Jgreen has uploaded a new change for review. https://gerrit.wikimedia.org/r/294331
Change subject: Modify secret.rb to accept a file list and use first match, like http://www.puppetcookbook.com/posts/select-a-file-based-on-a-fact.html ...................................................................... Modify secret.rb to accept a file list and use first match, like http://www.puppetcookbook.com/posts/select-a-file-based-on-a-fact.html Change-Id: I29f45abcdcd7ad177e6b6964646cf69ecb3f05a2 --- M modules/wmflib/lib/puppet/parser/functions/secret.rb 1 file changed, 46 insertions(+), 13 deletions(-) git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/31/294331/1 diff --git a/modules/wmflib/lib/puppet/parser/functions/secret.rb b/modules/wmflib/lib/puppet/parser/functions/secret.rb index fc66a02..6961a7d 100644 --- a/modules/wmflib/lib/puppet/parser/functions/secret.rb +++ b/modules/wmflib/lib/puppet/parser/functions/secret.rb @@ -1,3 +1,27 @@ +# == Function: secret('some/private/source/file.txt') +# +# Alternate method to serve the contents of a files from a private +# repository/module on the puppetmaster without exposing them by puppet's +# fileserver. This is a bit more secure and less trouble than creating a whole +# lot of host and mount ACLs. Note this function supports lists with file +# search behavior similar to puppet source => []. +# +# === Example: +# +# Invocation: +# +# file { '/etc/file.conf': +# ensure => 'file', +# mode => '0640', +# content => secret("what/${role}-file.conf", 'what/default-file.conf'), +# } +# +# Result: +# +# puppetmaster will work down the list (left to right) looking for a match in +# the private secret/secrets collection. The first file that matches will be read and +# written as {node}:/etc/file.conf. If no match is found, the puppet run fails. +# require 'pathname' module Puppet::Parser::Functions 
@@ -5,25 +29,34 @@ mod_name = 'secret' secs_subdir = '/secrets/' - if args.length != 1 || !args.first.is_a?(String) - fail(ArgumentError, 'secret(): exactly one string arg') - end - in_path = args.first - if mod = Puppet::Module.find(mod_name) - mod_path = mod.path() + mod_path = mod.path() else - fail("secret(): Module #{mod_name} not found") + fail("secret(): Private module #{mod_name} wasn't loaded. Check your module path.") end - sec_path = mod_path + secs_subdir + in_path - final_path = Pathname.new(sec_path).cleanpath() + nonviable_files = [] - # Bail early if it's not a regular, readable file - if !final_path.file? || !final_path.readable? - fail(ArgumentError, "secret(): invalid secret #{in_path}") + args.each do |in_path| + if in_path.is_a?(String) + sec_path = mod_path + secs_subdir + in_path + final_path = Pathname.new(sec_path).cleanpath() + if final_path.file? + if final_path.readable? + return final_path.read() + else + fail(ArgumentError, "secret(): Input file #{final_path} is present, but not readable.") + end + else + nonviable_files.push(in_path) + end + else + fail(ArgumentError, "secret(): Input must be exactly one string, but this isn't: [#{in_path}]") + end end - return final_path.read() + list_of_fail = nonviable_files.join(', ') + fail(ArgumentError, "secret(): No viable files found from input list: [#{list_of_fail}]") + end end -- To view, visit https://gerrit.wikimedia.org/r/294331 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: newchange Gerrit-Change-Id: I29f45abcdcd7ad177e6b6964646cf69ecb3f05a2 Gerrit-PatchSet: 1 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: Jgreen <[email protected]> _______________________________________________ MediaWiki-commits mailing list [email protected] https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
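Review bot: in the first hunk (the new header comment) the documentation and the implementation disagree about how multiple candidates are passed. The synopsis still reads `secret('some/private/source/file.txt')` with a single argument, the prose says the function "supports lists with file search behavior similar to puppet source => []", but the example passes the candidates as separate arguments (`secret("what/${role}-file.conf", 'what/default-file.conf')`) and the second hunk iterates `args.each` and rejects any element that is not a String, so an actual array literal would be refused with an error. Either document the varargs form explicitly (update the synopsis to something like `secret('path1', 'path2', ...)` and drop the `source => []` comparison) or `flatten` `args` before the loop so both styles work. Minor: "the contents of a files" should read "the contents of a file".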
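Review bot: in the second hunk, dropping the `args.length != 1` check leaves no guard for an empty argument list: `secret()` with no arguments now walks an empty `args`, never enters the loop, and fails with "No viable files found from input list: []", which hides the real mistake. Add an early `fail(ArgumentError, 'secret(): at least one path argument is required') if args.empty?` before the loop. The per-element message "Input must be exactly one string, but this isn't" is also stale now that several strings are accepted; "each argument must be a string" describes the new behaviour. Two smaller points: the unreadable-file error now embeds `final_path`, the absolute path on the puppetmaster, where the old message reported only the caller-supplied `in_path`; and, as in the code being replaced, `Pathname#cleanpath` only normalizes `..` segments and does not confine the result to `mod_path + secs_subdir`, so a requested path containing `..` still resolves to a file outside `/secrets/`. Since the loop is being rewritten anyway, checking that `final_path.to_s.start_with?(Pathname.new(mod_path + secs_subdir).cleanpath.to_s + '/')` before reading would close that off.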
