Passwords should be secret

Change-Id: I7db850a55905eb5113c5ac3ed131e42c52f6df5d
2020-05-12 17:41:59 +09:00 · 2020-05-12 17:41:59 +09:00 · de443f28fc
commit de443f28fc
parent e98f4bde16
8 changed files with 19 additions and 19 deletions
--- a/manifests/keymaster.pp
+++ b/manifests/keymaster.pp
@ -81,17 +81,17 @@ class swift::keymaster(
  include swift::deps

  swift_keymaster_config {
-    'kms_keymaster/api_class': value => $api_class;
-    'kms_keymaster/key_id': value => $key_id;
-    'kms_keymaster/username': value => $username;
-    'kms_keymaster/password': value => $password;
-    'kms_keymaster/project_name': value => $project_name;
-    'kms_keymaster/project_id': value => $project_id;
-    'kms_keymaster/auth_endpoint': value => $auth_endpoint;
+    'kms_keymaster/api_class':           value => $api_class;
+    'kms_keymaster/key_id':              value => $key_id;
+    'kms_keymaster/username':            value => $username;
+    'kms_keymaster/password':            value => $password, secret => true;
+    'kms_keymaster/project_name':        value => $project_name;
+    'kms_keymaster/project_id':          value => $project_id;
+    'kms_keymaster/auth_endpoint':       value => $auth_endpoint;
    'kms_keymaster/project_domain_name': value => $project_domain_name;
-    'kms_keymaster/user_domain_name': value => $user_domain_name;
-    'kms_keymaster/project_domain_id': value => $project_domain_id;
-    'kms_keymaster/user_domain_id': value => $user_domain_id;
+    'kms_keymaster/user_domain_name':    value => $user_domain_name;
+    'kms_keymaster/project_domain_id':   value => $project_domain_id;
+    'kms_keymaster/user_domain_id':      value => $user_domain_id;
  }
 }

--- a/manifests/proxy/authtoken.pp
+++ b/manifests/proxy/authtoken.pp
@ -127,7 +127,7 @@ class swift::proxy::authtoken(
    'filter:authtoken/user_domain_id':               value => $user_domain_id;
    'filter:authtoken/project_name':                 value => $project_name;
    'filter:authtoken/username':                     value => $username;
-    'filter:authtoken/password':                     value => $password;
+    'filter:authtoken/password':                     value => $password, secret => true;
    'filter:authtoken/region_name':                  value => $region_name;
    'filter:authtoken/delay_auth_decision':          value => $delay_auth_decision;
    'filter:authtoken/cache':                        value => $cache;
--- a/manifests/proxy/ceilometer.pp
+++ b/manifests/proxy/ceilometer.pp
@ -183,7 +183,7 @@ class swift::proxy::ceilometer(
    'filter:ceilometer/user_domain_name':     value => $user_domain_name;
    'filter:ceilometer/project_name':         value => $project_name;
    'filter:ceilometer/username':             value => $username;
-    'filter:ceilometer/password':             value => $password;
+    'filter:ceilometer/password':             value => $password, secret => true;
    'filter:ceilometer/region_name':          value => $region_name;
  }

--- a/manifests/proxy/s3token.pp
+++ b/manifests/proxy/s3token.pp
@ -127,7 +127,7 @@ class swift::proxy::s3token(
    'filter:s3token/auth_url':              value => $auth_url;
    'filter:s3token/auth_type':             value => $auth_type;
    'filter:s3token/username':              value => $username;
-    'filter:s3token/password':              value => $password;
+    'filter:s3token/password':              value => $password, secret => true;
    'filter:s3token/project_name':          value => $project_name;
    'filter:s3token/project_domain_id':     value => $project_domain_id;
    'filter:s3token/user_domain_id':        value => $user_domain_id;
--- a/spec/classes/swift_keymaster.rb
+++ b/spec/classes/swift_keymaster.rb
@ -21,7 +21,7 @@ describe 'swift::keymaster' do
      end

