From db1774f11910ddccdf186715f1ad744724222b53 Mon Sep 17 00:00:00 2001
From: jbond
Date: Wed, 3 Jan 2024 19:52:45 +0100
Subject: [PATCH] ipmi::user: Mask passwords
If an exec command fails then the entire command including passwords is included in the output. The CR updates the commands that have a password to be Sensitive ensuring the are redacted from output and logs.
---
 manifests/user.pp | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/manifests/user.pp b/manifests/user.pp
index 4f2ff31..fdc3a6c 100644
--- a/manifests/user.pp
+++ b/manifests/user.pp
@@ -67,9 +67,10 @@
 }

 exec { "ipmi_user_setpw_${title}":
- command => "/usr/bin/ipmitool user set password ${user_id} \'${real_password}\'",
- unless => "/usr/bin/ipmitool user test ${user_id} 16 \'${real_password}\'",
- notify => [Exec["ipmi_user_enable_${title}"], Exec["ipmi_user_enable_sol_${title}"], Exec["ipmi_user_channel_setaccess_${title}"]],
+ environment => ["PASSWORD=${real_password}"],
+ command => "/usr/bin/ipmitool user set password ${user_id} \'\$PASSWORD\'",
+ unless => "/usr/bin/ipmitool user test ${user_id} 16 \'\$PASSWORD\'",
+ notify => [Exec["ipmi_user_enable_${title}"], Exec["ipmi_user_enable_sol_${title}"], Exec["ipmi_user_channel_setaccess_${title}"]],
 }

 exec { "ipmi_user_enable_sol_${title}":
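Review bot: In the new `command` and `unless` strings the password is wrapped as `\'\$PASSWORD\'`, and single quotes suppress variable expansion in a POSIX shell (if the exec runs without a shell, nothing expands it either), so ipmitool would receive the literal text `$PASSWORD` rather than the value passed through `environment`. Because `unless` tests the same literal, the resource would still report as converged while the BMC account holds a fixed, guessable password. Double quotes keep the value as one argument and let it expand: `command => "/usr/bin/ipmitool user set password ${user_id} \"\$PASSWORD\"",` with the same quoting in `unless`, plus `provider => shell,` unless a resource default outside the hunk already selects it. The commit message describes the commands as becoming Sensitive, but nothing in this hunk uses that type; `$real_password` is defined outside the hunk, so whether the `environment` value is redacted in the catalog and reports should be confirmed.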