Mark passwords as Sensitive to prevent leaking credentials

gfa · gfa · commit 2e0a4d71993c · 2020-12-29T14:22:15.000+01:00
diff --git a/manifests/database/postgresql.pp b/manifests/database/postgresql.pp
@@ -1,15 +1,15 @@
 # Class for creating the PuppetDB postgresql database. See README.md for more
 # information.
 class puppetdb::database::postgresql(
-  $listen_addresses     = $puppetdb::params::database_host,
-  $database_name        = $puppetdb::params::database_name,
-  $database_username    = $puppetdb::params::database_username,
-  $database_password    = $puppetdb::params::database_password,
-  $database_port        = $puppetdb::params::database_port,
-  $manage_database      = $puppetdb::params::manage_database,
-  $manage_server        = $puppetdb::params::manage_dbserver,
-  $manage_package_repo  = $puppetdb::params::manage_pg_repo,
-  $postgres_version     = $puppetdb::params::postgres_version,
+  $listen_addresses    = $puppetdb::params::database_host,
+  $database_name       = $puppetdb::params::database_name,
+  $database_username   = $puppetdb::params::database_username,
+  $database_password   = $puppetdb::params::database_password,
+  $database_port       = $puppetdb::params::database_port,
+  $manage_database     = $puppetdb::params::manage_database,
+  $manage_server       = $puppetdb::params::manage_dbserver,
+  $manage_package_repo = $puppetdb::params::manage_pg_repo,
+  $postgres_version    = $puppetdb::params::postgres_version,
 ) inherits puppetdb::params {
 
   if $manage_server {
@@ -41,7 +41,7 @@
     # create the puppetdb database
     postgresql::server::db { $database_name:
       user     => $database_username,
-      password => $database_password,
+      password => Sensitive($database_password),
       grant    => 'all',
     }
   }
diff --git a/manifests/init.pp b/manifests/init.pp
@@ -110,7 +110,7 @@
     database_host                     => $database_host,
     database_port                     => $database_port,
     database_username                 => $database_username,
-    database_password                 => $database_password,
+    database_password                 => Sensitive($database_password),
     database_name                     => $database_name,
     manage_db_password                => $manage_db_password,
     jdbc_ssl_properties               => $jdbc_ssl_properties,
@@ -138,7 +138,7 @@
     read_database_host                => $read_database_host,
     read_database_port                => $read_database_port,
     read_database_username            => $read_database_username,
-    read_database_password            => $read_database_password,
+    read_database_password            => Sensitive($read_database_password),
     read_database_name                => $read_database_name,
     manage_read_db_password           => $manage_read_db_password,
     read_database_jdbc_ssl_properties => $read_database_jdbc_ssl_properties,
@@ -177,7 +177,7 @@
       listen_addresses    => $database_listen_address,
       database_name       => $database_name,
       database_username   => $database_username,
-      database_password   => $database_password,
+      database_password   => Sensitive($database_password),
       database_port       => $database_port,
       manage_server       => $manage_dbserver,
       manage_database     => $manage_database,
diff --git a/manifests/params.pp b/manifests/params.pp
@@ -24,18 +24,18 @@
   } else {
     $manage_pg_repo            = false
   }
-  $postgres_version          = '9.6'
+  $postgres_version            = '9.6'
 
   # The remaining database settings are not used for an embedded database
-  $database_host          = 'localhost'
-  $database_port          = '5432'
-  $database_name          = 'puppetdb'
-  $database_username      = 'puppetdb'
-  $database_password      = 'puppetdb'
-  $manage_db_password     = true
-  $jdbc_ssl_properties    = ''
-  $database_validate      = true
-  $database_max_pool_size = undef
+  $database_host               = 'localhost'
+  $database_port               = '5432'
+  $database_name               = 'puppetdb'
+  $database_username           = 'puppetdb'
+  $database_password           = 'puppetdb'
+  $manage_db_password          = true
+  $jdbc_ssl_properties         = ''
+  $database_validate           = true
+  $database_max_pool_size      = undef
 
