From 6ce2cb19ceb139199a7de9422a4f475cf0b56cbc Mon Sep 17 00:00:00 2001
From: cocker-cc
Date: Fri, 10 May 2024 22:07:26 +0200
Subject: [PATCH] Do not reveal sensitive Data

"auth_option" may contain sensitive Data, f.e. LDAP-Password. So let auth_option accept Puppet-Type Sensitive. The consuming EPP is able to handle sensitive Data natively, and will return the rendered Template as Sensitive[String] then, which the Resource "file" also is able to handle.
---
 REFERENCE.md | 4 ++--
 manifests/server/instance/service.pp | 3 ++-
 manifests/server/pg_hba_rule.pp | 2 +-
 spec/defines/server/pg_hba_rule_spec.rb | 24 ++++++++++++++++++++++++
 templates/pg_hba_rule.conf.epp | 2 +-
 types/pg_hba_rule.pp | 2 +-
 6 files changed, 31 insertions(+), 6 deletions(-)

diff --git a/REFERENCE.md b/REFERENCE.md
index 247b58c952..25ec947664 100644
--- a/REFERENCE.md
+++ b/REFERENCE.md
@@ -3319,7 +3319,7 @@ Default value: `'none'`
 ##### `auth_option`
-Data type: `Optional[String]`
+Data type: `Optional[Variant[Sensitive[String], String]]`
 For certain auth_method settings there are extra options that can be passed. Consult the PostgreSQL pg_hba.conf documentation for further details.
@@ -4844,7 +4844,7 @@ Struct[{
 user => String,
 Optional[address] => Optional[Postgresql::Pg_hba_rule_address],
 auth_method => String,
- Optional[auth_option] => Optional[String],
+ Optional[auth_option] => Optional[Variant[Sensitive[String], String]],
 Optional[order] => Variant[String,Integer],
 Optional[target] => Stdlib::Absolutepath,
 Optional[postgresql_version] => String,
diff --git a/manifests/server/instance/service.pp b/manifests/server/instance/service.pp
index f778518dc0..70162fd81a 100644
--- a/manifests/server/instance/service.pp
+++ b/manifests/server/instance/service.pp
@@ -59,7 +59,8 @@ require => Service["postgresqld_instance_${name}"],
 before => Anchor["postgresql::server::service::end::${name}"],
 }
- Postgresql::Server::Database <| title == $default_database |> -> Postgresql_conn_validator["validate_service_is_running_instance_${name}"]
+ Postgresql::Server::Database <| title == $default_database |>
+ -> Postgresql_conn_validator["validate_service_is_running_instance_${name}"]
 }
 }
diff --git a/manifests/server/pg_hba_rule.pp b/manifests/server/pg_hba_rule.pp
index e7945669e0..4348087226 100644
--- a/manifests/server/pg_hba_rule.pp
+++ b/manifests/server/pg_hba_rule.pp
@@ -30,7 +30,7 @@ String[1] $auth_method,
 Optional[Postgresql::Pg_hba_rule_address] $address = undef,
 String[1] $description = 'none',
- Optional[String] $auth_option = undef,
+ Optional[Variant[Sensitive[String], String]] $auth_option = undef,
 Variant[String, Integer] $order = 150,
 Stdlib::Absolutepath $target = $postgresql::server::pg_hba_conf_path,
 String $postgresql_version = $postgresql::server::_version
diff --git a/spec/defines/server/pg_hba_rule_spec.rb b/spec/defines/server/pg_hba_rule_spec.rb
index 7d1187001c..41aaba9781 100644
--- a/spec/defines/server/pg_hba_rule_spec.rb
+++ b/spec/defines/server/pg_hba_rule_spec.rb
@@ -80,6 +80,30 @@ class { 'postgresql::server': }
 end
 end
+ context 'test template 3 with sensitive Data' do
+ let :pre_condition do
+ <<-MANIFEST
+ class { 'postgresql::server': }
+ MANIFEST
+ end
+
+ let :params do
+ {
+ type: 'host',
+ database: 'all',
+ user: 'all',
+ address: '0.0.0.0/0',
+ auth_method: 'ldap',
+ auth_option: sensitive('foo=bar'),
+ target: target
+ }
+ end
+
+ it do
+ expect(subject).to contain_concat__fragment('pg_hba_rule_test').with(content: sensitive(%r{host\s+all\s+all\s+0\.0\.0\.0/0\s+ldap\s+foo=bar}))
+ end
+ end
+
 context 'validation' do
 context 'validate supported auth_method' do
 let :pre_condition do
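Review bot: The new `Optional[Variant[Sensitive[String], String]]` type on `$auth_option` keeps the secret out of the catalog only if every downstream consumer is Sensitive-aware, and this hunk shows the parameter list alone — the body of `postgresql::server::pg_hba_rule` that renders the template and builds the `concat::fragment` content starts outside the hunk. The spec hunk below asserts that the fragment `content` is `sensitive(...)`, which relies on `epp()` unwrapping a Sensitive argument and re-wrapping its output and on the pinned `concat` release accepting `Sensitive[String]` for `content`; both depend on version lower bounds in metadata.json that the diff does not show, so they should be checked against the module's requirements (the templates/pg_hba_rule.conf.epp hunk carries the same dependency). The commit description speaks of the `file` resource handling Sensitive, whereas the code path visible in the spec goes through `concat::fragment`; presumably loose wording rather than a second code path, but worth aligning. Since the REFERENCE.md hunk changes only the data-type line, the `@param auth_option` doc in this define presumably still says nothing about Sensitive; suggest adding a line such as `#   May be given as Sensitive[String]; the rendered rule is then passed to concat as Sensitive so it is redacted in agent logs and reports, though it is still written in clear text to $target.`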
diff --git a/templates/pg_hba_rule.conf.epp b/templates/pg_hba_rule.conf.epp
index 9d54265624..a47cce90c7 100644
--- a/templates/pg_hba_rule.conf.epp
+++ b/templates/pg_hba_rule.conf.epp
@@ -7,7 +7,7 @@ String[1] $user,
 Optional[Postgresql::Pg_hba_rule_address] $address,
 String[1] $auth_method,
- Optional[String] $auth_option,
+ Optional[Variant[Sensitive[String], String]] $auth_option,
 | -%>
 # Rule Name: <%= $name %>
 # Description: <%= $description %>
diff --git a/types/pg_hba_rule.pp b/types/pg_hba_rule.pp
index b4759f3220..016c0e623f 100644
--- a/types/pg_hba_rule.pp
+++ b/types/pg_hba_rule.pp
@@ -7,7 +7,7 @@ user => String,
 Optional[address] => Optional[Postgresql::Pg_hba_rule_address],
 auth_method => String,
- Optional[auth_option] => Optional[String],
+ Optional[auth_option] => Optional[Variant[Sensitive[String], String]],
 Optional[order] => Variant[String,Integer],
 Optional[target] => Stdlib::Absolutepath,
 Optional[postgresql_version] => String,