Skip to content

Use Puppet-Datatype Sensitive for Passwords #1279

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Sep 20, 2021
Merged

Use Puppet-Datatype Sensitive for Passwords #1279

merged 1 commit into from
Sep 20, 2021

Conversation

cocker-cc
Copy link
Contributor

  • add Parameter "sensitive" to Function postgresql_password to decide if its Returnvalue should be of Datatype Sensitive
  • let defined Type postgresql::server::role accept Datatype Sensitive for $password_hash
  • let defined Type postgresql::server::db accept Datatype Sensitive for $password
  • let Class postgresql::server accept Datatype Sensitive for $postgres_password
  • let defined Type postgresql::validate_db_connection accept Sensitive for $database_password

@cocker-cc cocker-cc requested a review from a team as a code owner June 12, 2021 21:34
@puppet-community-rangefinder
Copy link

postgresql::postgresql_password is a function

Breaking changes to this file WILL impact these 8 modules (exact match):
Breaking changes to this file MAY impact these 1 modules (near match):

postgresql::server is a class

Breaking changes to this file WILL impact these 38 modules (exact match):
Breaking changes to this file MAY impact these 15 modules (near match):

postgresql::server::db is a type

Breaking changes to this file WILL impact these 37 modules (exact match):
Breaking changes to this file MAY impact these 16 modules (near match):

postgresql::server::passwd is a class

that may have no external impact to Forge modules.

postgresql::server::role is a type

Breaking changes to this file WILL impact these 20 modules (exact match):
Breaking changes to this file MAY impact these 5 modules (near match):

postgresql::validate_db_connection is a type

Breaking changes to this file WILL impact these 3 modules (exact match):
Breaking changes to this file MAY impact these 2 modules (near match):

This module is declared in 71 of 576 indexed public Puppetfiles.

These results were generated with Rangefinder, a tool that helps predict the downstream impact of breaking changes to elements used in Puppet modules. You can run this on the command line to get a full report.

Exact matches are those that we can positively identify via namespace and the declaring modules' metadata. Non-namespaced items, such as Puppet 3.x functions, will always be reported as near matches only.

@ekohl ekohl mentioned this pull request Jun 21, 2021
Merged
ekohl
ekohl reviewed Jun 21, 2021
View reviewed changes
manifests/server.pp Outdated
@@ -83,7 +83,7 @@
# @param extra_systemd_config Adds extra config to systemd config file, can for instance be used to add extra openfiles. This can be a multi line string
#
class postgresql::server (
$postgres_password = undef,
Optional[Variant[String, Sensitive[String]]] $postgres_password = undef,
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just thinking about compatibility here: could a user specify an integer password?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You mean Compatibility to postgresql::postgresql_password?

    required_param 'Variant[String[1], Sensitive[String[1]], Integer]', :password

I don't see Integer as valid there neither.

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Due to other work I didn't have time to look into this for a while. How is it not valid?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In my Understanding a Password is a String, not an Integer. But anyway, I adapted your Suggestion:

Optional[Variant[String[1], Sensitive[String[1]], Integer]] $postgres_password = undef,

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just for your understanding, you can have a numeric password and if you don't quote it in YAML (with Hiera for example) it becomes Integer. I agree it's not that likely, but it can happen and we should be consistent.

@cocker-cc cocker-cc force-pushed the Use_Puppet-Datatype_Sensitive branch 3 times, most recently from a3f2b12 to ff0b4ae Compare June 22, 2021 23:28
ekohl
ekohl reviewed Jun 23, 2021
View reviewed changes
Copy link
Collaborator

@ekohl ekohl left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Given what we've seen in theforeman/foreman, I think a function stdlib::unwrap_sensitive may actually make sense, given how common it is that you need to unwrap something. What do you think?

@cocker-cc
Copy link
Contributor Author

Given what we've seen in theforeman/foreman, I think a function stdlib::unwrap_sensitive may actually make sense, given how common it is that you need to unwrap something. What do you think?

I have this PR pending. If and when this is accepted, your suggested Function is not needed anymore. Perhaps You could vote for this PR.

@cocker-cc cocker-cc force-pushed the Use_Puppet-Datatype_Sensitive branch from ff0b4ae to 4ec009d Compare June 29, 2021 18:19
@david22swan
Copy link
Member

@ekohl Now that the associated pr has been merged what are your thoughts on this?
Everything LGTM but don't want to step on your toes since you've got an open comment on it.

ekohl
ekohl reviewed Aug 16, 2021
View reviewed changes
Use Puppet-Datatype Sensitive for Passwords
d878d13 
- add Parameter "sensitive" to Function postgresql_password to decide if its Returnvalue should be of Datatype Sensitive
- let defined Type postgresql::server::role accept Datatype Sensitive for $password_hash
- let defined Type postgresql::server::db accept Datatype Sensitive for $password
- let Class postgresql::server accept Datatype Sensitive for $postgres_password
- let defined Type postgresql::validate_db_connection accept Sensitive for $database_password
@cocker-cc cocker-cc force-pushed the Use_Puppet-Datatype_Sensitive branch from 4ec009d to d878d13 Compare August 16, 2021 09:54
@CLAassistant
Copy link

CLAassistant commented Sep 1, 2021
edited
Loading

CLA assistant check
All committers have signed the CLA.

david22swan
david22swan reviewed Sep 20, 2021
View reviewed changes
@david22swan
Copy link
Member

david22swan commented Sep 20, 2021
edited
Loading

@cocker-cc Everything LGTM so gonna go ahead and merge once the test's go green.
Thank you for all the work you have put in and I look forward to seeing more from you in the future :)

@david22swan david22swan reopened this Sep 20, 2021
@puppet-community-rangefinder
Copy link

postgresql::postgresql_password is a function

that may have no external impact to Forge modules.

postgresql::server is a class

that may have no external impact to Forge modules.

postgresql::server::db is a type

that may have no external impact to Forge modules.

postgresql::server::default_privileges is a type

that may have no external impact to Forge modules.

postgresql::server::passwd is a class

that may have no external impact to Forge modules.

postgresql::server::role is a type

that may have no external impact to Forge modules.

postgresql::validate_db_connection is a type

that may have no external impact to Forge modules.

This module is declared in 70 of 578 indexed public Puppetfiles.

These results were generated with Rangefinder, a tool that helps predict the downstream impact of breaking changes to elements used in Puppet modules. You can run this on the command line to get a full report.

Exact matches are those that we can positively identify via namespace and the declaring modules' metadata. Non-namespaced items, such as Puppet 3.x functions, will always be reported as near matches only.

@david22swan
Copy link
Member

Just quickly closed and reopened to rekick the test's. No need to worry

@david22swan david22swan merged commit 9d0aa99 into puppetlabs:main Sep 20, 2021
cegeka-jenkins pushed a commit to cegeka/puppet-postgresql that referenced this pull request Feb 3, 2022
@david22swan
Merge pull request puppetlabs#1279 from cocker-cc/Use_Puppet-Datatype…
1934cfc 
…_Sensitive

Use Puppet-Datatype Sensitive for Passwords
@smortex smortex mentioned this pull request Feb 8, 2022
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ekohl ekohl ekohl left review comments

@david22swan david22swan david22swan approved these changes

Assignees
No one assigned
Labels
feature
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@cocker-cc @david22swan @CLAassistant @ekohl