Merge pull request puppetlabs#1400 from cocker-cc/Use_Puppet-Datatype_Sensitive

Use Puppet-Datatype Sensitive

Author: pmcmaw

.puppet-lint.rc

@@ -1 +1,2 @@
 --relative
+--no-140chars-check

lib/puppet/functions/mysql/password.rb

@@ -7,18 +7,35 @@
 Puppet::Functions.create_function(:'mysql::password') do
   # @param password
   #   Plain text password.
+  # @param sensitive
+  #   If the Postgresql-Passwordhash should be of Datatype Sensitive[String]
   #
   # @return hash
   #   The mysql password hash from the clear text password.
   #
   dispatch :password do
-    required_param 'String', :password
-    return_type 'String'
+    required_param 'Variant[String, Sensitive[String]]', :password
+    optional_param 'Boolean', :sensitive
+    return_type 'Variant[String, Sensitive[String]]'
   end
 
-  def password(password)
-    return '' if password.empty?
-    return password if %r{\*[A-F0-9]{40}$}.match?(password)
-    '*' + Digest::SHA1.hexdigest(Digest::SHA1.digest(password)).upcase
+  def password(password, sensitive = false)
+    if password.is_a?(Puppet::Pops::Types::PSensitiveType::Sensitive)
+      password = password.unwrap
+    end
+
+    result_string = if %r{\*[A-F0-9]{40}$}.match?(password)
+                      password
+                    elsif password.empty?
+                      ''
+                    else
+                      '*' + Digest::SHA1.hexdigest(Digest::SHA1.digest(password)).upcase
+                    end
+
+    if sensitive
+      Puppet::Pops::Types::PSensitiveType::Sensitive.new(result_string)
+    else
+      result_string
+    end
   end
 end

lib/puppet/functions/mysql_password.rb

@@ -8,12 +8,13 @@
   # @return
   #   The mysql password hash from the 4.x function mysql::password.
   dispatch :mysql_password do
-    required_param 'String', :password
-    return_type 'String'
+    required_param 'Variant[String, Sensitive[String]]', :password
+    optional_param 'Boolean', :sensitive
+    return_type 'Variant[String, Sensitive[String]]'
   end
 
-  def mysql_password(password)
+  def mysql_password(password, sensitive = false)
     call_function('deprecation', 'mysql_password', "This method has been deprecated, please use the namespaced version 'mysql::password' instead.")
-    call_function('mysql::password', password)
+    call_function('mysql::password', password, sensitive)
   end
 end

lib/puppet/provider/mysql_user/mysql.rb

@@ -74,6 +74,8 @@ def create
     max_updates_per_hour     = @resource.value(:max_updates_per_hour) || 0
     tls_options              = @resource.value(:tls_options) || ['NONE']
 
+    password_hash = password_hash.unwrap if password_hash.is_a?(Puppet::Pops::Types::PSensitiveType::Sensitive)
+
     # Use CREATE USER to be compatible with NO_AUTO_CREATE_USER sql_mode
     # This is also required if you want to specify a authentication plugin
     if !plugin.nil?

manifests/backup/mysqlbackup.pp

@@ -5,7 +5,7 @@
 #
 class mysql::backup::mysqlbackup (
   $backupuser               = '',
-  $backuppassword           = '',
+  Variant[String, Sensitive[String]] $backuppassword = '',
   $maxallowedpacket         = '1M',
   $backupdir                = '',
   $backupdirmode            = '0700',
@@ -32,6 +32,11 @@
   $compression_command      = undef,
   $compression_extension    = undef,
 ) inherits mysql::params {
+  $backuppassword_unsensitive = if $backuppassword =~ Sensitive {
+    $backuppassword.unwrap
+  } else {
+    $backuppassword
+  }
   mysql_user { "${backupuser}@localhost":
     ensure        => $ensure,
     password_hash => mysql::password($backuppassword),
@@ -104,7 +109,7 @@
       'incremental_base'       => 'history:last_backup',
       'incremental_backup_dir' => $backupdir,
       'user'                   => $backupuser,
-      'password'               => $backuppassword,
+      'password'               => $backuppassword_unsensitive
     },
   }
   $options = mysql::normalise_and_deepmerge($default_options, $mysql::server::override_options)

