Mandate the use of Sensitive to pass passwords

This allows us to get rid of the `show_diff` trickery as an epp template
that render a Sensitive value return a Sensitive.

While here, fix some data-type mismatches.

Author: smortex

REFERENCE.md

@@ -38,7 +38,6 @@
 * [`Bacula::Command`](#Bacula--Command): A Bacula console command
 * [`Bacula::JobType`](#Bacula--JobType): The type of job
 * [`Bacula::Message`](#Bacula--Message): A Bacula message specification
-* [`Bacula::Password`](#Bacula--Password): Temporary workarond to accept Sensitive and non-Sensitive passwords
 * [`Bacula::Runscript`](#Bacula--Runscript): A Bacula Runscript specification
 * [`Bacula::Size`](#Bacula--Size): A size indication
 * [`Bacula::Time`](#Bacula--Time): A time indication
@@ -380,7 +379,7 @@ Default value: `[]`
 
 ##### <a name="-bacula--client--password"></a>`password`
 
-Data type: `Bacula::Password`
+Data type: `Sensitive[String[1]]`
 
 A password to use for communication with this File Daemon
 
@@ -585,7 +584,7 @@ Default value: `'bacula'`
 
 ##### <a name="-bacula--director--db_pw"></a>`db_pw`
 
-Data type: `Bacula::Password`
+Data type: `Sensitive[String[1]]`
 
 The database user's password
 
@@ -682,7 +681,7 @@ Default value: `true`
 
 ##### <a name="-bacula--director--password"></a>`password`
 
-Data type: `Bacula::Password`
+Data type: `Sensitive[String[1]]`
 
 password to connect to the director
 
@@ -756,7 +755,7 @@ Default value: `$bacula::director::db_name`
 
 ##### <a name="-bacula--director--postgresql--db_pw"></a>`db_pw`
 
-Data type: `Bacula::Password`
+Data type: `Sensitive[String[1]]`
 
 The database user's password
 
@@ -937,7 +936,7 @@ Default value: `'File'`
 
 ##### <a name="-bacula--storage--password"></a>`password`
 
-Data type: `Bacula::Password`
+Data type: `Sensitive[String[1]]`
 
 Specifies the password that must be supplied by the named Director
 
@@ -1032,7 +1031,7 @@ The port of the Bacula File server daemon
 
 ##### <a name="-bacula--director--client--password"></a>`password`
 
-Data type: `Bacula::Password`
+Data type: `Sensitive[String[1]]`
 
 The password to be used when establishing a connection with the File services
 
@@ -1107,7 +1106,7 @@ Default value: `$bacula::conf_dir`
 
 ##### <a name="-bacula--director--console--password"></a>`password`
 
-Data type: `Bacula::Password`
+Data type: `Sensitive[String[1]]`
 
 The password that must be supplied for a named Bacula Console to be authorized
 
@@ -1478,7 +1477,7 @@ Default value: `9103`
 
 ##### <a name="-bacula--director--storage--password"></a>`password`
 
-Data type: `Bacula::Password`
+Data type: `Sensitive[String[1]]`
 
 Bacula director configuration for Storage option 'Password'
 
