Rework passwords management

REFERENCE.md

@@ -38,7 +38,6 @@
 * [`Bacula::Command`](#Bacula--Command): A Bacula console command
 * [`Bacula::JobType`](#Bacula--JobType): The type of job
 * [`Bacula::Message`](#Bacula--Message): A Bacula message specification
-* [`Bacula::Password`](#Bacula--Password): Temporary workarond to accept Sensitive and non-Sensitive passwords
 * [`Bacula::Runscript`](#Bacula--Runscript): A Bacula Runscript specification
 * [`Bacula::Size`](#Bacula--Size): A size indication
 * [`Bacula::Time`](#Bacula--Time): A time indication
@@ -380,12 +379,10 @@ Default value: `[]`
 
 ##### <a name="-bacula--client--password"></a>`password`
 
-Data type: `Bacula::Password`
+Data type: `Sensitive[String[1]]`
 
 A password to use for communication with this File Daemon
 
-Default value: `'secret'`
-
 ##### <a name="-bacula--client--max_concurrent_jobs"></a>`max_concurrent_jobs`
 
 Data type: `Integer[1]`
@@ -585,12 +582,10 @@ Default value: `'bacula'`
 
 ##### <a name="-bacula--director--db_pw"></a>`db_pw`
 
-Data type: `Bacula::Password`
+Data type: `Sensitive[String[1]]`
 
 The database user's password
 
-Default value: `'notverysecret'`
-
 ##### <a name="-bacula--director--db_user"></a>`db_user`
 
 Data type: `String[1]`
@@ -682,12 +677,10 @@ Default value: `true`
 
 ##### <a name="-bacula--director--password"></a>`password`
 
-Data type: `Bacula::Password`
+Data type: `Sensitive[String[1]]`
 
 password to connect to the director
 
-Default value: `'secret'`
-
 ##### <a name="-bacula--director--port"></a>`port`
 
 Data type: `Stdlib::Port`
@@ -756,7 +749,7 @@ Default value: `$bacula::director::db_name`
 
 ##### <a name="-bacula--director--postgresql--db_pw"></a>`db_pw`
 
-Data type: `Bacula::Password`
+Data type: `Sensitive[String[1]]`
 
 The database user's password
 
@@ -937,12 +930,10 @@ Default value: `'File'`
 
 ##### <a name="-bacula--storage--password"></a>`password`
 
-Data type: `Bacula::Password`
+Data type: `Sensitive[String[1]]`
 
 Specifies the password that must be supplied by the named Director
 
-Default value: `'secret'`
-
 ##### <a name="-bacula--storage--port"></a>`port`
 
 Data type: `Stdlib::Port`
@@ -1026,13 +1017,13 @@ The address of the Bacula File server daemon
 
 ##### <a name="-bacula--director--client--port"></a>`port`
 
-Data type: `Variant[String[1],Stdlib::Port]`
+Data type: `Stdlib::Port`
 
 The port of the Bacula File server daemon
 
 ##### <a name="-bacula--director--client--password"></a>`password`
 
-Data type: `Bacula::Password`
+Data type: `Sensitive[String[1]]`
 
 The password to be used when establishing a connection with the File services
 
@@ -1107,7 +1098,7 @@ Default value: `$bacula::conf_dir`
 
 ##### <a name="-bacula--director--console--password"></a>`password`
 
-Data type: `Bacula::Password`
+Data type: `Sensitive[String[1]]`
 
 The password that must be supplied for a named Bacula Console to be authorized
 
@@ -1344,7 +1335,7 @@ Default value: `undef`
 
 ##### <a name="-bacula--director--pool--maxvoljobs"></a>`maxvoljobs`
 
-Data type: `Optional[Variant[String[1],Integer[1]]]`
+Data type: `Optional[Integer[1]]`
 
 Bacula pool configuration option "Maximum Volume Jobs"
 
