Accept Datatype Sensitive for all Secrets

- accept Datatype Sensitive for Puppet-Type foreman_config_entry
- accept Datatype Sensitive for CLI-Password
- accept Datatype Sensitive for initial Admin-Password
- accept Datatype Sensitive for Database-Password
- accept Datatype Sensitive for OAuth-Secrets
- accept Datatype Sensitive for SMTP-Secrets

Author: Cocker Koch

lib/puppet/provider/foreman_config_entry/cli.rb

@@ -65,6 +65,8 @@ def value
 
   def value=(value)
     return if resource[:dry]
+
+    value = value.unwrap if value.respond_to?(:unwrap)
     run_foreman_config("-k '#{name}' -v '#{value}'", :combine => true, :failonfail => true)
     @property_hash[:value] = value
   end

manifests/cli.pp

@@ -30,7 +30,7 @@
   String $version = $foreman::cli::params::version,
   Boolean $manage_root_config = $foreman::cli::params::manage_root_config,
   Optional[String] $username = $foreman::cli::params::username,
-  Optional[String] $password = $foreman::cli::params::password,
+  Optional[Variant[String, Sensitive[String]]] $password = $foreman::cli::params::password,
   Boolean $use_sessions = $foreman::cli::params::use_sessions,
   Boolean $refresh_cache = $foreman::cli::params::refresh_cache,
   Integer[-1] $request_timeout = $foreman::cli::params::request_timeout,

manifests/database.pp

@@ -14,7 +14,7 @@
   if $foreman::db_manage_rake {
     $seed_env = {
       'SEED_ADMIN_USER'       => $foreman::initial_admin_username,
-      'SEED_ADMIN_PASSWORD'   => $foreman::initial_admin_password,
+      'SEED_ADMIN_PASSWORD'   => if $foreman::initial_admin_password =~ Sensitive {$foreman::initial_admin_password.unwrap} else {$foreman::initial_admin_password},
       'SEED_ADMIN_FIRST_NAME' => $foreman::initial_admin_first_name,
       'SEED_ADMIN_LAST_NAME'  => $foreman::initial_admin_last_name,
       'SEED_ADMIN_EMAIL'      => $foreman::initial_admin_email,

manifests/init.pp

@@ -215,7 +215,7 @@
   Variant[Undef, Enum['UNSET'], Stdlib::Port] $db_port = 'UNSET',
   Optional[String] $db_database = 'UNSET',
   Optional[String] $db_username = $foreman::params::db_username,
-  Optional[String] $db_password = $foreman::params::db_password,
+  Optional[Variant[String, Sensitive[String]]] $db_password = $foreman::params::db_password,
   Optional[String] $db_sslmode = 'UNSET',
   Optional[String] $db_root_cert = undef,
   Integer[0] $db_pool = $foreman::params::db_pool,
@@ -234,11 +234,11 @@
   Stdlib::Absolutepath $client_ssl_key = $foreman::params::client_ssl_key,
   Boolean $oauth_active = $foreman::params::oauth_active,
   Boolean $oauth_map_users = $foreman::params::oauth_map_users,
-  String $oauth_consumer_key = $foreman::params::oauth_consumer_key,
-  String $oauth_consumer_secret = $foreman::params::oauth_consumer_secret,
+  Variant[String, Sensitive[String]] $oauth_consumer_key = $foreman::params::oauth_consumer_key,
+  Variant[String, Sensitive[String]] $oauth_consumer_secret = $foreman::params::oauth_consumer_secret,
   String $oauth_effective_user = $foreman::params::oauth_effective_user,
   String $initial_admin_username = $foreman::params::initial_admin_username,
-  String $initial_admin_password = $foreman::params::initial_admin_password,
+  Variant[String, Sensitive[String]] $initial_admin_password = $foreman::params::initial_admin_password,
   Optional[String] $initial_admin_first_name = $foreman::params::initial_admin_first_name,
   Optional[String] $initial_admin_last_name = $foreman::params::initial_admin_last_name,
   Optional[String] $initial_admin_email = $foreman::params::initial_admin_email,
@@ -265,7 +265,7 @@
   Optional[Stdlib::Fqdn] $email_smtp_domain = $foreman::params::email_smtp_domain,
   Enum['none', 'plain', 'login', 'cram-md5'] $email_smtp_authentication = $foreman::params::email_smtp_authentication,
   Optional[String] $email_smtp_user_name = $foreman::params::email_smtp_user_name,
-  Optional[String] $email_smtp_password = $foreman::params::email_smtp_password,
+  Optional[Variant[String, Sensitive[String]]] $email_smtp_password = $foreman::params::email_smtp_password,
   Optional[String] $email_reply_address = $foreman::params::email_reply_address,
   Optional[String] $email_subject_prefix = $foreman::params::email_subject_prefix,
   String $telemetry_prefix = $foreman::params::telemetry_prefix,