@@ -2399,12 +2398,6 @@ Struct[{
 }]
 ```
 
-### <a name="Bacula--Password"></a>`Bacula::Password`
-
-Temporary workarond to accept Sensitive and non-Sensitive passwords
-
-Alias of `Variant[String[1], Sensitive[String[1]]]`
-
 ### <a name="Bacula--Runscript"></a>`Bacula::Runscript`
 
 A Bacula Runscript specification

data/common.yaml

@@ -1,4 +1,15 @@
 ---
+lookup_options:
+  "bacula::client::password":
+    convert_to: "Sensitive"
+  "bacula::director::db_pw":
+    convert_to: "Sensitive"
+  "bacula::director::password":
+    convert_to: "Sensitive"
+  "bacula::storage::password":
+    convert_to: "Sensitive"
+  "bacula::storage::password":
+    convert_to: "Sensitive"
 bacula::director::messages:
     Daemon:
       mname:        'Daemon'

manifests/client.pp

@@ -63,7 +63,7 @@
   String[1]                      $ensure              = 'present',
   Stdlib::Port                   $port                = 9102,
   Array[String[1]]               $listen_address      = [],
-  Bacula::Password               $password            = Sensitive('secret'),
+  Sensitive[String[1]]           $password            = Sensitive('secret'),
   Integer[1]                     $max_concurrent_jobs = 2,
   String[1]                      $director_name       = $bacula::director_name,
   Bacula::Yesno                  $autoprune           = true,
@@ -94,12 +94,11 @@
   $use_pki = ($pki_signatures or $pki_encryption) and $pki_keypair
 
   concat { $config_file:
-    owner     => 'root',
-    group     => $group,
-    mode      => '0640',
-    show_diff => false,
-    require   => Package[$packages],
-    notify    => Service[$services],
+    owner   => 'root',
+    group   => $group,
+    mode    => '0640',
+    require => Package[$packages],
+    notify  => Service[$services],
   }
 
   concat::fragment { 'bacula-client-header':

manifests/director.pp

@@ -44,7 +44,7 @@
   Bacula::Yesno                    $manage_db           = true,
   Stdlib::Absolutepath             $conf_dir            = $bacula::conf_dir,
   String[1]                        $db_name             = 'bacula',
-  Bacula::Password                 $db_pw               = Sensitive('notverysecret'),
+  Sensitive[String[1]]             $db_pw               = Sensitive('notverysecret'),
   String[1]                        $db_user             = 'bacula',
   Optional[String[1]]              $db_address          = undef,
   Optional[Stdlib::Port]           $db_port             = undef,
@@ -56,7 +56,7 @@
   Array[String[1]]                 $listen_address      = [],
   Integer[1]                       $max_concurrent_jobs = 20,
   Boolean                          $manage_defaults     = true,
-  Bacula::Password                 $password            = Sensitive('secret'),
+  Sensitive[String[1]]             $password            = Sensitive('secret'),
   Stdlib::Port                     $port                = 9101,
   Stdlib::Absolutepath             $rundir              = $bacula::rundir,
   String[1]                        $storage_name        = $bacula::storage_name,
@@ -100,11 +100,10 @@
   }
 
   file { "${conf_dir}/bconsole.conf":
-    owner     => 'root',
-    group     => $group,
-    mode      => '0640',
-    show_diff => false,
-    content   => epp('bacula/bconsole.conf.epp');
+    owner   => 'root',
+    group   => $group,
+    mode    => '0640',
+    content => epp('bacula/bconsole.conf.epp');
   }
 
   Concat {
@@ -145,7 +144,6 @@
   Concat::Fragment <<| tag == "bacula-${director}" |>>
 
   concat { "${conf_dir}/bacula-dir.conf":
-    show_diff => false,
   }
 
   $sub_confs = [
@@ -154,20 +152,13 @@
     "${conf_dir}/conf.d/job.conf",
     "${conf_dir}/conf.d/jobdefs.conf",
     "${conf_dir}/conf.d/fileset.conf",
-  ]
-
-  $sub_confs_with_secrets = [
     "${conf_dir}/conf.d/console.conf",
     "${conf_dir}/conf.d/client.conf",
     "${conf_dir}/conf.d/storage.conf",
   ]
 
   concat { $sub_confs: }
 
-  concat { $sub_confs_with_secrets:
-    show_diff => false,
-  }
-
   bacula::director::fileset { 'Common':
     files => ['/etc'],
   }

manifests/director/client.pp

@@ -25,7 +25,7 @@
 define bacula::director::client (
   String[1]                       $address,
   Variant[String[1],Stdlib::Port] $port, # FIXME: Remove String
