From d7d6adfd5b2148cc5b3dff3fb188b6619f0f1084 Mon Sep 17 00:00:00 2001
From: Takashi Kajinami
Date: Fri, 24 Jun 2022 01:10:52 +0900
Subject: [PATCH] Ensure key contents are hidden

By default, the file resource shows differences when the file changes. This change disables that for the key files so that key contents are not displayed in output.

Closes-Bug: #1979672
Change-Id: Ic0398cfbb14782ce16710a838e5428be50f2a0b3
(cherry picked from commit c76bfbe41f7bdc37a50893609cd4d70a2a7e1a75)
(cherry picked from commit 6a0ca3f0f5730aa5cca683c62117c3f1568ca535)
(cherry picked from commit f5d1daf0b7485b11abf1f372d0d2e9f4910c777d)
(cherry picked from commit bbdbd7aef35ea5477ccfe1b73c3bdeb76abe6b86)
(cherry picked from commit 922083e5ba8955f15ffd7450e6b843d9cd5d2f17)
---
 manifests/init.pp | 2 ++
 releasenotes/notes/bug-1979672-003a5939f3bd6f67.yaml | 5 +++++
 spec/classes/keystone_init_spec.rb | 2 ++
 3 files changed, 9 insertions(+)
 create mode 100644 releasenotes/notes/bug-1979672-003a5939f3bd6f67.yaml

diff --git a/manifests/init.pp b/manifests/init.pp
index f289852e8..750958285 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -915,6 +915,7 @@ running as a standalone service, or httpd for being run by a httpd server")
 'group' => $keystone_group,
 'mode' => '0600',
 'replace' => $fernet_replace_keys,
+ 'show_diff' => false,
 'subscribe' => 'Anchor[keystone::install::end]',
 }
 )
@@ -950,6 +951,7 @@ running as a standalone service, or httpd for being run by a httpd server")
 'owner' => $keystone_user,
 'group' => $keystone_group,
 'mode' => '0600',
+ 'show_diff' => false,
 'subscribe' => 'Anchor[keystone::install::end]',
 }
 )
diff --git a/releasenotes/notes/bug-1979672-003a5939f3bd6f67.yaml b/releasenotes/notes/bug-1979672-003a5939f3bd6f67.yaml
new file mode 100644
index 000000000..df20de984
--- /dev/null
+++ b/releasenotes/notes/bug-1979672-003a5939f3bd6f67.yaml
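Review bot: `'show_diff' => false` on the fernet key file at +915 only suppresses the diff in agent output and reports; the key material still sits in plaintext in the compiled catalog and in whatever expression feeds the resource's `content`, which begins above this hunk. If that content is a plain string, declaring it as `'content' => Sensitive(...)` would redact it from the catalog and logs too and, in current Puppet, also disables the diff, so the two settings complement each other; I cannot see the `content` line here, so this needs checking against the enclosing declaration. The credential-key file at +951 has the same shape and the same remark applies. Both resource declarations start outside their hunks.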
@@ -0,0 +1,5 @@
+---
+security:
+ - |
+ Content of fernet keys and credential keys are now hidden from output, when these files are updated.
diff --git a/spec/classes/keystone_init_spec.rb b/spec/classes/keystone_init_spec.rb
index e6e9aabe4..f3fe50df7 100644
--- a/spec/classes/keystone_init_spec.rb
+++ b/spec/classes/keystone_init_spec.rb
@@ -587,11 +587,13 @@ describe 'keystone' do
 it { is_expected.to contain_file('/etc/keystone/credential-keys/0').with(
 'content' => 't-WdduhORSqoyAykuqWAQSYjg2rSRuJYySgI2xh48CI=',
 'owner' => 'keystone',
+ :show_diff => false,
 'subscribe' => 'Anchor[keystone::install::end]',
 )}
 it { is_expected.to contain_file('/etc/keystone/credential-keys/1').with(
 'content' => 'GLlnyygEVJP4-H2OMwClXn3sdSQUZsM5F194139Unv8=',
 'owner' => 'keystone',
+ :show_diff => false,
 'subscribe' => 'Anchor[keystone::install::end]',
 )}
 end
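Review bot: The new `:show_diff => false` at +590 and +596 uses a symbol key while every neighbouring key in the same `.with(` hash is a string (`'content'`, `'owner'`, `'subscribe'`); writing it as `'show_diff' => false,` keeps the hash uniform and mirrors the manifest. Only the two credential-key resources are asserted in this hunk; if the fernet key file resource changed in the manifest's first hunk has an expectation elsewhere in this spec, it should gain the same check, which I cannot confirm from here. The enclosing `describe` block continues outside the hunk.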