manifests/backup/mysqldump.pp

@@ -4,7 +4,7 @@
 #
 class mysql::backup::mysqldump (
   $backupuser               = '',
-  $backuppassword           = '',
+  Variant[String, Sensitive[String]] $backuppassword = '',
   $backupdir                = '',
   $maxallowedpacket         = '1M',
   $backupdirmode            = '0700',
@@ -33,6 +33,12 @@
   $compression_command      = 'bzcat -zc',
   $compression_extension    = '.bz2'
 ) inherits mysql::params {
+  $backuppassword_unsensitive = if $backuppassword =~ Sensitive {
+    $backuppassword.unwrap
+  } else {
+    $backuppassword
+  }
+
   unless $::osfamily == 'FreeBSD' {
     if $backupcompress and $compression_command == 'bzcat -zc' {
       ensure_packages(['bzip2'])
@@ -82,6 +88,7 @@
     require  => File['mysqlbackup.sh'],
   }
 
+  # TODO: use EPP instead of ERB, as EPP can handle Data of Type Sensitive without further ado
   file { 'mysqlbackup.sh':
     ensure  => $ensure,
     path    => '/usr/local/sbin/mysqlbackup.sh',

manifests/backup/xtrabackup.pp

@@ -5,7 +5,7 @@
 class mysql::backup::xtrabackup (
   $xtrabackup_package_name  = $mysql::params::xtrabackup_package_name,
   $backupuser               = undef,
-  $backuppassword           = undef,
+  Optional[Variant[String, Sensitive[String]]] $backuppassword = undef,
   $backupdir                = '',
   $maxallowedpacket         = '1M',
   $backupmethod             = 'xtrabackup',
@@ -36,6 +36,12 @@
 ) inherits mysql::params {
   ensure_packages($xtrabackup_package_name)
 
+  $backuppassword_unsensitive = if $backuppassword =~ Sensitive {
+    $backuppassword.unwrap
+  } else {
+    $backuppassword
+  }
+
   if $backupuser and $backuppassword {
     mysql_user { "${backupuser}@localhost":
       ensure        => $ensure,
@@ -121,6 +127,7 @@
     group  => $backupdirgroup,
   }
 
+  # TODO: use EPP instead of ERB, as EPP can handle Data of Type Sensitive without further ado
   file { 'xtrabackup.sh':
     ensure  => $ensure,
     path    => '/usr/local/sbin/xtrabackup.sh',

manifests/bindings.pp

@@ -102,13 +102,13 @@
 ) inherits mysql::params {
   case $::osfamily {
     'Archlinux': {
-      if $java_enable { fail("::mysql::bindings::java cannot be managed by puppet on ${osfamily}
+      if $java_enable { fail("::mysql::bindings::java cannot be managed by puppet on ${::facts['os']['family']}
                           as it is not in official repositories. Please disable java mysql binding.") }
       if $perl_enable { include 'mysql::bindings::perl' }
-      if $php_enable { warning("::mysql::bindings::php does not need to be managed by puppet on ${osfamily}
+      if $php_enable { warning("::mysql::bindings::php does not need to be managed by puppet on ${::facts['os']['family']}
                           as it is included in mysql package by default.") }
       if $python_enable { include 'mysql::bindings::python' }
-      if $ruby_enable { fail("::mysql::bindings::ruby cannot be managed by puppet on %{osfamily}
+      if $ruby_enable { fail("::mysql::bindings::ruby cannot be managed by puppet on %{::facts['os']['family']}
                           as it is not in official repositories. Please disable ruby mysql binding.") }
     }
 

manifests/bindings/client_dev.pp

@@ -12,6 +12,6 @@
       provider        => $mysql::bindings::client_dev_package_provider,
     }
   } else {
-    warning("No MySQL client development package configured for ${os}.")
+    warning("No MySQL client development package configured for ${::facts['os']['family']}.")
   }
 }

manifests/bindings/daemon_dev.pp

@@ -12,6 +12,6 @@
       provider        => $mysql::bindings::daemon_dev_package_provider,
     }
   } else {
-    warning("No MySQL daemon development package configured for ${os}.")
+    warning("No MySQL daemon development package configured for ${::facts['os']['family']}.")
   }
 }