From de567154f60c36f8c6e336a7345e027faaad9d7b Mon Sep 17 00:00:00 2001
From: Tobias Urdin
Date: Sun, 24 Mar 2024 20:22:01 +0100
Subject: [PATCH] Set show_diff to false when configuring Federation

When we configure federation changes in configuration files that contain sensitive informatio ncan be leaked into the output.

Change-Id: I797fc8101837fe344c056a032ba98e5fbc8a2bec
---
 manifests/federation/mellon.pp | 4 ++++
 manifests/federation/openidc.pp | 4 ++++
 manifests/federation/shibboleth.pp | 8 ++++++++
 spec/classes/keystone_federation_mellon_spec.rb | 4 ++++
 spec/classes/keystone_federation_openidc_spec.rb | 2 ++
 spec/classes/keystone_federation_shibboleth_spec.rb | 5 +++++
 6 files changed, 27 insertions(+)

diff --git a/manifests/federation/mellon.pp b/manifests/federation/mellon.pp
index 8e4366e69..779f19e22 100644
--- a/manifests/federation/mellon.pp
+++ b/manifests/federation/mellon.pp
@@ -82,4 +82,8 @@ Apache + Mellon SP setups, where a REMOTE_USER env variable is always set, even
 content => template('keystone/mellon.conf.erb'),
 order => $template_order,
 }
+
+ Concat<| title == "${keystone::wsgi::apache::priority}-keystone_wsgi.conf" |> {
+ show_diff => false,
+ }
 }
diff --git a/manifests/federation/openidc.pp b/manifests/federation/openidc.pp
index e38be89c3..647c7302f 100644
--- a/manifests/federation/openidc.pp
+++ b/manifests/federation/openidc.pp
@@ -248,4 +248,8 @@ class keystone::federation::openidc (
 content => template('keystone/openidc.conf.erb'),
 order => $template_order,
 }
+
+ Concat<| title == "${keystone::wsgi::apache::priority}-keystone_wsgi.conf" |> {
+ show_diff => false,
+ }
 }
diff --git a/manifests/federation/shibboleth.pp b/manifests/federation/shibboleth.pp
index c1e50e713..68f163811 100644
--- a/manifests/federation/shibboleth.pp
+++ b/manifests/federation/shibboleth.pp
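Review bot: The `Concat<| … |>` override added at the end of the mellon.pp class (and repeated verbatim in openidc.pp and in both OS branches of shibboleth.pp) has no comment saying why diffs are disabled, and a collector that matches no resource is a silent no-op. If the vhost file's title ever stops matching the interpolated string, diff output comes back without any compile error. I would put a comment above each block, e.g. `# The federation fragment may render secrets; keep them out of agent logs and reports.` The override also depends on `$keystone::wsgi::apache::priority` resolving to the value the vhost used for its file name; that class is declared outside these hunks, so this is worth confirming. Since the same four lines now live in four places, one shared location for the override would keep the copies from drifting.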
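Review bot: In the openidc.pp hunk, `show_diff => false` only suppresses the rendered diff in agent output and reports; it does not change where the content itself ends up. If the openidc template renders secret values, as the commit message implies (the template is not visible here), they are still part of the compiled catalog, and the previous version of the vhost file may still be copied to the filebucket on each change. It would be worth checking the `backup` setting on the same concat resource and the mode of the resulting file, neither of which appears in this hunk.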
@@ -86,6 +86,10 @@ Apache + Shibboleth SP setups, where a REMOTE_USER env variable is always set, e content => template('keystone/shibboleth.conf.erb'), order => $template_order, } + + Concat<| title == "${keystone::wsgi::apache::priority}-keystone_wsgi.conf" |> { + show_diff => false, + } } 'RedHat': { if defined(Yumrepo[$yum_repo_name]) or defined(Package['shibboleth']) { @@ -101,6 +105,10 @@ Apache + Shibboleth SP setups, where a REMOTE_USER env variable is always set, e content => template('keystone/shibboleth.conf.erb'), order => $template_order, } + + Concat<| title == "${keystone::wsgi::apache::priority}-keystone_wsgi.conf" |> { + show_diff => false, + } } else { if !$suppress_warning { warning( 'Can not configure Shibboleth in Apache on RedHat OS. Read the Note on this federation/shibboleth.pp' ) diff --git a/spec/classes/keystone_federation_mellon_spec.rb b/spec/classes/keystone_federation_mellon_spec.rb index c61b246ce..ddab2fdfb 100644 --- a/spec/classes/keystone_federation_mellon_spec.rb +++ b/spec/classes/keystone_federation_mellon_spec.rb @@ -57,6 +57,8 @@ describe 'keystone::federation::mellon' do :priority => 10, :order => params[:template_order], })} + + it { is_expected.to contain_concat('10-keystone_wsgi.conf').with_show_diff(false) } end context 'with websso enabled' do @@ -80,6 +82,8 @@ describe 'keystone::federation::mellon' do :priority => 10, :order => params[:template_order], })} + + it { is_expected.to contain_concat('10-keystone_wsgi.conf').with_show_diff(false) } end end diff --git a/spec/classes/keystone_federation_openidc_spec.rb b/spec/classes/keystone_federation_openidc_spec.rb index 9f8aad894..32918d551 100644 --- a/spec/classes/keystone_federation_openidc_spec.rb +++ b/spec/classes/keystone_federation_openidc_spec.rb 
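Review bot: The expectations added in keystone_federation_mellon_spec.rb hard-code the title `'10-keystone_wsgi.conf'`, so they pass only for the default priority and never exercise the `${keystone::wsgi::apache::priority}` interpolation in the collector, which is the part that fails silently when the title does not match. A context that sets a non-default priority and expects the correspondingly named concat to have `show_diff` false would cover that case. The class setup for these examples lies outside the hunks, so I am assuming the priority can be overridden there. The same applies to the expectations added in the openidc and shibboleth specs, and hoisting the title into a `let(:concat_title)` would remove the repeated literal.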
@@ -72,6 +72,8 @@ describe 'keystone::federation::openidc' do :order => params[:template_order], })} + it { is_expected.to contain_concat('10-keystone_wsgi.conf').with_show_diff(false) } + it 'should contain expected config' do content = get_param('concat::fragment', 'keystone_wsgi-configure_openidc_keystone', 'content') expect(content).to match('OIDCProviderMetadataURL "https://accounts.google.com/.well-known/openid-configuration"') diff --git a/spec/classes/keystone_federation_shibboleth_spec.rb b/spec/classes/keystone_federation_shibboleth_spec.rb index 356423153..a7453d3df 100644 --- a/spec/classes/keystone_federation_shibboleth_spec.rb +++ b/spec/classes/keystone_federation_shibboleth_spec.rb @@ -88,6 +88,7 @@ describe 'keystone::federation::shibboleth' do :priority => 10, :order => params[:template_order], })} + it { is_expected.to contain_concat('10-keystone_wsgi.conf').with_show_diff(false) } end end @@ -113,6 +114,7 @@ describe 'keystone::federation::shibboleth' do :priority => 10, :order => params[:template_order], })} + it { is_expected.to contain_concat('10-keystone_wsgi.conf').with_show_diff(false) } end end @@ -131,12 +133,15 @@ describe 'keystone::federation::shibboleth' do let (:params) { default_params } it { is_expected.to contain_apache__mod('shib2') } + it { is_expected.to contain_apache__vhost__fragment('configure_shibboleth_keystone').with({ :vhost => 'keystone_wsgi', # This need to change if priority is changed in keystone::wsgi::apache :priority => 10, :order => params[:template_order], })} + + it { is_expected.to contain_concat('10-keystone_wsgi.conf').with_show_diff(false) } end end