From 9574607352f35e0eeeeb8d288541fd7c6ebe6d8d Mon Sep 17 00:00:00 2001
From: Ewoud Kohl van Wijngaarden
Date: Thu, 20 Jan 2022 12:51:53 +0100
Subject: [PATCH] Pass potentially Sensitive params as Sensitive

In 699f944c93b8cf3718b16e6b9de7143c1e55bbe8 the parameters started to accept Sensitive but it didn't default to Sensitive. They also weren't converting data coming from Hiera. This adds a data-in-modules setup and sets lookup_options for those. This means Kafo (which heavily relies on Hiera) will pass sensitive values. It also changes the data type to accept Sensitive[Undef] which is needed if Hiera unconditionally converts the value to Sensitive.

Fixes: 699f944c93b8cf3718b16e6b9de7143c1e55bbe8
---
 data/common.yaml | 9 +++++++++
 hiera.yaml | 10 ++++++++++
 manifests/cli.pp | 2 +-
 manifests/init.pp | 4 ++--
 manifests/params.pp | 8 ++++----
 5 files changed, 26 insertions(+), 7 deletions(-)
 create mode 100644 data/common.yaml
 create mode 100644 hiera.yaml

diff --git a/data/common.yaml b/data/common.yaml
new file mode 100644
index 000000000..3aef7d46c
--- /dev/null
+++ b/data/common.yaml
@@ -0,0 +1,9 @@
+lookup_options:
+ '^foreman::(\w_)+password$':
+ convert_to: "Sensitive"
+ '^foreman::oauth_consumer_(key|secret)$':
+ convert_to: "Sensitive"
+ foreman::cli::password:
+ convert_to: "Sensitive"
+ foreman::plugin::supervisory_authority::secret_token:
+ convert_to: "Sensitive"
diff --git a/hiera.yaml b/hiera.yaml
new file mode 100644
index 000000000..1815cee84
--- /dev/null
+++ b/hiera.yaml
@@ -0,0 +1,10 @@
+---
+version: 5
+
+defaults: # Used for any hierarchy level that omits these keys.
+ datadir: data # This path is relative to hiera.yaml's directory.
+ data_hash: yaml_data # Use the built-in YAML backend.
+
+hierarchy:
+ - name: "common"
+ path: "common.yaml"
diff --git a/manifests/cli.pp b/manifests/cli.pp
index 48e3ee8cd..3832330fb 100644
--- a/manifests/cli.pp
+++ b/manifests/cli.pp
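Review bot: The regex key `'^foreman::(\w_)+password$'` in the data/common.yaml hunk does not match the parameters it is meant to cover: `(\w_)+` only accepts a run of single-character-plus-underscore pairs, so anchored against `foreman::db_password`, `foreman::email_smtp_password` or `foreman::initial_admin_password` it fails at the second character and those Hiera values are never converted to Sensitive. Change it to `'^foreman::(\w+_)+password$':` (or simply `'^foreman::\w+_password$':`). The literal keys below it, such as `foreman::cli::password`, are unaffected. Without the fix a password supplied through Hiera still arrives as a plain String and is not redacted from the catalog and reports, which is the gap the commit message says it closes.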
@@ -30,7 +30,7 @@
 String $version = $foreman::cli::params::version,
 Boolean $manage_root_config = $foreman::cli::params::manage_root_config,
 Optional[String] $username = $foreman::cli::params::username,
- Optional[Variant[String, Sensitive[String]]] $password = $foreman::cli::params::password,
+ Variant[Optional[String], Sensitive[Optional[String]]] $password = $foreman::cli::params::password,
 Boolean $use_sessions = $foreman::cli::params::use_sessions,
 Boolean $refresh_cache = $foreman::cli::params::refresh_cache,
 Integer[-1] $request_timeout = $foreman::cli::params::request_timeout,
diff --git a/manifests/init.pp b/manifests/init.pp
index 3f173726c..6fcf46020 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -215,7 +215,7 @@
 Variant[Undef, Enum['UNSET'], Stdlib::Port] $db_port = 'UNSET',
 Optional[String] $db_database = 'UNSET',
 Optional[String] $db_username = $foreman::params::db_username,
- Optional[Variant[String, Sensitive[String]]] $db_password = $foreman::params::db_password,
+ Variant[Optional[String], Sensitive[Optional[String]]] $db_password = $foreman::params::db_password,
 Optional[String] $db_sslmode = 'UNSET',
 Optional[String] $db_root_cert = undef,
 Integer[0] $db_pool = $foreman::params::db_pool,
@@ -265,7 +265,7 @@
 Optional[Stdlib::Fqdn] $email_smtp_domain = $foreman::params::email_smtp_domain,
 Enum['none', 'plain', 'login', 'cram-md5'] $email_smtp_authentication = $foreman::params::email_smtp_authentication,
 Optional[String] $email_smtp_user_name = $foreman::params::email_smtp_user_name,
- Optional[Variant[String, Sensitive[String]]] $email_smtp_password = $foreman::params::email_smtp_password,
+ Variant[Optional[String], Sensitive[Optional[String]]] $email_smtp_password = $foreman::params::email_smtp_password,
 Optional[String] $email_reply_address = $foreman::params::email_reply_address,
 Optional[String] $email_subject_prefix = $foreman::params::email_subject_prefix,
 String $telemetry_prefix = $foreman::params::telemetry_prefix,
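Review bot: The widened type `Variant[Optional[String], Sensitive[Optional[String]]]` on `$password` now admits `Sensitive[Undef]`, so whatever unwraps `$password` further down the class (outside the hunk) has to treat a wrapped undef as "no password", not only a wrapped string; the same applies to `$db_password` and `$email_smtp_password` in the two manifests/init.pp hunks on this line. The default `$foreman::cli::params::password` comes from manifests/cli/params.pp, which is not in the diffstat, so presumably it is still a plain value while Hiera-supplied ones arrive wrapped; a consumer written as `$real_password = $password ? { Sensitive => $password.unwrap, default => $password }` copes with both. The `@param password` documentation above the signature should also state that a Sensitive value is accepted and that Hiera data is wrapped automatically via lookup_options. The class parameter list starts before and continues after the hunk.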
diff --git a/manifests/params.pp b/manifests/params.pp
index d661e9392..d532bb01b 100644
--- a/manifests/params.pp
+++ b/manifests/params.pp
@@ -32,7 +32,7 @@
 $db_username = 'foreman'
 # Generate and cache the password on the master once
 # In multi-puppetmaster setups, the user should specify their own
- $db_password = extlib::cache_data('foreman_cache_data', 'db_password', extlib::random_password(32))
+ $db_password = Sensitive(extlib::cache_data('foreman_cache_data', 'db_password', extlib::random_password(32)))
 # Default database connection pool
 $db_pool = 5
 # if enabled, will run rake jobs, which depend on the database
@@ -147,13 +147,13 @@
 # We need the REST API interface with OAuth for some REST Puppet providers
 $oauth_active = true
 $oauth_map_users = false
- $oauth_consumer_key = extlib::cache_data('foreman_cache_data', 'oauth_consumer_key', extlib::random_password(32))
- $oauth_consumer_secret = extlib::cache_data('foreman_cache_data', 'oauth_consumer_secret', extlib::random_password(32))
+ $oauth_consumer_key = Sensitive(extlib::cache_data('foreman_cache_data', 'oauth_consumer_key', extlib::random_password(32)))
+ $oauth_consumer_secret = Sensitive(extlib::cache_data('foreman_cache_data', 'oauth_consumer_secret', extlib::random_password(32)))
 $oauth_effective_user = 'admin'
 # Initial admin account details
 $initial_admin_username = 'admin'
- $initial_admin_password = extlib::cache_data('foreman_cache_data', 'admin_password', extlib::random_password(16))
+ $initial_admin_password = Sensitive(extlib::cache_data('foreman_cache_data', 'admin_password', extlib::random_password(16)))
 $initial_admin_first_name = undef
 $initial_admin_last_name = undef
 $initial_admin_email = undef
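Review bot: Wrapping the generated secret in `Sensitive()` on the `$db_password` line redacts it from the catalog and reports, but it does not change what `extlib::cache_data` keeps on the master: the comment above says the value is cached there, and presumably (confirm against extlib) that cache holds the unwrapped value, so the cache's file permissions remain the real protection for it. The comment could say so explicitly: `# Sensitive() only redacts the value from the catalog and reports; the cached copy on the master is not affected`. The same applies to `$oauth_consumer_key`, `$oauth_consumer_secret` and `$initial_admin_password` in the second params.pp hunk. The enclosing class body starts before and continues past both hunks.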