Implement a sensitive param for postgresql_psql

DavidS · DavidS · commit 7717c4691023 · 2021-02-19T16:00:40.000Z
diff --git a/lib/puppet/provider/postgresql_psql/ruby.rb b/lib/puppet/provider/postgresql_psql/ruby.rb
@@ -62,7 +62,8 @@ def run_command(command, user, group, environment)
                                                       failonfail: false,
                                                       combine: true,
                                                       override_locale: true,
-                                                      custom_environment: environment)
+                                                      custom_environment: environment,
+                                                      sensitive: resource[:sensitive] == :true)
     [output, $CHILD_STATUS.dup]
   end
 end
diff --git a/lib/puppet/type/postgresql_psql.rb b/lib/puppet/type/postgresql_psql.rb
@@ -124,6 +124,13 @@ def matches(value)
     newvalues(:true, :false)
   end
 
+  newparam(:sensitive, boolean: true) do
+    desc "If 'true', then the executed command will not be echoed into the log. Use this to protect sensitive information passing through."
+
+    defaultto(:false)
+    newvalues(:true, :false)
+  end
+
   autorequire(:class) { ['Postgresql::Server::Service'] }
 
   def should_run_sql(refreshing = false)
diff --git a/manifests/server/role.pp b/manifests/server/role.pp
@@ -3,8 +3,8 @@
 # @param update_password If set to true, updates the password on changes. Set this to false to not modify the role's password after creation.
 # @param password_hash Sets the hash to use during password creation.
 # @param createdb Specifies whether to grant the ability to create new databases with this role.
-# @param createrole Specifies whether to grant the ability to create new roles with this role. 
-# @param db Database used to connect to. 
+# @param createrole Specifies whether to grant the ability to create new roles with this role.
+# @param db Database used to connect to.
 # @param port Port to use when connecting.
 # @param login Specifies whether to grant login capability for the new role.
 # @param inherit Specifies whether to grant inherit capability for the new role.
@@ -76,18 +76,16 @@
     $superuser_sql   = $superuser   ? { true => 'SUPERUSER',   default => 'NOSUPERUSER' }
     $replication_sql = $replication ? { true => 'REPLICATION', default => '' }
     if ($password_hash != false) {
-      $environment  = "NEWPGPASSWD=${password_hash}"
-      $password_sql = "ENCRYPTED PASSWORD '\$NEWPGPASSWD'"
+      $password_sql = "ENCRYPTED PASSWORD '${password_hash}'"
     } else {
       $password_sql = ''
-      $environment  = []
     }
 
     postgresql_psql { "CREATE ROLE ${username} ENCRYPTED PASSWORD ****":
       command     => "CREATE ROLE \"${username}\" ${password_sql} ${login_sql} ${createrole_sql} ${createdb_sql} ${superuser_sql} ${replication_sql} CONNECTION LIMIT ${connection_limit}",
       unless      => "SELECT 1 FROM pg_roles WHERE rolname = '${username}'",
-      environment => $environment,
       require     => undef,
+      sensitive   => true,
     }
 
     postgresql_psql { "ALTER ROLE \"${username}\" ${superuser_sql}":
@@ -136,7 +134,7 @@
       postgresql_psql { "ALTER ROLE ${username} ENCRYPTED PASSWORD ****":
         command     => "ALTER ROLE \"${username}\" ${password_sql}",
         unless      => "SELECT 1 FROM pg_shadow WHERE usename = '${username}' AND passwd = '${pwd_hash_sql}'",
-        environment => $environment,
+        sensitive   => true,
       }
     }
   } else {
