From 3750d232761d4ec0e84323d698b05b6aba3ad352 Mon Sep 17 00:00:00 2001
From: David Swan
Date: Fri, 10 Sep 2021 09:01:39 +0100
Subject: [PATCH 1/2] (MODULES-5472) Login values can now be passed as sensitive strings

admin_user, admin_pass and password can now be passed as sensitive strings in order to prevent them from being leaked within the logs.
---
 manifests/config.pp | 6 ++++--
 manifests/login.pp | 3 ++-
 2 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/manifests/config.pp b/manifests/config.pp
index 64d20008..3cd7c1f6 100644
--- a/manifests/config.pp
+++ b/manifests/config.pp
@@ -6,8 +6,10 @@
 # The instance name you want to manage. Defaults to the $title when not defined explicitly.
 # @param admin_user
 # Only required for SQL_LOGIN type. A user/login who has sysadmin rights on the server
+# Can be passed as a sensitive value
 # @param admin_pass
 # Only required for SQL_LOGIN type. The password in order to access the server to be managed.
+# Can be passed as a sensitive value
 # @param admin_login_type
 # The type of account use to configure the server. Valid values are SQL_LOGIN and WINDOWS_LOGIN, with a default of SQL_LOGIN
 # The SQL_LOGIN requires the admin_user and admin_pass to be set
@@ -20,8 +22,8 @@
 # }
 #
 define sqlserver::config (
- Optional[String] $admin_user = '',
- Optional[String] $admin_pass = '',
+ Optional[Variant[Sensitive[String], String]] $admin_user = '',
+ Optional[Variant[Sensitive[String], String]] $admin_pass = '',
 Enum['SQL_LOGIN', 'WINDOWS_LOGIN'] $admin_login_type = 'SQL_LOGIN',
 String[1,16] $instance_name = $title,
 ) {
diff --git a/manifests/login.pp b/manifests/login.pp
index 2a6089ff..cf7bd3d3 100644
--- a/manifests/login.pp
+++ b/manifests/login.pp
@@ -17,6 +17,7 @@
 #
 # @param password
 # Plain text password. Only applicable when Login_Type = 'SQL_LOGIN'.
+# Can be passed through as a sensitive value.
 #
 # @param svrroles
 # A hash of preinstalled server roles that you want assigned to this login.
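Review bot: The `Optional[Variant[Sensitive[String], String]]` types on `$admin_user` and `$admin_pass` in the `sqlserver::config` parameter list only widen what the define accepts; the body of the define is outside this hunk, so it is not visible whether the values are unwrapped where they are consumed and the result wrapped again. If the body interpolates `$admin_pass` into a string or template, a Sensitive value would presumably need `.unwrap` at that point and the rendered content passed on as `Sensitive(...)`, otherwise the redaction is lost exactly where the credential is written out. The same question applies to `$password` in the `manifests/login.pp` parameter hunk. Because a plain `String` is still accepted, the doc comment could state the recommendation directly, e.g. `#   Pass as Sensitive to keep the value out of logs and reports; a plain String is still accepted.`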
@@ -55,7 +56,7 @@
 String[1,16] $instance = 'MSSQLSERVER',
 Enum['SQL_LOGIN', 'WINDOWS_LOGIN'] $login_type = 'SQL_LOGIN',
 Enum['present', 'absent'] $ensure = 'present',
- Optional[String] $password = undef,
+ Optional[Variant[Sensitive[String], String]] $password = undef,
 Optional[Hash] $svrroles = { },
 String $default_database = 'master',
 String $default_language = 'us_english',
From 6334ef29e1a0657d24b97a10a78f6851dc4f7d21 Mon Sep 17 00:00:00 2001
From: David Swan
Date: Tue, 14 Sep 2021 12:54:57 +0100
Subject: [PATCH 2/2] (maint) - test implementation

Have updated several test's throughout the codebase to use the new sensitive value for admin_user, admin_pass and password as proof of concept.
---
 spec/acceptance/sqlserver_config_spec.rb | 8 ++++----
 spec/acceptance/sqlserver_database_spec.rb | 8 ++++----
 spec/acceptance/sqlserver_login_spec.rb | 6 +++---
 3 files changed, 11 insertions(+), 11 deletions(-)

diff --git a/spec/acceptance/sqlserver_config_spec.rb b/spec/acceptance/sqlserver_config_spec.rb
index 9e9b848a..df42f495 100644
--- a/spec/acceptance/sqlserver_config_spec.rb
+++ b/spec/acceptance/sqlserver_config_spec.rb
@@ -48,14 +48,14 @@ def ensure_sqlserver_instance(inst_name, ensure_val = 'present')
 pp = <<-MANIFEST
 sqlserver::config{'#{inst_name}':
 instance_name => '#{inst_name}',
- admin_user => 'sa',
+ admin_user => Sensitive('sa'),
 admin_pass => 'Pupp3t1@',
 }
 sqlserver::login{'#{@admin_user}':
 instance => '#{inst_name}',
 login_type => 'SQL_LOGIN',
 login => '#{@admin_user}',
- password => '#{@admin_pass}',
+ password => Sensitive('#{@admin_pass}'),
 svrroles => {'sysadmin' => 1},
 }
 MANIFEST
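Review bot: In the `ensure_sqlserver_instance` manifest of `sqlserver_config_spec.rb` the username is wrapped but the password is not: `admin_pass => 'Pupp3t1@',` remains a plain string on a context line while `admin_user` becomes `Sensitive('sa')`. The password is the value this change is meant to protect, so this path never exercises a Sensitive `admin_pass`; the line should read `admin_pass => Sensitive('Pupp3t1@'),` as the later hunks do. The method starts and continues outside the hunk.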
@@ -65,8 +65,8 @@ def ensure_sqlserver_instance(inst_name, ensure_val = 'present')
 it 'Validate New Config WITH using instance_name in sqlserver::config' do
 pp = <<-MANIFEST
 sqlserver::config{'#{inst_name}':
- admin_user => '#{@admin_user}',
- admin_pass => '#{@admin_pass}',
+ admin_user => Sensitive('#{@admin_user}'),
+ admin_pass => Sensitive('#{@admin_pass}'),
 instance_name => '#{inst_name}',
 }
 sqlserver::database{'#{db_name}':
diff --git a/spec/acceptance/sqlserver_database_spec.rb b/spec/acceptance/sqlserver_database_spec.rb
index 5e6242af..9de86d9f 100644
--- a/spec/acceptance/sqlserver_database_spec.rb
+++ b/spec/acceptance/sqlserver_database_spec.rb
@@ -24,8 +24,8 @@ def run_sql_query_opts(query, expected_row_count)
 # delete created database:
 pp = <<-MANIFEST
 sqlserver::config{'MSSQLSERVER':
- admin_user => 'sa',
- admin_pass => 'Pupp3t1@',
+ admin_user => Sensitive('sa'),
+ admin_pass => Sensitive('Pupp3t1@'),
 }
 sqlserver::database{'#{@db_name}':
 ensure => 'absent',
@@ -40,8 +40,8 @@ def run_sql_query_opts(query, expected_row_count)
 it 'Test Case C89019: Create a database' do
 pp = <<-MANIFEST
 sqlserver::config{'MSSQLSERVER':
- admin_user => 'sa',
- admin_pass => 'Pupp3t1@',
+ admin_user => Sensitive('sa'),
+ admin_pass => Sensitive('Pupp3t1@'),
 }
 sqlserver::database{'#{@db_name}':
 }
diff --git a/spec/acceptance/sqlserver_login_spec.rb b/spec/acceptance/sqlserver_login_spec.rb
index e91fe32f..b0682aa5 100644
--- a/spec/acceptance/sqlserver_login_spec.rb
+++ b/spec/acceptance/sqlserver_login_spec.rb
@@ -89,8 +89,8 @@ def create_login_manifest(testcase, login_name, login_password, options = {})
 # Create a database, a simple table and windows accounts fixtures
 pp = <<-MANIFEST
 sqlserver::config{'MSSQLSERVER':
- admin_user => 'sa',
- admin_pass => 'Pupp3t1@',
+ admin_user => Sensitive('sa'),
+ admin_pass => Sensitive('Pupp3t1@'),
 }
 sqlserver::database{'#{db_name}':
 }
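Review bot: Nothing visible in these spec hunks asserts that the wrapped values stay out of the output of the Puppet run; the hunks only change the manifest inputs. The `it 'Validate New Config WITH using instance_name in sqlserver::config'` block continues outside the hunk, so such a check may already exist there, but if it does not, an expectation that the apply output does not contain the password would turn this proof of concept into a regression test for the leak the first patch describes. The same applies to the `sqlserver_database_spec.rb` and `sqlserver_login_spec.rb` hunks. A short comment above each manifest, e.g. `# credentials are wrapped in Sensitive so they are redacted in logs and reports`, would also record why the values are wrapped.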
@@ -102,7 +102,7 @@ def create_login_manifest(testcase, login_name, login_password, options = {}) } user {'#{@windows_user}': - password => '#{@login_passwd}', + password => Sensitive('#{@login_passwd}'), ensure => 'present', } group {'#{@windows_group}':