Hide secrets from puppet logs

Currently secrets like rabbit_password, admin_password or database connection
are laked in puppet logs when changed. This commit changes neutron_*_config and 
neutron_*_ini types adding a new parameter that triggers obfuscation the values
in puppet logs.

Change-Id: I7dc59ce9580bfb1d4afdfbced668d0cb2979458a
Closes-Bug: #1328448

lib/puppet/type/neutron_api_config.rb

@@ -14,5 +14,30 @@
       value.capitalize! if value =~ /^(true|false)$/i
       value
     end
+
+    def is_to_s( currentvalue )
+      if resource.secret?
+        return '[old secret redacted]'
+      else
+        return currentvalue
+      end
+    end
+
+    def should_to_s( newvalue )
+      if resource.secret?
+        return '[new secret redacted]'
+      else
+        return newvalue
+      end
+    end
   end
+
+  newparam(:secret, :boolean => true) do
+    desc 'Whether to hide the value from Puppet logs. Defaults to `false`.'
+
+    newvalues(:true, :false)
+
+    defaultto false
+  end
+
 end

lib/puppet/type/neutron_config.rb

@@ -14,6 +14,30 @@
       value.capitalize! if value =~ /^(true|false)$/i
       value
     end
+
+    def is_to_s( currentvalue )
+      if resource.secret?
+        return '[old secret redacted]'
+      else
+        return currentvalue
+      end
+    end
+
+    def should_to_s( newvalue )
+      if resource.secret?
+        return '[new secret redacted]'
+      else
+        return newvalue
+      end
+    end
+  end
+
+  newparam(:secret, :boolean => true) do
+    desc 'Whether to hide the value from Puppet logs. Defaults to `false`.'
+
+    newvalues(:true, :false)
+
+    defaultto false
   end
 
   def create

lib/puppet/type/neutron_metadata_agent_config.rb

@@ -14,5 +14,30 @@
       value.capitalize! if value =~ /^(true|false)$/i
       value
     end
+
+    def is_to_s( currentvalue )
+      if resource.secret?
+        return '[old secret redacted]'
+      else
+        return currentvalue
+      end
+    end
+
+    def should_to_s( newvalue )
+      if resource.secret?
+        return '[new secret redacted]'
+      else
+        return newvalue
+      end
+    end
   end
+
+  newparam(:secret, :boolean => true) do
+    desc 'Whether to hide the value from Puppet logs. Defaults to `false`.'
+
+    newvalues(:true, :false)
+
+    defaultto false
+  end
+
 end

lib/puppet/type/neutron_plugin_cisco.rb

@@ -18,5 +18,30 @@
       value.capitalize! if value =~ /^(true|false)$/i
       value
     end
+
+    def is_to_s( currentvalue )
+      if resource.secret?
+        return '[old secret redacted]'
+      else
+        return currentvalue
+      end
+    end
+
+    def should_to_s( newvalue )
+      if resource.secret?
+        return '[new secret redacted]'
+      else
+        return newvalue
+      end
+    end
   end
+
+  newparam(:secret, :boolean => true) do
+    desc 'Whether to hide the value from Puppet logs. Defaults to `false`.'
+
+    newvalues(:true, :false)
+
+    defaultto false
+  end
+
 end

lib/puppet/type/neutron_plugin_cisco_credentials.rb

@@ -18,5 +18,30 @@
       value.capitalize! if value =~ /^(true|false)$/i
       value
     end
+
+    def is_to_s( currentvalue )
+      if resource.secret?
+        return '[old secret redacted]'
+      else
+        return currentvalue
+      end
+    end
+
+    def should_to_s( newvalue )
+      if resource.secret?
+        return '[new secret redacted]'
+      else
+        return newvalue
+      end
+    end
+  end
+
+  newparam(:secret, :boolean => true) do
+    desc 'Whether to hide the value from Puppet logs. Defaults to `false`.'
+
+    newvalues(:true, :false)
+
+    defaultto false
+
   end
 end

lib/puppet/type/neutron_plugin_nvp.rb

@@ -14,5 +14,30 @@
       value.capitalize! if value =~ /^(true|false)$/i
       value
     end
+
+    def is_to_s( currentvalue )
+      if resource.secret?
+        return '[old secret redacted]'
+      else
+        return currentvalue
+      end
+    end
+
+    def should_to_s( newvalue )
+      if resource.secret?
+        return '[new secret redacted]'
+      else
+        return newvalue
+      end
+    end
   end
+
+  newparam(:secret, :boolean => true) do
+    desc 'Whether to hide the value from Puppet logs. Defaults to `false`.'
+
+    newvalues(:true, :false)
+
+    defaultto false
+  end
+
 end

