Merge pull request #36 from nwops/sensitive_type

Sensitive type

.sync.yml

@@ -5,3 +5,10 @@ Gemfile:
   required:
     ':development':
       - gem: autosign
+spec/default_facts.yml:
+  extra_facts:
+    pe_server_version: null
+    pe_logpath: null
+    pe_journalpath: null
+    pe_configpath: null
+    pe_build: null    

README.md

@@ -145,7 +145,8 @@ Users wishing to generate tokens this way should run the task against the Puppet
 
 `manage_logfile`: Weather or not to manage the logfile
 
-`config`: Hash of config to use.
+`config`: Hash of config to use.  This can optionally be a Sensitive type as well but you must wrap the entire hash in Sensitive.  `Sensitive.new({config goes here})`.  The config will by default always be
+redacted even if not passing in Sensitive value. 
 
 
 ## Development

manifests/config.pp

@@ -7,13 +7,24 @@
       /(absent|purged)/ => 'absent',
       default           => 'file',
   }
+  # due to maintaining backwards compatability 
+  # we need to conditionally unwrap the sensitive value
+  # before we goto merge it with another hash.
+  if $::autosign::config =~ Sensitive {
+    $unwrapped_config = $::autosign::config.unwrap
+  } else {
+    $unwrapped_config = $::autosign::config
+  }
+  # merge the two unwrapped values together
+  $settings = deep_merge($::autosign::params::config.unwrap, $unwrapped_config)
 
-  $settings = deep_merge($::autosign::params::config, $::autosign::config)
+  $sensitive_config = Sensitive(epp('autosign/autosign.conf.epp', {settings => $settings}))
 
+  # Ensure we set the value to Sensitive so the secrets don't get revealed
   file {$::autosign::configfile:
     ensure  => $config_ensure,
     mode    => '0640',
-    content => template('autosign/autosign.conf.erb'),
+    content => $sensitive_config,
     owner   => $::autosign::user,
     group   => $::autosign::group,
   }

manifests/init.pp

@@ -53,7 +53,7 @@
   Boolean              $manage_journalfile = $::autosign::params::manage_journalfile,
   Boolean              $manage_logfile     = $::autosign::params::manage_logfile,
   Boolean              $manage_package     = $::autosign::params::manage_package,
-  Hash                 $config             = {},
+  Variant[Sensitive[Hash], Hash] $config   = {},
 ) inherits ::autosign::params {
   contain ::autosign::install
   contain ::autosign::config

manifests/params.pp

@@ -53,7 +53,7 @@
   $manage_journalfile = true
   $manage_logfile     = true
   $manage_package     = true
-  $config             = {
+  $config             = Sensitive.new({
     'general'   => {
       'loglevel' => 'INFO',
       'logfile'  => "${logpath}/autosign.log",
@@ -67,6 +67,6 @@
       # correctly, all the more reason to override it.
       'secret'      => fqdn_rand_string(30),
     },
-  }
+  })
 
 }

metadata.json

@@ -40,7 +40,7 @@
   "requirements": [
     {
       "name": "puppet",
-      "version_requirement": ">= 4.0.0 < 7.0.0"
+      "version_requirement": ">= 4.6.0 < 7.0.0"
     }
   ],
   "template-url": "file:///opt/puppetlabs/pdk/share/cache/pdk-templates.git",

spec/default_facts.yml

@@ -2,7 +2,12 @@
 #
 # Facts specified here will override the values provided by rspec-puppet-facts.
 ---
-concat_basedir: "/tmp"
+pe_server_version: null
+pe_logpath: null
+pe_journalpath: null
+pe_configpath: null
+pe_build: null
 ipaddress: "172.16.254.254"
+ipaddress6: "FE80:0000:0000:0000:AAAA:AAAA:AAAA"
 is_pe: false
 macaddress: "AA:AA:AA:AA:AA:AA"

templates/autosign.conf.erb → templates/autosign.conf.epp

@@ -1,5 +1,6 @@
+<%- | 
+Hash $settings
+| -%>
 # autosign configuration is managed by Puppet
 # manual modifications to this file will be overrwitten
-<% require 'yaml' -%>
-<%= @settings.to_yaml %>
-
+<%= $settings.to_yaml %>