From 8ea844adefdbd05957167cd8cc5be09d89912bdc Mon Sep 17 00:00:00 2001
From: cocker-cc
Date: Tue, 9 Jul 2024 18:46:19 +0200
Subject: [PATCH] Use Sensitive for Secrets
To not reveal Secrets, accept Datatype Sensitive. Render Templates as sensitive Content, if Secrets were given as Sensitive.
---
 REFERENCE.md | 16 ++++++++--------
 manifests/database.pp | 2 +-
 manifests/database/mysql.pp | 18 ++++++++++++------
 manifests/database/postgresql.pp | 7 +++++--
 manifests/init.pp | 4 ++--
 manifests/proxy.pp | 5 ++++-
 manifests/resources/web.pp | 2 +-
 manifests/server.pp | 5 ++++-
 manifests/web.pp | 13 ++++++++++---
 templates/api.conf.epp | 2 +-
 templates/web/zabbix.conf.php.erb | 2 +-
 templates/zabbix_proxy.conf.erb | 6 +++---
 templates/zabbix_server.conf.erb | 8 ++++----
 13 files changed, 56 insertions(+), 34 deletions(-)
diff --git a/REFERENCE.md b/REFERENCE.md
index 92e260d75..8de66ea83 100644
--- a/REFERENCE.md
+++ b/REFERENCE.md
@@ -539,7 +539,7 @@ Default value: `$zabbix::params::server_api_user`
 ##### `zabbix_api_pass`
-Data type: `Any`
+Data type: `Variant[Sensitive[String], String]`
 Password of the user which connects to the api. Default: zabbix
@@ -653,7 +653,7 @@ Default value: `$zabbix::params::server_database_user`
 ##### `database_password`
-Data type: `Any`
+Data type: `Variant[Sensitive[String], String]`
 Database password. ignored for sqlite.
@@ -2290,7 +2290,7 @@ Default value: `$zabbix::params::server_database_user`
 ##### `database_password`
-Data type: `Any`
+Data type: `Variant[Sensitive[String], String]`
 The password of the database_user.
@@ -2898,7 +2898,7 @@ Default value: `$zabbix::params::proxy_database_user`
 ##### `database_password`
-Data type: `Any`
+Data type: `Variant[Sensitive[String], String]`
 Database password. ignored for sqlite.
@@ -3860,7 +3860,7 @@ API username.
 ##### `zabbix_pass`
-Data type: `String[1]`
+Data type: `Variant[Sensitive[String[1]], String[1]]`
 API password.
@@ -4269,7 +4269,7 @@ Default value: `$zabbix::params::server_database_user`
 ##### `database_password`
-Data type: `Any`
+Data type: `Variant[Sensitive[String], String]`
 Database password. ignored for sqlite.
@@ -5254,7 +5254,7 @@ Default value: `$zabbix::params::server_api_user`
 ##### `zabbix_api_pass`
-Data type: `Any`
+Data type: `Variant[Sensitive[String], String]`
 Password of the user which connects to the api. Default: zabbix
@@ -5312,7 +5312,7 @@ Default value: `$zabbix::params::server_database_user`
 ##### `database_password`
-Data type: `Any`
+Data type: `Variant[Sensitive[String], String]`
 Database password. ignored for sqlite.
diff --git a/manifests/database.pp b/manifests/database.pp
index c78f266ee..2e5539cbc 100644
--- a/manifests/database.pp
+++ b/manifests/database.pp
@@ -76,7 +76,7 @@
 $database_schema_path = $zabbix::params::database_schema_path,
 $database_name = $zabbix::params::server_database_name,
 $database_user = $zabbix::params::server_database_user,
- $database_password = $zabbix::params::server_database_password,
+ Variant[Sensitive[String], String] $database_password = $zabbix::params::server_database_password,
 $database_host = $zabbix::params::server_database_host,
 $database_host_ip = $zabbix::params::server_database_host_ip,
 $database_charset = $zabbix::params::server_database_charset,
diff --git a/manifests/database/mysql.pp b/manifests/database/mysql.pp
index 87cc1a547..92d5d7a3b 100644
--- a/manifests/database/mysql.pp
+++ b/manifests/database/mysql.pp
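Review bot: The same `Variant[Sensitive[String], String]` is now spelled out by hand on nine parameters across `manifests/database.pp`, `manifests/database/mysql.pp`, `manifests/database/postgresql.pp`, `manifests/init.pp`, `manifests/proxy.pp`, `manifests/server.pp` and `manifests/web.pp`, with `manifests/resources/web.pp` and `templates/api.conf.epp` using the `String[1]` flavour. A module type alias under `types/` (for example `Zabbix::Password`, name constructed here) would keep those declarations in step and give the REFERENCE.md entries a single name to document. The parameter list of `zabbix::database` continues outside this hunk.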
@@ -16,13 +16,15 @@
 $database_schema_path = '',
 $database_name = '',
 $database_user = '',
- $database_password = '',
+ Variant[Sensitive[String], String] $database_password = '',
 $database_host = '',
 Optional[Stdlib::Port::Unprivileged] $database_port = undef,
 $database_path = $zabbix::params::database_path,
 ) inherits zabbix::params {
 assert_private()
+ $database_password_unsensitive = $database_password.unwrap
+
 if ($database_schema_path == false) or ($database_schema_path == '') {
 if versioncmp($zabbix_version, '6.0') >= 0 {
 $schema_path = '/usr/share/zabbix-sql-scripts/mysql/'
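Review bot: `$database_password.unwrap` is called unconditionally on a value the new type also allows to be a plain `String`, which only works on Puppet versions where `unwrap` passes a non-Sensitive argument through unchanged; the module's `metadata.json` lower bound should cover that, and a spec case using the plain default `''` would pin it. A comment on the line, `# Sensitive or plain String: unwrap passes a plain String through unchanged`, would tell the next reader why no type check is needed here. The plaintext copy also lives in class scope for the rest of the class rather than only at the interpolation sites that need it. The class body continues outside the hunk.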
@@ -43,14 +45,14 @@
 case $zabbix_type {
 'proxy': {
 $zabbix_proxy_create_sql = versioncmp($zabbix_version, '6.0') >= 0 ? {
- true => "cd ${schema_path} && mysql -h '${database_host}' -u '${database_user}' -p'${database_password}' ${port}-D '${database_name}' < proxy.sql && touch /etc/zabbix/.schema.done",
- false => "cd ${schema_path} && if [ -f schema.sql.gz ]; then gunzip -f schema.sql.gz ; fi && mysql -h '${database_host}' -u '${database_user}' -p'${database_password}' ${port}-D '${database_name}' < schema.sql && touch /etc/zabbix/.schema.done"
+ true => "cd ${schema_path} && mysql -h '${database_host}' -u '${database_user}' -p'${database_password_unsensitive}' ${port}-D '${database_name}' < proxy.sql && touch /etc/zabbix/.schema.done",
+ false => "cd ${schema_path} && if [ -f schema.sql.gz ]; then gunzip -f schema.sql.gz ; fi && mysql -h '${database_host}' -u '${database_user}' -p'${database_password_unsensitive}' ${port}-D '${database_name}' < schema.sql && touch /etc/zabbix/.schema.done"
 }
 }
 default: {
 $zabbix_server_create_sql = versioncmp($zabbix_version, '6.0') >= 0 ? {
- true => "cd ${schema_path} && if [ -f server.sql.gz ]; then gunzip -f server.sql.gz ; fi && mysql -h '${database_host}' -u '${database_user}' -p'${database_password}' ${port}-D '${database_name}' < server.sql && touch /etc/zabbix/.schema.done",
- false => "cd ${schema_path} && if [ -f create.sql.gz ]; then gunzip -f create.sql.gz ; fi && mysql -h '${database_host}' -u '${database_user}' -p'${database_password}' ${port}-D '${database_name}' < create.sql && touch /etc/zabbix/.schema.done"
+ true => "cd ${schema_path} && if [ -f server.sql.gz ]; then gunzip -f server.sql.gz ; fi && mysql -h '${database_host}' -u '${database_user}' -p'${database_password_unsensitive}' ${port}-D '${database_name}' < server.sql && touch /etc/zabbix/.schema.done",
+ false => "cd ${schema_path} && if [ -f create.sql.gz ]; then gunzip -f create.sql.gz ; fi && mysql -h '${database_host}' -u '${database_user}' -p'${database_password_unsensitive}' ${port}-D '${database_name}' < create.sql && touch /etc/zabbix/.schema.done"
 }
 }
 }
@@ -59,7 +61,11 @@
 case $zabbix_type {
 'proxy' : {
 exec { 'zabbix_proxy_create.sql':
- command => $zabbix_proxy_create_sql,
+ command => if $database_password =~ Sensitive {
+ Sensitive($zabbix_proxy_create_sql)
+ } else {
+ $zabbix_proxy_create_sql
+ },
 path => "/bin:/usr/bin:/usr/local/sbin:/usr/local/bin:${database_path}",
 unless => 'test -f /etc/zabbix/.schema.done',
 provider => 'shell',
diff --git a/manifests/database/postgresql.pp b/manifests/database/postgresql.pp
index 10df743f0..bac1f0ddf 100644
--- a/manifests/database/postgresql.pp
+++ b/manifests/database/postgresql.pp
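Review bot: All four command strings still place the unwrapped password on the `mysql` client's argv via `-p'${database_password_unsensitive}'`, so wrapping the exec in `Sensitive` keeps it out of Puppet's logs and catalog but not out of the node's process list while the import runs. Handing it to the client through the exec's `environment` (the `MYSQL_PWD` variable, the way `manifests/database/postgresql.pp` already uses `PGPASSWORD`) or a temporary `--defaults-extra-file` would keep it off the command line; that exposure predates the commit but is the one a Sensitive-aware caller will expect to be closed. A password containing a single quote still breaks the `-p'…'` quoting on these lines, also pre-existing. The class body continues outside the hunk.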
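Review bot: Only the `'proxy'` branch's exec is wrapped with `Sensitive($zabbix_proxy_create_sql)`; `$zabbix_server_create_sql`, built in the hunk above with the same `-p'${database_password_unsensitive}'`, is presumably passed to a sibling exec in the `default` branch below this hunk, and the file's diffstat shows no change there, so the server import command would still reach the catalog and agent log in plaintext when a Sensitive password is supplied. That exec needs the same `command => if $database_password =~ Sensitive { Sensitive($zabbix_server_create_sql) } else { $zabbix_server_create_sql }`. Since the command embeds the password whichever type the caller passed, always wrapping it in `Sensitive` would be simpler and would also stop logging the plaintext for callers who still pass a `String`. The `default` branch is outside this hunk.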
@@ -16,13 +16,16 @@
 $database_schema_path = '',
 $database_name = '',
 $database_user = '',
- $database_password = '',
+ Variant[Sensitive[String], String] $database_password = '',
 $database_host = '',
 Stdlib::Port::Unprivileged $database_port = 5432,
 $database_path = $zabbix::params::database_path,
 ) inherits zabbix::params {
 assert_private()
+ # TODO: use EPP instead of ERB, as EPP can handle Sensitive natively
+ $database_password_unsensitive = $database_password.unwrap
+
 if $database_schema_path != false and $database_schema_path != '' {
 $schema_path = $database_schema_path
 } elsif versioncmp($zabbix_version, '6.0') >= 0 {
@@ -56,7 +59,7 @@
 "PGHOST=${database_host}",
 "PGPORT=${database_port}",
 "PGUSER=${database_user}",
- "PGPASSWORD=${database_password}",
+ "PGPASSWORD=${database_password_unsensitive}",
 "PGDATABASE=${database_name}",
 ]
diff --git a/manifests/init.pp b/manifests/init.pp
index 830218ccd..f85b653a7 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -251,7 +251,7 @@
 Optional[Stdlib::Absolutepath] $ldap_clientkey = $zabbix::params::ldap_clientkey,
 Optional[Enum['never', 'allow', 'try', 'demand', 'hard']] $ldap_reqcert = $zabbix::params::ldap_reqcert,
 $zabbix_api_user = $zabbix::params::server_api_user,
- $zabbix_api_pass = $zabbix::params::server_api_pass,
+ Variant[Sensitive[String], String] $zabbix_api_pass = $zabbix::params::server_api_pass,
 Optional[Array[Stdlib::Host,1]] $zabbix_api_access = $zabbix::params::server_api_access,
 $listenport = $zabbix::params::server_listenport,
 $sourceip = $zabbix::params::server_sourceip,
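Review bot: The `# TODO: use EPP instead of ERB, as EPP can handle Sensitive natively` comment is copied from the server, proxy and web classes, but nothing in this file's hunks renders a template; the unwrapped value is consumed by the `PGPASSWORD=` entry in the second hunk. A comment that fits this file, such as `# unwrapped for the schema-import exec environment below; a plain String passes through unchanged`, would not send the next reader looking for an ERB template. The class body continues outside the hunk.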
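Review bot: `"PGPASSWORD=${database_password_unsensitive}"` puts the plaintext password into what is presumably the schema-import exec's `environment` array, which travels in the catalog and is stored by PuppetDB and report processors as an ordinary string; unlike the mysql exec in `manifests/database/mysql.pp`, nothing here re-wraps the result in `Sensitive` when the caller supplied one. Whether `exec` accepts a `Sensitive` value for `environment` on the module's supported Puppet versions should be checked; if it does, wrap the array the way the mysql `command` is wrapped, and if it does not, the README should state that a Sensitive password is unwrapped into the catalog for PostgreSQL. The exec resource owning this array starts outside the hunk.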
@@ -265,7 +265,7 @@
 $database_schema = $zabbix::params::server_database_schema,
 Boolean $database_double_ieee754 = $zabbix::params::server_database_double_ieee754,
 $database_user = $zabbix::params::server_database_user,
- $database_password = $zabbix::params::server_database_password,
+ Variant[Sensitive[String], String] $database_password = $zabbix::params::server_database_password,
 $database_socket = $zabbix::params::server_database_socket,
 $database_port = $zabbix::params::server_database_port,
 $database_charset = $zabbix::params::server_database_charset,
diff --git a/manifests/proxy.pp b/manifests/proxy.pp
index f01169989..1df9fb5a2 100755
--- a/manifests/proxy.pp
+++ b/manifests/proxy.pp
@@ -222,7 +222,7 @@
 $database_name = $zabbix::params::proxy_database_name,
 $database_schema = $zabbix::params::proxy_database_schema,
 $database_user = $zabbix::params::proxy_database_user,
- $database_password = $zabbix::params::proxy_database_password,
+ Variant[Sensitive[String], String] $database_password = $zabbix::params::proxy_database_password,
 $database_socket = $zabbix::params::proxy_database_socket,
 $database_port = $zabbix::params::proxy_database_port,
 $database_charset = $zabbix::params::server_database_charset,
@@ -306,6 +306,9 @@
 Boolean $manage_selinux = $zabbix::params::manage_selinux,
 Optional[Stdlib::Absolutepath] $socketdir = $zabbix::params::proxy_socketdir,
 ) inherits zabbix::params {
+ # TODO: use EPP instead of ERB, as EPP can handle Sensitive natively
+ $database_password_unsensitive = $database_password.unwrap
+
 # check osfamily, Arch is currently not supported for web
 if $facts['os']['family'] == 'Archlinux' {
 fail('Archlinux is currently not supported for zabbix::proxy ')
diff --git a/manifests/resources/web.pp b/manifests/resources/web.pp
index 8de4c2c97..b849c7ff7 100644
--- a/manifests/resources/web.pp
+++ b/manifests/resources/web.pp
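Review bot: `$database_password_unsensitive` is computed here so that `templates/zabbix_proxy.conf.erb` can interpolate it into `DBPassword=`, but the `file` resource that presumably renders that template lies outside these hunks and, per the diffstat, is untouched, so it is not wrapped in `Sensitive` the way `manifests/web.pp` wraps `zabbix.conf.php.erb`; the rendered config with the plaintext password still lands in the catalog, in `show_diff` output and in reports even when a Sensitive value was supplied. `manifests/server.pp` together with `templates/zabbix_server.conf.erb` has the same gap. Applying `content => if $database_password =~ Sensitive { Sensitive(template('zabbix/zabbix_proxy.conf.erb')) } else { template('zabbix/zabbix_proxy.conf.erb') }` (template path inferred from the diffstat, verify) to that resource and its server counterpart would make the commit message's "Render Templates as sensitive Content" hold for proxy and server too. The class body continues outside the hunk.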
@@ -6,7 +6,7 @@ class zabbix::resources::web (
 String[1] $zabbix_url,
 String[1] $zabbix_user,
- String[1] $zabbix_pass,
+ Variant[Sensitive[String[1]], String[1]] $zabbix_pass,
 Boolean $apache_use_ssl,
 ) {
 file { '/etc/zabbix/api.conf':
diff --git a/manifests/server.pp b/manifests/server.pp
index f6e71e618..550b0ae2f 100755
--- a/manifests/server.pp
+++ b/manifests/server.pp
@@ -195,7 +195,7 @@
 $database_name = $zabbix::params::server_database_name,
 $database_schema = $zabbix::params::server_database_schema,
 $database_user = $zabbix::params::server_database_user,
- $database_password = $zabbix::params::server_database_password,
+ Variant[Sensitive[String], String] $database_password = $zabbix::params::server_database_password,
 $database_socket = $zabbix::params::server_database_socket,
 Optional[Stdlib::Port::Unprivileged] $database_port = $zabbix::params::server_database_port,
 Optional[Enum['required', 'verify_ca', 'verify_full']] $database_tlsconnect = $zabbix::params::server_database_tlsconnect,
@@ -281,6 +281,9 @@
 Optional[String[1]] $hanodename = $zabbix::params::server_hanodename,
 Optional[String[1]] $nodeaddress = $zabbix::params::server_nodeaddress,
 ) inherits zabbix::params {
+ # TODO: use EPP instead of ERB, as EPP can handle Sensitive natively
+ $database_password_unsensitive = $database_password.unwrap
+
 # zabbix server 5.2, 5.4 and 6.0 is not supported on RHEL 7.
 # https://www.zabbix.com/documentation/current/manual/installation/install_from_packages/rhel_centos
 if $facts['os']['family'] == 'RedHat' and versioncmp($zabbix_version, '5.2') >= 0 {
diff --git a/manifests/web.pp b/manifests/web.pp
index 533faaf93..a8a274028 100644
--- a/manifests/web.pp
+++ b/manifests/web.pp
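Review bot: `$zabbix_pass` may now be a `Sensitive[String[1]]`, and it flows into the `file { '/etc/zabbix/api.conf': ... }` resource that opens on the last context line and, per the `templates/api.conf.epp` hunk, into an EPP parameter of the same type. How that renders depends on the template body, which the EPP hunk does not show: if the body interpolates `$zabbix_pass` directly, a Sensitive value is stringified as Puppet's redaction placeholder rather than the password, and whether `epp()` then yields a `Sensitive` or a plain String for the file content depends on the Puppet version range in `metadata.json`. A spec example that passes `Sensitive('example-pass')` (constructed value) and asserts the rendered `api.conf` contains the password would settle both questions. The `file` resource continues outside the hunk.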
@@ -114,14 +114,14 @@
 Variant[Array[Stdlib::Port], Stdlib::Port] $apache_listenport = $zabbix::params::apache_listenport,
 Variant[Array[Stdlib::Port], Stdlib::Port] $apache_listenport_ssl = $zabbix::params::apache_listenport_ssl,
 $zabbix_api_user = $zabbix::params::server_api_user,
- $zabbix_api_pass = $zabbix::params::server_api_pass,
+ Variant[Sensitive[String], String] $zabbix_api_pass = $zabbix::params::server_api_pass,
 Optional[Array[Stdlib::Host,1]] $zabbix_api_access = $zabbix::params::server_api_access,
 $database_host = $zabbix::params::server_database_host,
 $database_name = $zabbix::params::server_database_name,
 $database_schema = $zabbix::params::server_database_schema,
 Boolean $database_double_ieee754 = $zabbix::params::server_database_double_ieee754,
 $database_user = $zabbix::params::server_database_user,
- $database_password = $zabbix::params::server_database_password,
+ Variant[Sensitive[String], String] $database_password = $zabbix::params::server_database_password,
 $database_socket = $zabbix::params::server_database_socket,
 $database_port = $zabbix::params::server_database_port,
 $zabbix_server = $zabbix::params::zabbix_server,
@@ -146,6 +146,9 @@
 Boolean $manage_selinux = $zabbix::params::manage_selinux,
 Hash[String[1], Any] $apache_vhost_custom_params = {},
 ) inherits zabbix::params {
+ # TODO: use EPP instead of ERB, as EPP can handle Sensitive natively
+ $database_password_unsensitive = $database_password.unwrap
+
 # check osfamily, Arch is currently not supported for web
 if $facts['os']['family'] in ['Archlinux', 'Gentoo',] {
 fail("${facts['os']['family']} is currently not supported for zabbix::web")
@@ -262,7 +265,11 @@
 group => $web_config_group,
 mode => '0640',
 replace => true,
- content => template('zabbix/web/zabbix.conf.php.erb'),
+ content => if $database_password =~ Sensitive {
+ Sensitive(template('zabbix/web/zabbix.conf.php.erb'))
+ } else {
+ template('zabbix/web/zabbix.conf.php.erb')
+ },
 }
 # For API to work on Zabbix 5.x zabbix.conf.php needs to be in the root folder.
diff --git a/templates/api.conf.epp b/templates/api.conf.epp
index 32679f37b..ed449ad2d 100644
--- a/templates/api.conf.epp
+++ b/templates/api.conf.epp
@@ -1,6 +1,6 @@
 <%- | String[1] $zabbix_url,
 String[1] $zabbix_user,
- String[1] $zabbix_pass,
+ Variant[Sensitive[String[1]], String[1]] $zabbix_pass,
 Boolean $apache_use_ssl,
 | -%>
 # MANAGED BY PUPPET
diff --git a/templates/web/zabbix.conf.php.erb b/templates/web/zabbix.conf.php.erb
index 930e4110e..4d19d41cf 100755
--- a/templates/web/zabbix.conf.php.erb
+++ b/templates/web/zabbix.conf.php.erb
@@ -13,7 +13,7 @@ $DB['PORT'] = '0';
 <% end -%>
 $DB['DATABASE'] = '<%= @database_name %>';
 $DB['USER'] = '<%= @database_user %>';
-$DB['PASSWORD'] = '<%= @database_password %>';
+$DB['PASSWORD'] = '<%= @database_password_unsensitive %>';
 // SCHEMA is relevant only for IBM_DB2 and PostgreSQL database
 <% if @database_schema -%>
diff --git a/templates/zabbix_proxy.conf.erb b/templates/zabbix_proxy.conf.erb
index 03c044cb4..373346fe3 100755
--- a/templates/zabbix_proxy.conf.erb
+++ b/templates/zabbix_proxy.conf.erb
@@ -169,7 +169,7 @@ DBUser=<%= @database_user %>
 # Comment this line if no password is used.
 #
 # Mandatory: no
-DBPassword=<%= @database_password %>
+DBPassword=<%= @database_password_unsensitive %>
 ### Option: DBSocket
 # Path to MySQL socket.
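Review bot: `template('zabbix/web/zabbix.conf.php.erb')` is written out in both arms of the `if` expression, so the template path is duplicated and the resource attribute becomes a five-line block; binding the render once, `$web_config = template('zabbix/web/zabbix.conf.php.erb')`, and then `content => $database_password =~ Sensitive ? { true => Sensitive($web_config), default => $web_config }` reads as the one-line selector the rest of this module already uses. The trailing context line mentions a second `zabbix.conf.php` copy for Zabbix 5.x; if that resource also renders from `@database_password_unsensitive` it needs the same wrapping, which this diff does not show either way. A spec example asserting the file's `content` is `Sensitive` when a Sensitive password is given would guard the branch. The `file` resource begins outside the hunk.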
@@ -894,7 +894,7 @@ LoadModulePath=<%= @loadmodulepath %>
 <% if @zabbix_version.to_f >= 7.0 %>
 ### Option: VaultPrefix
 # Custom prefix for Vault path or query depending on the Vault.
-# Most suitable defaults will be used if not specified.
+# Most suitable defaults will be used if not specified.
 # Note that 'data' is automatically appended after mountpoint for HashiCorp if VaultPrefix is not specified.
 # Example prefix for HashiCorp:
 # /v1/secret/data/
@@ -969,4 +969,4 @@ LoadModulePath=<%= @loadmodulepath %>
 # Default:
 # StartBrowserPollers=1
-<% end %>
\ No newline at end of file
+<% end %>
diff --git a/templates/zabbix_server.conf.erb b/templates/zabbix_server.conf.erb
index 9aaba7fd3..008e3c7dc 100755
--- a/templates/zabbix_server.conf.erb
+++ b/templates/zabbix_server.conf.erb
@@ -106,7 +106,7 @@ DBUser=<%= @database_user %>
 # Comment this line if no password is used.
 #
 # Mandatory: no
-DBPassword=<%= @database_password %>
+DBPassword=<%= @database_password_unsensitive %>
 ### Option: DBSocket
 # Path to MySQL socket.
@@ -849,7 +849,7 @@ LoadModulePath=<%= @loadmodulepath %>
 <% if @zabbix_version.to_f >= 7.0 %>
 ### Option: VaultPrefix
 # Custom prefix for Vault path or query depending on the Vault.
-# Most suitable defaults will be used if not specified.
+# Most suitable defaults will be used if not specified.
 # Note that 'data' is automatically appended after mountpoint for HashiCorp if VaultPrefix is not specified.
 # Example prefix for HashiCorp:
 # /v1/secret/data/
@@ -946,7 +946,7 @@ LoadModulePath=<%= @loadmodulepath %>
 # EnableGlobalScripts=1
 # Option: AllowSoftwareUpdateCheck
-# Allow Zabbix UI to receive information about software updates from zabbix.com
+# Allow Zabbix UI to receive information about software updates from zabbix.com
 # 0 - disable software update checks
 # 1 - enable software update checks
 #
@@ -1017,4 +1017,4 @@ LoadModulePath=<%= @loadmodulepath %>
 # Default:
 # StartBrowserPollers=1
-<% end %>
\ No newline at end of file
+<% end %>