Merge pull request #393 from david22swan/MODULES-5472/main/sensitive_passwords

adrianiurca · web-flow · commit 76a235f3f8a9 · 2021-09-23T12:03:10.000+03:00
(MODULES-5472) Login values can now be passed as sensitive strings
diff --git a/manifests/config.pp b/manifests/config.pp
@@ -6,8 +6,10 @@
 #   The instance name you want to manage.  Defaults to the $title when not defined explicitly.
 # @param admin_user
 #   Only required for SQL_LOGIN type. A user/login who has sysadmin rights on the server
+#   Can be passed as a sensitive value
 # @param admin_pass
 #   Only required for SQL_LOGIN type. The password in order to access the server to be managed.
+#   Can be passed as a sensitive value
 # @param admin_login_type
 #   The type of account use to configure the server.  Valid values are SQL_LOGIN and WINDOWS_LOGIN, with a default of SQL_LOGIN
 #   The SQL_LOGIN requires the admin_user and admin_pass to be set
@@ -20,8 +22,8 @@
 #   }
 #
 define sqlserver::config (
-  Optional[String] $admin_user = '',
-  Optional[String] $admin_pass = '',
+  Optional[Variant[Sensitive[String], String]] $admin_user = '',
+  Optional[Variant[Sensitive[String], String]] $admin_pass = '',
   Enum['SQL_LOGIN', 'WINDOWS_LOGIN'] $admin_login_type = 'SQL_LOGIN',
   String[1,16] $instance_name = $title,
 ) {
diff --git a/manifests/login.pp b/manifests/login.pp
@@ -17,6 +17,7 @@
 #
 # @param password
 #   Plain text password. Only applicable when Login_Type = 'SQL_LOGIN'.
+#   Can be passed through as a sensitive value.
 #
 # @param svrroles
 #   A hash of preinstalled server roles that you want assigned to this login.
@@ -55,7 +56,7 @@
   String[1,16] $instance = 'MSSQLSERVER',
   Enum['SQL_LOGIN', 'WINDOWS_LOGIN'] $login_type = 'SQL_LOGIN',
   Enum['present', 'absent'] $ensure = 'present',
-  Optional[String] $password = undef,
+  Optional[Variant[Sensitive[String], String]] $password = undef,
   Optional[Hash] $svrroles = { },
   String $default_database = 'master',
   String $default_language = 'us_english',
diff --git a/spec/acceptance/sqlserver_config_spec.rb b/spec/acceptance/sqlserver_config_spec.rb
@@ -48,14 +48,14 @@ def ensure_sqlserver_instance(inst_name, ensure_val = 'present')
       pp = <<-MANIFEST
       sqlserver::config{'#{inst_name}':
         instance_name => '#{inst_name}',
-        admin_user    => 'sa',
+        admin_user    => Sensitive('sa'),
         admin_pass    => 'Pupp3t1@',
       }
       sqlserver::login{'#{@admin_user}':
         instance    => '#{inst_name}',
         login_type  => 'SQL_LOGIN',
         login       => '#{@admin_user}',
-        password    => '#{@admin_pass}',
+        password    => Sensitive('#{@admin_pass}'),
         svrroles    => {'sysadmin' => 1},
       }
       MANIFEST
@@ -65,8 +65,8 @@ def ensure_sqlserver_instance(inst_name, ensure_val = 'present')
     it 'Validate New Config WITH using instance_name in sqlserver::config' do
       pp = <<-MANIFEST
       sqlserver::config{'#{inst_name}':
-        admin_user    => '#{@admin_user}',
-        admin_pass    => '#{@admin_pass}',
+        admin_user    => Sensitive('#{@admin_user}'),
+        admin_pass    => Sensitive('#{@admin_pass}'),
         instance_name => '#{inst_name}',
       }
       sqlserver::database{'#{db_name}':
diff --git a/spec/acceptance/sqlserver_database_spec.rb b/spec/acceptance/sqlserver_database_spec.rb
@@ -24,8 +24,8 @@ def run_sql_query_opts(query, expected_row_count)
       # delete created database:
       pp = <<-MANIFEST
         sqlserver::config{'MSSQLSERVER':
-          admin_user    => 'sa',
-          admin_pass    => 'Pupp3t1@',
+          admin_user    => Sensitive('sa'),
+          admin_pass    => Sensitive('Pupp3t1@'),
         }
         sqlserver::database{'#{@db_name}':
           ensure  => 'absent',
@@ -40,8 +40,8 @@ def run_sql_query_opts(query, expected_row_count)
     it 'Test Case C89019: Create a database' do
       pp = <<-MANIFEST
         sqlserver::config{'MSSQLSERVER':
-          admin_user    => 'sa',
-          admin_pass    => 'Pupp3t1@',
+          admin_user    => Sensitive('sa'),
+          admin_pass    => Sensitive('Pupp3t1@'),
         }
         sqlserver::database{'#{@db_name}':
         }
diff --git a/spec/acceptance/sqlserver_login_spec.rb b/spec/acceptance/sqlserver_login_spec.rb
@@ -89,8 +89,8 @@ def create_login_manifest(testcase, login_name, login_password, options = {})
     # Create a database, a simple table and windows accounts fixtures
     pp = <<-MANIFEST
       sqlserver::config{'MSSQLSERVER':
-        admin_user    => 'sa',
-        admin_pass    => 'Pupp3t1@',
+        admin_user    => Sensitive('sa'),
+        admin_pass    => Sensitive('Pupp3t1@'),
       }
       sqlserver::database{'#{db_name}':
       }
@@ -102,7 +102,7 @@ def create_login_manifest(testcase, login_name, login_password, options = {})
       }
 
       user {'#{@windows_user}':
-        password => '#{@login_passwd}',
+        password => Sensitive('#{@login_passwd}'),
         ensure   => 'present',
       }
       group {'#{@windows_group}':

Original file line number	Diff line number	Diff line change
`@@ -89,8 +89,8 @@ def create_login_manifest(testcase, login_name, login_password, options = {})`
`89`	`89`	`# Create a database, a simple table and windows accounts fixtures`
`90`	`90`	`pp = <<-MANIFEST`
`91`	`91`	`sqlserver::config{'MSSQLSERVER':`
`92`		`- admin_user => 'sa',`
`93`		`- admin_pass => 'Pupp3t1@',`
	`92`	`+ admin_user => Sensitive('sa'),`
	`93`	`+ admin_pass => Sensitive('Pupp3t1@'),`
`94`	`94`	`}`
`95`	`95`	`sqlserver::database{'#{db_name}':`
`96`	`96`	`}`
`@@ -102,7 +102,7 @@ def create_login_manifest(testcase, login_name, login_password, options = {})`
`102`	`102`	`}`
`103`	`103`
`104`	`104`	`user {'#{@windows_user}':`
`105`		`- password => '#{@login_passwd}',`
	`105`	`+ password => Sensitive('#{@login_passwd}'),`
`106`	`106`	`ensure => 'present',`
`107`	`107`	`}`
`108`	`108`	`group {'#{@windows_group}':`