Implement a sensitive param for postgresql_psql

DavidS · DavidS · commit c73a37b9cd6e · 2021-02-19T16:50:12.000Z
diff --git a/lib/puppet/provider/postgresql_psql/ruby.rb b/lib/puppet/provider/postgresql_psql/ruby.rb
@@ -62,7 +62,8 @@ def run_command(command, user, group, environment)
                                                       failonfail: false,
                                                       combine: true,
                                                       override_locale: true,
-                                                      custom_environment: environment)
+                                                      custom_environment: environment,
+                                                      sensitive: resource[:sensitive] == :true)
     [output, $CHILD_STATUS.dup]
   end
 end
diff --git a/lib/puppet/type/postgresql_psql.rb b/lib/puppet/type/postgresql_psql.rb
@@ -124,6 +124,13 @@ def matches(value)
     newvalues(:true, :false)
   end
 
+  newparam(:sensitive, boolean: true) do
+    desc "If 'true', then the executed command will not be echoed into the log. Use this to protect sensitive information passing through."
+
+    defaultto(:false)
+    newvalues(:true, :false)
+  end
+
   autorequire(:class) { ['Postgresql::Server::Service'] }
 
   def should_run_sql(refreshing = false)
diff --git a/manifests/server/role.pp b/manifests/server/role.pp
@@ -3,8 +3,8 @@
 # @param update_password If set to true, updates the password on changes. Set this to false to not modify the role's password after creation.
 # @param password_hash Sets the hash to use during password creation.
 # @param createdb Specifies whether to grant the ability to create new databases with this role.
-# @param createrole Specifies whether to grant the ability to create new roles with this role. 
-# @param db Database used to connect to. 
+# @param createrole Specifies whether to grant the ability to create new roles with this role.
+# @param db Database used to connect to.
 # @param port Port to use when connecting.
 # @param login Specifies whether to grant login capability for the new role.
 # @param inherit Specifies whether to grant inherit capability for the new role.
@@ -76,18 +76,16 @@
     $superuser_sql   = $superuser   ? { true => 'SUPERUSER',   default => 'NOSUPERUSER' }
     $replication_sql = $replication ? { true => 'REPLICATION', default => '' }
     if ($password_hash != false) {
-      $environment  = "NEWPGPASSWD=${password_hash}"
-      $password_sql = "ENCRYPTED PASSWORD '\$NEWPGPASSWD'"
+      $password_sql = "ENCRYPTED PASSWORD '${password_hash}'"
     } else {
       $password_sql = ''
-      $environment  = []
     }
 
     postgresql_psql { "CREATE ROLE ${username} ENCRYPTED PASSWORD ****":
       command     => "CREATE ROLE \"${username}\" ${password_sql} ${login_sql} ${createrole_sql} ${createdb_sql} ${superuser_sql} ${replication_sql} CONNECTION LIMIT ${connection_limit}",
       unless      => "SELECT 1 FROM pg_roles WHERE rolname = '${username}'",
-      environment => $environment,
       require     => undef,
+      sensitive   => true,
     }
 
     postgresql_psql { "ALTER ROLE \"${username}\" ${superuser_sql}":
@@ -136,7 +134,7 @@
       postgresql_psql { "ALTER ROLE ${username} ENCRYPTED PASSWORD ****":
         command     => "ALTER ROLE \"${username}\" ${password_sql}",
         unless      => "SELECT 1 FROM pg_shadow WHERE usename = '${username}' AND passwd = '${pwd_hash_sql}'",
-        environment => $environment,
+        sensitive   => true,
       }
     }
   } else {
diff --git a/spec/acceptance/postgresql_psql_spec.rb b/spec/acceptance/postgresql_psql_spec.rb
@@ -134,39 +134,25 @@ class { 'postgresql::server': } ->
     apply_manifest(pp_nine, expect_changes: true)
   end
 
-  context 'with secure password passing by environment' do
-    it 'runs SQL that contanins password passed by environment' do
-      select = "select \\'$PASS_TO_EMBED\\'"
-      pp = <<-MANIFEST.unindent
+  context 'when setting sensitive => true' do
+    it 'runs queries without leaking to the log' do
+      select = "select \\'pa$swD\\'"
+      pp = <<~MANIFEST
         class { 'postgresql::server': } ->
-        postgresql_psql { 'password embedded by environment: #{select}':
+        postgresql_psql { 'password protected by sensitive: #{select}':
           db          => 'postgres',
           psql_user   => 'postgres',
+          sensitive   => true,
           command     => '#{select}',
-          environment => [
-            'PASS_TO_EMBED=pa$swD',
-          ],
-        }
-      MANIFEST
-      apply_manifest(pp, catch_failures: true)
-      apply_manifest(pp, expect_changes: false)
-    end
-    it 'runs SQL that contanins password passed by environment in check' do
-      select = "select 1 where \\'$PASS_TO_EMBED\\'=\\'passwD\\'"
-      pp = <<-MANIFEST.unindent
-        class { 'postgresql::server': } ->
-        postgresql_psql { 'password embedded by environment in check: #{select}':
-          db          => 'postgres',
-          psql_user   => 'postgres',
-          command     => 'invalid sql query',
-          unless      => '#{select}',
-          environment => [
-            'PASS_TO_EMBED=passwD',
-          ],
         }
       MANIFEST
+      result = apply_manifest(pp, catch_failures: true, debug: true)
+      expect(result.stdout).not_to contain('pa$swD')
+      expect(result.stderr).not_to contain('pa$swD')
 
-      idempotent_apply(pp)
+      result = apply_manifest(pp, expect_changes: false, debug: true)
+      expect(result.stdout).not_to contain('pa$swD')
+      expect(result.stderr).not_to contain('pa$swD')
     end
   end
 end
