From 8d2662c2ba9f70a5a9098821006f28d7e1ea9d7e Mon Sep 17 00:00:00 2001 From: Takashi Kajinami Date: Sun, 3 Jan 2021 18:06:56 +0900 Subject: [PATCH] Ensure service user passwords are secret Change-Id: Ia4aabf358e4e0ef0e7913940b70ba79b1eaa1acf --- .../type/ironic_neutron_agent_config.rb | 24 +++++++++++++++++++ manifests/agents/ml2/networking_baremetal.pp | 2 +- manifests/designate.pp | 2 +- ...on_agents_ml2_networking_baremetal_spec.rb | 2 +- spec/classes/neutron_designate_spec.rb | 4 ++-- 5 files changed, 29 insertions(+), 5 deletions(-) diff --git a/lib/puppet/type/ironic_neutron_agent_config.rb b/lib/puppet/type/ironic_neutron_agent_config.rb index f9fe1a5cf..b24a53bd4 100644 --- a/lib/puppet/type/ironic_neutron_agent_config.rb +++ b/lib/puppet/type/ironic_neutron_agent_config.rb @@ -14,6 +14,30 @@ Puppet::Type.newtype(:ironic_neutron_agent_config) do value.capitalize! if value =~ /^(true|false)$/i value end + + def is_to_s( currentvalue ) + if resource.secret? + return '[old secret redacted]' + else + return currentvalue + end + end + + def should_to_s( newvalue ) + if resource.secret? + return '[new secret redacted]' + else + return newvalue + end + end + end + + newparam(:secret, :boolean => true) do + desc 'Whether to hide the value from Puppet logs. Defaults to `false`.' + + newvalues(:true, :false) + + defaultto false end newparam(:ensure_absent_val) do diff --git a/manifests/agents/ml2/networking_baremetal.pp b/manifests/agents/ml2/networking_baremetal.pp index 7a66bf4fc..08981ae39 100644 --- a/manifests/agents/ml2/networking_baremetal.pp +++ b/manifests/agents/ml2/networking_baremetal.pp 
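Review bot: The `desc` on the new `:secret` parameter promises more than the code delivers: `is_to_s` and `should_to_s` only redact the old and new value inside the change notice for this setting, while the setting name, the fact that it changed, and the plain value anywhere else Puppet prints a parameter are untouched, so I would tighten it to `desc 'Whether to redact the old and new value in the change notice Puppet logs for this setting. Defaults to `false`.'`. Nothing in the hunk marks the value as sensitive in the catalog or report, so a deployment that needs that should presumably still pass a `Sensitive` value through the manifest — worth confirming against the Puppet versions the module targets. The block that `is_to_s`/`should_to_s` are added to begins above the hunk, so whether `:value` is the property on which Puppet consults these hooks is not visible here; the diffstat also lists no unit spec for the type, so the redaction path itself is not exercised by this change.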
@@ -148,7 +148,7 @@ class neutron::agents::ml2::networking_baremetal ( 'ironic/auth_type': value => $auth_type; 'ironic/auth_url': value => $auth_url; 'ironic/username': value => $username; - 'ironic/password': value => $password; + 'ironic/password': value => $password, secret => true; 'ironic/project_domain_name': value => $project_domain_name; 'ironic/project_name': value => $project_name; 'ironic/user_domain_name': value => $user_domain_name; diff --git a/manifests/designate.pp b/manifests/designate.pp index 8e62b29c6..6c77536f9 100644 --- a/manifests/designate.pp +++ b/manifests/designate.pp @@ -73,7 +73,7 @@ class neutron::designate ( neutron_config { 'DEFAULT/external_dns_driver': value => 'designate'; - 'designate/password': value => $password; + 'designate/password': value => $password, secret => true; 'designate/url': value => $url; 'designate/auth_type': value => $auth_type; 'designate/username': value => $username; diff --git a/spec/classes/neutron_agents_ml2_networking_baremetal_spec.rb b/spec/classes/neutron_agents_ml2_networking_baremetal_spec.rb index 0438bda17..1393bc5dd 100644 --- a/spec/classes/neutron_agents_ml2_networking_baremetal_spec.rb +++ b/spec/classes/neutron_agents_ml2_networking_baremetal_spec.rb 
@@ -44,7 +44,7 @@ describe 'neutron::agents::ml2::networking_baremetal' do
 should contain_ironic_neutron_agent_config('ironic/auth_type').with_value(p[:auth_type])
 should contain_ironic_neutron_agent_config('ironic/auth_url').with_value(p[:auth_url])
 should contain_ironic_neutron_agent_config('ironic/username').with_value(p[:username])
- should contain_ironic_neutron_agent_config('ironic/password').with_value(p[:password])
+ should contain_ironic_neutron_agent_config('ironic/password').with_value(p[:password]).with_secret(true)
 should contain_ironic_neutron_agent_config('ironic/project_domain_name').with_value(p[:project_domain_name])
 should contain_ironic_neutron_agent_config('ironic/project_name').with_value(p[:project_name])
 should contain_ironic_neutron_agent_config('ironic/user_domain_name').with_value(p[:user_domain_name])
diff --git a/spec/classes/neutron_designate_spec.rb b/spec/classes/neutron_designate_spec.rb
index 9e726720a..8c1bcdb7d 100644
--- a/spec/classes/neutron_designate_spec.rb
+++ b/spec/classes/neutron_designate_spec.rb
@@ -15,7 +15,7 @@ describe 'neutron::designate' do
 it 'configures designate in neutron.conf' do
 should contain_neutron_config('DEFAULT/external_dns_driver').with_value('designate')
 should contain_neutron_config('designate/url').with_value('http://ip/designate')
- should contain_neutron_config('designate/password').with_value('secret')
+ should contain_neutron_config('designate/password').with_value('secret').with_secret(true)
 should contain_neutron_config('designate/username').with_value('neutron')
 should contain_neutron_config('designate/auth_type').with_value('password')
 should contain_neutron_config('designate/project_name').with_value('services')
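Review bot: The added `.with_secret(true)` assertions only check that the manifest sets the parameter; they do not show that setting it changes what Puppet logs, and the diffstat in the patch header lists no spec for the `ironic_neutron_agent_config` type where the new `is_to_s`/`should_to_s` overrides live. A short type-level example that instantiates the resource with `secret => true` and asserts the two methods return `'[old secret redacted]'` and `'[new secret redacted]'` (and the raw value when `secret` is false) would pin the behaviour this commit is actually introducing. The `it` block in the second hunk starts inside the hunk but its `end` lies outside it.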
@@ -42,7 +42,7 @@ describe 'neutron::designate' do
 it 'configures designate in neutron.conf' do
 should contain_neutron_config('DEFAULT/external_dns_driver').with_value('designate')
 should contain_neutron_config('designate/url').with_value('http://ip/designate')
- should contain_neutron_config('designate/password').with_value('secret')
+ should contain_neutron_config('designate/password').with_value('secret').with_secret(true)
 should contain_neutron_config('designate/username').with_value('user')
 should contain_neutron_config('designate/auth_type').with_value('token')
 should contain_neutron_config('designate/project_id').with_value('id1')