Add more sensitive protection and testing

DavidS · DavidS · commit 08a175217adc · 2021-02-19T17:11:41.000Z
diff --git a/manifests/server/role.pp b/manifests/server/role.pp
@@ -82,7 +82,7 @@
     }
 
     postgresql_psql { "CREATE ROLE ${username} ENCRYPTED PASSWORD ****":
-      command     => "CREATE ROLE \"${username}\" ${password_sql} ${login_sql} ${createrole_sql} ${createdb_sql} ${superuser_sql} ${replication_sql} CONNECTION LIMIT ${connection_limit}",
+      command     => Sensitive("CREATE ROLE \"${username}\" ${password_sql} ${login_sql} ${createrole_sql} ${createdb_sql} ${superuser_sql} ${replication_sql} CONNECTION LIMIT ${connection_limit}"),
       unless      => "SELECT 1 FROM pg_roles WHERE rolname = '${username}'",
       require     => undef,
       sensitive   => true,
@@ -132,8 +132,8 @@
         $pwd_hash_sql = "md5${pwd_md5}"
       }
       postgresql_psql { "ALTER ROLE ${username} ENCRYPTED PASSWORD ****":
-        command     => "ALTER ROLE \"${username}\" ${password_sql}",
-        unless      => "SELECT 1 FROM pg_shadow WHERE usename = '${username}' AND passwd = '${pwd_hash_sql}'",
+        command     => Sensitive("ALTER ROLE \"${username}\" ${password_sql}"),
+        unless      => Sensitive("SELECT 1 FROM pg_shadow WHERE usename = '${username}' AND passwd = '${pwd_hash_sql}'"),
         sensitive   => true,
       }
     }
diff --git a/spec/unit/defines/server/role_spec.rb b/spec/unit/defines/server/role_spec.rb
@@ -33,16 +33,16 @@
   it { is_expected.to contain_postgresql__server__role('test') }
   it 'has create role for "test" user with password as ****' do
     is_expected.to contain_postgresql_psql('CREATE ROLE test ENCRYPTED PASSWORD ****')
-      .with('command'     => "CREATE ROLE \"test\" ENCRYPTED PASSWORD '$NEWPGPASSWD' LOGIN NOCREATEROLE NOCREATEDB NOSUPERUSER  CONNECTION LIMIT -1",
-            'environment' => 'NEWPGPASSWD=new-pa$s',
+      .with('command'     => 'Sensitive [value redacted]',
+            'sensitive'   => 'true',
             'unless'      => "SELECT 1 FROM pg_roles WHERE rolname = 'test'",
             'port'        => '5432')
   end
   it 'has alter role for "test" user with password as ****' do
     is_expected.to contain_postgresql_psql('ALTER ROLE test ENCRYPTED PASSWORD ****')
-      .with('command'     => "ALTER ROLE \"test\" ENCRYPTED PASSWORD '$NEWPGPASSWD'",
-            'environment' => 'NEWPGPASSWD=new-pa$s',
-            'unless'      => "SELECT 1 FROM pg_shadow WHERE usename = 'test' AND passwd = 'md5b6f7fcbbabb4befde4588a26c1cfd2fa'",
+      .with('command'     => 'Sensitive [value redacted]',
+            'sensitive'   => 'true',
+            'unless'      => 'Sensitive [value redacted]',
             'port'        => '5432')
   end
 
