ipmi::user: Mask passwords
If an exec command fails then the entire command including passwords is
included in the output.

The CR updates the commands that have a password to be Sensitive
ensuring they are redacted from output and logs.

The new output looks like
(of course now I can't recreate it :/)
b4ldr committed Jan 4, 2024
1 parent ac909d2 commit 6e86c20
Showing 1 changed file with 4 additions and 3 deletions.
7 changes: 4 additions & 3 deletions manifests/user.pp
Expand Up @@ -67,9 +67,10 @@
}

exec { "ipmi_user_setpw_${title}":
command => "/usr/bin/ipmitool user set password ${user_id} \'${real_password}\'",
unless => "/usr/bin/ipmitool user test ${user_id} 16 \'${real_password}\'",
notify => [Exec["ipmi_user_enable_${title}"], Exec["ipmi_user_enable_sol_${title}"], Exec["ipmi_user_channel_setaccess_${title}"]],
environment => [ "PASSWORD=${real_password}" ],

Check failure on line 70 in manifests/user.pp

GitHub Actions / Puppet / Static validations

there should be no whitespace or a single newline before a closing bracket (check: manifest_whitespace_closing_bracket_before)

Check failure on line 70 in manifests/user.pp

GitHub Actions / Puppet / Static validations

there should be no whitespace or a single newline after an opening bracket (check: manifest_whitespace_opening_bracket_after)
command => "/usr/bin/ipmitool user set password ${user_id} \'\$PASSWORD\'",
unless => "/usr/bin/ipmitool user test ${user_id} 16 \'\$PASSWORD\'",
notify => [Exec["ipmi_user_enable_${title}"], Exec["ipmi_user_enable_sol_${title}"], Exec["ipmi_user_channel_setaccess_${title}"]],
}

exec { "ipmi_user_enable_sol_${title}":
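Review bot: In the new `command` and `unless` lines, `\'\$PASSWORD\'` reaches the command line as `'$PASSWORD'`, and single quotes stop a shell from expanding the variable, so ipmitool would set and test the literal string `$PASSWORD` instead of the value passed through `environment`. Use escaped double quotes (`\"\$PASSWORD\"`) and confirm this exec actually runs through a shell, since no `provider` is set in the visible resource and without one nothing expands the variable at all. The commit message says the commands are made Sensitive, but no visible line uses `Sensitive`; the cleartext password now sits in `environment => [ "PASSWORD=${real_password}" ]`, so verify on a forced failure that this attribute is not printed in the report or logs either. That same line is what the two static-validation failures on line 70 point at: drop the spaces just inside the square brackets.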