manifests/agents/metadata.pp

@@ -92,7 +92,7 @@
     'DEFAULT/auth_region':                    value => $auth_region;
     'DEFAULT/admin_tenant_name':              value => $auth_tenant;
     'DEFAULT/admin_user':                     value => $auth_user;
-    'DEFAULT/admin_password':                 value => $auth_password;
+    'DEFAULT/admin_password':                 value => $auth_password, secret => true;
     'DEFAULT/nova_metadata_ip':               value => $metadata_ip;
     'DEFAULT/nova_metadata_port':             value => $metadata_port;
     'DEFAULT/metadata_proxy_shared_secret':   value => $shared_secret;

manifests/init.pp

@@ -341,7 +341,7 @@
 
     neutron_config {
       'DEFAULT/rabbit_userid':       value => $rabbit_user;
-      'DEFAULT/rabbit_password':     value => $rabbit_password;
+      'DEFAULT/rabbit_password':     value => $rabbit_password, secret => true;
       'DEFAULT/rabbit_virtual_host': value => $rabbit_virtual_host;
       'DEFAULT/rabbit_use_ssl':      value => $rabbit_use_ssl;
     }
@@ -369,7 +369,7 @@
       'DEFAULT/qpid_hostname':               value => $qpid_hostname;
       'DEFAULT/qpid_port':                   value => $qpid_port;
       'DEFAULT/qpid_username':               value => $qpid_username;
-      'DEFAULT/qpid_password':               value => $qpid_password;
+      'DEFAULT/qpid_password':               value => $qpid_password, secret => true;
       'DEFAULT/qpid_heartbeat':              value => $qpid_heartbeat;
       'DEFAULT/qpid_protocol':               value => $qpid_protocol;
       'DEFAULT/qpid_tcp_nodelay':            value => $qpid_tcp_nodelay;

manifests/plugins/cisco.pp

@@ -164,7 +164,7 @@
 
   neutron_plugin_cisco_credentials {
     'keystone/username': value => $keystone_username;
-    'keystone/password': value => $keystone_password;
+    'keystone/password': value => $keystone_password, secret => true;
     'keystone/auth_url': value => $keystone_auth_url;
     'keystone/tenant'  : value => $keystone_tenant;
   }

manifests/plugins/nvp.pp

@@ -48,7 +48,7 @@
     'DEFAULT/default_tz_uuid': value => $default_tz_uuid;
     'DEFAULT/nvp_controllers': value => join($nvp_controllers, ',');
     'DEFAULT/nvp_user':        value => $nvp_user;
-    'DEFAULT/nvp_password':    value => $nvp_password;
+    'DEFAULT/nvp_password':    value => $nvp_password, secret => true;
     'nvp/metadata_mode':       value => 'access_network';
   }
 

manifests/server.pp

@@ -271,7 +271,7 @@
     'DEFAULT/api_workers':             value => $api_workers;
     'DEFAULT/agent_down_time':         value => $agent_down_time;
     'DEFAULT/router_scheduler_driver': value => $router_scheduler_driver;
-    'database/connection':             value => $database_connection_real;
+    'database/connection':             value => $database_connection_real, secret => true;
     'database/idle_timeout':           value => $database_idle_timeout_real;
     'database/retry_interval':         value => $database_retry_interval_real;
     'database/max_retries':            value => $database_max_retries_real;
@@ -302,7 +302,7 @@
         'keystone_authtoken/auth_protocol':     value => $auth_protocol;
         'keystone_authtoken/admin_tenant_name': value => $auth_tenant;
         'keystone_authtoken/admin_user':        value => $auth_user;
-        'keystone_authtoken/admin_password':    value => $auth_password;
+        'keystone_authtoken/admin_password':    value => $auth_password, secret => true;
       }
 
       neutron_api_config {
@@ -311,7 +311,7 @@
         'filter:authtoken/auth_protocol':     value => $auth_protocol;
         'filter:authtoken/admin_tenant_name': value => $auth_tenant;
         'filter:authtoken/admin_user':        value => $auth_user;
-        'filter:authtoken/admin_password':    value => $auth_password;
+        'filter:authtoken/admin_password':    value => $auth_password, secret => true;
       }
 
       if $auth_admin_prefix {

manifests/server/notifications.pp

@@ -91,7 +91,7 @@
     'DEFAULT/nova_url':                           value => $nova_url;
     'DEFAULT/nova_admin_auth_url':                value => $nova_admin_auth_url;
     'DEFAULT/nova_admin_username':                value => $nova_admin_username;
-    'DEFAULT/nova_admin_password':                value => $nova_admin_password;
+    'DEFAULT/nova_admin_password':                value => $nova_admin_password, secret => true;
     'DEFAULT/nova_region_name':                   value => $nova_region_name;
   }
 

