theforeman · ekohl · Dec 22, 2021 · Dec 2, 2021
diff --git a/manifests/database/mysql.pp b/manifests/database/mysql.pp
@@ -11,7 +11,8 @@
   $db_port = pick($candlepin::db_port, 3306),
   $db_name = $candlepin::db_name,
   $db_user = $candlepin::db_user,
-  $db_password = $candlepin::db_password,
+  # TODO: use EPP instead of  ERB, as EPP handles Sensitive natively
+  $db_password = $candlepin::db_password.unwrap,
   $enable_hbm2ddl_validate = $candlepin::enable_hbm2ddl_validate,
 ) {
   assert_private()

diff --git a/manifests/database/postgresql.pp b/manifests/database/postgresql.pp
@@ -16,7 +16,8 @@
   $db_ssl_verify           = $candlepin::db_ssl_verify,
   $db_name                 = $candlepin::db_name,
   $db_user                 = $candlepin::db_user,
-  $db_password             = $candlepin::db_password,
+  # TODO: use EPP instead of  ERB, as EPP handles Sensitive natively
+  $db_password             = $candlepin::db_password.unwrap,
   $enable_hbm2ddl_validate = $candlepin::enable_hbm2ddl_validate,
   $log_dir                 = $candlepin::log_dir,
 

diff --git a/manifests/init.pp b/manifests/init.pp
@@ -173,21 +173,21 @@
   Boolean $db_ssl_verify = true,
   String $db_name = 'candlepin',
   String $db_user = 'candlepin',
-  String $db_password = $candlepin::params::db_password,
+  Variant[Sensitive[String], String] $db_password = $candlepin::params::db_password,
   Stdlib::Absolutepath $crl_file = '/var/lib/candlepin/candlepin-crl.crl',
   Variant[Array[String], String] $user_groups = [],
   Stdlib::Absolutepath $log_dir = '/var/log/candlepin',
   String $oauth_key = 'candlepin',
   String $oauth_secret = 'candlepin',
   Boolean $env_filtering_enabled = true,
   Stdlib::Absolutepath $keystore_file = '/etc/candlepin/certs/keystore',
-  Optional[String] $keystore_password = undef,
+  Optional[Variant[Sensitive[String], String]] $keystore_password = undef,
   String $keystore_type = 'PKCS12',
   Stdlib::Absolutepath $truststore_file = '/etc/candlepin/certs/truststore',
-  Optional[String] $truststore_password = undef,
+  Optional[Variant[Sensitive[String], String]] $truststore_password = undef,
   Stdlib::Absolutepath $ca_key = '/etc/candlepin/certs/candlepin-ca.key',
   Stdlib::Absolutepath $ca_cert = '/etc/candlepin/certs/candlepin-ca.crt',
-  Optional[String] $ca_key_password = undef,
+  Optional[Variant[Sensitive[String], String]] $ca_key_password = undef,
   Array[String] $ciphers = $candlepin::params::ciphers,
   Array[String] $tls_versions = ['1.2'],
   Optional[String[1]] $java_package = undef,
@@ -221,6 +221,11 @@
 
   contain candlepin::service
 
+  # TODO: use EPP instead of  ERB, as EPP handles Sensitive natively
+  $keystore_password_unsensitive = $keystore_password.unwrap
+  $ca_key_password_unsensitive  = $ca_key_password.unwrap
+  $truststore_password_unsensitive = $truststore_password.unwrap
+
   Anchor <| title == 'candlepin::repo' |> ->
   class { 'candlepin::install': } ~>
   class { 'candlepin::config':  } ~>

diff --git a/spec/classes/candlepin_spec.rb b/spec/classes/candlepin_spec.rb
@@ -115,6 +115,39 @@
         it { is_expected.to contain_service('tomcat').with_ensure('running') }
       end
 