      it { is_expected.to contain_swift_keymaster_config('kms_keymaster/key_id').with_value('dummy_key_id') }
-      it { is_expected.to contain_swift_keymaster_config('kms_keymaster/password').with_value('fake_password') }
+      it { is_expected.to contain_swift_keymaster_config('kms_keymaster/password').with_value('fake_password').with_secret(true) }
      it { is_expected.to contain_swift_keymaster_config('kms_keymaster/auth_endpoint').with_value('http://127.0.0.1:5000') }
      it { is_expected.to contain_swift_keymaster_config('kms_keymaster/project_name').with_value('barbican_swift_service') }
    end
--- a/spec/classes/swift_proxy_authtoken_spec.rb
+++ b/spec/classes/swift_proxy_authtoken_spec.rb
@ -28,7 +28,7 @@ describe 'swift::proxy::authtoken' do
      it { is_expected.to contain_swift_proxy_config('filter:authtoken/user_domain_id').with_value('default') }
      it { is_expected.to contain_swift_proxy_config('filter:authtoken/project_name').with_value('services') }
      it { is_expected.to contain_swift_proxy_config('filter:authtoken/username').with_value('swift') }
-      it { is_expected.to contain_swift_proxy_config('filter:authtoken/password').with_value('password') }
+      it { is_expected.to contain_swift_proxy_config('filter:authtoken/password').with_value('password').with_secret(true) }
      it { is_expected.to contain_swift_proxy_config('filter:authtoken/region_name').with_value('<SERVICE DEFAULT>') }
      it { is_expected.to contain_swift_proxy_config('filter:authtoken/delay_auth_decision').with_value('1') }
      it { is_expected.to contain_swift_proxy_config('filter:authtoken/cache').with_value('swift.cache') }
@ -62,7 +62,7 @@ describe 'swift::proxy::authtoken' do
      it { is_expected.to contain_swift_proxy_config('filter:authtoken/user_domain_id').with_value('default') }
      it { is_expected.to contain_swift_proxy_config('filter:authtoken/project_name').with_value('admin') }
      it { is_expected.to contain_swift_proxy_config('filter:authtoken/username').with_value('swiftuser') }
-      it { is_expected.to contain_swift_proxy_config('filter:authtoken/password').with_value('swiftpassword') }
+      it { is_expected.to contain_swift_proxy_config('filter:authtoken/password').with_value('swiftpassword').with_secret(true) }
      it { is_expected.to contain_swift_proxy_config('filter:authtoken/region_name').with_value('region2') }
      it { is_expected.to contain_swift_proxy_config('filter:authtoken/delay_auth_decision').with_value('0') }
      it { is_expected.to contain_swift_proxy_config('filter:authtoken/cache').with_value('foo') }
--- a/spec/classes/swift_proxy_ceilometer_spec.rb
+++ b/spec/classes/swift_proxy_ceilometer_spec.rb
@ -58,7 +58,7 @@ describe 'swift::proxy::ceilometer' do
        it { is_expected.to contain_swift_proxy_config('filter:ceilometer/user_domain_name').with_value('Default') }
        it { is_expected.to contain_swift_proxy_config('filter:ceilometer/project_name').with_value('services') }
        it { is_expected.to contain_swift_proxy_config('filter:ceilometer/username').with_value('swift') }
-        it { is_expected.to contain_swift_proxy_config('filter:ceilometer/password').with_value('password') }
+        it { is_expected.to contain_swift_proxy_config('filter:ceilometer/password').with_value('password').with_secret(true) }
        it { is_expected.to contain_swift_proxy_config('filter:ceilometer/region_name').with_value('region2') }
      end

--- a/spec/classes/swift_proxy_s3token_spec.rb
+++ b/spec/classes/swift_proxy_s3token_spec.rb
@ -12,7 +12,7 @@ describe 'swift::proxy::s3token' do
      it { is_expected.to contain_swift_proxy_config('filter:s3token/auth_url').with_value('http://127.0.0.1:5000') }
      it { is_expected.to contain_swift_proxy_config('filter:s3token/auth_type').with_value('password') }
      it { is_expected.to contain_swift_proxy_config('filter:s3token/username').with_value('swift') }
-      it { is_expected.to contain_swift_proxy_config('filter:s3token/password').with_value('password') }
+      it { is_expected.to contain_swift_proxy_config('filter:s3token/password').with_value('password').with_secret(true) }
      it { is_expected.to contain_swift_proxy_config('filter:s3token/project_name').with_value('services') }
      it { is_expected.to contain_swift_proxy_config('filter:s3token/project_domain_id').with_value('default') }
      it { is_expected.to contain_swift_proxy_config('filter:s3token/user_domain_id').with_value('default') }
@ -58,7 +58,7 @@ describe 'swift::proxy::s3token' do
      it { is_expected.to contain_swift_proxy_config('filter:s3token/auth_url').with_value('http://192.168.24.11:5000') }
      it { is_expected.to contain_swift_proxy_config('filter:s3token/auth_type').with_value('password') }
      it { is_expected.to contain_swift_proxy_config('filter:s3token/username').with_value('swift') }
-      it { is_expected.to contain_swift_proxy_config('filter:s3token/password').with_value('swift') }
+      it { is_expected.to contain_swift_proxy_config('filter:s3token/password').with_value('swift').with_secret(true) }
      it { is_expected.to contain_swift_proxy_config('filter:s3token/project_name').with_value('admin') }
      it { is_expected.to contain_swift_proxy_config('filter:s3token/project_domain_id').with_value('12345') }
      it { is_expected.to contain_swift_proxy_config('filter:s3token/user_domain_id').with_value('12345') }