   # These settings manage the various auto-deactivation and auto-purge settings
   $node_ttl               = '7d'
diff --git a/manifests/server.pp b/manifests/server.pp
@@ -165,7 +165,7 @@
     database_host             => $database_host,
     database_port             => $database_port,
     database_username         => $database_username,
-    database_password         => $database_password,
+    database_password         => Sensitive($database_password),
     database_name             => $database_name,
     manage_db_password        => $manage_db_password,
     database_max_pool_size    => $database_max_pool_size,
@@ -194,7 +194,7 @@
     database_host          => $read_database_host,
     database_port          => $read_database_port,
     database_username      => $read_database_username,
-    database_password      => $read_database_password,
+    database_password      => Sensitive($read_database_password),
     database_name          => $read_database_name,
     manage_db_password     => $manage_read_db_password,
     jdbc_ssl_properties    => $read_database_jdbc_ssl_properties,
diff --git a/manifests/server/database.pp b/manifests/server/database.pp
@@ -1,30 +1,30 @@
 # PRIVATE CLASS - do not use directly
 class puppetdb::server::database (
-  $database               = $puppetdb::params::database,
-  $database_host          = $puppetdb::params::database_host,
-  $database_port          = $puppetdb::params::database_port,
-  $database_username      = $puppetdb::params::database_username,
-  $database_password      = $puppetdb::params::database_password,
-  $database_name          = $puppetdb::params::database_name,
-  $manage_db_password     = $puppetdb::params::manage_db_password,
-  $jdbc_ssl_properties    = $puppetdb::params::jdbc_ssl_properties,
-  $database_validate      = $puppetdb::params::database_validate,
-  $database_embedded_path = $puppetdb::params::database_embedded_path,
-  $node_ttl               = $puppetdb::params::node_ttl,
-  $node_purge_ttl         = $puppetdb::params::node_purge_ttl,
-  $report_ttl             = $puppetdb::params::report_ttl,
-  $facts_blacklist        = $puppetdb::params::facts_blacklist,
-  $gc_interval            = $puppetdb::params::gc_interval,
+  $database                   = $puppetdb::params::database,
+  $database_host              = $puppetdb::params::database_host,
+  $database_port              = $puppetdb::params::database_port,
+  $database_username          = $puppetdb::params::database_username,
+  $database_password          = $puppetdb::params::database_password,
+  $database_name              = $puppetdb::params::database_name,
+  $manage_db_password         = $puppetdb::params::manage_db_password,
+  $jdbc_ssl_properties        = $puppetdb::params::jdbc_ssl_properties,
+  $database_validate          = $puppetdb::params::database_validate,
+  $database_embedded_path     = $puppetdb::params::database_embedded_path,
+  $node_ttl                   = $puppetdb::params::node_ttl,
+  $node_purge_ttl             = $puppetdb::params::node_purge_ttl,
+  $report_ttl                 = $puppetdb::params::report_ttl,
+  $facts_blacklist            = $puppetdb::params::facts_blacklist,
+  $gc_interval                = $puppetdb::params::gc_interval,
   $node_purge_gc_batch_limit  = $puppetdb::params::node_purge_gc_batch_limit,
-  $log_slow_statements    = $puppetdb::params::log_slow_statements,
-  $conn_max_age           = $puppetdb::params::conn_max_age,
-  $conn_keep_alive        = $puppetdb::params::conn_keep_alive,
-  $conn_lifetime          = $puppetdb::params::conn_lifetime,
-  $confdir                = $puppetdb::params::confdir,
-  $puppetdb_user          = $puppetdb::params::puppetdb_user,
-  $puppetdb_group         = $puppetdb::params::puppetdb_group,
-  $database_max_pool_size = $puppetdb::params::database_max_pool_size,
-  $migrate                = $puppetdb::params::migrate,
+  $log_slow_statements        = $puppetdb::params::log_slow_statements,
+  $conn_max_age               = $puppetdb::params::conn_max_age,
+  $conn_keep_alive            = $puppetdb::params::conn_keep_alive,
+  $conn_lifetime              = $puppetdb::params::conn_lifetime,
+  $confdir                    = $puppetdb::params::confdir,
+  $puppetdb_user              = $puppetdb::params::puppetdb_user,
+  $puppetdb_group             = $puppetdb::params::puppetdb_group,
+  $database_max_pool_size     = $puppetdb::params::database_max_pool_size,
+  $migrate                    = $puppetdb::params::migrate,
 ) inherits puppetdb::params {
 
