Puppet Function: simplib::passgen
- Defined in: lib/puppet/functions/simplib/passgen.rb
- Function type: Ruby 4.x API
Overview
Generates/retrieves a random password string or its hash for a passed identifier.

Supports 2 modes:

- simpkv
  - Password info is stored in a key/value store and accessed using simpkv.
  - Terminates catalog compilation if `password_options` contains invalid parameters, any simpkv operation fails or the password cannot be created in the allotted time.
- Legacy
  - Password info is stored in files on the local file system at `Puppet.settings/simp/environments/$environment/simp_autofiles/gen_passwd/`.
  - Terminates catalog compilation if the password storage directory cannot be created/accessed by the Puppet user, the password cannot be created in the allotted time, or files not owned by the Puppet user are present in the password storage directory.

To enable the simpkv mode, set `simplib::passgen::simpkv` to `true` in hieradata. When that setting is absent or false, legacy mode will be used.

The minimum length password that this function will return is `8` characters.

```ruby
# File 'lib/puppet/functions/simplib/passgen.rb', line 22

Puppet::Functions.create_function(:'simplib::passgen') do
  # @param identifier Unique `String` to identify the password usage.
  #   Must conform to the following:
  #   * Identifier must contain only the following characters:
  #     * a-z
  #     * A-Z
  #     * 0-9
  #     * The following special characters:
  #       * `._:-` for the legacy implementation
  #       * `._:-/` for the simpkv-enabled implementation
  #   * Identifier may not contain '/./' or '/../' sequences.
  #
  # @param password_options
  #   Password options
  #
  # @option password_options [Boolean] 'last'
  #   Whether to return the last generated password.
  #   Defaults to `false`.
  # @option password_options [Integer[8]] 'length'
  #   Length of the new password.
  #   Defaults to `32`.
  # @option password_options [Enum[true,false,'md5','sha256','sha512']] 'hash'
  #   Return a `Hash` of the password instead of the password itself.
  #   Defaults to `false`. `true` is equivalent to 'sha256'.
  # @option password_options [Integer[0,2]] 'complexity'
  #   Specifies the types of characters to be used in the password
  #   * `0` => Default. Use only Alphanumeric characters in your password (safest)
  #   * `1` => Add reasonably safe symbols
  #   * `2` => Printable ASCII
  # @option password_options [Boolean] 'complex_only'
  #   Whether to use only the characters explicitly added by the complexity rules.
  #   For example, when `complexity` is `1`, create a password from only safe symbols.
  #   Defaults to `false`.
  # @option password_options [Variant[Integer[0],Float[0]]] 'gen_timeout_seconds'
  #   Maximum time allotted to generate the password.
  #   * Value of `0` disables the timeout.
  #   * Defaults to `30`.
  #
  # @param simpkv_options
  #   simpkv configuration when in simpkv mode.
  #
  #   * Will be merged with `simpkv::options`.
  #   * All keys are optional.
  #
  # @option simpkv_options [String] 'app_id'
  #   Specifies an application name that can be used to identify which backend
  #   configuration to use via fuzzy name matching, in the absence of the
  #   `backend` option.
  #
  #   * More flexible option than `backend`.
  #   * Useful for grouping together simpkv function calls found in different
  #     catalog resources.
  #   * When specified and the `backend` option is absent, the backend will be
  #     selected preferring a backend in the merged `backends` option whose
  #     name exactly matches the `app_id`, followed by the longest backend
  #     name that matches the beginning of the `app_id`, followed by the
  #     `default` backend.
  #   * When absent and the `backend` option is also absent, this function
  #     will use the `default` backend.
  #
  # @option simpkv_options [String] 'backend'
  #   Definitive name of the backend to use.
  #
  #   * Takes precedence over `app_id`.
  #   * When present, must match a key in the `backends` option of the
  #     merged options Hash or the function will fail.
  #   * When absent in the merged options, this function will select
  #     the backend as described in the `app_id` option.
  #
  # @option simpkv_options [Hash] 'backends'
  #   Hash of backend configurations
  #
  #   * Each backend configuration in the merged options Hash must be
  #     a Hash that has the following keys:
  #
  #     * `type`: Backend type.
  #     * `id`: Unique name for the instance of the backend. (Same backend
  #       type can be configured differently).
  #
  #   * Other keys for configuration specific to the backend may also be
  #     present.
  #
  # @option simpkv_options [String] 'environment'
  #   Puppet environment to prepend to keys.
  #
  #   * When set to a non-empty string, it is prepended to the key used in
  #     the backend operation.
  #   * Should only be set to an empty string when the key being accessed is
  #     truly global.
  #   * Defaults to the Puppet environment for the node.
  #
  # @option simpkv_options [Boolean] 'softfail'
  #   Whether to ignore simpkv operation failures.
  #
  #   * When `true`, this function will return a result even when the
  #     operation failed at the backend.
  #   * When `false`, this function will fail when the backend operation
  #     failed.
  #   * Defaults to `false`.
  #
  #
  # @return [String] Password or password hash specified.
  #
  #   * When the `last` password option is `true`, the password is determined
  #     as follows:
  #
  #     * If the last password exists in the key/value store, uses the existing
  #       last password.
  #     * Otherwise, if the current password exists in the key/value store,
  #       uses the existing current password.
  #     * Otherwise, creates and stores a new password as the current password,
  #       and then uses this new password
  #
  #   * When `last` option is `false`, the password is determined as follows:
  #
  #     * If the current password doesn't exist in the key/value store, creates
  #       and stores a new password as the current password, and then uses this
  #       new password.
  #     * Otherwise, if the current password exists in the key/value store and it
  #       has an appropriate length, uses the current password.
  #     * Otherwise, stores the current password as the last password, creates
  #       and stores a new password as the current password, and then uses this
  #       new password.
  #
  # @raise Exception if `password_options` contains invalid parameters,
  #   a simpkv operation fails, or password generation times out
  #
  dispatch :passgen do
    required_param 'String[1]', :identifier
    optional_param 'Hash',      :password_options
    optional_param 'Hash',      :simpkv_options
  end

  def passgen(identifier, password_options={}, simpkv_options={'app_id' => 'simplib::passgen'})
    use_simpkv = call_function('lookup', 'simplib::passgen::simpkv', { 'default_value' => false })
    password = nil
    if use_simpkv
      password = call_function('simplib::passgen::simpkv::passgen', identifier, password_options, simpkv_options)
    else
      password = call_function('simplib::passgen::legacy::passgen', identifier, password_options)
    end
    password
  end
end
```
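The current/last retrieval rules in the `@return` documentation above, modelled as an added example (not code from simplib) so the rotation behaviour can be exercised in isolation. Assumptions: an in-memory Hash stands in for the key/value store, `SecureRandom.alphanumeric` stands in for the real generator, and "appropriate length" is taken to mean equal to the requested `length`; `resolve_password` and `generate_password` are hypothetical names.

```ruby
require 'securerandom'

MIN_LENGTH = 8 # minimum password length stated in the overview

# Stand-in generator (assumption): alphanumeric only, as with complexity 0.
def generate_password(length)
  SecureRandom.alphanumeric(length)
end

# store: Hash standing in for the key/value store. Each identifier maps to
# a Hash with optional :current and :last passwords.
def resolve_password(store, identifier, last: false, length: 32)
  raise ArgumentError, "length must be >= #{MIN_LENGTH}" if length < MIN_LENGTH

  entry = (store[identifier] ||= {})

  if last
    # 'last' => true: prefer the stored last password, then the current
    # one, and only create a new current password if neither exists.
    return entry[:last] if entry[:last]
    return entry[:current] if entry[:current]
    return entry[:current] = generate_password(length)
  end

  if entry[:current].nil?
    # Nothing stored yet: create and store the current password.
    entry[:current] = generate_password(length)
  elsif entry[:current].length != length
    # Rotation: the current password becomes the last password, then a
    # new current password is created and stored.
    entry[:last] = entry[:current]
    entry[:current] = generate_password(length)
  end
  entry[:current]
end
```

After a rotation, a resource that still needs the old credential to authenticate (for example, to change the password on a running service) can request it with `'last' => true` while other resources receive the new one.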
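The backend selection order documented for the `backend` and `app_id` options, as an added example (not simpkv's own code). `select_backend` is a hypothetical helper, and the backend names and configurations in `SAMPLE_OPTIONS` are constructed for illustration.

```ruby
# Constructed merged options: only the backend names matter here.
SAMPLE_OPTIONS = {
  'backends' => {
    'default'          => { 'type' => 'file', 'id' => 'default' },
    'simplib'          => { 'type' => 'file', 'id' => 'simplib' },
    'simplib::passgen' => { 'type' => 'file', 'id' => 'passgen' }
  }
}.freeze

# Returns the name of the backend that would be used for the merged options.
def select_backend(options)
  backends = options.fetch('backends', {})

  # 'backend' is definitive and takes precedence over 'app_id'; it must
  # name a configured backend or the call fails.
  if options.key?('backend')
    name = options['backend']
    unless backends.key?(name)
      raise ArgumentError, "backend '#{name}' is not in 'backends'"
    end
    return name
  end

  app_id = options['app_id']
  if app_id
    # 1. A backend whose name exactly matches the app_id.
    return app_id if backends.key?(app_id)

    # 2. The longest backend name that matches the beginning of the app_id.
    prefix = backends.keys
                     .select { |name| app_id.start_with?(name) }
                     .max_by(&:length)
    return prefix if prefix
  end

  # 3. No 'backend', and no 'app_id' match: the default backend.
  'default'
end
```

Because matching is by name prefix, adding a backend named `simplib` silently redirects every `simplib::*` app_id that lacks a more specific backend, which is worth reviewing when password storage is split across backends with different access controls.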