Puppet module exposes passwords - current and previous in plain text during puppet runs #82

Closed
ghost opened this issue Nov 29, 2017 · 6 comments

Comments

@ghost

ghost commented Nov 29, 2017

Affected Puppet, Ruby, OS and module versions/distributions

  • Puppet: 5.3.2
  • Ruby: 2.4.1p111
  • Distribution: CentOS 7.4
  • Module version: 4.0.2

How to reproduce (e.g Puppet code you use)

Puppet code:

class profiles::services::dashboard
(
  Hash $grafana_admin,
  Hash $grafana_users,
  Hash $grafana_datasource,
  Array $grafana_panels,
  Array $grafana_dashboards,
)
{
  ...
  create_resources('grafana_user', $grafana_users, $grafana_admin)
  create_resources('grafana_datasource', $grafana_datasource)
  ...
}

Hiera data

profiles::services::dashboard::grafana_users:
  'guest':
    is_admin: false
    full_name: 'John Doe'
    password: >
      ENC[PKCS7,MIIBeQYJKoZIhvcNAQcDoIIBajCCAWYCAQAxggEhMIIBHQIBADAFMAACAQAw
      DQYJKoZIhvcNAQEBBQAEggEA0Fjl/2UKSUV7PjI74aecTX5UE1hGKkXEMwAF
      NHMRRsWhkgCc5pUAY1qUfJGFBuCLflZMzHSDhAy5z+UsUdpepXczi9lFk6lc
      eCQMoAbuEVL0kNUGk2y5sM5SM90gpfnf32TsmqUmd/fkv1WHbZopQdEzE+sg
      7agJL8CPoFOotGR29NcIa5SazUIS7JnVCsTLW6uvshpdfmEdJyB66YAk52Qz
      16hRgguy4IvMIYs3rG31BYMIoNIz7XzkQieBbB/EqpJmREzHBhtQCuHHY2eS
      7PUGJJL7uoyY7UO5atmTR9QwL2AUgrfBsooMKyE2EeaKpXTdXCQb0jwSz3IS
      FPepVDA8BgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBDROuPXiS4la51sndv4
      xPENgBBW1ox3k2I6DNB97EJ+dCt8]
    email: 'some_email@some_company.org'

profiles::services::dashboard::grafana_datasource:
  'influxdb':
    grafana_url: 'http://localhost:8081'
    grafana_user: 'admin'
    grafana_password: >
      ENC[PKCS7,MIIBiQYJKoZIhvcNAQcDoIIBejCCAXYCAQAxggEhMIIBHQIBADAFMAACAQAw
      DQYJKoZIhvcNAQEBBQAEggEALITTRDFA+TCjzCeHyex+4CS71jRmg9FUIe/v
      x37fopwcDGXZfepc+hayW8NjldzAEgVmLk7VUw29ASlIg6Ig41C3Of75UltD
      L64YhryxQlZ9rfzZ1hgrtLHbjYxWDT1oS94KlkuC/6+JafdRSqoPVFFKupcF
      5NHZvJj1WC04nB6Ax7cm9o+16IOvo8fRRZVg88W9slV2wc8d/di7KAYoGhwL
      UpWR8K6Z+iKVEtGHESqybz29WT+79VpZ6rLjy8rBuQyWHynR+d+hEt93Vp+3
      QLSjGOXmHfxIA/gU42Z1r+iFNi6OfYu4x3AeH2HzMKpPpluWvS/AquG3akaK
      V3merzBMBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBBDvnyXVH+W+FQqCuwK
      ZEHrgCAww1GB0ptRIwKvyqfRhG0rd7JCiY0OCibPxyceNh8t9w==]
    type: 'influxdb'
    url: 'http://int-influxdb-01:8086'
    user: 'admin'
    password: >
      ENC[PKCS7,MIIBeQYJKoZIhvcNAQcDoIIBajCCAWYCAQAxggEhMIIBHQIBADAFMAACAQAw
      DQYJKoZIhvcNAQEBBQAEggEAjw9mW7QbN1wtM9D0uqlbtJcMsqT0TorB3dXu
      LahneBC0sxyVrCXVw9vGtoZl7W0PQ6sEaulQ9kTgvObgDao7amgVJusmOqHt
      sWDw+CsRjDIKnyBRA8CybtDr3oC8CgwsoMbeJpof8uJnxIjVTqmxEd1KzcKf
      o+Thq8dL+3yUIawd9Em5KSrL6abrq085hFCI86vld5g7th4TfJVB2aEeq4v4
      5pxcKP1ZUZg/0JyCJz4eKTgVKnbse4fcxrOB4EBl8AP1kuKD5fh2ej/KSoQT
      4ILIHeUTWqlNRo1Sy7R9ibDSbyvz9q+TFllpvJfzK/elS51azmAumAqM58wp
      9SMqQzA8BgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBBS+yRk0z9tFhBk1uqx
      LlEIgBAItdELbUGP+yiNYEi+RW/L]
    database: 'icinga2'
    access_mode: 'direct'
    is_default: true

What are you seeing

Notice: /Stage[main]/Profiles::Services::Dashboard/Grafana_user[guest]/password: password changed  to 'guest'
Notice: /Stage[main]/Profiles::Services::Dashboard/Grafana_datasource[influxdb]/password: password changed 'admin' to 'yBmAdsqqC371Hvd4b'

After changing passwords:

Notice: /Stage[main]/Profiles::Services::Dashboard/Grafana_user[guest]/password: password changed  to 'guest'
Notice: /Stage[main]/Profiles::Services::Dashboard/Grafana_datasource[influxdb]/password: password changed 'YbmMJqBCQ7KHvd3a' to 'admin'
Notice: Applied catalog in 35.65 seconds

What behaviour did you expect instead

Notice: /Stage[main]/Profiles::Services::Dashboard/Grafana_user[guest]/password: password changed
Notice: /Stage[main]/Profiles::Services::Dashboard/Grafana_datasource[influxdb]/password: password changed

Output log

Any additional information you'd like to impart

No

@ghost ghost changed the title Puppet module exposes passwords in plain text during puppet runs Puppet module exposes passwords - current and previous in plain text during puppet runs Nov 29, 2017
@ghost
Author

ghost commented Mar 12, 2018

Any response on this? It's kinda a security breach...

@bastelfreak
Member

Sorry for the slow @alexizmailov. I will have a look at disabling this. I'm not sure how to do this in a custom provider.

CC: @roidelapluie

@alexjfisher
Member

@bastelfreak I think I know how to fix this. Let me know if you need any help.

@alexjfisher
Member

See https://puppet.com/docs/puppet/5.3/custom_types.html#customizing-behaviour
is_to_s, should_to_s and change_to_s

@sammcj

sammcj commented May 30, 2018

Any update with this @bastelfreak / @alexjfisher ?

We've got a dodgy hack in place but I'd like to remove it ;P

@alexjfisher
Member

@sammcj Are you able to create a PR? The change should actually be quite simple.

In newproperty(:password) do, try adding something like...

def is_to_s( _currentvalue )
  '[old password redacted]'
end
def should_to_s( _newvalue )
  '[new password redacted]'
end

alexjfisher added a commit to alexjfisher/puppet-grafana that referenced this issue Mar 26, 2019
dhoppe pushed a commit that referenced this issue Mar 27, 2019
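
One way to check Puppet run output for the leak described in this issue, before and after a redaction change like the one suggested above. This is an added example, not part of the thread or the module's code; the function names, the sensitive-property list and the sample log lines (modelled on the notices quoted in the issue, with constructed values) are assumptions.

```ruby
# Added example: flag Puppet "Notice" change messages that still show a
# secret value. Findings never include the value itself, only where it leaked.

# Property names treated as sensitive (assumption; extend for your own types).
SENSITIVE_PROPS = %w[password].freeze

# Notice: <resource path>/<prop>: <prop> changed <old> to <new>
CHANGE_RE = %r{\ANotice: (?<path>/.+?)/(?<prop>\w+): \k<prop> changed (?<old>.*?) to (?<new>.*)\z}

# Constructed sample run output (values are placeholders, not real secrets).
SAMPLE_LOG = <<~LOG
  Notice: /Stage[main]/Profiles::Services::Dashboard/Grafana_user[guest]/password: password changed  to 'guest-EXAMPLE'
  Notice: /Stage[main]/Profiles::Services::Dashboard/Grafana_datasource[influxdb]/password: password changed 'old-EXAMPLE' to 'new-EXAMPLE'
  Notice: /Stage[main]/Profiles::Services::Dashboard/Grafana_user[ops]/password: password changed [old password redacted] to [new password redacted]
  Notice: /Stage[main]/Profiles::Services::Dashboard/Grafana_user[ops]/email: email changed 'a@example.org' to 'b@example.org'
  Notice: Applied catalog in 35.65 seconds
LOG

# A side of the change is exposed unless it is empty (no previous value was
# reported) or a bracketed "... redacted" placeholder.
def exposed?(value)
  v = value.strip
  !(v.empty? || v.match?(/\A\[[^\]]*redacted\]\z/i))
end

# Returns one finding per leaking line: resource, property, and which sides
# (:old, :new) of the change message still carry a value.
def leaked_secrets(log_text)
  findings = log_text.each_line.map do |line|
    m = CHANGE_RE.match(line.chomp)
    next unless m && SENSITIVE_PROPS.include?(m[:prop])

    sides = { old: m[:old], new: m[:new] }.select { |_, v| exposed?(v) }.keys
    next if sides.empty?

    { resource: m[:path], property: m[:prop], exposed: sides }
  end
  findings.compact
end

if __FILE__ == $PROGRAM_NAME
  leaked_secrets(SAMPLE_LOG).each { |f| puts f.inspect }
end
```

Any password reported by this check has already been written to logs or reports and should be treated as disclosed.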