Hide secrets from puppet logs

Currently secrets like rabbit_password or admin_password are laked puppet logs when changed. This commit changes tempest_*_config and tempest_*_ini types adding a new parameter that triggers obfuscation the values in puppet logs. Change-Id: Iba5b111584ddeefafc4aa1e8401f93ace2abd3be Closes-Bug: #1328448
2014-07-12 02:29:28 +02:00 · 2014-07-12 02:29:28 +02:00 · 59fa10e72b
commit 59fa10e72b
parent d4aa6c7487
3 changed files with 30 additions and 3 deletions
--- a/lib/puppet/type/tempest_config.rb
+++ b/lib/puppet/type/tempest_config.rb
@ -14,6 +14,30 @@ Puppet::Type.newtype(:tempest_config) do
      value.capitalize! if value =~ /^(true|false)$/i
      value
    end
+
+    def is_to_s( currentvalue )
+      if resource.secret?
+        return '[old secret redacted]'
+      else
+        return currentvalue
+      end
+    end
+
+    def should_to_s( newvalue )
+      if resource.secret?
+        return '[new secret redacted]'
+      else
+        return newvalue
+      end
+    end
+  end
+
+  newparam(:secret, :boolean => true) do
+    desc 'Whether to hide the value from Puppet logs. Defaults to `false`.'
+
+    newvalues(:true, :false)
+
+    defaultto false
  end

  newparam(:path) do
--- a/manifests/init.pp
+++ b/manifests/init.pp
@ -138,14 +138,14 @@ class tempest(
    'compute/image_ssh_user':            value => $image_ssh_user;
    'compute/resize_available':          value => $resize_available;
    'compute/allow_tenant_isolation':    value => $allow_tenant_isolation;
-    'identity/admin_password':           value => $admin_password;
+    'identity/admin_password':           value => $admin_password, secret => true;
    'identity/admin_tenant_name':        value => $admin_tenant_name;
    'identity/admin_username':           value => $admin_username;
    'identity/admin_role':               value => $admin_role;
-    'identity/alt_password':             value => $alt_password;
+    'identity/alt_password':             value => $alt_password, secret => true;
    'identity/alt_tenant_name':          value => $alt_tenant_name;
    'identity/alt_username':             value => $alt_username;
-    'identity/password':                 value => $password;
+    'identity/password':                 value => $password, secret => true;
    'identity/tenant_name':              value => $tenant_name;
    'identity/uri':                      value => $identity_uri;
    'identity/username':                 value => $username;
--- a/spec/classes/tempest_spec.rb
+++ b/spec/classes/tempest_spec.rb
@ -155,13 +155,16 @@ describe 'tempest' do
          should contain_tempest_config('compute/resize_available').with(:value => nil)
          should contain_tempest_config('compute/allow_tenant_isolation').with(:value => nil)
          should contain_tempest_config('identity/admin_password').with(:value => nil)
+          should contain_tempest_config('identity/admin_password').with_secret( true )
          should contain_tempest_config('identity/admin_tenant_name').with(:value => nil)
          should contain_tempest_config('identity/admin_username').with(:value => nil)
          should contain_tempest_config('identity/admin_role').with(:value => nil)
          should contain_tempest_config('identity/alt_password').with(:value => nil)
+          should contain_tempest_config('identity/alt_password').with_secret( true )
          should contain_tempest_config('identity/alt_tenant_name').with(:value => nil)
          should contain_tempest_config('identity/alt_username').with(:value => nil)
          should contain_tempest_config('identity/password').with(:value => nil)
+          should contain_tempest_config('identity/password').with_secret( true )
          should contain_tempest_config('identity/tenant_name').with(:value => nil)
          should contain_tempest_config('identity/uri').with(:value => nil)
          should contain_tempest_config('identity/username').with(:value => nil)