From 45ecee290b9580c6a4b5ace72c551b63d61540b9 Mon Sep 17 00:00:00 2001
From: Tobias Urdin
Date: Fri, 23 Nov 2018 21:18:38 +0100
Subject: [PATCH] Set show_diff to false on certificates
Certificate should be considered secrets and we should not output the diffs. Also fixes up the testing to test all the parameters set on the file resources.
Closes-Bug: 1804884
Change-Id: I0db84f4b9d97bf22d06478ded126a1f209c9b69a
---
 manifests/certificates.pp | 60 ++++-----
 .../certificate-no-diff-4e4d156963752b6d.yaml | 8 ++
 spec/classes/octavia_certificates_spec.rb | 116 ++++++++++--------
 3 files changed, 104 insertions(+), 80 deletions(-)
 create mode 100644 releasenotes/notes/certificate-no-diff-4e4d156963752b6d.yaml
diff --git a/manifests/certificates.pp b/manifests/certificates.pp
index 2caa3cae..125c3d68 100644
--- a/manifests/certificates.pp
+++ b/manifests/certificates.pp
@@ -117,13 +117,14 @@ class octavia::certificates (
 tag => 'octavia-certificate',
 })
 file { $ca_certificate:
- ensure => file,
- content => $ca_certificate_data,
- group => $file_permission_owner,
- owner => $file_permission_group,
- mode => '0755',
- replace => true,
- tag => 'octavia-certificate',
+ ensure => file,
+ content => $ca_certificate_data,
+ group => $file_permission_owner,
+ owner => $file_permission_group,
+ mode => '0755',
+ replace => true,
+ show_diff => false,
+ tag => 'octavia-certificate',
 }
 }
 if $ca_private_key_data {
@@ -138,13 +139,14 @@ class octavia::certificates (
 tag => 'octavia-certificate',
 })
 file { $ca_private_key:
- ensure => file,
- content => $ca_private_key_data,
- group => $file_permission_owner,
- owner => $file_permission_group,
- mode => '0755',
- replace => true,
- tag => 'octavia-certificate',
+ ensure => file,
+ content => $ca_private_key_data,
+ group => $file_permission_owner,
+ owner => $file_permission_group,
+ mode => '0755',
+ replace => true,
+ show_diff => false,
+ tag => 'octavia-certificate',
 }
 }
 if $client_ca and $client_ca_data {
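Review bot: The re-added attribute lines in `file { $ca_certificate: }` still cross the two permission parameters: `group => $file_permission_owner` and `owner => $file_permission_group`, so any deployment that sets the owner and group parameters to different values gets them applied the wrong way round. The same swap is carried over unchanged into the `$ca_private_key` resource in the next hunk and the `$client_ca` and `$client_cert` resources in the two hunks after it. The spec in this patch only ever sets both to 'octavia', which is presumably why it passes. The lines should read `owner => $file_permission_owner,` and `group => $file_permission_group,` in all four resources. The enclosing class `octavia::certificates` starts and ends outside the hunk.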
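Review bot: `mode => '0755'` on `file { $ca_private_key: }` leaves the CA private key readable by every local user (and sets its execute bits), which undercuts the purpose of adding `show_diff => false` to keep the key material out of agent output. A private key needs at most owner read/write, so `mode => '0600',` would be the matching change here (or '0640' if a service group has to read it — TODO confirm who consumes the key), with the key.pem expectations in spec/classes/octavia_certificates_spec.rb updated to the same mode. The 0755 is pre-existing rather than introduced by this commit, but the commit re-emits the line and is the one claiming the key is a secret. The enclosing class starts and ends outside the hunk.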
@@ -156,13 +158,14 @@ class octavia::certificates (
 tag => 'octavia-certificate',
 })
 file { $client_ca:
- ensure => file,
- content => $client_ca_data,
- group => $file_permission_owner,
- owner => $file_permission_group,
- mode => '0755',
- replace => true,
- tag => 'octavia-certificate',
+ ensure => file,
+ content => $client_ca_data,
+ group => $file_permission_owner,
+ owner => $file_permission_group,
+ mode => '0755',
+ replace => true,
+ show_diff => false,
+ tag => 'octavia-certificate',
 }
 }
 if $client_cert_data {
@@ -177,13 +180,14 @@ class octavia::certificates (
 tag => 'octavia-certificate',
 })
 file { $client_cert:
- ensure => file,
- content => $client_cert_data,
- group => $file_permission_owner,
- owner => $file_permission_group,
- mode => '0755',
- replace => true,
- tag => 'octavia-certificate',
+ ensure => file,
+ content => $client_cert_data,
+ group => $file_permission_owner,
+ owner => $file_permission_group,
+ mode => '0755',
+ replace => true,
+ show_diff => false,
+ tag => 'octavia-certificate',
 }
 }
 }
diff --git a/releasenotes/notes/certificate-no-diff-4e4d156963752b6d.yaml b/releasenotes/notes/certificate-no-diff-4e4d156963752b6d.yaml
new file mode 100644
index 00000000..dcf75503
--- /dev/null
+++ b/releasenotes/notes/certificate-no-diff-4e4d156963752b6d.yaml
@@ -0,0 +1,8 @@
+---
+security:
+ - |
+ Certificate changes no longer shows diffs in output.
+fixes:
+ - |
+ Fixed a bug where certificate changes would show the diffs.
+ Certificate are now considered secrets and not displayed.
diff --git a/spec/classes/octavia_certificates_spec.rb b/spec/classes/octavia_certificates_spec.rb
index c1dd1937..06bc78dc 100644
--- a/spec/classes/octavia_certificates_spec.rb
+++ b/spec/classes/octavia_certificates_spec.rb
@@ -77,37 +77,34 @@ describe 'octavia::certificates' do
 it 'populates certificate files' do
 is_expected.to contain_file('/etc/octavia/ca.pem').with({
- 'ensure' => 'file',
- 'owner' => 'octavia',
- 'group' => 'octavia',
- 'mode' => '0755',
- 'tag' => 'octavia-certificate',
- })
- is_expected.to contain_file('/etc/octavia/ca.pem').with({
- 'content' => 'on_my_authority_this_is_a_certificate',
- 'tag' => 'octavia-certificate',
+ 'ensure' => 'file',
+ 'content' => 'on_my_authority_this_is_a_certificate',
+ 'owner' => 'octavia',
+ 'group' => 'octavia',
+ 'mode' => '0755',
+ 'replace' => true,
+ 'show_diff' => false,
+ 'tag' => 'octavia-certificate',
 })
 is_expected.to contain_file('/etc/octavia/key.pem').with({
- 'ensure' => 'file',
- 'owner' => 'octavia',
- 'group' => 'octavia',
- 'mode' => '0755',
- 'tag' => 'octavia-certificate',
- })
- is_expected.to contain_file('/etc/octavia/key.pem').with({
- 'content' => 'this_is_my_private_key_woot_woot',
- 'tag' => 'octavia-certificate',
+ 'ensure' => 'file',
+ 'content' => 'this_is_my_private_key_woot_woot',
+ 'owner' => 'octavia',
+ 'group' => 'octavia',
+ 'mode' => '0755',
+ 'replace' => true,
+ 'show_diff' => false,
+ 'tag' => 'octavia-certificate',
 })
 is_expected.to contain_file('/etc/octavia/client.pem').with({
- 'ensure' => 'file',
- 'owner' => 'octavia',
- 'group' => 'octavia',
- 'mode' => '0755',
- 'tag' => 'octavia-certificate',
- })
- is_expected.to contain_file('/etc/octavia/client.pem').with({
- 'content' => 'certainly_for_the_client',
- 'tag' => 'octavia-certificate',
+ 'ensure' => 'file',
+ 'content' => 'certainly_for_the_client',
+ 'owner' => 'octavia',
+ 'group' => 'octavia',
+ 'mode' => '0755',
+ 'replace' => true,
+ 'show_diff' => false,
+ 'tag' => 'octavia-certificate',
 })
 is_expected.to contain_file('/etc/octavia').with({
 'ensure' => 'directory',
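Review bot: The consolidated expectations assert `'owner' => 'octavia'` and `'group' => 'octavia'` with identical values, so they cannot detect that manifests/certificates.pp in this same patch assigns `$file_permission_owner` to `group` and `$file_permission_group` to `owner`. At least one example should drive the class with distinct owner and group values and assert each separately; as written, the three `.with({...})` blocks here would pass even with the attributes crossed. The same limitation applies to the `@@ -145` and `@@ -255` hunks below. The `it 'populates certificate files'` block ends outside the hunk.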
@@ -145,26 +142,35 @@ describe 'octavia::certificates' do
 it 'populates certificate files' do
 is_expected.to contain_file('/etc/octavia/ca.pem').with({
- 'ensure' => 'file',
- 'owner' => 'octavia',
- 'group' => 'octavia',
- 'mode' => '0755',
+ 'ensure' => 'file',
+ 'content' => 'on_my_authority_this_is_a_certificate',
+ 'owner' => 'octavia',
+ 'group' => 'octavia',
+ 'mode' => '0755',
+ 'replace' => true,
+ 'show_diff' => false,
+ 'tag' => 'octavia-certificate',
 })
- is_expected.to contain_file('/etc/octavia/ca.pem').with_content('on_my_authority_this_is_a_certificate')
 is_expected.to contain_file('/etc/octavia1/key.pem').with({
- 'ensure' => 'file',
- 'owner' => 'octavia',
- 'group' => 'octavia',
- 'mode' => '0755',
+ 'ensure' => 'file',
+ 'content' => 'this_is_my_private_key_woot_woot',
+ 'owner' => 'octavia',
+ 'group' => 'octavia',
+ 'mode' => '0755',
+ 'replace' => true,
+ 'show_diff' => false,
+ 'tag' => 'octavia-certificate',
 })
- is_expected.to contain_file('/etc/octavia1/key.pem').with_content('this_is_my_private_key_woot_woot')
 is_expected.to contain_file('/etc/octavia2/client.pem').with({
- 'ensure' => 'file',
- 'owner' => 'octavia',
- 'group' => 'octavia',
- 'mode' => '0755',
+ 'ensure' => 'file',
+ 'content' => 'certainly_for_the_client',
+ 'owner' => 'octavia',
+ 'group' => 'octavia',
+ 'mode' => '0755',
+ 'replace' => true,
+ 'show_diff' => false,
+ 'tag' => 'octavia-certificate',
 })
- is_expected.to contain_file('/etc/octavia2/client.pem').with_content('certainly_for_the_client')
 is_expected.to contain_file('/etc/octavia').with({
 'ensure' => 'directory',
 'owner' => 'octavia',
@@ -255,19 +261,25 @@ describe 'octavia::certificates' do
 it 'populates certificate files' do
 is_expected.to contain_file('/etc/octavia/ca.pem').with({
- 'ensure' => 'file',
- 'owner' => 'octavia',
- 'group' => 'octavia',
- 'mode' => '0755',
+ 'ensure' => 'file',
+ 'content' => 'my_ca_certificate',
+ 'owner' => 'octavia',
+ 'group' => 'octavia',
+ 'mode' => '0755',
+ 'replace' => true,
+ 'show_diff' => false,
+ 'tag' => 'octavia-certificate',
 })
- is_expected.to contain_file('/etc/octavia/ca.pem').with_content('my_ca_certificate')
 is_expected.to contain_file('/etc/octavia/client_ca.pem').with({
- 'ensure' => 'file',
- 'owner' => 'octavia',
- 'group' => 'octavia',
- 'mode' => '0755',
+ 'ensure' => 'file',
+ 'content' => 'my_client_ca',
+ 'owner' => 'octavia',
+ 'group' => 'octavia',
+ 'mode' => '0755',
+ 'replace' => true,
+ 'show_diff' => false,
+ 'tag' => 'octavia-certificate',
 })
- is_expected.to contain_file('/etc/octavia/client_ca.pem').with_content('my_client_ca')
 is_expected.to contain_file('/etc/octavia').with({
 'ensure' => 'directory',
 'owner' => 'octavia',