From c76bfbe41f7bdc37a50893609cd4d70a2a7e1a75 Mon Sep 17 00:00:00 2001
From: Takashi Kajinami
Date: Fri, 24 Jun 2022 01:10:52 +0900
Subject: [PATCH] Ensure key contents are hidden

By default, the file resource shows differences when the file changes. This change disables that for the key files so that key contents are not displayed in output.

Closes-Bug: #1979672
Change-Id: Ic0398cfbb14782ce16710a838e5428be50f2a0b3
---
 manifests/init.pp | 2 ++
 releasenotes/notes/bug-1979672-003a5939f3bd6f67.yaml | 5 +++++
 spec/classes/keystone_init_spec.rb | 2 ++
 3 files changed, 9 insertions(+)
 create mode 100644 releasenotes/notes/bug-1979672-003a5939f3bd6f67.yaml

diff --git a/manifests/init.pp b/manifests/init.pp
index df3c2fc7c..3daa30e2b 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -654,6 +654,7 @@ running as a standalone service, or httpd for being run by a httpd server")
 'group' => $keystone_group,
 'mode' => '0600',
 'replace' => $fernet_replace_keys,
+ 'show_diff' => false,
 'subscribe' => 'Anchor[keystone::install::end]',
 'tag' => 'keystone-fernet-key',
 }
@@ -690,6 +691,7 @@ running as a standalone service, or httpd for being run by a httpd server")
 'owner' => $keystone_user,
 'group' => $keystone_group,
 'mode' => '0600',
+ 'show_diff' => false,
 'subscribe' => 'Anchor[keystone::install::end]',
 }
 )
diff --git a/releasenotes/notes/bug-1979672-003a5939f3bd6f67.yaml b/releasenotes/notes/bug-1979672-003a5939f3bd6f67.yaml
new file mode 100644
index 000000000..df20de984
--- /dev/null
+++ b/releasenotes/notes/bug-1979672-003a5939f3bd6f67.yaml
@@ -0,0 +1,5 @@
+---
+security:
+ - |
+ Content of fernet keys and credential keys are now hidden from output, when
+ these files are updated.
diff --git a/spec/classes/keystone_init_spec.rb b/spec/classes/keystone_init_spec.rb
index e54c12a69..d32047752 100644
--- a/spec/classes/keystone_init_spec.rb
+++ b/spec/classes/keystone_init_spec.rb
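Review bot: `'show_diff' => false` only suppresses the content diff that the agent prints when an existing key file changes; the key material itself still travels in the catalog through the resource's `content` attribute, which is set outside this hunk (the spec hunk in this patch shows it is a literal key string), so it can still surface in catalog dumps or in any other diagnostic that serializes the resource. The same applies to the second init.pp hunk at @@ -690 for the credential keys. If the module's supported Puppet versions allow it, wrapping the value as `'content' => Sensitive($key)` would mark the value as redacted end to end, and `show_diff => false` can stay as a belt-and-braces setting for older agents. A one-line comment above the added line, `# key material must never appear in agent output`, would record why the diff is disabled for these two resources only. The enclosing `file` resource hash and the surrounding `create_resources`/loop begin before this hunk.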
@@ -371,11 +371,13 @@ describe 'keystone' do it { is_expected.to contain_file('/etc/keystone/credential-keys/0').with( 'content' => 't-WdduhORSqoyAykuqWAQSYjg2rSRuJYySgI2xh48CI=', 'owner' => 'keystone', + :show_diff => false, 'subscribe' => 'Anchor[keystone::install::end]', )} it { is_expected.to contain_file('/etc/keystone/credential-keys/1').with( 'content' => 'GLlnyygEVJP4-H2OMwClXn3sdSQUZsM5F194139Unv8=', 'owner' => 'keystone', + :show_diff => false, 'subscribe' => 'Anchor[keystone::install::end]', )} end
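Review bot: The two added lines use a symbol key, `:show_diff => false`, while every neighbouring key in the same `.with(` hash is a string (`'content'`, `'owner'`, `'subscribe'`); rspec-puppet accepts either, but the mixed style reads as if the key were a different kind of parameter, so `'show_diff' => false` would be the consistent form in both examples. Only the two credential-key files are asserted here; the patch also disables the diff on the fernet-key resource (the first init.pp hunk), and if that resource has an example elsewhere in this spec it should gain the same `'show_diff' => false` expectation so a regression there is caught too. The `context`/`describe` block enclosing these `it` examples starts before the hunk.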