manifests/plugin.pp

@@ -27,7 +27,7 @@
   String[1] $config_file_owner = 'root',
   String[1] $config_file_group = $foreman::group,
   Stdlib::Filemode $config_file_mode = '0640',
-  Optional[String] $config = undef,
+  Optional[Variant[String, Sensitive[String]]] $config = undef,
 ) {
   # Debian gem2deb converts underscores to hyphens
   case $facts['os']['family'] {

manifests/plugin/supervisory_authority.pp

@@ -30,7 +30,7 @@
 #
 class foreman::plugin::supervisory_authority (
   Stdlib::HTTPUrl              $server_url,
-  String                       $secret_token,
+  Variant[String, Sensitive[String]] $secret_token,
   Pattern[/^[a-zA-Z0-9 _-]+$/] $service_name,
   Integer[0,5]                 $log_level             = 1,
   Integer[0]                   $pool_size             = 1,

spec/classes/foreman_spec.rb

@@ -263,6 +263,20 @@
         end
       end
 
+      describe 'with all parameters and Sensitive for Secrets' do
+        let :params do
+          {
+            db_password: sensitive('secret'),
+            oauth_consumer_key: sensitive('random'),
+            oauth_consumer_secret: sensitive('random'),
+            initial_admin_password: sensitive('secret'),
+            email_smtp_password: sensitive('secret'),
+          }
+        end
+
+        it { is_expected.to compile.with_all_deps }
+      end
+
       context 'with journald logging' do
         let(:params) { super().merge(logging_type: 'journald') }
         it { is_expected.to compile.with_all_deps }

spec/classes/plugin/supervisory_authority_spec.rb

@@ -1,13 +1,27 @@
 require 'spec_helper'
 
 describe 'foreman::plugin::supervisory_authority' do
-  let(:params) do
-    {
-      'server_url'   => 'https://example.com',
-      'secret_token' => 'secret_example',
-      'service_name' => 'foreman prod',
-    }
+  context 'with Standard-Parameters' do
+    let(:params) do
+      {
+        'server_url'   => 'https://example.com',
+        'secret_token' => 'secret_example',
+        'service_name' => 'foreman prod',
+      }
+    end
+    include_examples 'basic foreman plugin tests', 'supervisory_authority'
+    it { is_expected.to contain_foreman__plugin('supervisory_authority').with_config(%r{^---\n:foreman_supervisory_authority:\n  server_url: https://example\.com\n}) }
+  end
+
+  context 'with Sensitive secret_token' do
+    let(:params) do
+      {
+        'server_url'   => 'https://example.com',
+        'secret_token' => sensitive('secret_example'),
+        'service_name' => 'foreman prod',
+      }
+    end
+    include_examples 'basic foreman plugin tests', 'supervisory_authority'
+    it { is_expected.to contain_foreman__plugin('supervisory_authority').with_config(%r{^---\n:foreman_supervisory_authority:\n  server_url: https://example\.com\n}) }
   end
-  include_examples 'basic foreman plugin tests', 'supervisory_authority'
-  it { is_expected.to contain_foreman__plugin('supervisory_authority').with_config(%r{^---\n:foreman_supervisory_authority:\n  server_url: https://example\.com\n}) }
 end

templates/hammer_root.yml.epp

@@ -1,8 +1,8 @@
 <%- |
   Optional[String] $username,
-  Optional[String] $password,
+  Optional[Variant[String, Sensitive[String]]] $password,
 | -%>
 :foreman:
   # Credentials. You'll be asked for the interactively if you leave them blank here
-  :username: '<%= $username %>'
-  :password: '<%= $password %>'
+  :username:<%= if $username { " '${username}'" } %>
+  :password:<%= if $password { " '${password}'" } %>