
Commit 24d44fe

authored
Merge pull request #148 from deric/sensitive
Support Sensitive strings
2 parents 97f9e11 + 86b9126 commit 24d44fe


11 files changed

+132
-25
lines changed


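--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -27,6 +27,7 @@ jobs:
 with:
 ruby-version: ${{ matrix.ruby }}
 bundler-cache: true
+rubygems: 3.2.3
 
 - name: Rubocop
 run: bundle exec rake rubocop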

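--- a/README.md
+++ b/README.md
@@ -161,7 +161,11 @@ The zone records can be managed through the powerdns\_record resource. As an exa
 rcontent => '127.0.0.1'
 }
 ```
-Remark: if the target\_zone is not managed with powerdns\_zone resource, powerdns\_record does not change anything !
+Remark: if the target\_zone is not managed with powerdns\_zone resource, powerdns\_record does not change anything!
+
+### Sensitive secrets
+
+Passwords can be passed either as plain-text strings or as [Puppet's Sensitive type](https://www.puppet.com/docs/puppet/7/lang_data_sensitive.html) when appropriate encrypted backend is configured on Puppet server.
 
 ## Reference
 
@@ -200,15 +204,15 @@ Defaults to true.
 ##### `db_root_password`
 
 If you set `backend_install` to true you are asked to specify a root
-password for your database.
+password for your database. Accepts either `String` or `Sensitive` type.
 
 ##### `db_username`
 
 Set the database username. Defaults to 'powerdns'.
 
 ##### `db_password`
 
-Set the database password. Default is empty.
+Set the database password. Accepts either `String` or `Sensitive` type. Default is empty.
 
 ##### `db_name`
 
@@ -245,7 +249,7 @@ Path to the object to authenticate against. Defaults to undef.
 
 ##### `ldap_secret`
 
-Password for simple authentication against ldap_basedn. Defaults to undef.
+Password for simple authentication against ldap_basedn. Accepts either `String` or `Sensitive` type. Defaults to undef.
 
 ##### `custom_repo`
 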

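--- a/manifests/backends/ldap.pp
+++ b/manifests/backends/ldap.pp
@@ -31,10 +31,15 @@
 type => 'authoritative',
 }
 
+$_ldap_secret = $::powerdns::ldap_secret =~ Sensitive ? {
+true => $::powerdns::ldap_secret.unwrap,
+false => $::powerdns::ldap_secret
+}
+
 powerdns::config { 'ldap-secret':
 ensure => present,
 setting => 'ldap-secret',
-value => $::powerdns::ldap_secret,
+value => $_ldap_secret,
 type => 'authoritative',
 }
 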
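Review bot: The selector at new lines 34-37 unwraps the Sensitive value before it reaches `powerdns::config`, so `$_ldap_secret` and the `value` parameter of the `ldap-secret` resource are plain strings in the compiled catalog (and therefore in PuppetDB and agent reports), which undoes the redaction the new `Powerdns::Secret` type is meant to provide. Since `powerdns::config` in this same commit accepts `Sensitive[String[1]]` and only unwraps when it renders `$line`, the selector can be dropped and the original `value => $::powerdns::ldap_secret,` kept; the spec expectation would then become something like `.with('value' => sensitive('secret_bar'))`. The same early unwrap feeds the `gmysql-password` value in manifests/backends/mysql.pp and the `gpgsql-password` value in manifests/backends/postgresql.pp.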

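--- a/manifests/backends/mysql.pp
+++ b/manifests/backends/mysql.pp
@@ -29,11 +29,16 @@
 type => 'authoritative',
 }
 
-if $powerdns::db_password {
+$_db_password = $powerdns::db_password =~ Sensitive ? {
+true => $powerdns::db_password.unwrap,
+false => $powerdns::db_password
+}
+
+if $_db_password {
 powerdns::config { 'gmysql-password':
 ensure => present,
 setting => 'gmysql-password',
-value => $::powerdns::db_password,
+value => $_db_password,
 type => 'authoritative',
 }
 }
@@ -56,8 +61,13 @@
 if $::powerdns::backend_install {
 # mysql database
 if ! defined(Class['::mysql::server']) {
+$_db_root_password = $powerdns::db_root_password =~ Sensitive ? {
+true => $powerdns::db_root_password.unwrap,
+false => $powerdns::db_root_password
+}
+
 class { '::mysql::server':
-root_password => $::powerdns::db_root_password,
+root_password => $_db_root_password,
 create_root_my_cnf => true,
 }
 }
@@ -67,11 +77,11 @@
 }
 }
 
-if $::powerdns::backend_create_tables and $powerdns::db_password {
+if $::powerdns::backend_create_tables and $_db_password {
 # make sure the database exists
 mysql::db { $::powerdns::db_name:
 user => $::powerdns::db_username,
-password => $::powerdns::db_password,
+password => $_db_password,
 host => $::powerdns::db_host,
 grant => [ 'ALL' ],
 sql => [ $::powerdns::mysql_schema_file ],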
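Review bot: `$_db_root_password` (new lines 64-67) hands the unwrapped root password to `class { '::mysql::server': root_password => ... }` as a plain string, so it lands in the catalog unredacted; if the puppetlabs-mysql release this module depends on accepts `Sensitive` for `root_password` (recent releases do, to my knowledge), the wrapper should be passed through unchanged, and the same question applies to `password` of `mysql::db` at new line 84. Where a plain string really is required, a comment on the selector such as `# unwrapped on purpose: mysql::server needs a plain String; the value is visible in the catalog` records the exposure as deliberate. Note also that `$_db_password`, used at new line 80, is assigned at class scope in the first hunk, so the later hunks depend on that assignment staying unconditional.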

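--- a/manifests/backends/postgresql.pp
+++ b/manifests/backends/postgresql.pp
@@ -38,11 +38,16 @@
 type => 'authoritative',
 }
 
-if $powerdns::db_password {
+$_db_password = $powerdns::db_password =~ Sensitive ? {
+true => $powerdns::db_password.unwrap,
+false => $powerdns::db_password
+}
+
+if $_db_password {
 powerdns::config { 'gpgsql-password':
 ensure => present,
 setting => 'gpgsql-password',
-value => $::powerdns::db_password,
+value => $_db_password,
 type => 'authoritative',
 }
 }
@@ -64,23 +69,28 @@
 }
 if $::powerdns::backend_install {
 if ! defined(Class['::postgresql::server']) {
+$_db_root_password = $powerdns::db_root_password =~ Sensitive ? {
+true => $powerdns::db_root_password.unwrap,
+false => $powerdns::db_root_password
+}
+
 class { '::postgresql::server':
-postgres_password => $::powerdns::db_root_password,
+postgres_password => $_db_root_password,
 }
 }
 }
 
 if $::powerdns::backend_create_tables {
 postgresql::server::db { $::powerdns::db_name:
 user => $::powerdns::db_username,
-password => postgresql_password($::powerdns::db_username, $::powerdns::db_password),
+password => postgresql_password($::powerdns::db_username, $_db_password),
 require => Package[$::powerdns::params::pgsql_backend_package_name],
 }
 
 # define connection settings for powerdns user in order to create tables
 $connection_settings_powerdns = {
 'PGUSER' => $::powerdns::db_username,
-'PGPASSWORD' => $::powerdns::db_password,
+'PGPASSWORD' => $_db_password,
 'PGHOST' => $::powerdns::db_host,
 'PGDATABASE' => $::powerdns::db_name,
 }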
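Review bot: The `$_db_password` computed at new lines 41-44 is reused in plain form at new lines 86 and 93, so `'PGPASSWORD' => $_db_password` in `$connection_settings_powerdns` carries the secret unredacted; that hash is presumably consumed further down, outside this hunk, where it becomes part of the catalog. The `gpgsql-password` value in the first hunk does not need the unwrap at all, since `powerdns::config` now accepts `Sensitive[String[1]]`. Whether `postgresql_password()` and `postgresql::server::db` accept a Sensitive argument depends on the puppetlabs-postgresql version in use; where a plain string is genuinely required, a comment such as `# unwrapped on purpose: postgresql_password() and the connection settings need a plain String` makes the exposure deliberate rather than accidental.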

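--- a/manifests/config.pp
+++ b/manifests/config.pp
@@ -1,7 +1,7 @@
 # powerdns::config
 define powerdns::config(
 String $setting = $title,
-Variant[String, Integer, Boolean] $value = '',
+Powerdns::ConfigValue $value = '',
 Enum['present', 'absent'] $ensure = 'present',
 Enum['authoritative', 'recursor'] $type = 'authoritative'
 ) {
@@ -14,13 +14,19 @@
 'local-ipv6'
 ]
 unless $ensure == 'absent' or ($setting in $empty_value_allowed) {
-assert_type(Variant[String[1], Integer, Boolean], $value) |$_expected, $_actual| {
+assert_type(Variant[String[1], Integer, Boolean, Sensitive[String[1]]], $value) |$_expected, $_actual| {
 fail("Value for ${setting} can't be empty.")
 }
 }
 
-if $setting == 'gmysql-dnssec' { $line = $setting }
-else { $line = "${setting}=${value}" }
+if $setting == 'gmysql-dnssec' {
+$line = $setting
+} else {
+$line = $value =~ Sensitive ? {
+true => "${setting}=${value.unwrap}",
+false => "${setting}=${value}"
+}
+}
 
 if $type == 'authoritative' {
 $path = $::powerdns::params::authoritative_config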
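Review bot: The `$line` selector at new lines 25-28 unwraps a Sensitive `$value` into a plain interpolated string, so the secret reaches `file_line` (further down, outside this hunk) as an ordinary `line` parameter and is visible in the compiled catalog; if that is the only way to feed `file_line` in the stdlib version used, a comment should say so, e.g. `# unwrap is unavoidable here: file_line takes a plain line, so the secret is exposed in the catalog`. A smaller inconsistency: `Powerdns::ConfigValue` admits `String` (including the empty string) precisely so that the `assert_type` block can report "Value for ${setting} can't be empty.", but it admits only `Sensitive[String[1]]`, so `Sensitive('')` is rejected at the parameter boundary with a generic type-mismatch error instead of that message; `Sensitive[String]` in the alias would make both cases report the same way.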

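--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -5,9 +5,9 @@
 Enum['ldap', 'mysql', 'bind', 'postgresql', 'sqlite'] $backend = 'mysql',
 Boolean $backend_install = true,
 Boolean $backend_create_tables = true,
-Optional[String[1]] $db_root_password = undef,
+Powerdns::Secret $db_root_password = undef,
 String[1] $db_username = 'powerdns',
-Optional[String[1]] $db_password = undef,
+Powerdns::Secret $db_password = undef,
 String[1] $db_name = 'powerdns',
 String[1] $db_host = 'localhost',
 Integer[1] $db_port = 3306,
@@ -18,7 +18,7 @@
 Optional[String[1]] $ldap_basedn = undef,
 String[1] $ldap_method = 'strict',
 Optional[String[1]] $ldap_binddn = undef,
-Optional[String[1]] $ldap_secret = undef,
+Powerdns::Secret $ldap_secret = undef,
 Boolean $custom_repo = false,
 Boolean $custom_epel = false,
 Pattern[/4\.[0-9]+/] $version = $::powerdns::params::version,
@@ -29,17 +29,17 @@
 # Do some additional checks. In certain cases, some parameters are no longer optional.
 if $authoritative {
 if ($::powerdns::backend != 'bind') and ($::powerdns::backend != 'ldap') and ($::powerdns::backend != 'sqlite') and $require_db_password {
-assert_type(String[1], $db_password) |$expected, $actual| {
+assert_type(Variant[String[1], Sensitive[String[1]]], $db_password) |$expected, $actual| {
 fail("'db_password' must be a non-empty string when 'authoritative' == true")
 }
 if $backend_install {
-assert_type(String[1], $db_root_password) |$expected, $actual| {
+assert_type(Variant[String[1], Sensitive[String[1]]], $db_root_password) |$expected, $actual| {
 fail("'db_root_password' must be a non-empty string when 'backend_install' == true")
 }
 }
 }
 if $backend_create_tables and $backend == 'mysql' {
-assert_type(String[1], $db_root_password) |$expected, $actual| {
+assert_type(Variant[String[1], Sensitive[String[1]]], $db_root_password) |$expected, $actual| {
 fail("On MySQL 'db_root_password' must be a non-empty string when 'backend_create_tables' == true")
 }
 }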
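Review bot: The three `assert_type` calls at new lines 32, 36 and 42 now accept `Sensitive[String[1]]`, but their `fail` messages still say the parameter "must be a non-empty string", which misleads a user who passed a Sensitive value or omitted the parameter entirely. Updating the messages to match the accepted types, e.g. `fail("'db_password' must be a non-empty String or Sensitive[String] when 'authoritative' == true")`, keeps the error honest. Since `Powerdns::Secret` already excludes empty strings at the parameter boundary, these asserts in practice only catch `undef`; a one-line comment above the block saying so would save the next reader from re-deriving it.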

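--- a/spec/classes/powerdns_init_spec.rb
+++ b/spec/classes/powerdns_init_spec.rb
@@ -365,6 +365,21 @@
 it { is_expected.to contain_file_line('powerdns-config-ldap-method-%{config}' % { config: authoritative_config }) }
 end
 
+context 'with Sensitive password' do
+let(:params) do
+{
+ldap_basedn: 'ou=foo',
+ldap_binddn: 'foo',
+ldap_secret: sensitive('secret_bar'),
+backend: 'ldap',
+backend_install: false,
+backend_create_tables: false
+}
+end
+
+it { is_expected.to contain_powerdns__config('ldap-secret').with('value' => 'secret_bar') }
+end
+
 context 'with backend_install set to true' do
 let(:params) do
 {
@@ -423,6 +438,35 @@
 it { is_expected.not_to contain_powerdns__backends__mysql__create_table('tsigkeys') }
 end
 
+context 'powerdns with mysql backend and Sensitive password' do
+let(:params) do
+{
+db_root_password: 'foobar',
+db_username: 'foo',
+db_password: sensitive('TopSecret'),
+backend: 'mysql',
+backend_create_tables: true
+}
+end
+
+it { is_expected.to contain_mysql__db('powerdns').with('user' => 'foo', 'password' => 'TopSecret', 'host' => 'localhost') }
+end
+
+context 'powerdns with postgresql backend and Sensitive password' do
+let(:params) do
+{
+db_root_password: 'foobar',
+db_username: 'foo',
+db_password: sensitive('TopSecret'),
+backend: 'postgresql',
+backend_create_tables: true
+}
+end
+
+it { is_expected.to contain_powerdns__config('gpgsql-password').with(value: 'TopSecret') }
+it { is_expected.to contain_postgresql__server__db('powerdns').with('user' => 'foo') }
+end
+
 # Test the recursor
 context 'powerdns class with the recursor enabled and the authoritative server disabled' do
 let(:params) do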
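Review bot: Both new backend contexts (new lines 441-453 and 455-468) pass `db_root_password: 'foobar'` as a plain string, so the `$_db_root_password` selector this commit adds to mysql.pp and postgresql.pp is never exercised with a Sensitive value, and the mysql context never inspects the `gmysql-password` config resource at all. Switching one context to `db_root_password: sensitive('foobar'),` and adding `it { is_expected.to contain_class('mysql::server').with('root_password' => 'foobar') }` plus `it { is_expected.to contain_powerdns__config('gmysql-password').with('value' => 'TopSecret') }` would cover both untested paths.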

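--- a/spec/defines/powerdns_config_spec.rb
+++ b/spec/defines/powerdns_config_spec.rb
@@ -149,6 +149,20 @@
 is_expected.to contain_file_line('powerdns-config-webserver-%{config}' % { config: recursor_config }).with_line('webserver=true')
 }
 end
+
+context 'powerdns::config with Sensitive' do
+let(:params) do
+{
+setting: 'webserver-password',
+value: sensitive('S3cr3t'),
+type: 'recursor'
+}
+end
+
+it {
+is_expected.to contain_file_line('powerdns-config-webserver-password-%{config}' % { config: recursor_config }).with_line('webserver-password=S3cr3t')
+}
+end
 end
 end
 end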

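--- a/types/configvalue.pp
+++ b/types/configvalue.pp
@@ -0,0 +1,7 @@
+type Powerdns::ConfigValue = Variant[
+String,
+Integer,
+Boolean,
+Sensitive[String[1]]
+]
+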
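Review bot: Neither new type alias carries a doc comment, so puppet-strings will publish `Powerdns::ConfigValue` and `Powerdns::Secret` (types/secret.pp) undocumented, and a reader cannot tell from the alias that the Sensitive member is unwrapped only when `powerdns::config` renders its `line`. A `# @summary` line above each alias would fix that, e.g. `# @summary Value accepted by powerdns::config; a Sensitive[String] is unwrapped only when the config line is rendered.` here and `# @summary A password given as a non-empty String or a Sensitive[String]; undef when unset.` in types/secret.pp.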

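--- a/types/secret.pp
+++ b/types/secret.pp
@@ -0,0 +1,6 @@
+type Powerdns::Secret = Optional[
+Variant[
+String[1],
+Sensitive[String[1]]
+]
+]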
