Closed teluq-pbrideau closed 1 year ago
@bastelfreak Thanks for this quick merge, but I’ve discovered a problem today about this feature: The password is not censored when another config is changed:
Notice: Augeas[yum.conf_proxy_username](provider=augeas):
--- /etc/yum.conf 2022-09-28 10:53:13.958280359 -0400
+++ /etc/yum.conf.augnew 2022-09-28 11:44:01.581689900 -0400
@@ -10,5 +10,5 @@
metadata_expire=0
mirrorlist_expire=0
proxy=http://host.example.com:3128
-proxy_username=user
+proxy_username=anotheruser
proxy_password=mysecretpassword
Notice: /Stage[main]/Yum/Yum::Config[proxy_username]/Augeas[yum.conf_proxy_username]/returns: executed successfully (corrective)
It might lure people in a false sense of security by using this config... The better way to deal with this would probably use a variable yum::show_diff
and completely revert this commit. I’ll gladly provide the PR and tests. What do you think?
I still think that the sensitive type is a good idea, it should not be reverted. However, adding the show_diff param would be a good addition (and maybe supporting sensitive for all parameters in that file).
All right, i’ll make another PR about the show_diff. :+1:
I do not understand what you means when you say «supporting sensitive for all parameters». Do you mean supporting the sensitive type for $yum::repos
for example? I don’t see a case where I would want to censor the repository I connect to, but I guess someone might want that somehow…
Pull Request (PR) description
I would like the
proxy_password
config not be leaked in the puppet log. This PR address this issue by disabling theshow_diff
when the given config is of typeSensitive
I could add support for
Sensitive[Boolean]
andSensitive[Integer]
also if you think it is necessary, feel free to ask for it. I was not sure it would be required.