644
--- a/spec/classes/glance_api_spec.rb
+++ b/spec/classes/glance_api_spec.rb
@@ -115,6 +115,7 @@ describe 'glance::api' do
 it 'should config db' do
 should contain_glance_api_config('database/connection').with_value(param_hash[:database_connection])
+ should contain_glance_api_config('database/connection').with_value(param_hash[:database_connection]).with_secret(true)
 should contain_glance_api_config('database/idle_timeout').with_value(param_hash[:database_idle_timeout])
 end
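Review bot: The added assertion in the glance_api_spec hunk repeats the `with_value(param_hash[:database_connection])` check from the line directly above it, so the same resource is now asserted twice and the first line carries no information of its own; append `.with_secret(true)` to the existing line instead: `should contain_glance_api_config('database/connection').with_value(param_hash[:database_connection]).with_secret(true)`. The same doubled-assertion pattern appears in the glance_notify_qpid_spec, glance_notify_rabbitmq_spec and glance_registry_spec hunks. In the two notify specs the existing line also hard-codes `'pass'` while the new one reads `params[:qpid_password]` / `params[:rabbit_password]`, so one spelling should win. The enclosing `describe` block starts outside the hunk.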
@@ -138,12 +139,16 @@ describe 'glance::api' do
 it 'should configure itself for keystone if that is the auth_type' do
 if params[:auth_type] == 'keystone'
 should contain('paste_deploy/flavor').with_value('keystone+cachemanagement')
+
 ['admin_tenant_name', 'admin_user', 'admin_password'].each do |config|
 should contain_glance_api_config("keystone_authtoken/#{config}").with_value(param_hash[config.intern])
 end
+ should contain_glance_api_config('keystone_authtoken/admin_password').with_value(param_hash[:keystone_password]).with_secret(true)
+
 ['admin_tenant_name', 'admin_user', 'admin_password'].each do |config|
 should contain_glance_cache_config("keystone_authtoken/#{config}").with_value(param_hash[config.intern])
 end
+ should contain_glance_cache_config('keystone_authtoken/admin_password').with_value(param_hash[:keystone_password]).with_secret(true)
 end
 end
 end
diff --git a/spec/classes/glance_notify_qpid_spec.rb b/spec/classes/glance_notify_qpid_spec.rb
index 6ae87cf5..f6c61583 100644
--- a/spec/classes/glance_notify_qpid_spec.rb
+++ b/spec/classes/glance_notify_qpid_spec.rb
@@ -18,6 +18,7 @@ describe 'glance::notify::qpid' do
 it { should contain_glance_api_config('DEFAULT/notifier_driver').with_value('qpid') }
 it { should contain_glance_api_config('DEFAULT/qpid_username').with_value('guest') }
 it { should contain_glance_api_config('DEFAULT/qpid_password').with_value('pass') }
+ it { should contain_glance_api_config('DEFAULT/qpid_password').with_value(params[:qpid_password]).with_secret(true) }
 it { should contain_glance_api_config('DEFAULT/qpid_hostname').with_value('localhost') }
 it { should contain_glance_api_config('DEFAULT/qpid_port').with_value('5672') }
 it { should contain_glance_api_config('DEFAULT/qpid_protocol').with_value('tcp') }
diff --git a/spec/classes/glance_notify_rabbitmq_spec.rb b/spec/classes/glance_notify_rabbitmq_spec.rb
index aa8e6341..47163fa0 100644
--- a/spec/classes/glance_notify_rabbitmq_spec.rb
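Review bot: The new `contain_glance_cache_config('keystone_authtoken/admin_password')` assertion names a resource title this commit does not declare: the api.pp hunk writes the cache password as `'DEFAULT/admin_password'`, and only the `glance_api_config` resource uses `'keystone_authtoken/admin_password'`. Unless some part of api.pp outside this diff also declares that title for glance_cache_config, the line should read `should contain_glance_cache_config('DEFAULT/admin_password').with_value(param_hash[:keystone_password]).with_secret(true)`. Both new assertions sit under `if params[:auth_type] == 'keystone'`, so they run only for parameter sets that select keystone, which is presumably why the existing loop's `keystone_authtoken/#{config}` title for glance_cache_config has not failed either; a parameter set that exercises this branch would make the check meaningful. The existing loop also looks values up with `param_hash[config.intern]` (i.e. `:admin_password`) while the new lines use `param_hash[:keystone_password]`; the new spelling matches the manifest, but the two disagree. The enclosing `describe` block starts outside the hunk.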
+++ b/spec/classes/glance_notify_rabbitmq_spec.rb
@@ -16,6 +16,7 @@ describe 'glance::notify::rabbitmq' do
 end
 it { should contain_glance_api_config('DEFAULT/notification_driver').with_value('messaging') }
 it { should contain_glance_api_config('DEFAULT/rabbit_password').with_value('pass') }
+ it { should contain_glance_api_config('DEFAULT/rabbit_password').with_value(params[:rabbit_password]).with_secret(true) }
 it { should contain_glance_api_config('DEFAULT/rabbit_userid').with_value('guest') }
 it { should contain_glance_api_config('DEFAULT/rabbit_host').with_value('localhost') }
 it { should contain_glance_api_config('DEFAULT/rabbit_port').with_value('5672') }
diff --git a/spec/classes/glance_registry_spec.rb b/spec/classes/glance_registry_spec.rb
index 9e740568..71d759e6 100644
--- a/spec/classes/glance_registry_spec.rb
+++ b/spec/classes/glance_registry_spec.rb
@@ -112,6 +112,7 @@ describe 'glance::registry' do
 should contain_glance_registry_config("keystone_authtoken/admin_tenant_name").with_value(param_hash[:keystone_tenant])
 should contain_glance_registry_config("keystone_authtoken/admin_user").with_value(param_hash[:keystone_user])
 should contain_glance_registry_config("keystone_authtoken/admin_password").with_value(param_hash[:keystone_password])
+ should contain_glance_registry_config("keystone_authtoken/admin_password").with_value(param_hash[:keystone_password]).with_secret(true)
 end
 end
 end