@@ -1360,7 +1351,7 @@ Default value: `undef`
 
 ##### <a name="-bacula--director--pool--maxvols"></a>`maxvols`
 
-Data type: `Optional[Variant[String[1],Integer[1]]]`
+Data type: `Optional[Integer[1]]`
 
 Bacula pool configuration option "Maximum Volumes"
 
@@ -1478,12 +1469,10 @@ Default value: `9103`
 
 ##### <a name="-bacula--director--storage--password"></a>`password`
 
-Data type: `Bacula::Password`
+Data type: `Sensitive[String[1]]`
 
 Bacula director configuration for Storage option 'Password'
 
-Default value: `'secret'`
-
 ##### <a name="-bacula--director--storage--device_name"></a>`device_name`
 
 Data type: `String[1]`
@@ -2399,12 +2388,6 @@ Struct[{
 }]
 ```
 
-### <a name="Bacula--Password"></a>`Bacula::Password`
-
-Temporary workarond to accept Sensitive and non-Sensitive passwords
-
-Alias of `Variant[String[1], Sensitive[String[1]]]`
-
 ### <a name="Bacula--Runscript"></a>`Bacula::Runscript`
 
 A Bacula Runscript specification

data/common.yaml

@@ -1,4 +1,13 @@
 ---
+lookup_options:
+  "bacula::client::password":
+    convert_to: "Sensitive"
+  "bacula::director::db_pw":
+    convert_to: "Sensitive"
+  "bacula::director::password":
+    convert_to: "Sensitive"
+  "bacula::storage::password":
+    convert_to: "Sensitive"
 bacula::director::messages:
     Daemon:
       mname:        'Daemon'

manifests/client.pp

@@ -60,10 +60,10 @@
   Optional[String[1]]            $default_pool_full,
   Optional[String[1]]            $default_pool_inc,
   Optional[String[1]]            $default_pool_diff,
+  Sensitive[String[1]]           $password,
   String[1]                      $ensure              = 'present',
   Stdlib::Port                   $port                = 9102,
   Array[String[1]]               $listen_address      = [],
-  Bacula::Password               $password            = 'secret',
   Integer[1]                     $max_concurrent_jobs = 2,
   String[1]                      $director_name       = $bacula::director_name,
   Bacula::Yesno                  $autoprune           = true,
@@ -94,12 +94,11 @@
   $use_pki = ($pki_signatures or $pki_encryption) and $pki_keypair
 
   concat { $config_file:
-    owner     => 'root',
-    group     => $group,
-    mode      => '0640',
-    show_diff => false,
-    require   => Package[$packages],
-    notify    => Service[$services],
+    owner   => 'root',
+    group   => $group,
+    mode    => '0640',
+    require => Package[$packages],
+    notify  => Service[$services],
   }
 
   concat::fragment { 'bacula-client-header':

manifests/director.pp

@@ -40,11 +40,12 @@
   Array[String[1]]                 $packages,
   String[1]                        $services,
   String[1]                        $make_bacula_tables,
+  Sensitive[String[1]]             $db_pw,
+  Sensitive[String[1]]             $password,
   String[1]                        $ensure              = 'present',
   Bacula::Yesno                    $manage_db           = true,
   Stdlib::Absolutepath             $conf_dir            = $bacula::conf_dir,
   String[1]                        $db_name             = 'bacula',
-  Bacula::Password                 $db_pw               = 'notverysecret',
   String[1]                        $db_user             = 'bacula',
   Optional[String[1]]              $db_address          = undef,
   Optional[Stdlib::Port]           $db_port             = undef,
@@ -56,7 +57,6 @@
   Array[String[1]]                 $listen_address      = [],
   Integer[1]                       $max_concurrent_jobs = 20,
   Boolean                          $manage_defaults     = true,
-  Bacula::Password                 $password            = 'secret',
