Details
- Bug
- Status: Resolved
- Minor
- Resolution: Fixed
- PUP 4.10.12, PUP 5.5.14, PUP 6.4.2
- Puppet should not reveal sensitive information while installing modules.
- Unit tests are added that assure that masking is done.
- Coremunity
- Platform Core KANBAN
- Needs Assessment
- Bug Fix
- If the Puppet[:module_repository] URL includes credentials, then redact them when connecting to the forge.
- Needs Assessment
Description
Puppet Version: any
Puppet Server Version: any
OS Name/Version: any
Actual Behavior:
Puppet Forge is public, and downloading modules doesn't require authentication. However, there are some repositories that can hold modules and require authentication to connect.
Those repositories are:
- Artifactory (live)
- Nexus (emerging)
When installing modules from those repositories, the user is forced to set his credentials in plain text in URI-supported form, e.g.:
https://admin:s3creT@pkg.acmecorp.com/repository/puppet
Installing modules with a similar module repository set reveals those credentials. In fact, it's done each time a module is installed, with a message:
Notice: Preparing to install into /home/jdoe/.puppetlabs/etc/code/modules ...
Notice: Downloading from https://jdoe:s3creT@pkg.acmecorp.com/repository/puppet ...
Desired Behavior:
Puppet should mask the password if given, like this:
Notice: Preparing to install into /home/jdoe/.puppetlabs/etc/code/modules ...
Notice: Downloading from https://jdoe:***@pkg.acmecorp.com/repository/puppet ...
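The desired behavior above, sketched as an added example that is not part of the ticket and is not Puppet's own fix: the password in a repository URL is masked before the URL reaches a log message. The names `redact_url` and `download_notice` are hypothetical, and the sample URLs are constructed from the ones in the description.

```ruby
require 'uri'

MASK = '***'

# Return the URL as a string with any password in the userinfo part
# replaced by MASK. The user name, host and path are left untouched so
# the log line still identifies which repository was contacted.
def redact_url(url)
  text = url.to_s
  uri = URI.parse(text)
  return text if uri.password.nil?   # nothing secret in the URL

  uri.password = MASK
  uri.to_s
rescue URI::Error
  # The URL did not parse (for example, an unescaped character in the
  # password). Fail closed: mask everything between the first ':' after
  # the user name and the last '@' before the first '/'.
  text.sub(%r{\A([a-z][a-z0-9+.-]*://[^/:@]*):[^/]*@}i, "\\1:#{MASK}@")
end

# Build the notice text from the redacted URL only; the raw URL is still
# what the HTTP client would use for the actual connection.
def download_notice(repository_url)
  "Downloading from #{redact_url(repository_url)} ..."
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inputs.
  [
    'https://jdoe:s3creT@pkg.acmecorp.com/repository/puppet',
    'https://forgeapi.puppet.com',
    'https://jdoe:s3 creT@pkg.acmecorp.com/repository/puppet'
  ].each { |u| puts download_notice(u) }
end
```

A user name with no password (for example a token placed in the user field) passes through unchanged, so credentials supplied that way need separate handling.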