   if str2bool($database_validate) {
@@ -41,7 +41,7 @@
       database_host     => $database_host,
       database_port     => $database_port,
       database_username => $database_username,
-      database_password => $database_password,
+      database_password => Sensitive($database_password),
       database_name     => $database_name,
     }
   }
@@ -96,7 +96,7 @@
     if $database_password != undef and $manage_db_password {
       ini_setting {'puppetdb_psdatabase_password':
         setting => 'password',
-        value   => $database_password,
+        value   => Sensitive($database_password),
       }
     }
   }
diff --git a/manifests/server/read_database.pp b/manifests/server/read_database.pp
@@ -35,7 +35,7 @@
         database_host     => $database_host,
         database_port     => $database_port,
         database_username => $database_username,
-        database_password => $database_password,
+        database_password => Sensitive($database_password),
         database_name     => $database_name,
       }
     }
@@ -83,7 +83,7 @@
       if $database_password != undef and $manage_db_password {
         ini_setting { 'puppetdb_read_database_password':
           setting => 'password',
-          value   => $database_password,
+          value   => Sensitive($database_password),
         }
       }
     }
diff --git a/manifests/server/validate_db.pp b/manifests/server/validate_db.pp
@@ -18,7 +18,7 @@
       database_host     => $database_host,
       database_port     => $database_port,
       database_username => $database_username,
-      database_password => $database_password,
+      database_password => Sensitive($database_password),
       database_name     => $database_name,
     }
   }
diff --git a/manifests/server/validate_read_db.pp b/manifests/server/validate_read_db.pp
@@ -18,7 +18,7 @@
       database_host     => $database_host,
       database_port     => $database_port,
       database_username => $database_username,
-      database_password => $database_password,
+      database_password => Sensitive($database_password),
       database_name     => $database_name,
     }
   }

Original file line number	Diff line number	Diff line change
`@@ -35,7 +35,7 @@`
`35`	`35`	`database_host => $database_host,`
`36`	`36`	`database_port => $database_port,`
`37`	`37`	`database_username => $database_username,`
`38`		`- database_password => $database_password,`
	`38`	`+ database_password => Sensitive($database_password),`
`39`	`39`	`database_name => $database_name,`
`40`	`40`	`}`
`41`	`41`	`}`
`@@ -83,7 +83,7 @@`
`83`	`83`	`if $database_password != undef and $manage_db_password {`
`84`	`84`	`ini_setting { 'puppetdb_read_database_password':`
`85`	`85`	`setting => 'password',`
`86`		`- value => $database_password,`
	`86`	`+ value => Sensitive($database_password),`
`87`	`87`	`}`
`88`	`88`	`}`
`89`	`89`	`}`
Original file line number	Diff line number	Diff line change
`@@ -18,7 +18,7 @@`
`18`	`18`	`database_host => $database_host,`
`19`	`19`	`database_port => $database_port,`
`20`	`20`	`database_username => $database_username,`
`21`		`- database_password => $database_password,`
	`21`	`+ database_password => Sensitive($database_password),`
`22`	`22`	`database_name => $database_name,`
`23`	`23`	`}`
`24`	`24`	`}`