   Stdlib::Port                     $port                = 9101,
   Stdlib::Absolutepath             $rundir              = $bacula::rundir,
   String[1]                        $storage_name        = $bacula::storage_name,
@@ -87,7 +87,7 @@
       }
     )
   }
-  ensure_packages($package_names, { ensure => $ensure })
+  stdlib::ensure_packages($package_names, { ensure => $ensure })
 
   service { $services:
     ensure  => running,
@@ -100,11 +100,10 @@
   }
 
   file { "${conf_dir}/bconsole.conf":
-    owner     => 'root',
-    group     => $group,
-    mode      => '0640',
-    show_diff => false,
-    content   => epp('bacula/bconsole.conf.epp');
+    owner   => 'root',
+    group   => $group,
+    mode    => '0640',
+    content => epp('bacula/bconsole.conf.epp');
   }
 
   Concat {
@@ -145,7 +144,6 @@
   Concat::Fragment <<| tag == "bacula-${director}" |>>
 
   concat { "${conf_dir}/bacula-dir.conf":
-    show_diff => false,
   }
 
   $sub_confs = [
@@ -154,20 +152,13 @@
     "${conf_dir}/conf.d/job.conf",
     "${conf_dir}/conf.d/jobdefs.conf",
     "${conf_dir}/conf.d/fileset.conf",
-  ]
-
-  $sub_confs_with_secrets = [
     "${conf_dir}/conf.d/console.conf",
     "${conf_dir}/conf.d/client.conf",
     "${conf_dir}/conf.d/storage.conf",
   ]
 
   concat { $sub_confs: }
 
-  concat { $sub_confs_with_secrets:
-    show_diff => false,
-  }
-
   bacula::director::fileset { 'Common':
     files => ['/etc'],
   }

manifests/director/client.pp

@@ -23,13 +23,13 @@
 #   }
 #
 define bacula::director::client (
-  String[1]                       $address,
-  Variant[String[1],Stdlib::Port] $port, # FIXME: Remove String
-  Bacula::Password                $password,
-  Bacula::Time                    $file_retention,
-  Bacula::Time                    $job_retention,
-  Bacula::Yesno                   $autoprune,
-  Stdlib::Absolutepath            $conf_dir = $bacula::conf_dir,
+  String[1]            $address,
+  Stdlib::Port         $port,
+  Sensitive[String[1]] $password,
+  Bacula::Time         $file_retention,
+  Bacula::Time         $job_retention,
+  Bacula::Yesno        $autoprune,
+  Stdlib::Absolutepath $conf_dir = $bacula::conf_dir,
 ) {
   $epp_client_variables = {
     name           => $name,

manifests/director/console.pp

@@ -25,7 +25,7 @@
 #   }
 #
 define bacula::director::console (
-  Bacula::Password       $password,
+  Sensitive[String[1]]   $password,
   String                 $conf_dir    = $bacula::conf_dir,
   String[1]              $catalogacl  = '*all*',
   Array[Bacula::Command] $commandacl  = ['list'],

manifests/director/pool.pp

@@ -29,19 +29,19 @@
 #   }
 #
 define bacula::director::pool (
-  Optional[Bacula::Time]                  $volret         = undef,
-  Optional[Variant[String[1],Integer[1]]] $maxvoljobs     = undef, # FIXME: Remove String
-  Optional[Bacula::Size]                  $maxvolbytes    = undef,
-  Optional[Variant[String[1],Integer[1]]] $maxvols        = undef, # FIXME: Remove String
-  Optional[String[1]]                     $label          = undef,
-  Optional[Bacula::Time]                  $voluseduration = undef,
-  String[1]                               $storage        = $bacula::director::storage,
-  String[1]                               $pooltype       = 'Backup',
-  Bacula::Yesno                           $recycle        = true,
-  Bacula::Yesno                           $autoprune      = true,
-  String[1]                               $purgeaction    = 'Truncate',
-  Optional[String[1]]                     $next_pool      = undef,
-  Stdlib::Absolutepath                    $conf_dir       = $bacula::conf_dir,
