diff --git a/lib/puppet/provider/foreman_config_entry/cli.rb b/lib/puppet/provider/foreman_config_entry/cli.rb index 36d7e68a2..7efa044d9 100644 --- a/lib/puppet/provider/foreman_config_entry/cli.rb +++ b/lib/puppet/provider/foreman_config_entry/cli.rb @@ -65,6 +65,8 @@ def value def value=(value) return if resource[:dry] + + value = value.unwrap if value.respond_to?(:unwrap) run_foreman_config("-k '#{name}' -v '#{value}'", :combine => true, :failonfail => true) @property_hash[:value] = value end diff --git a/manifests/cli.pp b/manifests/cli.pp index 3e9ead0e7..48e3ee8cd 100644 --- a/manifests/cli.pp +++ b/manifests/cli.pp @@ -30,7 +30,7 @@ String $version = $foreman::cli::params::version, Boolean $manage_root_config = $foreman::cli::params::manage_root_config, Optional[String] $username = $foreman::cli::params::username, - Optional[String] $password = $foreman::cli::params::password, + Optional[Variant[String, Sensitive[String]]] $password = $foreman::cli::params::password, Boolean $use_sessions = $foreman::cli::params::use_sessions, Boolean $refresh_cache = $foreman::cli::params::refresh_cache, Integer[-1] $request_timeout = $foreman::cli::params::request_timeout, diff --git a/manifests/database.pp b/manifests/database.pp index e5f850e38..41488cdf4 100644 --- a/manifests/database.pp +++ b/manifests/database.pp @@ -14,7 +14,7 @@ if $foreman::db_manage_rake { $seed_env = { 'SEED_ADMIN_USER' => $foreman::initial_admin_username, - 'SEED_ADMIN_PASSWORD' => $foreman::initial_admin_password, + 'SEED_ADMIN_PASSWORD' => if $foreman::initial_admin_password =~ Sensitive {$foreman::initial_admin_password.unwrap} else {$foreman::initial_admin_password}, 'SEED_ADMIN_FIRST_NAME' => $foreman::initial_admin_first_name, 'SEED_ADMIN_LAST_NAME' => $foreman::initial_admin_last_name, 'SEED_ADMIN_EMAIL' => $foreman::initial_admin_email, diff --git a/manifests/init.pp b/manifests/init.pp index 82f26cb82..3f173726c 100644 --- a/manifests/init.pp +++ b/manifests/init.pp 
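Review bot: In `value=`, the unwrapped secret is interpolated straight into the command string given to `run_foreman_config`, so it travels on the process command line and, presumably, appears in the error raised when `:failonfail => true` trips. The hand-written single quotes also break as soon as the value contains a `'`, which is far more likely for a secret than for an ordinary setting. Assuming the string is handed to a shell, as the quoting suggests, I would escape both arguments: `run_foreman_config("-k #{Shellwords.escape(name)} -v #{Shellwords.escape(value)}", :combine => true, :failonfail => true)` with `require 'shellwords'` at the top of the file. It is also worth checking whether `run_foreman_config` (defined outside this hunk) can take the value by a route other than argv, and adding a comment on the new line such as `# Sensitive values arrive wrapped; the CLI needs the plain string`.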
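Review bot: Unwrapping `$foreman::initial_admin_password` while building `$seed_env` puts the plain password back into an ordinary hash, so whatever consumes `$seed_env` (outside this hunk) receives it without the Sensitive marker and it can presumably surface in the catalog and in reports. If the consuming resource accepts it, unwrap as late as possible there, or re-wrap the value that carries the environment. The inline `if … else …` inside the hash literal is also hard to read; a local ahead of the hash, `$seed_admin_password = $foreman::initial_admin_password ? { Sensitive => $foreman::initial_admin_password.unwrap, default => $foreman::initial_admin_password }`, would be clearer. The enclosing `if $foreman::db_manage_rake` block ends outside the hunk.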
@@ -215,7 +215,7 @@
 Variant[Undef, Enum['UNSET'], Stdlib::Port] $db_port = 'UNSET',
 Optional[String] $db_database = 'UNSET',
 Optional[String] $db_username = $foreman::params::db_username,
- Optional[String] $db_password = $foreman::params::db_password,
+ Optional[Variant[String, Sensitive[String]]] $db_password = $foreman::params::db_password,
 Optional[String] $db_sslmode = 'UNSET',
 Optional[String] $db_root_cert = undef,
 Integer[0] $db_pool = $foreman::params::db_pool,
@@ -234,11 +234,11 @@
 Stdlib::Absolutepath $client_ssl_key = $foreman::params::client_ssl_key,
 Boolean $oauth_active = $foreman::params::oauth_active,
 Boolean $oauth_map_users = $foreman::params::oauth_map_users,
- String $oauth_consumer_key = $foreman::params::oauth_consumer_key,
- String $oauth_consumer_secret = $foreman::params::oauth_consumer_secret,
+ Variant[String, Sensitive[String]] $oauth_consumer_key = $foreman::params::oauth_consumer_key,
+ Variant[String, Sensitive[String]] $oauth_consumer_secret = $foreman::params::oauth_consumer_secret,
 String $oauth_effective_user = $foreman::params::oauth_effective_user,
 String $initial_admin_username = $foreman::params::initial_admin_username,
- String $initial_admin_password = $foreman::params::initial_admin_password,
+ Variant[String, Sensitive[String]] $initial_admin_password = $foreman::params::initial_admin_password,
 Optional[String] $initial_admin_first_name = $foreman::params::initial_admin_first_name,
 Optional[String] $initial_admin_last_name = $foreman::params::initial_admin_last_name,
 Optional[String] $initial_admin_email = $foreman::params::initial_admin_email,
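Review bot: The widened types on `$db_password`, `$oauth_consumer_key`, `$oauth_consumer_secret` and `$initial_admin_password` in these two hunks (and on `$email_smtp_password` in the next one) are not matched in this diff by any change to the templates or resources that render them, apart from `SEED_ADMIN_PASSWORD`. Interpolating a `Sensitive` into a string or template yields the redaction placeholder rather than the secret, so unless those consumers already unwrap, a Sensitive value would compile cleanly and still write a wrong credential into the configuration. Each consumer should unwrap at the point of use and pass the rendered content to its file resource wrapped in `Sensitive(...)`, so the secret stays out of reports and file diffs. The parameter documentation for these five should also state that `Sensitive[String]` is accepted.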
@@ -265,7 +265,7 @@ Optional[Stdlib::Fqdn] $email_smtp_domain = $foreman::params::email_smtp_domain, Enum['none', 'plain', 'login', 'cram-md5'] $email_smtp_authentication = $foreman::params::email_smtp_authentication, Optional[String] $email_smtp_user_name = $foreman::params::email_smtp_user_name, - Optional[String] $email_smtp_password = $foreman::params::email_smtp_password, + Optional[Variant[String, Sensitive[String]]] $email_smtp_password = $foreman::params::email_smtp_password, Optional[String] $email_reply_address = $foreman::params::email_reply_address, Optional[String] $email_subject_prefix = $foreman::params::email_subject_prefix, String $telemetry_prefix = $foreman::params::telemetry_prefix, diff --git a/manifests/plugin.pp b/manifests/plugin.pp index 07b4ede29..6d28f89e6 100644 --- a/manifests/plugin.pp +++ b/manifests/plugin.pp @@ -27,7 +27,7 @@ String[1] $config_file_owner = 'root', String[1] $config_file_group = $foreman::group, Stdlib::Filemode $config_file_mode = '0640', - Optional[String] $config = undef, + Optional[Variant[String, Sensitive[String]]] $config = undef, ) { # Debian gem2deb converts underscores to hyphens case $facts['os']['family'] { diff --git a/manifests/plugin/supervisory_authority.pp b/manifests/plugin/supervisory_authority.pp index 562e56a53..d46492f96 100644 --- a/manifests/plugin/supervisory_authority.pp +++ b/manifests/plugin/supervisory_authority.pp @@ -30,7 +30,7 @@ # class foreman::plugin::supervisory_authority ( Stdlib::HTTPUrl $server_url, - String $secret_token, + Variant[String, Sensitive[String]] $secret_token, Pattern[/^[a-zA-Z0-9 _-]+$/] $service_name, Integer[0,5] $log_level = 1, Integer[0] $pool_size = 1, diff --git a/spec/classes/foreman_spec.rb b/spec/classes/foreman_spec.rb index 49bf6655f..0131dfa08 100644 --- a/spec/classes/foreman_spec.rb +++ b/spec/classes/foreman_spec.rb 
@@ -263,6 +263,20 @@ end end + describe 'with all parameters and Sensitive for Secrets' do + let :params do + { + db_password: sensitive('secret'), + oauth_consumer_key: sensitive('random'), + oauth_consumer_secret: sensitive('random'), + initial_admin_password: sensitive('secret'), + email_smtp_password: sensitive('secret'), + } + end + + it { is_expected.to compile.with_all_deps } + end + context 'with journald logging' do let(:params) { super().merge(logging_type: 'journald') } it { is_expected.to compile.with_all_deps } diff --git a/spec/classes/plugin/supervisory_authority_spec.rb b/spec/classes/plugin/supervisory_authority_spec.rb index aeafe9225..022f1b135 100644 --- a/spec/classes/plugin/supervisory_authority_spec.rb +++ b/spec/classes/plugin/supervisory_authority_spec.rb 
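Review bot: The new example asserts only `compile.with_all_deps`, which still passes if a wrapped value is rendered as the redaction placeholder or ends up in the catalog in clear text. Add expectations on the rendered configuration for at least `db_password` and `oauth_consumer_secret`, checking that the real value reaches the file and that the content is held as Sensitive. The description says 'with all parameters' but `params` sets only the five secrets, so either merge them into the full parameter set or rename it, e.g. `describe 'with Sensitive secrets' do`. The enclosing describe block starts outside the hunk.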
@@ -1,13 +1,27 @@ require 'spec_helper' describe 'foreman::plugin::supervisory_authority' do - let(:params) do - { - 'server_url' => 'https://example.com', - 'secret_token' => 'secret_example', - 'service_name' => 'foreman prod', - } + context 'with Standard-Parameters' do + let(:params) do + { + 'server_url' => 'https://example.com', + 'secret_token' => 'secret_example', + 'service_name' => 'foreman prod', + } + end + include_examples 'basic foreman plugin tests', 'supervisory_authority' + it { is_expected.to contain_foreman__plugin('supervisory_authority').with_config(%r{^---\n:foreman_supervisory_authority:\n server_url: https://example\.com\n}) } + end + + context 'with Sensitive secret_token' do + let(:params) do + { + 'server_url' => 'https://example.com', + 'secret_token' => sensitive('secret_example'), + 'service_name' => 'foreman prod', + } + end + include_examples 'basic foreman plugin tests', 'supervisory_authority' + it { is_expected.to contain_foreman__plugin('supervisory_authority').with_config(%r{^---\n:foreman_supervisory_authority:\n server_url: https://example\.com\n}) } end - include_examples 'basic foreman plugin tests', 'supervisory_authority' - it { is_expected.to contain_foreman__plugin('supervisory_authority').with_config(%r{^---\n:foreman_supervisory_authority:\n server_url: https://example\.com\n}) } end diff --git a/templates/hammer_root.yml.epp b/templates/hammer_root.yml.epp index 2962a3a4d..17ff9f899 100644 --- a/templates/hammer_root.yml.epp +++ b/templates/hammer_root.yml.epp @@ -1,8 +1,8 @@ <%- | Optional[String] $username, - Optional[String] $password, + Optional[Variant[String, Sensitive[String]]] $password, | -%> :foreman: # Credentials. You'll be asked for the interactively if you leave them blank here - :username: '<%= $username %>' - :password: '<%= $password %>' + :username:<%= if $username { " '${username}'" } %> + :password:<%= if $password { " '${password}'" } %>
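Review bot: The 'with Sensitive secret_token' context checks only the `server_url` line of the generated config, so it never shows what happens to the token itself. Add an expectation on the token line so that a rendered redaction placeholder, or the loss of the Sensitive wrapper on `config`, fails the test. The two contexts are otherwise identical, so a shared `let(:secret_token) { 'secret_example' }` overridden in the second context would remove the duplicated `params`, `include_examples` and `it` lines.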
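Review bot: `" '${password}'"` interpolates `$password` directly, and for a `Sensitive[String]` that yields the redaction placeholder, so the hammer config would receive an unusable password. Unwrap before interpolating, using the same `$password =~ Sensitive` / `$password.unwrap` test the commit applies to `SEED_ADMIN_PASSWORD`, and have the caller wrap the rendered template in `Sensitive(...)` so the file content stays out of reports and diffs. The value is also placed between single quotes without escaping, so a password containing `'` produces invalid YAML; doubling embedded quotes to `''` would fix that. An unset value now renders a bare `:password:` (YAML null) where the old template wrote `''`, which deserves a comment in the template.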