Use Sensitive data type to prevent leaking credentials

Author: gfa

manifests/database/postgresql.pp

@@ -1,15 +1,15 @@
 # Class for creating the PuppetDB postgresql database. See README.md for more
 # information.
 class puppetdb::database::postgresql(
-  $listen_addresses     = $puppetdb::params::database_host,
-  $database_name        = $puppetdb::params::database_name,
-  $database_username    = $puppetdb::params::database_username,
-  $database_password    = $puppetdb::params::database_password,
-  $database_port        = $puppetdb::params::database_port,
-  $manage_database      = $puppetdb::params::manage_database,
-  $manage_server        = $puppetdb::params::manage_dbserver,
-  $manage_package_repo  = $puppetdb::params::manage_pg_repo,
-  $postgres_version     = $puppetdb::params::postgres_version,
+  $listen_addresses            = $puppetdb::params::database_host,
+  $database_name               = $puppetdb::params::database_name,
+  $database_username           = $puppetdb::params::database_username,
+  Sensitive $database_password = $puppetdb::params::database_password,
+  $database_port               = $puppetdb::params::database_port,
+  $manage_database             = $puppetdb::params::manage_database,
+  $manage_server               = $puppetdb::params::manage_dbserver,
+  $manage_package_repo         = $puppetdb::params::manage_pg_repo,
+  $postgres_version            = $puppetdb::params::postgres_version,
 ) inherits puppetdb::params {
 
   if $manage_server {

manifests/init.pp

@@ -29,7 +29,7 @@
   $database_host                           = $puppetdb::params::database_host,
   $database_port                           = $puppetdb::params::database_port,
   $database_username                       = $puppetdb::params::database_username,
-  $database_password                       = $puppetdb::params::database_password,
+  Sensitive $database_password             = $puppetdb::params::database_password,
   $database_name                           = $puppetdb::params::database_name,
   $manage_db_password                      = $puppetdb::params::manage_db_password,
   $jdbc_ssl_properties                     = $puppetdb::params::jdbc_ssl_properties,
@@ -55,7 +55,7 @@
   $read_database_host                      = $puppetdb::params::read_database_host,
   $read_database_port                      = $puppetdb::params::read_database_port,
   $read_database_username                  = $puppetdb::params::read_database_username,
-  $read_database_password                  = $puppetdb::params::read_database_password,
+  Sensitive $read_database_password        = $puppetdb::params::read_database_password,
   $read_database_name                      = $puppetdb::params::read_database_name,
   $manage_read_db_password                 = $puppetdb::params::manage_read_db_password,
   $read_database_jdbc_ssl_properties       = $puppetdb::params::read_database_jdbc_ssl_properties,

manifests/params.pp

@@ -24,18 +24,18 @@
   } else {
     $manage_pg_repo            = false
   }
-  $postgres_version          = '9.6'
+  $postgres_version            = '9.6'
 
   # The remaining database settings are not used for an embedded database
-  $database_host          = 'localhost'
-  $database_port          = '5432'
-  $database_name          = 'puppetdb'
-  $database_username      = 'puppetdb'
-  $database_password      = 'puppetdb'
-  $manage_db_password     = true
-  $jdbc_ssl_properties    = ''
-  $database_validate      = true
-  $database_max_pool_size = undef
+  $database_host               = 'localhost'
+  $database_port               = '5432'
+  $database_name               = 'puppetdb'
+  $database_username           = 'puppetdb'
+  $database_password           = 'puppetdb'
+  $manage_db_password          = true
+  $jdbc_ssl_properties         = ''
+  $database_validate           = true
+  $database_max_pool_size      = undef
 