spec/classes/neutron_agents_metadata_spec.rb

@@ -55,6 +55,7 @@
       should contain_neutron_metadata_agent_config('DEFAULT/admin_tenant_name').with(:value => params[:auth_tenant])
       should contain_neutron_metadata_agent_config('DEFAULT/admin_user').with(:value => params[:auth_user])
       should contain_neutron_metadata_agent_config('DEFAULT/admin_password').with(:value => params[:auth_password])
+      should contain_neutron_metadata_agent_config('DEFAULT/admin_password').with_secret( true )
       should contain_neutron_metadata_agent_config('DEFAULT/nova_metadata_ip').with(:value => params[:metadata_ip])
       should contain_neutron_metadata_agent_config('DEFAULT/nova_metadata_port').with(:value => params[:metadata_port])
       should contain_neutron_metadata_agent_config('DEFAULT/metadata_workers').with(:value => params[:metadata_workers])

spec/classes/neutron_init_spec.rb

@@ -97,6 +97,7 @@
     it 'configures credentials for rabbit' do
       should contain_neutron_config('DEFAULT/rabbit_userid').with_value( params[:rabbit_user] )
       should contain_neutron_config('DEFAULT/rabbit_password').with_value( params[:rabbit_password] )
+      should contain_neutron_config('DEFAULT/rabbit_password').with_secret( true )
       should contain_neutron_config('DEFAULT/rabbit_virtual_host').with_value( params[:rabbit_virtual_host] )
     end
 

spec/classes/neutron_plugins_cisco_spec.rb

@@ -105,6 +105,7 @@ class { 'neutron': rabbit_password => 'passw0rd' }"
         with_value(params[:keystone_username])
       should contain_neutron_plugin_cisco_credentials('keystone/password').\
         with_value(params[:keystone_password])
+      should contain_neutron_plugin_cisco_credentials('keystone/password').with_secret( true )
       should contain_neutron_plugin_cisco_credentials('keystone/auth_url').\
         with_value(params[:keystone_auth_url])
       should contain_neutron_plugin_cisco_credentials('keystone/tenant').\

spec/classes/neutron_plugins_nvp_spec.rb

@@ -58,6 +58,7 @@
       should contain_neutron_plugin_nvp('DEFAULT/nvp_controllers').with_value(p[:nvp_controllers].join(','))
       should contain_neutron_plugin_nvp('DEFAULT/nvp_user').with_value(p[:nvp_user])
       should contain_neutron_plugin_nvp('DEFAULT/nvp_password').with_value(p[:nvp_password])
+      should contain_neutron_plugin_nvp('DEFAULT/nvp_password').with_secret( true )
       should_not contain_neutron_plugin_nvp('DEFAULT/default_l3_gw_service_uuid').with_value(p[:default_l3_gw_service_uuid])
     end
 

spec/classes/neutron_server_notifications_spec.rb

@@ -53,6 +53,7 @@
             should contain_neutron_config('DEFAULT/nova_admin_auth_url').with_value('http://127.0.0.1:35357/v2.0')
             should contain_neutron_config('DEFAULT/nova_admin_username').with_value('nova')
             should contain_neutron_config('DEFAULT/nova_admin_password').with_value('secrete')
+            should contain_neutron_config('DEFAULT/nova_admin_password').with_secret( true )
             should contain_neutron_config('DEFAULT/nova_region_name').with_value('RegionOne')
             should contain_neutron_config('DEFAULT/nova_admin_tenant_id').with_value('UUID')
         end
@@ -78,6 +79,7 @@
                 should contain_neutron_config('DEFAULT/nova_admin_auth_url').with_value('http://keystone:35357/v2.0')
                 should contain_neutron_config('DEFAULT/nova_admin_username').with_value('joe')
                 should contain_neutron_config('DEFAULT/nova_admin_password').with_value('secrete')
+                should contain_neutron_config('DEFAULT/nova_admin_password').with_secret( true )
                 should contain_neutron_config('DEFAULT/nova_region_name').with_value('MyRegion')
                 should contain_neutron_config('DEFAULT/nova_admin_tenant_id').with_value('UUID2')
             end

spec/classes/neutron_server_spec.rb

@@ -37,6 +37,7 @@
 
     it 'should perform default database configuration of' do
       should contain_neutron_config('database/connection').with_value(p[:database_connection])
+      should contain_neutron_config('database/connection').with_secret( true )
       should contain_neutron_config('database/max_retries').with_value(p[:database_max_retries])
       should contain_neutron_config('database/idle_timeout').with_value(p[:database_idle_timeout])
       should contain_neutron_config('database/retry_interval').with_value(p[:database_retry_interval])
@@ -50,6 +51,7 @@
       should contain_neutron_api_config('filter:authtoken/admin_tenant_name').with_value(p[:auth_tenant]);
       should contain_neutron_api_config('filter:authtoken/admin_user').with_value(p[:auth_user]);
       should contain_neutron_api_config('filter:authtoken/admin_password').with_value(p[:auth_password]);
+      should contain_neutron_api_config('filter:authtoken/admin_password').with_secret( true )
       should contain_neutron_api_config('filter:authtoken/auth_admin_prefix').with(:ensure => 'absent')
       should contain_neutron_api_config('filter:authtoken/auth_uri').with_value("http://localhost:5000/");
     end