Hide secrets from puppet logs

Currently secrets like rabbit_password or admin_password are laked puppet logs when changed. This commit changes heat_*_config and heat_*_ini types adding a new parameter that triggers obfuscation the values in puppet logs. Change-Id: Ib06a0f967dd5d5f8cc1c4dc7257c0e196786e8ae Closes-Bug: #1328448
2014-07-12 02:27:11 +02:00 · 2014-07-12 02:27:11 +02:00 · 6a89a44f9d
parent b2eec2883c
commit 6a89a44f9d
3 changed files with 31 additions and 3 deletions
--- a/lib/puppet/type/heat_config.rb
+++ b/lib/puppet/type/heat_config.rb
@ -14,6 +14,30 @@ Puppet::Type.newtype(:heat_config) do
      value.capitalize! if value =~ /^(true|false)$/i
      value
    end
+
+    def is_to_s( currentvalue )
+      if resource.secret?
+        return '[old secret redacted]'
+      else
+        return currentvalue
+      end
+    end
+
+    def should_to_s( newvalue )
+      if resource.secret?
+        return '[new secret redacted]'
+      else
+        return newvalue
+      end
+    end
+  end
+
+  newparam(:secret, :boolean => true) do
+    desc 'Whether to hide the value from Puppet logs. Defaults to `false`.'
+
+    newvalues(:true, :false)
+
+    defaultto false
  end

 end
--- a/manifests/init.pp
+++ b/manifests/init.pp
@ -214,7 +214,7 @@ class heat(

    heat_config {
      'DEFAULT/rabbit_userid'          : value => $rabbit_userid;
-      'DEFAULT/rabbit_password'        : value => $rabbit_password;
+      'DEFAULT/rabbit_password'        : value => $rabbit_password, secret => true;
      'DEFAULT/rabbit_virtual_host'    : value => $rabbit_virtual_host;
      'DEFAULT/rabbit_use_ssl'         : value => $rabbit_use_ssl;
      'DEFAULT/amqp_durable_queues'    : value => $amqp_durable_queues;
@ -244,7 +244,7 @@ class heat(
      'DEFAULT/qpid_hostname'               : value => $qpid_hostname;
      'DEFAULT/qpid_port'                   : value => $qpid_port;
      'DEFAULT/qpid_username'               : value => $qpid_username;
-      'DEFAULT/qpid_password'               : value => $qpid_password;
+      'DEFAULT/qpid_password'               : value => $qpid_password, secret => true;
      'DEFAULT/qpid_heartbeat'              : value => $qpid_heartbeat;
      'DEFAULT/qpid_protocol'               : value => $qpid_protocol;
      'DEFAULT/qpid_tcp_nodelay'            : value => $qpid_tcp_nodelay;
@ -323,7 +323,7 @@ class heat(
    }

    heat_config {
-      'database/connection': value => $sql_connection;
+      'database/connection': value => $sql_connection, secret => true;
      'database/idle_timeout':  value => $database_idle_timeout;
    }

--- a/spec/classes/heat_init_spec.rb
+++ b/spec/classes/heat_init_spec.rb
@ -159,6 +159,7 @@ describe 'heat' do
    it 'configures rabbit' do
      should contain_heat_config('DEFAULT/rabbit_userid').with_value( params[:rabbit_userid] )
      should contain_heat_config('DEFAULT/rabbit_password').with_value( params[:rabbit_password] )
+      should contain_heat_config('DEFAULT/rabbit_password').with_secret( true )
      should contain_heat_config('DEFAULT/rabbit_virtual_host').with_value( params[:rabbit_virtual_host] )
      should contain_heat_config('DEFAULT/rabbit_use_ssl').with_value(false)
      should contain_heat_config('DEFAULT/kombu_ssl_ca_certs').with_ensure('absent')
@ -176,6 +177,7 @@ describe 'heat' do
  shared_examples_for 'rabbit without HA support (without backward compatibility)' do
    it 'configures rabbit' do
      should contain_heat_config('DEFAULT/rabbit_userid').with_value( params[:rabbit_userid] )
+      should contain_heat_config('DEFAULT/rabbit_password').with_secret( true )
      should contain_heat_config('DEFAULT/rabbit_password').with_value( params[:rabbit_password] )
      should contain_heat_config('DEFAULT/rabbit_virtual_host').with_value( params[:rabbit_virtual_host] )
      should contain_heat_config('DEFAULT/rabbit_use_ssl').with_value(false)
@ -195,6 +197,7 @@ describe 'heat' do
    it 'configures rabbit' do
      should contain_heat_config('DEFAULT/rabbit_userid').with_value( params[:rabbit_userid] )
      should contain_heat_config('DEFAULT/rabbit_password').with_value( params[:rabbit_password] )
+      should contain_heat_config('DEFAULT/rabbit_password').with_secret( true )
      should contain_heat_config('DEFAULT/rabbit_virtual_host').with_value( params[:rabbit_virtual_host] )
      should contain_heat_config('DEFAULT/rabbit_use_ssl').with_value(false)
      should contain_heat_config('DEFAULT/kombu_ssl_ca_certs').with_ensure('absent')
@ -230,6 +233,7 @@ describe 'heat' do
      it { should contain_heat_config('DEFAULT/qpid_port').with_value( params[:qpid_port] ) }
      it { should contain_heat_config('DEFAULT/qpid_username').with_value( params[:qpid_username]) }
      it { should contain_heat_config('DEFAULT/qpid_password').with_value(params[:qpid_password]) }
+      it { should contain_heat_config('DEFAULT/qpid_password').with_secret( true ) }
    end

    context("failing if the rpc_backend is not present") do