Do not reveal sensitive Data

"auth_option" may contain sensitive Data, f.e. LDAP-Password. So let auth_option accept Puppet-Type Sensitive. The consuming EPP is able to handle sensitive Data natively, and will return the rendered Template as Sensitive[String] then, which the Resource "file" also is able to handle.
puppetlabs · Jun 13, 2024 · 6ce2cb1 · 6ce2cb1
1 parent 880a6f7
commit 6ce2cb1
Show file tree

Hide file tree

Showing 6 changed files with 31 additions and 6 deletions.
diff --git a/REFERENCE.md b/REFERENCE.md
@@ -3319,7 +3319,7 @@ Default value: `'none'`
 
 ##### <a name="-postgresql--server--pg_hba_rule--auth_option"></a>`auth_option`
 
-Data type: `Optional[String]`
+Data type: `Optional[Variant[Sensitive[String], String]]`
 
 For certain auth_method settings there are extra options that can be passed. Consult the PostgreSQL pg_hba.conf documentation for
 further details.
@@ -4844,7 +4844,7 @@ Struct[{
     user                         => String,
     Optional[address]            => Optional[Postgresql::Pg_hba_rule_address],
     auth_method                  => String,
-    Optional[auth_option]        => Optional[String],
+    Optional[auth_option]        => Optional[Variant[Sensitive[String], String]],
     Optional[order]              => Variant[String,Integer],
     Optional[target]             => Stdlib::Absolutepath,
     Optional[postgresql_version] => String,

diff --git a/manifests/server/instance/service.pp b/manifests/server/instance/service.pp
@@ -59,7 +59,8 @@
         require          => Service["postgresqld_instance_${name}"],
         before           => Anchor["postgresql::server::service::end::${name}"],
       }
-      Postgresql::Server::Database <| title == $default_database |> -> Postgresql_conn_validator["validate_service_is_running_instance_${name}"]
+      Postgresql::Server::Database <| title == $default_database |>
+      -> Postgresql_conn_validator["validate_service_is_running_instance_${name}"]
     }
   }
 

diff --git a/manifests/server/pg_hba_rule.pp b/manifests/server/pg_hba_rule.pp
@@ -30,7 +30,7 @@
   String[1] $auth_method,
   Optional[Postgresql::Pg_hba_rule_address] $address = undef,
   String[1] $description          = 'none',
-  Optional[String] $auth_option   = undef,
+  Optional[Variant[Sensitive[String], String]] $auth_option = undef,
   Variant[String, Integer] $order = 150,
   Stdlib::Absolutepath $target  = $postgresql::server::pg_hba_conf_path,
   String $postgresql_version    = $postgresql::server::_version

diff --git a/spec/defines/server/pg_hba_rule_spec.rb b/spec/defines/server/pg_hba_rule_spec.rb
@@ -80,6 +80,30 @@ class { 'postgresql::server': }
     end
   end
 
+  context 'test template 3 with sensitive Data' do
+    let :pre_condition do
+      <<-MANIFEST
+        class { 'postgresql::server': }
+      MANIFEST
+    end
+
+    let :params do
+      {
+        type: 'host',
+        database: 'all',
+        user: 'all',
+        address: '0.0.0.0/0',
+        auth_method: 'ldap',
+        auth_option: sensitive('foo=bar'),
+        target: target
+      }
+    end
+
+    it do
+      expect(subject).to contain_concat__fragment('pg_hba_rule_test').with(content: sensitive(%r{host\s+all\s+all\s+0\.0\.0\.0/0\s+ldap\s+foo=bar}))
+    end
+  end
+
   context 'validation' do
     context 'validate supported auth_method' do
       let :pre_condition do

diff --git a/templates/pg_hba_rule.conf.epp b/templates/pg_hba_rule.conf.epp
@@ -7,7 +7,7 @@
   String[1]                                 $user,
   Optional[Postgresql::Pg_hba_rule_address] $address,
   String[1]                                 $auth_method,
-  Optional[String]                          $auth_option,
+  Optional[Variant[Sensitive[String], String]] $auth_option,
 | -%>
 # Rule Name: <%= $name %>
 # Description: <%= $description %>

diff --git a/types/pg_hba_rule.pp b/types/pg_hba_rule.pp
@@ -7,7 +7,7 @@
     user                         => String,
     Optional[address]            => Optional[Postgresql::Pg_hba_rule_address],
     auth_method                  => String,
-    Optional[auth_option]        => Optional[String],
+    Optional[auth_option]        => Optional[Variant[Sensitive[String], String]],
     Optional[order]              => Variant[String,Integer],
     Optional[target]             => Stdlib::Absolutepath,
     Optional[postgresql_version] => String,