@@ -64,17 +64,17 @@
     it { is_expected.to contain_postgresql__server__role('test') }
     it 'has create role for "test" user with password as ****' do
       is_expected.to contain_postgresql_psql('CREATE ROLE test ENCRYPTED PASSWORD ****')
-        .with_command("CREATE ROLE \"test\" ENCRYPTED PASSWORD '$NEWPGPASSWD' LOGIN NOCREATEROLE NOCREATEDB NOSUPERUSER  CONNECTION LIMIT -1")
-        .with_environment('NEWPGPASSWD=new-pa$s')
+        .with_command('Sensitive [value redacted]')
+        .with_sensitive('true')
         .with_unless("SELECT 1 FROM pg_roles WHERE rolname = 'test'")
         .with_port(5432)
         .with_connect_settings('PGHOST' => 'postgres-db-server', 'DBVERSION' => '9.1', 'PGUSER' => 'login-user', 'PGPASSWORD' => 'login-pass')
         .that_requires('Class[postgresql::server::service]')
     end
     it 'has alter role for "test" user with password as ****' do
       is_expected.to contain_postgresql_psql('ALTER ROLE test ENCRYPTED PASSWORD ****')
-        .with('command' => "ALTER ROLE \"test\" ENCRYPTED PASSWORD '$NEWPGPASSWD'", 'environment' => 'NEWPGPASSWD=new-pa$s',
-              'unless'  => "SELECT 1 FROM pg_shadow WHERE usename = 'test' AND passwd = 'md5b6f7fcbbabb4befde4588a26c1cfd2fa'", 'port' => '5432',
+        .with('command' => 'Sensitive [value redacted]', 'sensitive' => 'true',
+              'unless'  => 'Sensitive [value redacted]', 'port' => '5432',
               'connect_settings' => { 'PGHOST' => 'postgres-db-server', 'DBVERSION' => '9.1',
                                       'PGUSER' => 'login-user', 'PGPASSWORD' => 'login-pass' })
     end
@@ -99,15 +99,15 @@
     it { is_expected.to contain_postgresql__server__role('test') }
     it 'has create role for "test" user with password as ****' do
       is_expected.to contain_postgresql_psql('CREATE ROLE test ENCRYPTED PASSWORD ****')
-        .with('command'     => "CREATE ROLE \"test\" ENCRYPTED PASSWORD '$NEWPGPASSWD' LOGIN NOCREATEROLE NOCREATEDB NOSUPERUSER  CONNECTION LIMIT -1",
-              'environment' => 'NEWPGPASSWD=new-pa$s', 'unless' => "SELECT 1 FROM pg_roles WHERE rolname = 'test'",
-              'connect_settings' => { 'PGHOST'     => 'postgres-db-server', 'DBVERSION' => '9.1',
-                                      'PGPORT'     => '1234', 'PGUSER' => 'login-user', 'PGPASSWORD' => 'login-pass' })
+        .with('command'   => 'Sensitive [value redacted]',
+              'sensitive' => 'true', 'unless' => "SELECT 1 FROM pg_roles WHERE rolname = 'test'",
+              'connect_settings' => { 'PGHOST' => 'postgres-db-server', 'DBVERSION' => '9.1',
+                                      'PGPORT' => '1234', 'PGUSER' => 'login-user', 'PGPASSWORD' => 'login-pass' })
     end
     it 'has alter role for "test" user with password as ****' do
       is_expected.to contain_postgresql_psql('ALTER ROLE test ENCRYPTED PASSWORD ****')
-        .with('command' => "ALTER ROLE \"test\" ENCRYPTED PASSWORD '$NEWPGPASSWD'", 'environment' => 'NEWPGPASSWD=new-pa$s',
-              'unless'  => "SELECT 1 FROM pg_shadow WHERE usename = 'test' AND passwd = 'md5b6f7fcbbabb4befde4588a26c1cfd2fa'",
+        .with('command' => 'Sensitive [value redacted]', 'sensitive' => 'true',
+              'unless'  => 'Sensitive [value redacted]',
               'connect_settings' => { 'PGHOST' => 'postgres-db-server', 'DBVERSION' => '9.1',
                                       'PGPORT' => '1234', 'PGUSER' => 'login-user', 'PGPASSWORD' => 'login-pass' })
     end

Original file line number	Diff line number	Diff line change
`@@ -82,7 +82,7 @@`
`82`	`82`	`}`
`83`	`83`
`84`	`84`	`postgresql_psql { "CREATE ROLE ${username} ENCRYPTED PASSWORD ****":`
`85`		`- command => "CREATE ROLE \"${username}\" ${password_sql} ${login_sql} ${createrole_sql} ${createdb_sql} ${superuser_sql} ${replication_sql} CONNECTION LIMIT ${connection_limit}",`
	`85`	`+ command => Sensitive("CREATE ROLE \"${username}\" ${password_sql} ${login_sql} ${createrole_sql} ${createdb_sql} ${superuser_sql} ${replication_sql} CONNECTION LIMIT ${connection_limit}"),`
`86`	`86`	`unless => "SELECT 1 FROM pg_roles WHERE rolname = '${username}'",`
`87`	`87`	`require => undef,`
`88`	`88`	`sensitive => true,`
`@@ -132,8 +132,8 @@`
`132`	`132`	`$pwd_hash_sql = "md5${pwd_md5}"`
`133`	`133`	`}`
`134`	`134`	`postgresql_psql { "ALTER ROLE ${username} ENCRYPTED PASSWORD ****":`
`135`		`- command => "ALTER ROLE \"${username}\" ${password_sql}",`
`136`		`- unless => "SELECT 1 FROM pg_shadow WHERE usename = '${username}' AND passwd = '${pwd_hash_sql}'",`
	`135`	`+ command => Sensitive("ALTER ROLE \"${username}\" ${password_sql}"),`
	`136`	`+ unless => Sensitive("SELECT 1 FROM pg_shadow WHERE usename = '${username}' AND passwd = '${pwd_hash_sql}'"),`
`137`	`137`	`sensitive => true,`
`138`	`138`	`}`
`139`	`139`	`}`