-  Bacula::Password                $password,
+  Sensitive[String[1]]            $password,
   Bacula::Time                    $file_retention,
   Bacula::Time                    $job_retention,
   Bacula::Yesno                   $autoprune,

manifests/director/console.pp

@@ -25,7 +25,7 @@
 #   }
 #
 define bacula::director::console (
-  Bacula::Password       $password,
+  Sensitive[String[1]]   $password,
   String                 $conf_dir    = $bacula::conf_dir,
   String[1]              $catalogacl  = '*all*',
   Array[Bacula::Command] $commandacl  = ['list'],

manifests/director/postgresql.pp

@@ -8,10 +8,10 @@
 # @param db_user            The database user
 #
 class bacula::director::postgresql (
-  String[1]        $make_bacula_tables = $bacula::director::make_bacula_tables,
-  String[1]        $db_name            = $bacula::director::db_name,
-  Bacula::Password $db_pw              = $bacula::director::db_pw,
-  String[1]        $db_user            = $bacula::director::db_user,
+  String[1]            $make_bacula_tables = $bacula::director::make_bacula_tables,
+  String[1]            $db_name            = $bacula::director::db_name,
+  Sensitive[String[1]] $db_pw              = $bacula::director::db_pw,
+  String[1]            $db_user            = $bacula::director::db_user,
 ) {
   include bacula
 

manifests/director/storage.pp

@@ -19,7 +19,7 @@
 define bacula::director::storage (
   String[1]            $address             = $name,
   Stdlib::Port         $port                = 9103,
-  Bacula::Password     $password            = Sensitive('secret'),
+  Sensitive[String[1]] $password            = Sensitive('secret'),
   String[1]            $device_name         = "${facts['networking']['fqdn']}-device",
   String[1]            $media_type          = 'File',
   Optional[Integer[1]] $maxconcurjobs       = undef,

manifests/storage.pp

@@ -45,7 +45,7 @@
   Optional[Integer[1]] $maxconcurjobs              = undef,
   Integer[1]           $max_concurrent_jobs        = 20,
   String[1]            $media_type                 = 'File',
-  Bacula::Password     $password                   = Sensitive('secret'),
+  Sensitive[String[1]] $password                   = Sensitive('secret'),
   Stdlib::Port         $port                       = 9103,
   Stdlib::Absolutepath $rundir                     = $bacula::rundir,
   String[1]            $storage                    = $trusted['certname'], # storage here is not storage_name
@@ -99,11 +99,10 @@
   Concat::Fragment <<| tag == "bacula-storage-dir-${director_name}" |>>
 
   concat { "${conf_dir}/bacula-sd.conf":
-    owner     => 'root',
-    group     => $group,
-    mode      => '0640',
-    show_diff => false,
-    notify    => Service[$services],
+    owner  => 'root',
+    group  => $group,
+    mode   => '0640',
+    notify => Service[$services],
   }
 
   @@bacula::director::storage { $storage:

spec/defines/director_console_spec.rb

@@ -14,11 +14,11 @@
 
         let(:params) do
           {
-            password: 'monitoring_password',
+            password: sensitive('monitoring_password'),
           }
         end
 
-        it { is_expected.to contain_concat__fragment('bacula-director-console-Monitoring').with(content: <<~FRAGMENT) }
+        it { is_expected.to contain_concat__fragment('bacula-director-console-Monitoring').with(content: sensitive(<<~FRAGMENT)) }
           Console {
               Name        = Monitoring
               Password    = "monitoring_password"
@@ -33,7 +33,7 @@
 
         let(:params) do
           {
-            password: 'A different UntrustedUser',
+            password: sensitive('A different UntrustedUser'),
             jobacl: 'Restricted Client Save',
             clientacl: 'restricted-client',
             storageacl: 'second-storage',
@@ -46,7 +46,7 @@
           }
         end
 
-        it { is_expected.to contain_concat__fragment('bacula-director-console-restricted-user').with(content: <<~FRAGMENT) }
+        it { is_expected.to contain_concat__fragment('bacula-director-console-restricted-user').with(content: sensitive(<<~FRAGMENT)) }
           Console {
               Name        = restricted-user
               Password    = "A different UntrustedUser"