+  Optional[Bacula::Time] $volret         = undef,
+  Optional[Integer[1]]   $maxvoljobs     = undef,
+  Optional[Bacula::Size] $maxvolbytes    = undef,
+  Optional[Integer[1]]   $maxvols        = undef,
+  Optional[String[1]]    $label          = undef,
+  Optional[Bacula::Time] $voluseduration = undef,
+  String[1]              $storage        = $bacula::director::storage,
+  String[1]              $pooltype       = 'Backup',
+  Bacula::Yesno          $recycle        = true,
+  Bacula::Yesno          $autoprune      = true,
+  String[1]              $purgeaction    = 'Truncate',
+  Optional[String[1]]    $next_pool      = undef,
+  Stdlib::Absolutepath   $conf_dir       = $bacula::conf_dir,
 ) {
   $epp_pool_variables = {
     name           => $name,

manifests/director/postgresql.pp

@@ -8,10 +8,10 @@
 # @param db_user            The database user
 #
 class bacula::director::postgresql (
-  String[1]        $make_bacula_tables = $bacula::director::make_bacula_tables,
-  String[1]        $db_name            = $bacula::director::db_name,
-  Bacula::Password $db_pw              = $bacula::director::db_pw,
-  String[1]        $db_user            = $bacula::director::db_user,
+  String[1]            $make_bacula_tables = $bacula::director::make_bacula_tables,
+  String[1]            $db_name            = $bacula::director::db_name,
+  Sensitive[String[1]] $db_pw              = $bacula::director::db_pw,
+  String[1]            $db_user            = $bacula::director::db_user,
 ) {
   include bacula
 

manifests/director/storage.pp

@@ -17,9 +17,9 @@
 # @param conf_dir            Bacula configuration directory
 #
 define bacula::director::storage (
+  Sensitive[String[1]] $password,
   String[1]            $address             = $name,
   Stdlib::Port         $port                = 9103,
-  Bacula::Password     $password            = 'secret',
   String[1]            $device_name         = "${facts['networking']['fqdn']}-device",
   String[1]            $media_type          = 'File',
   Optional[Integer[1]] $maxconcurjobs       = undef,

manifests/storage.pp

@@ -30,6 +30,7 @@
 class bacula::storage (
   String[1]            $services,
   Array[String[1]]     $packages,
+  Sensitive[String[1]] $password,
   String[1]            $ensure                     = 'present',
   Stdlib::Absolutepath $conf_dir                   = $bacula::conf_dir,
   Stdlib::Absolutepath $device                     = '/bacula',
@@ -45,7 +46,6 @@
   Optional[Integer[1]] $maxconcurjobs              = undef,
   Integer[1]           $max_concurrent_jobs        = 20,
   String[1]            $media_type                 = 'File',
-  Bacula::Password     $password                   = 'secret',
   Stdlib::Port         $port                       = 9103,
   Stdlib::Absolutepath $rundir                     = $bacula::rundir,
   String[1]            $storage                    = $trusted['certname'], # storage here is not storage_name
@@ -64,7 +64,7 @@
       }
     )
   }
-  ensure_packages($package_names, { ensure => $ensure })
+  stdlib::ensure_packages($package_names, { ensure => $ensure })
 
   service { $services:
     ensure  => running,
@@ -99,11 +99,10 @@
   Concat::Fragment <<| tag == "bacula-storage-dir-${director_name}" |>>
 
   concat { "${conf_dir}/bacula-sd.conf":
-    owner     => 'root',
-    group     => $group,
-    mode      => '0640',
-    show_diff => false,
-    notify    => Service[$services],
+    owner  => 'root',
+    group  => $group,
+    mode   => '0640',
+    notify => Service[$services],
   }
 
   @@bacula::director::storage { $storage: