From 5390ce7f6899f0c65418545e638c4fa586126daf Mon Sep 17 00:00:00 2001 From: Joshua Hoblitt Date: Mon, 1 Apr 2024 11:12:26 -0700 Subject: [PATCH 1/9] (profile::core::ipam) convert password param to Sensitive --- site/profile/manifests/core/ipam.pp | 4 ++-- spec/fixtures/hieradata/common.yaml | 7 +++++-- 2 files changed, 7 insertions(+), 4 deletions(-) diff --git a/site/profile/manifests/core/ipam.pp b/site/profile/manifests/core/ipam.pp index 3ae323a62a..7c8f916741 100644 --- a/site/profile/manifests/core/ipam.pp +++ b/site/profile/manifests/core/ipam.pp @@ -8,8 +8,8 @@ # phpIPAM database name # class profile::core::ipam ( - String $database = 'null', - String $password = 'null', + String[1] $database, + Sensitive[String[1]] $password, ) { include profile::core::letsencrypt diff --git a/spec/fixtures/hieradata/common.yaml b/spec/fixtures/hieradata/common.yaml index 2e3eef8674..d455cb73a3 100644 --- a/spec/fixtures/hieradata/common.yaml +++ b/spec/fixtures/hieradata/common.yaml @@ -6,16 +6,19 @@ lookup_options: convert_to: "Sensitive" '^tailscale::auth_key$': convert_to: "Sensitive" + '^profile::core::ipam::password$': + convert_to: "Sensitive" ccs_database::database: "comcamdbprod" ccs_database::password: "foo" -ipa::admin_password: "foofoofoofoo" # ipa master only -ipa::directory_services_password: "foofoofoofoo" # ipa master only foreman_proxy::plugin::dns::route53::aws_access_key: "foo" foreman_proxy::plugin::dns::route53::aws_secret_key: "foo" +ipa::admin_password: "foofoofoofoo" # ipa master only +ipa::directory_services_password: "foofoofoofoo" # ipa master only ipa::domain_join_password: "foofoofoofoo" # 8 char min profile::ccs::file_transfer::s3daemon_env_access: "foo" profile::ccs::file_transfer::s3daemon_env_secret: "foo" profile::ccs::postfix::auth: "foo" +profile::core::ipam::password: "foo" profile::core::monitoring::database: "foo" profile::core::monitoring::password: "foo" profile::core::monitoring::url: "foo" 
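Review bot: The new `Sensitive[String[1]] $password` is only declared in this hunk; the class body that consumes it runs past the hunk, and any place it is interpolated into a string, EPP template or resource attribute without handling the wrapper will yield the literal text `Sensitive [value redacted]` rather than the password. Check each use site and either pass the wrapped value straight to the resource (Puppet then marks the attribute sensitive in the catalog and redacts it from reports) or call `$password.unwrap` only where a plain string is genuinely needed. Note also that the `lookup_options` rule that turns a plain hiera string into `Sensitive` is added here only to the spec fixture; the deployed hieradata needs the same `'^profile::core::ipam::password$': convert_to: "Sensitive"` entry, otherwise catalog compilation fails the type check.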
From 90ed700c12f8823ee70ffaa7ac54c6af3901a1b4 Mon Sep 17 00:00:00 2001 From: Joshua Hoblitt Date: Mon, 1 Apr 2024 11:12:50 -0700 Subject: [PATCH 2/9] (profile::core::puppetboard) add explicit Sensitive type --- site/profile/manifests/core/puppetboard.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/site/profile/manifests/core/puppetboard.pp b/site/profile/manifests/core/puppetboard.pp index 13b9351d19..8c02907894 100644 --- a/site/profile/manifests/core/puppetboard.pp +++ b/site/profile/manifests/core/puppetboard.pp @@ -5,7 +5,7 @@ # The secret key to use for the puppetboard # class profile::core::puppetboard ( - Sensitive $secret_key, + Sensitive[String[1]] $secret_key, ) { docker::image { 'ghcr.io/voxpupuli/puppetboard': } From 533440e321ea4336e56795693ecd0fbf17f591ba Mon Sep 17 00:00:00 2001 From: Joshua Hoblitt Date: Mon, 1 Apr 2024 11:24:57 -0700 Subject: [PATCH 3/9] (profile::core::yum::lsst_ts_private) convert params to Sensitive --- site/profile/manifests/core/yum/lsst_ts_private.pp | 4 ++-- spec/classes/core/yum/lsst_ts_private_spec.rb | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/site/profile/manifests/core/yum/lsst_ts_private.pp b/site/profile/manifests/core/yum/lsst_ts_private.pp index 796a38e272..5c04d7d8f5 100644 --- a/site/profile/manifests/core/yum/lsst_ts_private.pp +++ b/site/profile/manifests/core/yum/lsst_ts_private.pp @@ -12,8 +12,8 @@ # class profile::core::yum::lsst_ts_private ( Optional[Hash] $repos = undef, - Optional[String] $username = undef, - Optional[String] $password = undef, + Optional[String[1]] $username = undef, + Optional[Sensitive[String[1]]] $password = undef, ) { if $repos { $_real_repos = $repos.map |String $k, Hash $h| { diff --git a/spec/classes/core/yum/lsst_ts_private_spec.rb b/spec/classes/core/yum/lsst_ts_private_spec.rb index b45689a1c0..846ab1a7a1 100644 --- a/spec/classes/core/yum/lsst_ts_private_spec.rb +++ b/spec/classes/core/yum/lsst_ts_private_spec.rb 
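Review bot: `$password` becomes `Optional[Sensitive[String[1]]]` while `$username` stays a plain `Optional[String[1]]`, which is inconsistent with `profile::ccs::common` later in this series, where the username may also arrive wrapped; consider `Optional[Variant[Sensitive[String[1]],String[1]]] $username = undef` so both can come from hiera under one `convert_to` rule. The `$repos.map` block that builds the repo resources continues beyond the hunk; the spec change shows the wrapped value being forwarded unchanged to the yumrepo `password` attribute, which should keep it out of reports, but the resulting `.repo` file still contains the plaintext, so the parameter doc should say so: `#   Repository password; Sensitive only protects logs/reports, the value is written in clear to the .repo file`.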
@@ -25,7 +25,7 @@ let(:params) do { username: 'foo', - password: 'bar', + password: sensitive('bar'), } end @@ -37,7 +37,7 @@ ensure: 'present', enabled: true, username: 'foo', - password: 'bar', + password: sensitive('bar'), ) end end From 52d719dbb19231b7f2119bdd9e7920bf7d509cde Mon Sep 17 00:00:00 2001 From: Joshua Hoblitt Date: Mon, 1 Apr 2024 12:02:55 -0700 Subject: [PATCH 4/9] (Puppetfile) bump lsst/ipa to 37eb701 To allow password params to be Sensitive. --- Puppetfile | 2 +- spec/fixtures/hieradata/common.yaml | 6 ++++++ 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/Puppetfile b/Puppetfile index 683fb728f4..6382ed5001 100644 --- a/Puppetfile +++ b/Puppetfile @@ -24,7 +24,7 @@ mod 'lsst/daq', '2.3.0' mod 'lsst/dellperc', '2.0.0' mod 'lsst/foreman_envsync', '2.1.0' mod 'lsst/helm_binary', '2.1.0' -mod 'lsst/ipa', git: 'https://github.com/lsst-it/puppet-ipa', ref: '8ec66d1' +mod 'lsst/ipa', git: 'https://github.com/lsst-it/puppet-ipa', ref: '37eb701' mod 'lsst/java_artisanal', '3.3.0' mod 'lsst/kubectl', '1.1.0' mod 'lsst/maven', '3.1.0' diff --git a/spec/fixtures/hieradata/common.yaml b/spec/fixtures/hieradata/common.yaml index d455cb73a3..5478b8d8dd 100644 --- a/spec/fixtures/hieradata/common.yaml +++ b/spec/fixtures/hieradata/common.yaml @@ -8,6 +8,12 @@ lookup_options: convert_to: "Sensitive" '^profile::core::ipam::password$': convert_to: "Sensitive" + '^ipa::domain_join_+$': + convert_to: "Sensitive" + '^ipa::directory_services_password$': + convert_to: "Sensitive" + '^ipa::admin_password$': + convert_to: "Sensitive" ccs_database::database: "comcamdbprod" ccs_database::password: "foo" foreman_proxy::plugin::dns::route53::aws_access_key: "foo" From 717e216719b8bebb41dae0bee3a3e6cb41daa306 Mon Sep 17 00:00:00 2001 
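Review bot: The new lookup_options key `'^ipa::domain_join_+$'` never matches `ipa::domain_join_password`: `_+` means one or more underscores, so the pattern only matches the literal prefix followed by underscores. That fixture value therefore stays a plain String while `ipa::admin_password` and `ipa::directory_services_password` are converted, which defeats the purpose of the bump if the new lsst/ipa ref types it as Sensitive. Use the explicit key, `'^ipa::domain_join_password$': convert_to: "Sensitive"`, matching the style of the two entries below it.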
From: Joshua Hoblitt Date: Mon, 1 Apr 2024 12:31:48 -0700 Subject: [PATCH 5/9] (profile::ccs::common) convert pkgurl_{user,pass} params to Sensitive --- site/profile/manifests/ccs/cfs.pp | 4 ++-- site/profile/manifests/ccs/common.pp | 12 ++++++------ site/profile/manifests/ccs/el9.pp | 8 ++++---- site/profile/manifests/ccs/file_transfer.pp | 8 ++++---- site/profile/manifests/ccs/graphical.pp | 4 ++-- spec/classes/ccs/file_transfer_spec.rb | 4 ++-- spec/fixtures/hieradata/common.yaml | 4 ++++ 7 files changed, 24 insertions(+), 20 deletions(-) diff --git a/site/profile/manifests/ccs/cfs.pp b/site/profile/manifests/ccs/cfs.pp index 26531622df..f70e9366ed 100644 --- a/site/profile/manifests/ccs/cfs.pp +++ b/site/profile/manifests/ccs/cfs.pp @@ -6,8 +6,8 @@ archive { $cfs_tmp: ensure => present, source => "${profile::ccs::common::pkgurl}/cfs", - username => $profile::ccs::common::pkgurl_user, - password => $profile::ccs::common::pkgurl_pass, + username => $profile::ccs::common::pkgurl_user.unwrap, + password => $profile::ccs::common::pkgurl_pass.unwrap, } file { '/usr/local/bin/cfs': ensure => file, diff --git a/site/profile/manifests/ccs/common.pp b/site/profile/manifests/ccs/common.pp index a0daefcc1d..bcccbc9faf 100644 --- a/site/profile/manifests/ccs/common.pp +++ b/site/profile/manifests/ccs/common.pp 
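Review bot: Calling `.unwrap` before handing `pkgurl_user`/`pkgurl_pass` to the `archive` resource strips the Sensitive wrapper at the point where it does the most good: a wrapped value passed to a resource attribute is marked sensitive in the catalog and redacted from reports and logs, whereas the unwrapped string is stored and transmitted in clear. Unless the pinned puppet-archive is known to reject Sensitive attribute values, prefer `username => $profile::ccs::common::pkgurl_user,` and `password => $profile::ccs::common::pkgurl_pass,`. Note also that `pkgurl_user` is declared `Variant[Sensitive[String[1]],String[1]]` in `profile::ccs::common`, so `.unwrap` may be applied to a plain String; older Puppet releases raise on that, so if the unwrap is kept the module should pin a minimum Puppet version that accepts it.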
@@ -1,22 +1,22 @@ # @summary # Common functionality needed by ccs nodes. # -# @param sysctls -# if `true`, enable `profile::ccs::sysctl` sysctls. -# @param pkgurl -# String specifying URL to fetch sources from # @param pkgurl_user # String specifying username for pkgurl # @param pkgurl_pass # String specifying password for pkgurl +# @param sysctls +# if `true`, enable `profile::ccs::sysctl` sysctls. +# @param pkgurl +# String specifying URL to fetch sources from # @param packages # Optional list of packages to install. # class profile::ccs::common ( + Variant[Sensitive[String[1]],String[1]] $pkgurl_user, + Sensitive[String[1]] $pkgurl_pass, Boolean $sysctls = true, String $pkgurl = 'https://example.org', - String $pkgurl_user = 'someuser', - String $pkgurl_pass = 'somepass', Optional[Array[String[1]]] $packages = undef, ) { include clustershell diff --git a/site/profile/manifests/ccs/el9.pp b/site/profile/manifests/ccs/el9.pp index 27986173e9..fa31b18f36 100644 --- a/site/profile/manifests/ccs/el9.pp +++ b/site/profile/manifests/ccs/el9.pp @@ -15,8 +15,8 @@ 'compat-bin' => 'compat-bin-1.0.0-1.el9.noarch.rpm', }, String $pkgurl = $profile::ccs::common::pkgurl, - String $pkgurl_user = $profile::ccs::common::pkgurl_user, - String $pkgurl_pass = $profile::ccs::common::pkgurl_pass, + Variant[Sensitive[String[1]],String[1]] $pkgurl_user = $profile::ccs::common::pkgurl_user, + Sensitive[String[1]] $pkgurl_pass = $profile::ccs::common::pkgurl_pass, ) { $rpm_opts = { ensure => 'latest', @@ -29,8 +29,8 @@ archive { $file: ensure => present, source => "${pkgurl}/${rpm}", - username => $pkgurl_user, - password => $pkgurl_pass, + username => $pkgurl_user.unwrap, + password => $pkgurl_pass.unwrap, } package { $package: source => $file, diff --git a/site/profile/manifests/ccs/file_transfer.pp b/site/profile/manifests/ccs/file_transfer.pp index 2b8685a653..df61f915ba 100644 --- a/site/profile/manifests/ccs/file_transfer.pp +++ b/site/profile/manifests/ccs/file_transfer.pp 
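Review bot: The `@param pkgurl_user` / `@param pkgurl_pass` comments still read `String specifying ...` although the parameters are now typed `Variant[Sensitive[String[1]],String[1]]` and `Sensitive[String[1]]`, so the generated docs contradict the signature. Suggested wording: `#   Username for pkgurl; may be supplied plain or wrapped in Sensitive` and `#   Password for pkgurl; must arrive as Sensitive (use a hiera lookup_options convert_to rule)`. Minor style point: a space after the comma in the Variant type, `Variant[Sensitive[String[1]], String[1]]`, is the usual puppet-lint form.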
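Review bot: In the `archive { $file: ... }` resource the `.unwrap` on `$pkgurl_user` and `$pkgurl_pass` discards the redaction that passing the Sensitive value directly would give in the catalog and reports. Prefer `username => $pkgurl_user,` and `password => $pkgurl_pass,` here, as for the other archive call sites in this patch, unless the pinned puppet-archive rejects wrapped values. The loop that declares this resource starts outside the hunk.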
@@ -58,8 +58,8 @@ String $secret = "export MC_HOST_oga=localhost\n", String $secret_file = 'mc-secret', String $pkgurl = $profile::ccs::common::pkgurl, - String $pkgurl_user = $profile::ccs::common::pkgurl_user, - String $pkgurl_pass = $profile::ccs::common::pkgurl_pass, + Variant[Sensitive[String[1]],String[1]] $pkgurl_user = $profile::ccs::common::pkgurl_user, + Sensitive[String[1]] $pkgurl_pass = $profile::ccs::common::pkgurl_pass, ) { $parent = "${dirname($directory)}" @@ -209,8 +209,8 @@ archive { "/var/tmp/${binfile}": ensure => present, source => "${pkgurl}/${binfile}", - username => $pkgurl_user, - password => $pkgurl_pass, + username => $pkgurl_user.unwrap, + password => $pkgurl_pass.unwrap, } file { "${directory}/${binfile}": ensure => file, diff --git a/site/profile/manifests/ccs/graphical.pp b/site/profile/manifests/ccs/graphical.pp index 0d313ebea4..2065de52f6 100644 --- a/site/profile/manifests/ccs/graphical.pp +++ b/site/profile/manifests/ccs/graphical.pp @@ -79,8 +79,8 @@ archive { $zoomfile: ensure => present, source => "${profile::ccs::common::pkgurl}/${zoomrpm}", - username => $profile::ccs::common::pkgurl_user, - password => $profile::ccs::common::pkgurl_pass, + username => $profile::ccs::common::pkgurl_user.unwrap, + password => $profile::ccs::common::pkgurl_pass.unwrap, } ## TODO use a local yum repository? diff --git a/spec/classes/ccs/file_transfer_spec.rb b/spec/classes/ccs/file_transfer_spec.rb index 8babdb4498..74ee90c633 100644 --- a/spec/classes/ccs/file_transfer_spec.rb +++ b/spec/classes/ccs/file_transfer_spec.rb @@ -11,8 +11,8 @@ let(:params) do { pkgurl: 'https://example.org', - pkgurl_user: 'user', - pkgurl_pass: 'pass', + pkgurl_user: sensitive('user'), + pkgurl_pass: sensitive('pass'), s3daemon: true, } end diff --git a/spec/fixtures/hieradata/common.yaml b/spec/fixtures/hieradata/common.yaml index 5478b8d8dd..c4841a75ab 100644 --- a/spec/fixtures/hieradata/common.yaml +++ b/spec/fixtures/hieradata/common.yaml 
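Review bot: The `archive { "/var/tmp/${binfile}": ... }` resource unwraps `$pkgurl_pass` before passing it, so the password goes into the catalog and report in clear even though the parameter is now Sensitive; the same applies to the `$zoomfile` archive in graphical.pp. Pass the wrapped value, `password => $pkgurl_pass,`, and let Puppet mark the attribute sensitive, unless the pinned puppet-archive is known to reject it. The resource sits in a body that begins and ends outside the hunk.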
@@ -14,6 +14,8 @@ lookup_options: convert_to: "Sensitive" '^ipa::admin_password$': convert_to: "Sensitive" + '^profile::ccs::common::pkgurl_.+$': + convert_to: "Sensitive" ccs_database::database: "comcamdbprod" ccs_database::password: "foo" foreman_proxy::plugin::dns::route53::aws_access_key: "foo" @@ -21,6 +23,8 @@ foreman_proxy::plugin::dns::route53::aws_secret_key: "foo" ipa::admin_password: "foofoofoofoo" # ipa master only ipa::directory_services_password: "foofoofoofoo" # ipa master only ipa::domain_join_password: "foofoofoofoo" # 8 char min +profile::ccs::common::pkgurl_pass: "foo" +profile::ccs::common::pkgurl_user: "foo" profile::ccs::file_transfer::s3daemon_env_access: "foo" profile::ccs::file_transfer::s3daemon_env_secret: "foo" profile::ccs::postfix::auth: "foo" From e73ed64e53ea4d63dc755337106a5833c0ed4c73 Mon Sep 17 00:00:00 2001 From: Joshua Hoblitt Date: Mon, 1 Apr 2024 12:48:58 -0700 Subject: [PATCH 6/9] (profile::ccs::file_transfer) convert s3daemon_env* params to Sensitive --- site/profile/manifests/ccs/file_transfer.pp | 8 ++++---- .../templates/ccs/file_transfer/s3daemon_envfile.epp | 4 ++-- spec/fixtures/hieradata/common.yaml | 5 +++++ spec/hosts/nodes/lsstcam-dc01.ls.lsst.org_spec.rb | 2 +- spec/hosts/roles/comcam_fp_spec.rb | 2 +- 5 files changed, 13 insertions(+), 8 deletions(-) diff --git a/site/profile/manifests/ccs/file_transfer.pp b/site/profile/manifests/ccs/file_transfer.pp index df61f915ba..85e037bd6f 100644 --- a/site/profile/manifests/ccs/file_transfer.pp +++ b/site/profile/manifests/ccs/file_transfer.pp @@ -41,8 +41,8 @@ # String giving s3daemon secret key # class profile::ccs::file_transfer ( - String[1] $s3daemon_env_access, - String[1] $s3daemon_env_secret, + Sensitive[String[1]] $s3daemon_env_access, + Sensitive[String[1]] $s3daemon_env_secret, Boolean $s3daemon = false, Stdlib::HTTPUrl $s3daemon_repo_url = 'https://github.com/lsst-dm/s3daemon', Optional[String[1]] $s3daemon_repo_rev = undef, 
@@ -55,7 +55,7 @@ String $repo_directory = '/home/ccs-ipa/file-transfer', String $repo_url = 'https://github.com/lsst-camera-dh/ccs-data-transfer', String $repo_ref = 'main', - String $secret = "export MC_HOST_oga=localhost\n", + Sensitive[String[1]] $secret = "export MC_HOST_oga=localhost\n", String $secret_file = 'mc-secret', String $pkgurl = $profile::ccs::common::pkgurl, Variant[Sensitive[String[1]],String[1]] $pkgurl_user = $profile::ccs::common::pkgurl_user, @@ -196,7 +196,7 @@ } file { "${directory}/${secret_file}": - content => "${secret}\n", + content => "${secret.unwrap}\n", owner => $user, group => $group, mode => '0600', diff --git a/site/profile/templates/ccs/file_transfer/s3daemon_envfile.epp b/site/profile/templates/ccs/file_transfer/s3daemon_envfile.epp index 081ec442bc..21b40c2d04 100644 --- a/site/profile/templates/ccs/file_transfer/s3daemon_envfile.epp +++ b/site/profile/templates/ccs/file_transfer/s3daemon_envfile.epp @@ -1,6 +1,6 @@ <%- | String $url, - String $access, - String $secret + Sensitive[String[1]] $access, + Sensitive[String[1]] $secret | -%> S3_ENDPOINT_URL=<%= $url %> AWS_ACCESS_KEY_ID=<%= $access %> diff --git a/spec/fixtures/hieradata/common.yaml b/spec/fixtures/hieradata/common.yaml index c4841a75ab..186f72860e 100644 --- a/spec/fixtures/hieradata/common.yaml +++ b/spec/fixtures/hieradata/common.yaml @@ -16,6 +16,10 @@ lookup_options: convert_to: "Sensitive" '^profile::ccs::common::pkgurl_.+$': convert_to: "Sensitive" + '^profile::ccs::file_transfer::s3daemon_env_.+$': + convert_to: "Sensitive" + '^profile::ccs::file_transfer::secret$': + convert_to: "Sensitive" ccs_database::database: "comcamdbprod" ccs_database::password: "foo" foreman_proxy::plugin::dns::route53::aws_access_key: "foo" 
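Review bot: The default `"export MC_HOST_oga=localhost\n"` is a plain String, but the parameter is now typed `Sensitive[String[1]]`, so any node that does not set `profile::ccs::file_transfer::secret` in hiera fails catalog compilation with a type mismatch; the spec passes only because the fixture adds a `secret: "foo"` value plus a `convert_to` rule. Wrap the default: `Sensitive[String[1]] $secret = Sensitive("export MC_HOST_oga=localhost\n"),`. The parameter list continues on both sides of the hunk.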
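Review bot: Interpolating `${secret.unwrap}` into the `content` string puts the secret back into the catalog in clear and lets `show_diff` print it on change; the `file` type accepts a Sensitive `content` directly and then redacts the diff. Use `content => Sensitive("${secret.unwrap}\n"),`, and consider dropping the appended `\n`, since the default value already ends in one and the file currently gets a blank trailing line. The `mode => '0600'` already limits exposure on disk.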
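Review bot: The template parameters are now typed `Sensitive[String[1]]`, yet the body still emits them with `<%= $access %>`; string conversion of a Sensitive value yields the literal text `Sensitive [value redacted]`, so the rendered env file will contain `AWS_ACCESS_KEY_ID=Sensitive [value redacted]` instead of the key, and presumably the same for the `AWS_SECRET_ACCESS_KEY` line beyond the hunk. Either keep the template parameters as `String[1]` and unwrap at the `epp()` call, or unwrap in the template: `AWS_ACCESS_KEY_ID=<%= $access.unwrap %>`. The `epp()` call site and the rest of the template are outside the hunk, and none of the spec changes in this series assert on the envfile contents, so the tests would not catch this.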
@@ -27,6 +31,7 @@ profile::ccs::common::pkgurl_pass: "foo" profile::ccs::common::pkgurl_user: "foo" profile::ccs::file_transfer::s3daemon_env_access: "foo" profile::ccs::file_transfer::s3daemon_env_secret: "foo" +profile::ccs::file_transfer::secret: "foo" profile::ccs::postfix::auth: "foo" profile::core::ipam::password: "foo" profile::core::monitoring::database: "foo" diff --git a/spec/hosts/nodes/lsstcam-dc01.ls.lsst.org_spec.rb b/spec/hosts/nodes/lsstcam-dc01.ls.lsst.org_spec.rb index 57100a8d31..10dbcbb1f0 100644 --- a/spec/hosts/nodes/lsstcam-dc01.ls.lsst.org_spec.rb +++ b/spec/hosts/nodes/lsstcam-dc01.ls.lsst.org_spec.rb @@ -121,7 +121,7 @@ ) end - it { is_expected.to contain_file('/home/ccs-ipa/bin/mc-secret').with_content(%r{^export MC_HOST_oga=}) } + it { is_expected.to contain_file('/home/ccs-ipa/bin/mc-secret').with_content(%r{^foo$}) } end # on os end # on_supported_os end diff --git a/spec/hosts/roles/comcam_fp_spec.rb b/spec/hosts/roles/comcam_fp_spec.rb index 6ef4ee9a19..364d021822 100644 --- a/spec/hosts/roles/comcam_fp_spec.rb +++ b/spec/hosts/roles/comcam_fp_spec.rb @@ -43,7 +43,7 @@ ) end - it { is_expected.to contain_file('/home/ccs-ipa/bin/mc-secret').with_content(%r{^export MC_HOST_oga=}) } + it { is_expected.to contain_file('/home/ccs-ipa/bin/mc-secret').with_content(%r{^foo$}) } end # host end # lsst_sites end # on os From 54be99f5f470a72ba8727bb54ebe8ce8b991d5d5 Mon Sep 17 00:00:00 2001 From: Joshua Hoblitt Date: Mon, 1 Apr 2024 12:53:41 -0700 Subject: [PATCH 7/9] (restic) convert id, key, and password params to Sensitive --- spec/fixtures/hieradata/common.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/spec/fixtures/hieradata/common.yaml b/spec/fixtures/hieradata/common.yaml index 186f72860e..4cce15b088 100644 --- a/spec/fixtures/hieradata/common.yaml +++ b/spec/fixtures/hieradata/common.yaml 
@@ -20,6 +20,8 @@ lookup_options: convert_to: "Sensitive" '^profile::ccs::file_transfer::secret$': convert_to: "Sensitive" + '^restic::(id|key|password)$': + convert_to: "Sensitive" ccs_database::database: "comcamdbprod" ccs_database::password: "foo" foreman_proxy::plugin::dns::route53::aws_access_key: "foo" From 1ab81bedcb9a5bff4ce1bc9f4b062dd8ba473d3a Mon Sep 17 00:00:00 2001 From: Joshua Hoblitt Date: Mon, 1 Apr 2024 14:15:55 -0700 Subject: [PATCH 8/9] (profile::core::letsencrypt) convert aws_credentials param to Sensitive --- site/profile/manifests/core/letsencrypt.pp | 6 +++--- spec/classes/core/letsencrypt_spec.rb | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/site/profile/manifests/core/letsencrypt.pp b/site/profile/manifests/core/letsencrypt.pp index b30c3afc80..753d013b26 100644 --- a/site/profile/manifests/core/letsencrypt.pp +++ b/site/profile/manifests/core/letsencrypt.pp @@ -28,8 +28,8 @@ # @param aws_credentials # `.aws/credentials` format string for aws route53 credentials class profile::core::letsencrypt ( - Optional[Hash[String, Hash]] $certonly = undef, - Optional[String] $aws_credentials = undef, + Optional[Hash[String[1], Hash]] $certonly = undef, + Optional[Sensitive[String[1]]] $aws_credentials = undef, ) { include letsencrypt include letsencrypt::plugin::dns_route53 @@ -68,7 +68,7 @@ ensure => file, mode => '0600', backup => false, - content => $aws_credentials, + content => $aws_credentials.unwrap, ; } diff --git a/spec/classes/core/letsencrypt_spec.rb b/spec/classes/core/letsencrypt_spec.rb index 5ed6c8345d..9c26a8fb6a 100644 --- a/spec/classes/core/letsencrypt_spec.rb +++ b/spec/classes/core/letsencrypt_spec.rb @@ -68,7 +68,7 @@ context 'with aws_credentials param' do let(:params) do { - aws_credentials: 'foo', + aws_credentials: sensitive('foo'), } end From 259c1e85ce32df46dd0511f7a457465a182aa47c Mon Sep 17 00:00:00 2001 
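Review bot: The commit message says restic's `id`, `key` and `password` params are converted to Sensitive, but the only change is a `lookup_options` rule in the spec fixture; no `restic::id`/`restic::key`/`restic::password` keys are added to the fixture, so the rule matches nothing in the test run, and the deployed hieradata is untouched. If the restic module already types these as Sensitive, add the same rule to the real hiera and a fixture value that exercises it, e.g. `restic::password: "foo"`; otherwise retitle the commit to describe the fixture-only change.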
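Review bot: `content => $aws_credentials.unwrap` hands the `.aws/credentials` body to the `file` resource in clear; `file` accepts a Sensitive `content` value directly and then redacts the change diff in the report and under `show_diff`, so `content => $aws_credentials,` is the safer form (`backup => false` already keeps it out of the filebucket). Because the parameter is `Optional`, `.unwrap` on an unset value would also fail, so this presumes a guard on `$aws_credentials` earlier in the class, which is outside the hunk.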
From: Joshua Hoblitt Date: Mon, 1 Apr 2024 14:28:58 -0700 Subject: [PATCH 9/9] (profile::ccs::postfix) convert auth param to Sensitive --- site/profile/manifests/ccs/postfix.pp | 4 ++-- spec/fixtures/hieradata/common.yaml | 2 ++ 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/site/profile/manifests/ccs/postfix.pp b/site/profile/manifests/ccs/postfix.pp index ba92c4e111..8b8fd2a736 100644 --- a/site/profile/manifests/ccs/postfix.pp +++ b/site/profile/manifests/ccs/postfix.pp @@ -8,14 +8,14 @@ # List of postfix packages to install # class profile::ccs::postfix ( - String $auth, + Sensitive[String[1]] $auth, Array[String] $packages, ) { include postfix postfix::hash { '/etc/postfix/sasl_passwd': ensure => 'present', - content => $auth, + content => $auth.unwrap, } ensure_packages($packages) diff --git a/spec/fixtures/hieradata/common.yaml b/spec/fixtures/hieradata/common.yaml index 4cce15b088..32ea6dd0ed 100644 --- a/spec/fixtures/hieradata/common.yaml +++ b/spec/fixtures/hieradata/common.yaml @@ -22,6 +22,8 @@ lookup_options: convert_to: "Sensitive" '^restic::(id|key|password)$': convert_to: "Sensitive" + '^profile::ccs::postfix::auth$': + convert_to: "Sensitive" ccs_database::database: "comcamdbprod" ccs_database::password: "foo" foreman_proxy::plugin::dns::route53::aws_access_key: "foo"
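Review bot: `content => $auth.unwrap` passes the SASL credentials to `postfix::hash` in clear, so they appear unredacted in the catalog and reports. If the pinned postfix module's `postfix::hash` accepts a Sensitive `content` (check its declared type), use `content => $auth,` and let the underlying file resource redact it. The `@param auth` doc, outside the hunk, should also state that the value is written in plaintext to `/etc/postfix/sasl_passwd` regardless of the Sensitive wrapper.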