Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Jump to bottom

PSCredentials and alike should accept both String and Sensitive[String] #367

Open
Clebam opened this issue Feb 14, 2025 · 1 comment
Open

PSCredentials and alike should accept both String and Sensitive[String] #367

Clebam opened this issue Feb 14, 2025 · 1 comment

Comments

@Clebam
Copy link
Contributor

Clebam commented Feb 14, 2025

Use Case

There are 2 things :

  1. When migrating from old dsc to pwshlib, many resources with dsc_credentials become unusable and it adds a huge burden on migration
  2. With our scenario using hiera and lookup has (apparently) no easy solution to handle Sensitive String

Hiera

sw_iis::iis_application_pools:
  machin.fr:
    # // stuff here//
    dsc_managedruntimeversion: 'v4.0'
    dsc_identitytype: 'SpecificUser'
    dsc_credential:
      user: 'toto'
      password: 'tata'

init.pp

# // stuff//
  $iis_application_pools            = lookup('sw_iis::iis_application_pools',Hash,$_merge_strategy, {})
  include sw_iis::gensite
# //Stuff//

gensite.pp

# //Stuff//
$sw_iis::iis_application_pools.each |String $name, Hash $config| {
      ensure_resources(dsc_webapppool, { $name => $config },$defaults_dsc_webapppool)
  }
# //Stuff//

Describe the Solution You Would Like

I opened this issue : puppetlabs/Puppet.Dsc#306
The solution would need both.

  1. Ensure dsc modules are generated with credentials like this
dsc_psdscrunascredential: {
      type: 'Optional[Struct[{ user => String[1], password => Variant[String[1], Sensitive[String[1]]] }]]',
      desc: ' ',

      behaviour: :parameter,
      mandatory_for_get: false,
      mandatory_for_set: false,
      mof_type: 'PSCredential',
      mof_is_embedded: true,
    },

Notice the change on type:

type: 'Optional[Struct[{ user => String[1], password => Sensitive[String[1]] }]]',

# to

type: 'Optional[Struct[{ user => String[1], password => Variant[String[1], Sensitive[String[1]]] }]]',
  1. Ensure the dsc_base_provider does not enforce Sensitive when dealing with PSCredential

Describe Alternatives You've Considered

An easy way maybe would be to catch PSCredential as you do in PSCredential and apply Sensitive at this level if a PSCredential['password'] is a string.
@Clebam
Copy link
Contributor Author

Clebam commented Feb 14, 2025
edited
Loading

I modified dsc_base_provider.rb

 'password' => escape_quotes(property_hash[:value]['password'].unwrap)
 'password' => escape_quotes(unwrap(property_hash[:value]['password']))

the unwrap function being already implemented

I tested with also having modified puppet.dsc to make a Variant and it works

I will push a PR next week

This was referenced Feb 17, 2025
Merged
Open
# for free to join this conversation on GitHub. Already have an account? # to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@Clebam