Use Puppet-Datatype Sensitive

- use Puppet-Datatype Sensitive for Users-Array, as it contains Secrets - use EPP instead of ERB, as it is able to handle Sensitive Data
cocker-cc · Jun 23, 2021 · 4287df8 · 4287df8
1 parent 1d2065a
commit 4287df8
Show file tree

Hide file tree

Showing 4 changed files with 45 additions and 21 deletions.
diff --git a/manifests/userlist.pp b/manifests/userlist.pp
@@ -25,7 +25,7 @@
 #   Optional. Path of the config file where this entry will be added.
 #   Assumes that the parent directory exists.
 #   Default: $haproxy::params::config_file
-# 
+#
 # @param instance
 #   Optional. Defaults to 'haproxy'
 #
@@ -34,15 +34,26 @@
 # Jeremy Kitchen <[email protected]>
 #
 define haproxy::userlist (
-  $users = undef,
-  $groups = undef,
-  String $instance = 'haproxy',
-  String $section_name = $name,
-  Optional[Stdlib::Absolutepath] $config_file = undef,
+  Optional[Array[Variant[String, Sensitive[String]]]] $users        = undef,
+  Optional[Array[String]]                             $groups       = undef,
+  String                                              $instance     = 'haproxy',
+  String                                              $section_name = $name,
+  Optional[Stdlib::Absolutepath]                      $config_file  = undef,
 ) {
 
   include ::haproxy::params
 
+  $content = epp(
+    'haproxy/haproxy_userlist_block.epp',
+    {
+      epp_users        => $users,
+      epp_groups       => $groups,
+      epp_section_name => $section_name,
+    },
+  )
+  # we have to unwrap here, as "concat" cannot handle Sensitive Data
+  $_content = if $content =~ Sensitive { $content.unwrap } else { $content }
+
   if $instance == 'haproxy' {
     $instance_name = 'haproxy'
     $_config_file = pick($config_file, $haproxy::config_file)
@@ -51,10 +62,9 @@
     $_config_file = pick($config_file, inline_template($haproxy::params::config_file_tmpl))
   }
 
-  # Template uses $section_name, $users, $groups
   concat::fragment { "${instance_name}-${section_name}_userlist_block":
     order   => "12-${section_name}-00",
     target  => $_config_file,
-    content => template('haproxy/haproxy_userlist_block.erb'),
+    content => $_content,
   }
 }
diff --git a/spec/defines/userlist_spec.rb b/spec/defines/userlist_spec.rb
@@ -19,7 +19,7 @@
         name: 'admins',
         users: [
           'scott insecure-password elgato',
-          'kitchen insecure-password foobar',
+          sensitive('kitchen insecure-password foobar'),
         ],
         groups: [
           'superadmins users kitchen scott',

diff --git a/templates/haproxy_userlist_block.epp b/templates/haproxy_userlist_block.epp
@@ -0,0 +1,26 @@
+<%- |
+  Optional[Array[Variant[String, Sensitive[String]]]] $epp_users,
+  Optional[Array[String]]                             $epp_groups,
+  String                                              $epp_section_name,
+| -%>
+
+userlist <%= $epp_section_name %>
+<%-
+  $epp_groups.each |String $group| {
+    unless $group.empty {
+-%>
+  group <%= $group %>
+<%-
+    }
+  }
+  $epp_users.each |Variant[String, Sensitive[String]] $user| {
+    # TODO: remove this Workaround, as soon as Function empty() can handle
+    # Sensitive (Pullrequest pending)
+    $user_unsensitive = if $user =~ Sensitive { $user.unwrap } else { $user }
+    unless $user_unsensitive.empty {
+-%>
+  user <%= $user_unsensitive %>
+<%-
+    }
+  }
+-%>
diff --git a/templates/haproxy_userlist_block.erb b/templates/haproxy_userlist_block.erb