   # These settings manage the various auto-deactivation and auto-purge settings
   $node_ttl               = '7d'

manifests/server/database.pp

@@ -1,30 +1,30 @@
 # PRIVATE CLASS - do not use directly
 class puppetdb::server::database (
-  $database               = $puppetdb::params::database,
-  $database_host          = $puppetdb::params::database_host,
-  $database_port          = $puppetdb::params::database_port,
-  $database_username      = $puppetdb::params::database_username,
-  $database_password      = $puppetdb::params::database_password,
-  $database_name          = $puppetdb::params::database_name,
-  $manage_db_password     = $puppetdb::params::manage_db_password,
-  $jdbc_ssl_properties    = $puppetdb::params::jdbc_ssl_properties,
-  $database_validate      = $puppetdb::params::database_validate,
-  $database_embedded_path = $puppetdb::params::database_embedded_path,
-  $node_ttl               = $puppetdb::params::node_ttl,
-  $node_purge_ttl         = $puppetdb::params::node_purge_ttl,
-  $report_ttl             = $puppetdb::params::report_ttl,
-  $facts_blacklist        = $puppetdb::params::facts_blacklist,
-  $gc_interval            = $puppetdb::params::gc_interval,
-  $node_purge_gc_batch_limit  = $puppetdb::params::node_purge_gc_batch_limit,
-  $log_slow_statements    = $puppetdb::params::log_slow_statements,
-  $conn_max_age           = $puppetdb::params::conn_max_age,
-  $conn_keep_alive        = $puppetdb::params::conn_keep_alive,
-  $conn_lifetime          = $puppetdb::params::conn_lifetime,
-  $confdir                = $puppetdb::params::confdir,
-  $puppetdb_user          = $puppetdb::params::puppetdb_user,
-  $puppetdb_group         = $puppetdb::params::puppetdb_group,
-  $database_max_pool_size = $puppetdb::params::database_max_pool_size,
-  $migrate                = $puppetdb::params::migrate,
+  $database                    = $puppetdb::params::database,
+  $database_host               = $puppetdb::params::database_host,
+  $database_port               = $puppetdb::params::database_port,
+  $database_username           = $puppetdb::params::database_username,
+  Sensitive $database_password = $puppetdb::params::database_password,
+  $database_name               = $puppetdb::params::database_name,
+  $manage_db_password          = $puppetdb::params::manage_db_password,
+  $jdbc_ssl_properties         = $puppetdb::params::jdbc_ssl_properties,
+  $database_validate           = $puppetdb::params::database_validate,
+  $database_embedded_path      = $puppetdb::params::database_embedded_path,
+  $node_ttl                    = $puppetdb::params::node_ttl,
+  $node_purge_ttl              = $puppetdb::params::node_purge_ttl,
+  $report_ttl                  = $puppetdb::params::report_ttl,
+  $facts_blacklist             = $puppetdb::params::facts_blacklist,
+  $gc_interval                 = $puppetdb::params::gc_interval,
+  $node_purge_gc_batch_limit   = $puppetdb::params::node_purge_gc_batch_limit,
+  $log_slow_statements         = $puppetdb::params::log_slow_statements,
+  $conn_max_age                = $puppetdb::params::conn_max_age,
+  $conn_keep_alive             = $puppetdb::params::conn_keep_alive,
+  $conn_lifetime               = $puppetdb::params::conn_lifetime,
+  $confdir                     = $puppetdb::params::confdir,
+  $puppetdb_user               = $puppetdb::params::puppetdb_user,
+  $puppetdb_group              = $puppetdb::params::puppetdb_group,
+  $database_max_pool_size      = $puppetdb::params::database_max_pool_size,
+  $migrate                     = $puppetdb::params::migrate,
 ) inherits puppetdb::params {
 
   if str2bool($database_validate) {

manifests/server/read_database.pp

@@ -1,22 +1,22 @@
 # PRIVATE CLASS - do not use directly
 class puppetdb::server::read_database (
-  $database               = $puppetdb::params::read_database,
-  $database_host          = $puppetdb::params::read_database_host,
-  $database_port          = $puppetdb::params::read_database_port,
-  $database_username      = $puppetdb::params::read_database_username,
-  $database_password      = $puppetdb::params::read_database_password,
-  $database_name          = $puppetdb::params::read_database_name,
-  $manage_db_password     = $puppetdb::params::manage_read_db_password,
-  $jdbc_ssl_properties    = $puppetdb::params::read_database_jdbc_ssl_properties,
-  $database_validate      = $puppetdb::params::read_database_validate,
-  $log_slow_statements    = $puppetdb::params::read_log_slow_statements,
-  $conn_max_age           = $puppetdb::params::read_conn_max_age,
-  $conn_keep_alive        = $puppetdb::params::read_conn_keep_alive,
-  $conn_lifetime          = $puppetdb::params::read_conn_lifetime,
-  $confdir                = $puppetdb::params::confdir,
-  $puppetdb_user          = $puppetdb::params::puppetdb_user,
-  $puppetdb_group         = $puppetdb::params::puppetdb_group,
-  $database_max_pool_size = $puppetdb::params::read_database_max_pool_size,
+  $database                    = $puppetdb::params::read_database,
+  $database_host               = $puppetdb::params::read_database_host,
+  $database_port               = $puppetdb::params::read_database_port,
+  $database_username           = $puppetdb::params::read_database_username,
+  Sensitive $database_password = $puppetdb::params::read_database_password,
+  $database_name               = $puppetdb::params::read_database_name,
+  $manage_db_password          = $puppetdb::params::manage_read_db_password,
+  $jdbc_ssl_properties         = $puppetdb::params::read_database_jdbc_ssl_properties,
+  $database_validate           = $puppetdb::params::read_database_validate,
+  $log_slow_statements         = $puppetdb::params::read_log_slow_statements,
+  $conn_max_age                = $puppetdb::params::read_conn_max_age,
+  $conn_keep_alive             = $puppetdb::params::read_conn_keep_alive,
+  $conn_lifetime               = $puppetdb::params::read_conn_lifetime,
+  $confdir                     = $puppetdb::params::confdir,
+  $puppetdb_user               = $puppetdb::params::puppetdb_user,
+  $puppetdb_group              = $puppetdb::params::puppetdb_group,
+  $database_max_pool_size      = $puppetdb::params::read_database_max_pool_size,
 ) inherits puppetdb::params {
 
   # Only add the read database configuration if database host is defined.