+      describe 'sensitive parameters' do
+        let :params do
+          {
+            db_type: 'postgresql',
+            db_password: sensitive('MY_DB_PASSWORD'),
+            keystore_password: sensitive('MY_KEYSTORE_PASSWORD'),
+            truststore_password: sensitive('MY_TRUSTSTORE_PASSWORD'),
+            ca_key_password: sensitive('MY_CA_KEY_PASSWORD')
+          }
+        end
+
+        it { is_expected.to compile.with_all_deps }
+        it { is_expected.to contain_concat('/etc/candlepin/candlepin.conf') }
+        it do
+          is_expected.to contain_concat_fragment('PostgreSQL Database Configuration').
+            with_content(/^jpa.config.hibernate.connection.password=MY_DB_PASSWORD$/).
+            with_content(/^org.quartz.dataSource.myDS.password=MY_DB_PASSWORD$/)
+        end
+        it do
+          is_expected.to contain_concat_fragment('General Config').
+            with_content(/^candlepin.ca_key_password=MY_CA_KEY_PASSWORD$/)
+        end
+        it do
+          is_expected.to contain_file('/etc/candlepin/broker.xml').
+            with_content(/;keyStorePassword=MY_KEYSTORE_PASSWORD;/).
+            with_content(/;trustStorePassword=MY_TRUSTSTORE_PASSWORD;/)
+        end
+        it do
+          is_expected.to contain_file('/etc/tomcat/server.xml').
+            with_content(/^ *keystorePass="MY_KEYSTORE_PASSWORD"$/)
+        end
+      end
+
       describe 'selinux' do
         describe 'on' do
           let(:facts) { override_facts(super(), os: {selinux: {enabled: true}}) }

diff --git a/templates/broker.xml.erb b/templates/broker.xml.erb
@@ -12,7 +12,7 @@
 
         <acceptors>
             <acceptor name="in-vm">vm://0</acceptor>
-            <acceptor name="stomp">tcp://<%= scope['candlepin::artemis_host'] %>:<%= scope['candlepin::artemis_port'] %>?protocols=STOMP;useEpoll=false;sslEnabled=true;trustStorePath=<%= scope['candlepin::truststore_file'] %>;trustStorePassword=<%= scope['candlepin::truststore_password'] %>;keyStorePath=<%= scope['candlepin::keystore_file'] %>;keyStorePassword=<%= scope['candlepin::keystore_password'] %>;needClientAuth=true</acceptor>
+            <acceptor name="stomp">tcp://<%= scope['candlepin::artemis_host'] %>:<%= scope['candlepin::artemis_port'] %>?protocols=STOMP;useEpoll=false;sslEnabled=true;trustStorePath=<%= scope['candlepin::truststore_file'] %>;trustStorePassword=<%= scope['candlepin::truststore_password_unsensitive'] %>;keyStorePath=<%= scope['candlepin::keystore_file'] %>;keyStorePassword=<%= scope['candlepin::keystore_password_unsensitive'] %>;needClientAuth=true</acceptor>
         </acceptors>
 
         <security-enabled>true</security-enabled>

diff --git a/templates/candlepin.conf.erb b/templates/candlepin.conf.erb
@@ -22,8 +22,8 @@ module.config.adapter_module=<%= scope['candlepin::adapter_module'] %>
 candlepin.ca_key=<%= scope['candlepin::ca_key'] %>
 candlepin.ca_cert=<%= scope['candlepin::ca_cert'] %>
 candlepin.crl.file=<%= scope['candlepin::crl_file'] %>
-<% unless [nil, :undefined, :undef].include?(scope['candlepin::ca_key_password']) -%>
-candlepin.ca_key_password=<%= scope['candlepin::ca_key_password'] %>
+<% unless [nil, :undefined, :undef].include?(scope['candlepin::ca_key_password_unsensitive']) -%>
+candlepin.ca_key_password=<%= scope['candlepin::ca_key_password_unsensitive'] %>
 <%- end -%>
 
 candlepin.async.jobs.ExpiredPoolsCleanupJob.schedule=<%= scope['candlepin::expired_pools_schedule'] %>

diff --git a/templates/tomcat/server.xml.erb b/templates/tomcat/server.xml.erb
@@ -81,10 +81,10 @@
                sslProtocol="<%= scope['::candlepin::tls_versions'].map { |version| "TLSv#{version}"}.join(",") %>"
                sslEnabledProtocols="<%= scope['::candlepin::tls_versions'].map { |version| "TLSv#{version}"}.join(",") %>"
                keystoreFile="<%= scope['::candlepin::keystore_file'] %>"
-               keystorePass="<%= scope['::candlepin::keystore_password'] %>"
+               keystorePass="<%= scope['::candlepin::keystore_password_unsensitive'] %>"
                keystoreType="<%= scope['::candlepin::keystore_type'] %>"
                truststoreFile="<%= scope['::candlepin::truststore_file'] %>"
-               truststorePass="<%= scope['::candlepin::truststore_password'] %>"
+               truststorePass="<%= scope['::candlepin::truststore_password_unsensitive'] %>"
                ciphers="<%= scope['::candlepin::ciphers'].join(",\n                    ") %>" />
 
     <!-- An Engine represents the entry point (within Catalina) that processes