From 0fe3ae75cf8c27130db30a0e57f3b42135b883a4 Mon Sep 17 00:00:00 2001 From: Cocker Koch Date: Fri, 18 Jun 2021 00:01:14 +0200 Subject: [PATCH] Accept Puppet-Datatype Sensitive - let the Hash containing the Secrets for the Keystore accept Secrets of Datatype Sensitive - fix a 15-Months-old Typo-Bug - let api_basic_auth_password also be of Type Sensitive --- manifests/config.pp | 6 ++++- manifests/index.pp | 30 ++++++++++++++---------- manifests/init.pp | 2 +- manifests/license.pp | 30 ++++++++++++++---------- manifests/pipeline.pp | 30 ++++++++++++++---------- manifests/snapshot_repository.pp | 40 ++++++++++++++++++-------------- manifests/template.pp | 32 ++++++++++++++----------- 7 files changed, 102 insertions(+), 68 deletions(-) diff --git a/manifests/config.pp b/manifests/config.pp index 63975a10e..e654c7705 100644 --- a/manifests/config.pp +++ b/manifests/config.pp @@ -212,10 +212,14 @@ # Add secrets to keystore if $elasticsearch::secrets != undef { + # unwrap Secrets of Datatype Sensitive + $secrets = $elasticsearch::secrets.reduce( {}) |Hash $memo, Array $value| { + $memo + { $value[0] => if $value[1] =~ Sensitive { $value[1].unwrap } else { $value[1] } } + } elasticsearch_keystore { 'elasticsearch_secrets': configdir => $elasticsearch::configdir, purge => $elasticsearch::purge_secrets, - settings => $elasticsearch::secrets, + settings => $secrets, notify => $elasticsearch::_notify_service, } } diff --git a/manifests/index.pp b/manifests/index.pp index 1d8b07e66..8eb1d3069 100644 --- a/manifests/index.pp +++ b/manifests/index.pp 
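Review bot: The unwrapped `$secrets` hash built in the config.pp hunk reaches `elasticsearch_keystore` as ordinary data, so `settings` no longer carries a Sensitive marking. The keystore values may then appear in clear text in agent logs and reports whenever the resource changes. Puppet marks a resource attribute as sensitive only when the attribute value itself is a Sensitive, so consider re-wrapping the whole hash after the per-key unwrap: `settings => Sensitive($secrets),`. Whether the `elasticsearch_keystore` type already redacts `settings` on its own is not visible in this hunk, so confirm against the type before relying on either behaviour. The comment above the `reduce` could also say why the nested values have to be unwrapped, e.g. `# nested Sensitive values are not unwrapped for the provider, so flatten them here`.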
@@ -43,18 +43,24 @@ # @author Tyler Langlois # define elasticsearch::index ( - Enum['absent', 'present'] $ensure = 'present', - Optional[String] $api_basic_auth_password = $elasticsearch::api_basic_auth_password, - Optional[String] $api_basic_auth_username = $elasticsearch::api_basic_auth_username, - Optional[Stdlib::Absolutepath] $api_ca_file = $elasticsearch::api_ca_file, - Optional[Stdlib::Absolutepath] $api_ca_path = $elasticsearch::api_ca_path, - String $api_host = $elasticsearch::api_host, - Integer[0, 65535] $api_port = $elasticsearch::api_port, - Enum['http', 'https'] $api_protocol = $elasticsearch::api_protocol, - Integer $api_timeout = $elasticsearch::api_timeout, - Hash $settings = {}, - Boolean $validate_tls = $elasticsearch::validate_tls, + Enum['absent', 'present'] $ensure = 'present', + Optional[Variant[String, Sensitive[String]]] $api_basic_auth_password = $elasticsearch::api_basic_auth_password, + Optional[String] $api_basic_auth_username = $elasticsearch::api_basic_auth_username, + Optional[Stdlib::Absolutepath] $api_ca_file = $elasticsearch::api_ca_file, + Optional[Stdlib::Absolutepath] $api_ca_path = $elasticsearch::api_ca_path, + String $api_host = $elasticsearch::api_host, + Integer[0, 65535] $api_port = $elasticsearch::api_port, + Enum['http', 'https'] $api_protocol = $elasticsearch::api_protocol, + Integer $api_timeout = $elasticsearch::api_timeout, + Hash $settings = {}, + Boolean $validate_tls = $elasticsearch::validate_tls, ) { + $api_basic_auth_password_unsensitive = if $api_basic_auth_password =~ Sensitive { + $api_basic_auth_password.unwrap + } else { + $api_basic_auth_password + } + es_instance_conn_validator { "${name}-index-conn-validator": server => $api_host, port => $api_port, 
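Review bot: `$api_basic_auth_password_unsensitive` strips the Sensitive wrapper before the value reaches the `password` attribute changed in the following hunk, which discards the redaction the widened parameter type was meant to provide. The same block is repeated in license.pp, pipeline.pp, snapshot_repository.pp and template.pp. For native resource attributes Puppet unwraps a top-level Sensitive itself and flags the attribute so it is redacted in logs and reports, so keeping `password => $api_basic_auth_password,` unchanged should work with the new type and preserve the marking; confirm against the elasticsearch_* types, which are outside this patch. If the explicit unwrap has to stay, the five identical copies would be better as one shared function. The `@param api_basic_auth_password` documentation (outside the hunk) should also state that a Sensitive value is accepted.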
@@ -68,7 +74,7 @@ port => $api_port, timeout => $api_timeout, username => $api_basic_auth_username, - password => $api_basic_auth_password, + password => $api_basic_auth_password_unsensitive, ca_file => $api_ca_file, ca_path => $api_ca_path, validate_tls => $validate_tls, diff --git a/manifests/init.pp b/manifests/init.pp index 55fc4e0f1..2a8234765 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -325,7 +325,7 @@ # class elasticsearch ( Enum['absent', 'present'] $ensure, - Optional[String] $api_basic_auth_password, + Optional[Variant[String, Sensitive[String]]] $api_basic_auth_password, Optional[String] $api_basic_auth_username, Optional[String] $api_ca_file, Optional[String] $api_ca_path, diff --git a/manifests/license.pp b/manifests/license.pp index 866b85775..1a032447f 100644 --- a/manifests/license.pp +++ b/manifests/license.pp 
@@ -42,18 +42,24 @@ # @author Tyler Langlois # class elasticsearch::license ( - Enum['absent', 'present'] $ensure = 'present', - Optional[String] $api_basic_auth_password = $elasticsearch::api_basic_auth_password, - Optional[String] $api_basic_auth_username = $elasticsearch::api_basic_auth_username, - Optional[Stdlib::Absolutepath] $api_ca_file = $elasticsearch::api_ca_file, - Optional[Stdlib::Absolutepath] $api_ca_path = $elasticsearch::api_ca_path, - String $api_host = $elasticsearch::api_host, - Integer[0, 65535] $api_port = $elasticsearch::api_port, - Enum['http', 'https'] $api_protocol = $elasticsearch::api_protocol, - Integer $api_timeout = $elasticsearch::api_timeout, - Variant[String, Hash] $content = $elasticsearch::license, - Boolean $validate_tls = $elasticsearch::validate_tls, + Enum['absent', 'present'] $ensure = 'present', + Optional[Variant[String, Sensitive[String]]] $api_basic_auth_password = $elasticsearch::api_basic_auth_password, + Optional[String] $api_basic_auth_username = $elasticsearch::api_basic_auth_username, + Optional[Stdlib::Absolutepath] $api_ca_file = $elasticsearch::api_ca_file, + Optional[Stdlib::Absolutepath] $api_ca_path = $elasticsearch::api_ca_path, + String $api_host = $elasticsearch::api_host, + Integer[0, 65535] $api_port = $elasticsearch::api_port, + Enum['http', 'https'] $api_protocol = $elasticsearch::api_protocol, + Integer $api_timeout = $elasticsearch::api_timeout, + Variant[String, Hash] $content = $elasticsearch::license, + Boolean $validate_tls = $elasticsearch::validate_tls, ) { + $api_basic_auth_password_unsensitive = if $api_basic_auth_password =~ Sensitive { + $api_basic_auth_password.unwrap + } else { + $api_basic_auth_password + } + if $content =~ String { $_content = parsejson($content) } else { 
@@ -80,7 +86,7 @@ port => $api_port, timeout => $api_timeout, username => $api_basic_auth_username, - password => $api_basic_auth_password, + password => $api_basic_auth_password_unsensitive, ca_file => $api_ca_file, ca_path => $api_ca_path, validate_tls => $validate_tls, diff --git a/manifests/pipeline.pp b/manifests/pipeline.pp index 64a3c72c7..655e003ea 100644 --- a/manifests/pipeline.pp +++ b/manifests/pipeline.pp 
@@ -45,18 +45,24 @@ # @author Tyler Langlois # define elasticsearch::pipeline ( - Enum['absent', 'present'] $ensure = 'present', - Optional[String] $api_basic_auth_password = $elasticsearch::api_basic_auth_password, - Optional[String] $api_basic_auth_username = $elasticsearch::api_basic_auth_username, - Optional[Stdlib::Absolutepath] $api_ca_file = $elasticsearch::api_ca_file, - Optional[Stdlib::Absolutepath] $api_ca_path = $elasticsearch::api_ca_path, - String $api_host = $elasticsearch::api_host, - Integer[0, 65535] $api_port = $elasticsearch::api_port, - Enum['http', 'https'] $api_protocol = $elasticsearch::api_protocol, - Integer $api_timeout = $elasticsearch::api_timeout, - Hash $content = {}, - Boolean $validate_tls = $elasticsearch::validate_tls, + Enum['absent', 'present'] $ensure = 'present', + Optional[Variant[String, Sensitive[String]]] $api_basic_auth_password = $elasticsearch::api_basic_auth_password, + Optional[String] $api_basic_auth_username = $elasticsearch::api_basic_auth_username, + Optional[Stdlib::Absolutepath] $api_ca_file = $elasticsearch::api_ca_file, + Optional[Stdlib::Absolutepath] $api_ca_path = $elasticsearch::api_ca_path, + String $api_host = $elasticsearch::api_host, + Integer[0, 65535] $api_port = $elasticsearch::api_port, + Enum['http', 'https'] $api_protocol = $elasticsearch::api_protocol, + Integer $api_timeout = $elasticsearch::api_timeout, + Hash $content = {}, + Boolean $validate_tls = $elasticsearch::validate_tls, ) { + $api_basic_auth_password_unsensitive = if $api_basic_auth_password =~ Sensitive { + $api_basic_auth_password.unwrap + } else { + $api_basic_auth_password + } + es_instance_conn_validator { "${name}-ingest-pipeline": server => $api_host, port => $api_port, 
@@ -70,7 +76,7 @@ port => $api_port, timeout => $api_timeout, username => $api_basic_auth_username, - password => $api_basic_auth_password, + password => $api_basic_auth_password_unsensitive, ca_file => $api_ca_file, ca_path => $api_ca_path, validate_tls => $validate_tls, diff --git a/manifests/snapshot_repository.pp b/manifests/snapshot_repository.pp index cf0e2e0a8..a246a7cc9 100644 --- a/manifests/snapshot_repository.pp +++ b/manifests/snapshot_repository.pp 
@@ -60,23 +60,29 @@ # @author Tyler Langlois # define elasticsearch::snapshot_repository ( - String $location, - Enum['absent', 'present'] $ensure = 'present', - Optional[String] $api_basic_auth_password = $elasticsearch::api_basic_auth_password, - Optional[String] $api_basic_auth_username = $elasticsearch::api_basic_auth_username, - Optional[Stdlib::Absolutepath] $api_ca_file = $elasticsearch::api_ca_file, - Optional[Stdlib::Absolutepath] $api_ca_path = $elasticsearch::api_ca_path, - String $api_host = $elasticsearch::api_host, - Integer[0, 65535] $api_port = $elasticsearch::api_port, - Enum['http', 'https'] $api_protocol = $elasticsearch::api_protocol, - Integer $api_timeout = $elasticsearch::api_timeout, - Boolean $compress = true, - Optional[String] $chunk_size = undef, - Optional[String] $max_restore_rate = undef, - Optional[String] $max_snapshot_rate = undef, - Optional[String] $repository_type = undef, - Boolean $validate_tls = $elasticsearch::validate_tls, + String $location, + Enum['absent', 'present'] $ensure = 'present', + Optional[Variant[String, Sensitive[String]]] $api_basic_auth_password = $elasticsearch::api_basic_auth_password, + Optional[String] $api_basic_auth_username = $elasticsearch::api_basic_auth_username, + Optional[Stdlib::Absolutepath] $api_ca_file = $elasticsearch::api_ca_file, + Optional[Stdlib::Absolutepath] $api_ca_path = $elasticsearch::api_ca_path, + String $api_host = $elasticsearch::api_host, + Integer[0, 65535] $api_port = $elasticsearch::api_port, + Enum['http', 'https'] $api_protocol = $elasticsearch::api_protocol, + Integer $api_timeout = $elasticsearch::api_timeout, + Boolean $compress = true, + Optional[String] $chunk_size = undef, + Optional[String] $max_restore_rate = undef, + Optional[String] $max_snapshot_rate = undef, + Optional[String] $repository_type = undef, + Boolean $validate_tls = $elasticsearch::validate_tls, ) { + $api_basic_auth_password_unsensitive = if $api_basic_auth_password =~ Sensitive { + 
$api_basic_auth_password.unwrap + } else { + $api_basic_auth_password + } + es_instance_conn_validator { "${name}-snapshot": server => $api_host, port => $api_port, @@ -95,7 +101,7 @@ port => $api_port, timeout => $api_timeout, username => $api_basic_auth_username, - password => $api_basic_auth_password, + password => $api_basic_auth_password_unsensitive, ca_file => $api_ca_file, ca_path => $api_ca_path, validate_tls => $validate_tls, diff --git a/manifests/template.pp b/manifests/template.pp index 3f1e07232..ef615c685 100644 --- a/manifests/template.pp +++ b/manifests/template.pp 
@@ -53,19 +53,25 @@ # @author Tyler Langlois # define elasticsearch::template ( - Enum['absent', 'present'] $ensure = 'present', - Optional[String] $api_basic_auth_password = $elasticsearch::api_basic_auth_password, - Optional[String] $api_basic_auth_username = $elasticsearch::api_basic_auth_username, - Optional[Stdlib::Absolutepath] $api_ca_file = $elasticsearch::api_ca_file, - Optional[Stdlib::Absolutepath] $api_ca_path = $elasticsearch::api_ca_path, - String $api_host = $elasticsearch::api_host, - Integer[0, 65535] $api_port = $elasticsearch::api_port, - Enum['http', 'https'] $api_protocol = $elasticsearch::api_protocol, - Integer $api_timeout = $elasticsearch::api_timeout, - Optional[Variant[String, Hash]] $content = undef, - Optional[String] $source = undef, - Boolean $validate_tls = $elasticsearch::validate_tls, + Enum['absent', 'present'] $ensure = 'present', + Optional[Variant[String, Sensitive[String]]] $api_basic_auth_password = $elasticsearch::api_basic_auth_password, + Optional[String] $api_basic_auth_username = $elasticsearch::api_basic_auth_username, + Optional[Stdlib::Absolutepath] $api_ca_file = $elasticsearch::api_ca_file, + Optional[Stdlib::Absolutepath] $api_ca_path = $elasticsearch::api_ca_path, + String $api_host = $elasticsearch::api_host, + Integer[0, 65535] $api_port = $elasticsearch::api_port, + Enum['http', 'https'] $api_protocol = $elasticsearch::api_protocol, + Integer $api_timeout = $elasticsearch::api_timeout, + Optional[Variant[String, Hash]] $content = undef, + Optional[String] $source = undef, + Boolean $validate_tls = $elasticsearch::validate_tls, ) { + $api_basic_auth_password_unsensitive = if $api_basic_auth_password =~ Sensitive { + $api_basic_auth_password.unwrap + } else { + $api_basic_auth_password + } + if $content =~ String { $_content = parsejson($content) } else { 
@@ -92,7 +98,7 @@ port => $api_port, timeout => $api_timeout, username => $api_basic_auth_username, - password => $api_basic_auth_password, + password => $api_basic_auth_password_unsensitive, ca_file => $api_ca_file, ca_path => $api_ca_path, validate_tls => $validate_tls,