From abf2deab92672d00831d3495a423601b6bc21f94 Mon Sep 17 00:00:00 2001 From: cocker-cc Date: Fri, 18 Jun 2021 00:01:14 +0200 Subject: [PATCH] Accept Puppet-Datatype Sensitive - let the Hash containing the Secrets for the Keystore accept Secrets of Datatype Sensitive - fix a 15-Months-old Typo-Bug - let api_basic_auth_password also be of Type Sensitive --- REFERENCE.md | 12 +++++----- manifests/config.pp | 6 ++++- manifests/index.pp | 30 ++++++++++++++---------- manifests/init.pp | 2 +- manifests/license.pp | 30 ++++++++++++++---------- manifests/pipeline.pp | 30 ++++++++++++++---------- manifests/snapshot_repository.pp | 40 ++++++++++++++++++-------------- manifests/template.pp | 32 ++++++++++++++----------- 8 files changed, 108 insertions(+), 74 deletions(-) diff --git a/REFERENCE.md b/REFERENCE.md index 3ec71e538..0c486baa7 100644 --- a/REFERENCE.md +++ b/REFERENCE.md @@ -199,7 +199,7 @@ This is a destructive parameter and should be used with care. ##### `api_basic_auth_password` -Data type: `Optional[String]` +Data type: `Optional[Variant[String, Sensitive[String]]]` Defines the default REST basic auth password for API authentication. @@ -854,7 +854,7 @@ Default value: `'present'` ##### `api_basic_auth_password` -Data type: `Optional[String]` +Data type: `Optional[Variant[String, Sensitive[String]]]` HTTP basic auth password to use when communicating over the Elasticsearch API. @@ -1255,7 +1255,7 @@ Default value: `'present'` ##### `api_basic_auth_password` -Data type: `Optional[String]` +Data type: `Optional[Variant[String, Sensitive[String]]]` HTTP basic auth password to use when communicating over the Elasticsearch API. @@ -1510,7 +1510,7 @@ Default value: `{}` ##### `api_basic_auth_password` -Data type: `Optional[String]` +Data type: `Optional[Variant[String, Sensitive[String]]]` HTTP basic auth password to use when communicating over the Elasticsearch API. 
@@ -1976,7 +1976,7 @@ Default value: `'present'` ##### `api_basic_auth_password` -Data type: `Optional[String]` +Data type: `Optional[Variant[String, Sensitive[String]]]` HTTP basic auth password to use when communicating over the Elasticsearch API. @@ -2134,7 +2134,7 @@ Default value: `'present'` ##### `api_basic_auth_password` -Data type: `Optional[String]` +Data type: `Optional[Variant[String, Sensitive[String]]]` HTTP basic auth password to use when communicating over the Elasticsearch API. diff --git a/manifests/config.pp b/manifests/config.pp index 9aeb2cb10..070a63120 100644 --- a/manifests/config.pp +++ b/manifests/config.pp @@ -226,10 +226,14 @@ # Add secrets to keystore if $elasticsearch::secrets != undef { + # unwrap Secrets of Datatype Sensitive + $secrets = $elasticsearch::secrets.reduce({}) |Hash $memo, Array $value| { + $memo + { $value[0] => if $value[1] =~ Sensitive { $value[1].unwrap } else { $value[1] } } + } elasticsearch_keystore { 'elasticsearch_secrets': configdir => $elasticsearch::configdir, purge => $elasticsearch::purge_secrets, - settings => $elasticsearch::secrets, + settings => $secrets, notify => $elasticsearch::_notify_service, } } diff --git a/manifests/index.pp b/manifests/index.pp index 1d8b07e66..8eb1d3069 100644 --- a/manifests/index.pp +++ b/manifests/index.pp 
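Review bot: In manifests/config.pp the new `reduce` unwraps every Sensitive value and passes a plain hash to `settings`, so the keystore secrets enter the compiled catalog with no sensitive marking and can surface in change reports, debug output and stored catalogs. Puppet redacts a resource attribute only when its top-level value is Sensitive, so re-wrapping the merged hash would keep the redaction: `settings => Sensitive($secrets),`. Whether the `elasticsearch_keystore` type accepts that is not visible in this diff and should be confirmed against the type. The comment above `$secrets` could also give the reason for the unwrap, e.g. `# Sensitive values nested inside a Hash are not unwrapped by Puppet for the provider, so unwrap them here`.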
@@ -43,18 +43,24 @@ # @author Tyler Langlois # define elasticsearch::index ( - Enum['absent', 'present'] $ensure = 'present', - Optional[String] $api_basic_auth_password = $elasticsearch::api_basic_auth_password, - Optional[String] $api_basic_auth_username = $elasticsearch::api_basic_auth_username, - Optional[Stdlib::Absolutepath] $api_ca_file = $elasticsearch::api_ca_file, - Optional[Stdlib::Absolutepath] $api_ca_path = $elasticsearch::api_ca_path, - String $api_host = $elasticsearch::api_host, - Integer[0, 65535] $api_port = $elasticsearch::api_port, - Enum['http', 'https'] $api_protocol = $elasticsearch::api_protocol, - Integer $api_timeout = $elasticsearch::api_timeout, - Hash $settings = {}, - Boolean $validate_tls = $elasticsearch::validate_tls, + Enum['absent', 'present'] $ensure = 'present', + Optional[Variant[String, Sensitive[String]]] $api_basic_auth_password = $elasticsearch::api_basic_auth_password, + Optional[String] $api_basic_auth_username = $elasticsearch::api_basic_auth_username, + Optional[Stdlib::Absolutepath] $api_ca_file = $elasticsearch::api_ca_file, + Optional[Stdlib::Absolutepath] $api_ca_path = $elasticsearch::api_ca_path, + String $api_host = $elasticsearch::api_host, + Integer[0, 65535] $api_port = $elasticsearch::api_port, + Enum['http', 'https'] $api_protocol = $elasticsearch::api_protocol, + Integer $api_timeout = $elasticsearch::api_timeout, + Hash $settings = {}, + Boolean $validate_tls = $elasticsearch::validate_tls, ) { + $api_basic_auth_password_unsensitive = if $api_basic_auth_password =~ Sensitive { + $api_basic_auth_password.unwrap + } else { + $api_basic_auth_password + } + es_instance_conn_validator { "${name}-index-conn-validator": server => $api_host, port => $api_port, 
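Review bot: `$api_basic_auth_password_unsensitive` holds the unwrapped password as an ordinary String, so the `password` attribute set further down in manifests/index.pp is compiled into the catalog unmarked, and the benefit of accepting `Sensitive[String]` is lost at the point of use. Puppet itself unwraps a top-level Sensitive attribute for the provider and flags it for redaction, so passing the parameter through unchanged (`password => $api_basic_auth_password,`) would likely keep it out of logs and reports. The native type's handling is outside this diff and needs confirming. The same five-line unwrap block is repeated in manifests/license.pp, pipeline.pp, snapshot_repository.pp and template.pp, so the point applies there as well, and a single shared function would remove the duplication. The body of the define continues outside the hunk.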
@@ -68,7 +74,7 @@ port => $api_port, timeout => $api_timeout, username => $api_basic_auth_username, - password => $api_basic_auth_password, + password => $api_basic_auth_password_unsensitive, ca_file => $api_ca_file, ca_path => $api_ca_path, validate_tls => $validate_tls, diff --git a/manifests/init.pp b/manifests/init.pp index e97ad1217..cde73ce7e 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -349,7 +349,7 @@ # class elasticsearch ( Enum['absent', 'present'] $ensure, - Optional[String] $api_basic_auth_password, + Optional[Variant[String, Sensitive[String]]] $api_basic_auth_password, Optional[String] $api_basic_auth_username, Optional[String] $api_ca_file, Optional[String] $api_ca_path, diff --git a/manifests/license.pp b/manifests/license.pp index 866b85775..1a032447f 100644 --- a/manifests/license.pp +++ b/manifests/license.pp 
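Review bot: Widening `$api_basic_auth_password` on the `elasticsearch` class in manifests/init.pp means every reader of `$elasticsearch::api_basic_auth_password` can now receive a Sensitive value, yet the patch adds unwrap handling only in index.pp, license.pp, pipeline.pp, snapshot_repository.pp and template.pp. Any other manifest or template in the module that interpolates this variable would render the redaction placeholder instead of the password, and authentication would fail without a compile error; those consumers are not shown here and should be checked. The parameter's doc comment could also state the preferred form, e.g. `#   Pass a Sensitive[String] so the password is redacted from logs and reports.` The class's parameter list continues outside the hunk.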
@@ -42,18 +42,24 @@ # @author Tyler Langlois # class elasticsearch::license ( - Enum['absent', 'present'] $ensure = 'present', - Optional[String] $api_basic_auth_password = $elasticsearch::api_basic_auth_password, - Optional[String] $api_basic_auth_username = $elasticsearch::api_basic_auth_username, - Optional[Stdlib::Absolutepath] $api_ca_file = $elasticsearch::api_ca_file, - Optional[Stdlib::Absolutepath] $api_ca_path = $elasticsearch::api_ca_path, - String $api_host = $elasticsearch::api_host, - Integer[0, 65535] $api_port = $elasticsearch::api_port, - Enum['http', 'https'] $api_protocol = $elasticsearch::api_protocol, - Integer $api_timeout = $elasticsearch::api_timeout, - Variant[String, Hash] $content = $elasticsearch::license, - Boolean $validate_tls = $elasticsearch::validate_tls, + Enum['absent', 'present'] $ensure = 'present', + Optional[Variant[String, Sensitive[String]]] $api_basic_auth_password = $elasticsearch::api_basic_auth_password, + Optional[String] $api_basic_auth_username = $elasticsearch::api_basic_auth_username, + Optional[Stdlib::Absolutepath] $api_ca_file = $elasticsearch::api_ca_file, + Optional[Stdlib::Absolutepath] $api_ca_path = $elasticsearch::api_ca_path, + String $api_host = $elasticsearch::api_host, + Integer[0, 65535] $api_port = $elasticsearch::api_port, + Enum['http', 'https'] $api_protocol = $elasticsearch::api_protocol, + Integer $api_timeout = $elasticsearch::api_timeout, + Variant[String, Hash] $content = $elasticsearch::license, + Boolean $validate_tls = $elasticsearch::validate_tls, ) { + $api_basic_auth_password_unsensitive = if $api_basic_auth_password =~ Sensitive { + $api_basic_auth_password.unwrap + } else { + $api_basic_auth_password + } + if $content =~ String { $_content = parsejson($content) } else { 
@@ -80,7 +86,7 @@ port => $api_port, timeout => $api_timeout, username => $api_basic_auth_username, - password => $api_basic_auth_password, + password => $api_basic_auth_password_unsensitive, ca_file => $api_ca_file, ca_path => $api_ca_path, validate_tls => $validate_tls, diff --git a/manifests/pipeline.pp b/manifests/pipeline.pp index 64a3c72c7..655e003ea 100644 --- a/manifests/pipeline.pp +++ b/manifests/pipeline.pp 
@@ -45,18 +45,24 @@ # @author Tyler Langlois # define elasticsearch::pipeline ( - Enum['absent', 'present'] $ensure = 'present', - Optional[String] $api_basic_auth_password = $elasticsearch::api_basic_auth_password, - Optional[String] $api_basic_auth_username = $elasticsearch::api_basic_auth_username, - Optional[Stdlib::Absolutepath] $api_ca_file = $elasticsearch::api_ca_file, - Optional[Stdlib::Absolutepath] $api_ca_path = $elasticsearch::api_ca_path, - String $api_host = $elasticsearch::api_host, - Integer[0, 65535] $api_port = $elasticsearch::api_port, - Enum['http', 'https'] $api_protocol = $elasticsearch::api_protocol, - Integer $api_timeout = $elasticsearch::api_timeout, - Hash $content = {}, - Boolean $validate_tls = $elasticsearch::validate_tls, + Enum['absent', 'present'] $ensure = 'present', + Optional[Variant[String, Sensitive[String]]] $api_basic_auth_password = $elasticsearch::api_basic_auth_password, + Optional[String] $api_basic_auth_username = $elasticsearch::api_basic_auth_username, + Optional[Stdlib::Absolutepath] $api_ca_file = $elasticsearch::api_ca_file, + Optional[Stdlib::Absolutepath] $api_ca_path = $elasticsearch::api_ca_path, + String $api_host = $elasticsearch::api_host, + Integer[0, 65535] $api_port = $elasticsearch::api_port, + Enum['http', 'https'] $api_protocol = $elasticsearch::api_protocol, + Integer $api_timeout = $elasticsearch::api_timeout, + Hash $content = {}, + Boolean $validate_tls = $elasticsearch::validate_tls, ) { + $api_basic_auth_password_unsensitive = if $api_basic_auth_password =~ Sensitive { + $api_basic_auth_password.unwrap + } else { + $api_basic_auth_password + } + es_instance_conn_validator { "${name}-ingest-pipeline": server => $api_host, port => $api_port, 
@@ -70,7 +76,7 @@ port => $api_port, timeout => $api_timeout, username => $api_basic_auth_username, - password => $api_basic_auth_password, + password => $api_basic_auth_password_unsensitive, ca_file => $api_ca_file, ca_path => $api_ca_path, validate_tls => $validate_tls, diff --git a/manifests/snapshot_repository.pp b/manifests/snapshot_repository.pp index cf0e2e0a8..a246a7cc9 100644 --- a/manifests/snapshot_repository.pp +++ b/manifests/snapshot_repository.pp 
@@ -60,23 +60,29 @@ # @author Tyler Langlois # define elasticsearch::snapshot_repository ( - String $location, - Enum['absent', 'present'] $ensure = 'present', - Optional[String] $api_basic_auth_password = $elasticsearch::api_basic_auth_password, - Optional[String] $api_basic_auth_username = $elasticsearch::api_basic_auth_username, - Optional[Stdlib::Absolutepath] $api_ca_file = $elasticsearch::api_ca_file, - Optional[Stdlib::Absolutepath] $api_ca_path = $elasticsearch::api_ca_path, - String $api_host = $elasticsearch::api_host, - Integer[0, 65535] $api_port = $elasticsearch::api_port, - Enum['http', 'https'] $api_protocol = $elasticsearch::api_protocol, - Integer $api_timeout = $elasticsearch::api_timeout, - Boolean $compress = true, - Optional[String] $chunk_size = undef, - Optional[String] $max_restore_rate = undef, - Optional[String] $max_snapshot_rate = undef, - Optional[String] $repository_type = undef, - Boolean $validate_tls = $elasticsearch::validate_tls, + String $location, + Enum['absent', 'present'] $ensure = 'present', + Optional[Variant[String, Sensitive[String]]] $api_basic_auth_password = $elasticsearch::api_basic_auth_password, + Optional[String] $api_basic_auth_username = $elasticsearch::api_basic_auth_username, + Optional[Stdlib::Absolutepath] $api_ca_file = $elasticsearch::api_ca_file, + Optional[Stdlib::Absolutepath] $api_ca_path = $elasticsearch::api_ca_path, + String $api_host = $elasticsearch::api_host, + Integer[0, 65535] $api_port = $elasticsearch::api_port, + Enum['http', 'https'] $api_protocol = $elasticsearch::api_protocol, + Integer $api_timeout = $elasticsearch::api_timeout, + Boolean $compress = true, + Optional[String] $chunk_size = undef, + Optional[String] $max_restore_rate = undef, + Optional[String] $max_snapshot_rate = undef, + Optional[String] $repository_type = undef, + Boolean $validate_tls = $elasticsearch::validate_tls, ) { + $api_basic_auth_password_unsensitive = if $api_basic_auth_password =~ Sensitive { + 
$api_basic_auth_password.unwrap + } else { + $api_basic_auth_password + } + es_instance_conn_validator { "${name}-snapshot": server => $api_host, port => $api_port, @@ -95,7 +101,7 @@ port => $api_port, timeout => $api_timeout, username => $api_basic_auth_username, - password => $api_basic_auth_password, + password => $api_basic_auth_password_unsensitive, ca_file => $api_ca_file, ca_path => $api_ca_path, validate_tls => $validate_tls, diff --git a/manifests/template.pp b/manifests/template.pp index 3f1e07232..ef615c685 100644 --- a/manifests/template.pp +++ b/manifests/template.pp 
@@ -53,19 +53,25 @@ # @author Tyler Langlois # define elasticsearch::template ( - Enum['absent', 'present'] $ensure = 'present', - Optional[String] $api_basic_auth_password = $elasticsearch::api_basic_auth_password, - Optional[String] $api_basic_auth_username = $elasticsearch::api_basic_auth_username, - Optional[Stdlib::Absolutepath] $api_ca_file = $elasticsearch::api_ca_file, - Optional[Stdlib::Absolutepath] $api_ca_path = $elasticsearch::api_ca_path, - String $api_host = $elasticsearch::api_host, - Integer[0, 65535] $api_port = $elasticsearch::api_port, - Enum['http', 'https'] $api_protocol = $elasticsearch::api_protocol, - Integer $api_timeout = $elasticsearch::api_timeout, - Optional[Variant[String, Hash]] $content = undef, - Optional[String] $source = undef, - Boolean $validate_tls = $elasticsearch::validate_tls, + Enum['absent', 'present'] $ensure = 'present', + Optional[Variant[String, Sensitive[String]]] $api_basic_auth_password = $elasticsearch::api_basic_auth_password, + Optional[String] $api_basic_auth_username = $elasticsearch::api_basic_auth_username, + Optional[Stdlib::Absolutepath] $api_ca_file = $elasticsearch::api_ca_file, + Optional[Stdlib::Absolutepath] $api_ca_path = $elasticsearch::api_ca_path, + String $api_host = $elasticsearch::api_host, + Integer[0, 65535] $api_port = $elasticsearch::api_port, + Enum['http', 'https'] $api_protocol = $elasticsearch::api_protocol, + Integer $api_timeout = $elasticsearch::api_timeout, + Optional[Variant[String, Hash]] $content = undef, + Optional[String] $source = undef, + Boolean $validate_tls = $elasticsearch::validate_tls, ) { + $api_basic_auth_password_unsensitive = if $api_basic_auth_password =~ Sensitive { + $api_basic_auth_password.unwrap + } else { + $api_basic_auth_password + } + if $content =~ String { $_content = parsejson($content) } else { 
@@ -92,7 +98,7 @@ port => $api_port, timeout => $api_timeout, username => $api_basic_auth_username, - password => $api_basic_auth_password, + password => $api_basic_auth_password_unsensitive, ca_file => $api_ca_file, ca_path => $api_ca_path, validate_tls => $validate_tls,