ipmi::user: Mask passwords

If an exec command fails then the entire command including passwords is included in the output. The CR updates the commands that have a password to be Sensitive ensuring the are redacted from output and logs.
jhoblitt · Jan 4, 2024 · db1774f · db1774f
1 parent ac909d2
commit db1774f
Showing 1 changed file with 4 additions and 3 deletions.
diff --git a/manifests/user.pp b/manifests/user.pp
@@ -67,9 +67,10 @@
     }
 
     exec { "ipmi_user_setpw_${title}":
-      command => "/usr/bin/ipmitool user set password ${user_id} \'${real_password}\'",
-      unless  => "/usr/bin/ipmitool user test ${user_id} 16 \'${real_password}\'",
-      notify  => [Exec["ipmi_user_enable_${title}"], Exec["ipmi_user_enable_sol_${title}"], Exec["ipmi_user_channel_setaccess_${title}"]],
+      environment => ["PASSWORD=${real_password}"],
+      command     => "/usr/bin/ipmitool user set password ${user_id} \'\$PASSWORD\'",
+      unless      => "/usr/bin/ipmitool user test ${user_id} 16 \'\$PASSWORD\'",
+      notify      => [Exec["ipmi_user_enable_${title}"], Exec["ipmi_user_enable_sol_${title}"], Exec["ipmi_user_channel_setaccess_${title}"]],
     }
 
     exec { "ipmi_user_enable_sol_${title}":