Hide passwords from logs and output

gfa · gfa · commit f1d218747b1b · 2020-12-29T14:49:48.000+01:00
diff --git a/manifests/database/postgresql.pp b/manifests/database/postgresql.pp
@@ -1,15 +1,15 @@
 # Class for creating the PuppetDB postgresql database. See README.md for more
 # information.
 class puppetdb::database::postgresql(
-  $listen_addresses     = $puppetdb::params::database_host,
-  $database_name        = $puppetdb::params::database_name,
-  $database_username    = $puppetdb::params::database_username,
-  $database_password    = $puppetdb::params::database_password,
-  $database_port        = $puppetdb::params::database_port,
-  $manage_database      = $puppetdb::params::manage_database,
-  $manage_server        = $puppetdb::params::manage_dbserver,
-  $manage_package_repo  = $puppetdb::params::manage_pg_repo,
-  $postgres_version     = $puppetdb::params::postgres_version,
+  $listen_addresses    = $puppetdb::params::database_host,
+  $database_name       = $puppetdb::params::database_name,
+  $database_username   = $puppetdb::params::database_username,
+  $database_password   = $puppetdb::params::database_password,
+  $database_port       = $puppetdb::params::database_port,
+  $manage_database     = $puppetdb::params::manage_database,
+  $manage_server       = $puppetdb::params::manage_dbserver,
+  $manage_package_repo = $puppetdb::params::manage_pg_repo,
+  $postgres_version    = $puppetdb::params::postgres_version,
 ) inherits puppetdb::params {
 
   if $manage_server {
diff --git a/manifests/params.pp b/manifests/params.pp
@@ -24,18 +24,18 @@
   } else {
     $manage_pg_repo            = false
   }
-  $postgres_version          = '9.6'
+  $postgres_version            = '9.6'
 
   # The remaining database settings are not used for an embedded database
-  $database_host          = 'localhost'
-  $database_port          = '5432'
-  $database_name          = 'puppetdb'
-  $database_username      = 'puppetdb'
-  $database_password      = 'puppetdb'
-  $manage_db_password     = true
-  $jdbc_ssl_properties    = ''
-  $database_validate      = true
-  $database_max_pool_size = undef
+  $database_host               = 'localhost'
+  $database_port               = '5432'
+  $database_name               = 'puppetdb'
+  $database_username           = 'puppetdb'
+  $database_password           = 'puppetdb'
+  $manage_db_password          = true
+  $jdbc_ssl_properties         = ''
+  $database_validate           = true
+  $database_max_pool_size      = undef
 
   # These settings manage the various auto-deactivation and auto-purge settings
   $node_ttl               = '7d'
diff --git a/manifests/server/database.pp b/manifests/server/database.pp
@@ -1,30 +1,30 @@
 # PRIVATE CLASS - do not use directly
 class puppetdb::server::database (
-  $database               = $puppetdb::params::database,
-  $database_host          = $puppetdb::params::database_host,
-  $database_port          = $puppetdb::params::database_port,
-  $database_username      = $puppetdb::params::database_username,
-  $database_password      = $puppetdb::params::database_password,
-  $database_name          = $puppetdb::params::database_name,
-  $manage_db_password     = $puppetdb::params::manage_db_password,
-  $jdbc_ssl_properties    = $puppetdb::params::jdbc_ssl_properties,
-  $database_validate      = $puppetdb::params::database_validate,
-  $database_embedded_path = $puppetdb::params::database_embedded_path,
-  $node_ttl               = $puppetdb::params::node_ttl,
-  $node_purge_ttl         = $puppetdb::params::node_purge_ttl,
-  $report_ttl             = $puppetdb::params::report_ttl,
-  $facts_blacklist        = $puppetdb::params::facts_blacklist,
-  $gc_interval            = $puppetdb::params::gc_interval,
+  $database                   = $puppetdb::params::database,
+  $database_host              = $puppetdb::params::database_host,
+  $database_port              = $puppetdb::params::database_port,
+  $database_username          = $puppetdb::params::database_username,
+  $database_password          = $puppetdb::params::database_password,
+  $database_name              = $puppetdb::params::database_name,
+  $manage_db_password         = $puppetdb::params::manage_db_password,
+  $jdbc_ssl_properties        = $puppetdb::params::jdbc_ssl_properties,
+  $database_validate          = $puppetdb::params::database_validate,
+  $database_embedded_path     = $puppetdb::params::database_embedded_path,
+  $node_ttl                   = $puppetdb::params::node_ttl,
+  $node_purge_ttl             = $puppetdb::params::node_purge_ttl,
+  $report_ttl                 = $puppetdb::params::report_ttl,
+  $facts_blacklist            = $puppetdb::params::facts_blacklist,
+  $gc_interval                = $puppetdb::params::gc_interval,
   $node_purge_gc_batch_limit  = $puppetdb::params::node_purge_gc_batch_limit,
-  $log_slow_statements    = $puppetdb::params::log_slow_statements,
-  $conn_max_age           = $puppetdb::params::conn_max_age,
-  $conn_keep_alive        = $puppetdb::params::conn_keep_alive,
-  $conn_lifetime          = $puppetdb::params::conn_lifetime,
-  $confdir                = $puppetdb::params::confdir,
-  $puppetdb_user          = $puppetdb::params::puppetdb_user,
-  $puppetdb_group         = $puppetdb::params::puppetdb_group,
-  $database_max_pool_size = $puppetdb::params::database_max_pool_size,
-  $migrate                = $puppetdb::params::migrate,
+  $log_slow_statements        = $puppetdb::params::log_slow_statements,
+  $conn_max_age               = $puppetdb::params::conn_max_age,
+  $conn_keep_alive            = $puppetdb::params::conn_keep_alive,
+  $conn_lifetime              = $puppetdb::params::conn_lifetime,
+  $confdir                    = $puppetdb::params::confdir,
+  $puppetdb_user              = $puppetdb::params::puppetdb_user,
+  $puppetdb_group             = $puppetdb::params::puppetdb_group,
+  $database_max_pool_size     = $puppetdb::params::database_max_pool_size,
+  $migrate                    = $puppetdb::params::migrate,
 ) inherits puppetdb::params {
 
   if str2bool($database_validate) {
@@ -95,8 +95,9 @@
 
     if $database_password != undef and $manage_db_password {
       ini_setting {'puppetdb_psdatabase_password':
-        setting => 'password',
-        value   => $database_password,
+        setting   => 'password',
+        value     => $database_password,
+        show_diff => false,
       }
     }
   }
diff --git a/manifests/server/read_database.pp b/manifests/server/read_database.pp
@@ -82,8 +82,9 @@
 
       if $database_password != undef and $manage_db_password {
         ini_setting { 'puppetdb_read_database_password':
-          setting => 'password',
-          value   => $database_password,
+          setting   => 'password',
+          value     => $database_password,
+          show_diff => false,
         }
       }
     }

Original file line number	Diff line number	Diff line change
`@@ -82,8 +82,9 @@`
`82`	`82`
`83`	`83`	`if $database_password != undef and $manage_db_password {`
`84`	`84`	`ini_setting { 'puppetdb_read_database_password':`
`85`		`- setting => 'password',`
`86`		`- value => $database_password,`
	`85`	`+ setting => 'password',`
	`86`	`+ value => $database_password,`
	`87`	`+ show_diff => false,`
`87`	`88`	`}`
`88`	`89`	`}`
`89`	`90`	`}`