
Use Sensitive data type for passwords

Patrick Brideau requested to merge (removed):feat/sensitive_password into master

Currently, the master password of the whole infrastructure is displayed in the logs when the install exec fails:

Error: '/usr/sbin/ipa-client-install [...] --password='myverysecurepassword' [...]

Obviously, it is not a very secure way to display sensitive information. This patch stores the password in an environment variable, so at least the password is not displayed in the logs when the exec fails:

Error: '/usr/sbin/ipa-client-install [...] --password="$PASSWORD_USEDTO_JOINDOMAIN" [...]

I’ve also added support for providing the password as a Sensitive type, which exists in Puppet 6 and Puppet 7. It is not supported on Puppet 5 (which is claimed to be supported in metadata.json), but that is EOL. I’ve adjusted the metadata.json. I also added tests for this feature.

Any feedback is welcome!

Edited by Fabien Combernous
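
The logging behaviour described in this merge request, reproduced as an added shell example that is not code from the module: a runner that logs the command text on failure leaks a password interpolated into that text, but logs only the variable reference when the value travels in the environment. `fake-install` and `run_logged` are hypothetical stand-ins for the installer and the exec runner; the variable name and sample password are taken from the log excerpts above.

```sh
#!/bin/sh
# Added example. fake-install and run_logged are hypothetical stand-ins, not
# ipa-client-install or Puppet; only the variable name comes from the MR.

# Create a constructed stand-in installer that records its argv and fails.
make_fake_installer() {
  dir=$(mktemp -d)
  cat > "$dir/fake-install" <<'EOF'
printf '%s\n' "$*" > "$(dirname "$0")/argv.seen"
exit 1
EOF
  printf '%s\n' "$dir"
}

# run_logged CMD [NAME=value]
# Runs CMD through a shell, optionally with one extra environment variable.
# On failure it prints an error line built from the command text as given,
# which is the text that ends up in the log.
run_logged() {
  rc=0
  env ${2:+"$2"} sh -c "$1" >/dev/null 2>&1 || rc=$?
  [ "$rc" -eq 0 ] || printf "Error: '%s' returned %s\n" "$1" "$rc"
}

demo() {
  d=$(make_fake_installer)
  secret='myverysecurepassword'   # sample value from the log excerpt above
  echo "before (password interpolated into the command text):"
  run_logged "sh $d/fake-install --password='$secret'"
  echo "after (command text holds only the variable reference):"
  run_logged "sh $d/fake-install --password=\"\$PASSWORD_USEDTO_JOINDOMAIN\"" \
    "PASSWORD_USEDTO_JOINDOMAIN=$secret"
  echo "argv received by the installer: $(cat "$d/argv.seen")"
  rm -rf "$d"
}

demo
```

The last line of output shows that the shell still expands the variable into the installer's arguments, so this change keeps the password out of the logged error line, not out of the running process's argument list.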
