Merge pull request #50 from lsst-it/IT-3962/no-passphrases-in-logs

prevent passphrases passed to install scripts from printing in logs
Puppet-Finland · Sep 13, 2022 · 92762aa · 92762aa
2 parents a4df4b6 + 159dd3c
commit 92762aa
Show file tree

Hide file tree

Showing 4 changed files with 41 additions and 12 deletions.
diff --git a/manifests/install/client.pp b/manifests/install/client.pp
@@ -77,7 +77,7 @@
       timeout   => 0,
       unless    => "cat /etc/ipa/default.conf | grep -i \"${easy_ipa::domain}\"",
       creates   => '/etc/ipa/default.conf',
-      logoutput => 'on_failure',
+      logoutput => false,  # prevent passphrases from appearing in puppet log
       before    => Service['sssd'],
       provider  => 'shell',
       require   => Package['ipa-client'],

diff --git a/manifests/install/server/master.pp b/manifests/install/server/master.pp
@@ -30,7 +30,7 @@
     timeout   => 0,
     unless    => '/usr/sbin/ipactl status >/dev/null 2>&1',
     creates   => '/etc/ipa/default.conf',
-    logoutput => 'on_failure',
+    logoutput => false,  # prevent passphrases from appearing in puppet log
     notify    => Easy_ipa::Helpers::Flushcache["server_${easy_ipa::ipa_server_fqdn}"],
     before    => Service['sssd'],
   }

diff --git a/manifests/install/server/replica.pp b/manifests/install/server/replica.pp
@@ -31,7 +31,7 @@
     timeout   => 0,
     unless    => '/usr/sbin/ipactl status >/dev/null 2>&1',
     creates   => '/etc/ipa/default.conf',
-    logoutput => 'on_failure',
+    logoutput => false,  # prevent passphrases from appearing in puppet log
     notify    => Easy_ipa::Helpers::Flushcache["server_${easy_ipa::ipa_server_fqdn}"],
     before    => Service['sssd'],
   }

diff --git a/spec/classes/ipa_spec.rb b/spec/classes/ipa_spec.rb
@@ -84,8 +84,11 @@
           end
 
           it do
-            is_expected.to contain_exec('server_install_ipa.rpsec.example.lan').with_command(%r{--idstart=10000})
-            is_expected.to contain_exec('server_install_ipa.rpsec.example.lan').with_command(%r{--idmax=20000})
+            is_expected.to contain_exec('server_install_ipa.rpsec.example.lan').with(
+              logoutput: false
+            ).
+              with_command(%r{--idstart=10000}).
+              with_command(%r{--idmax=20000})
           end
         end
 
@@ -95,7 +98,9 @@
           end
 
           it do
-            is_expected.to contain_exec('server_install_ipa.rpsec.example.lan').with_command(%r{--idstart=10000})
+            is_expected.to contain_exec('server_install_ipa.rpsec.example.lan').with(
+              logoutput: false
+            ).with_command(%r{--idstart=10000})
             is_expected.not_to contain_exec('server_install_ipa.rpsec.example.lan').with_command(%r{--idmax})
           end
         end
@@ -114,7 +119,11 @@
               super().merge(configure_ssh: false)
             end
 
-            it { is_expected.to contain_exec('server_install_ipa.rpsec.example.lan').with_command(%r{--no-ssh(?!d)}) }
+            it {
+              is_expected.to contain_exec('server_install_ipa.rpsec.example.lan').with(
+                logoutput: false
+              ).with_command(%r{--no-ssh(?!d)})
+            }
           end
         end
 
@@ -132,7 +141,11 @@
               super().merge(configure_sshd: false)
             end
 
-            it { is_expected.to contain_exec('server_install_ipa.rpsec.example.lan').with_command(%r{--no-sshd}) }
+            it {
+              is_expected.to contain_exec('server_install_ipa.rpsec.example.lan').with(
+                logoutput: false
+              ).with_command(%r{--no-sshd})
+            }
           end
         end
 
@@ -255,7 +268,11 @@
               super().merge(configure_ssh: false)
             end
 
-            it { is_expected.to contain_exec('server_install_ipa.rpsec.example.lan').with_command(%r{--no-ssh(?!d)}) }
+            it {
+              is_expected.to contain_exec('server_install_ipa.rpsec.example.lan').with(
+                logoutput: false
+              ).with_command(%r{--no-ssh(?!d)})
+            }
           end
         end
 
@@ -273,7 +290,11 @@
               super().merge(configure_sshd: false)
             end
 
-            it { is_expected.to contain_exec('server_install_ipa.rpsec.example.lan').with_command(%r{--no-sshd}) }
+            it {
+              is_expected.to contain_exec('server_install_ipa.rpsec.example.lan').with(
+                logoutput: false
+              ).with_command(%r{--no-sshd})
+            }
           end
         end
 
@@ -354,7 +375,11 @@
               super().merge(configure_ssh: false)
             end
 
-            it { is_expected.to contain_exec('client_install_ipa.rpsec.example.lan').with_command(%r{--no-ssh(?!d)}) }
+            it {
+              is_expected.to contain_exec('client_install_ipa.rpsec.example.lan').with(
+                logoutput: false
+              ).with_command(%r{--no-ssh(?!d)})
+            }
           end
         end
 
@@ -372,7 +397,11 @@
               super().merge(configure_sshd: false)
             end
 
-            it { is_expected.to contain_exec('client_install_ipa.rpsec.example.lan').with_command(%r{--no-sshd}) }
+            it {
+              is_expected.to contain_exec('client_install_ipa.rpsec.example.lan').with(
+                logoutput: false
+              ).with_command(%r{--no-sshd})
+            }
           end
         end