Puppet Function: simplib::passgen::simpkv::set

Defined in:
lib/puppet/functions/simplib/passgen/simpkv/set.rb
Function type:
Ruby 4.x API

Overview

simplib::passgen::simpkv::set(String[1] $identifier, String[1] $password, String[1] $salt, Integer[0,2] $complexity, Boolean $complex_only, Optional[Hash] $simpkv_options)Nil

Using simpkv, sets a generated password with attributes

  • simpkv key is the identifier.

  • simpkv value is a Hash with ‘password’ and ‘salt’ attributes

  • simpkv metadata is a Hash with ‘complexity’, ‘complex_only’ and ‘history’ attributes

  • ‘complexity’ and ‘complex_only’ attributes are stored so that the password to be regenerated with the same characteristics and the current password.

  • ‘history’ attribute stores up to 10 most recent <password,salt> pairs.

  • Stores complexity and complex_only settings in metadata so the password can be regenerated with the same characteristics and the current password

  • Maintains a history of up to 10 previous <password,salt> pairs in metadata.

  • Terminates catalog compilation if any simpkv operation fails.

Parameters:

  • identifier (String[1])

    Unique ‘String` to identify the password usage. Must conform to the following:

    • Identifier must contain only the following characters:

      • a-z

      • A-Z

      • 0-9

      • The following special characters: ‘._:-/`

    • Identifier may not contain ‘/./’ or ‘/../’ sequences.

  • password (String[1])

    Password value

  • salt (String[1])

    Salt for the password for use in encryption operations

  • complexity (Integer[0,2])

    Specifies the types of characters in the password

    * `0` => Only Alphanumeric characters
* `1` => Alphanumeric characters plus reasonably safe symbols
* `2` => Printable ASCII
  • complex_only (Boolean)

    Whether the password contains only the characters explicitly added by the complexity rules. For example, when ‘complexity` is `1`, the password contains only safe symbols.

  • simpkv_options (Optional[Hash])

    simpkv configuration that will be merged ‘simpkv::options`. All keys are optional.

Options Hash (simpkv_options):

  • 'app_id' (String)

    Specifies an application name that can be used to identify which backend configuration to use via fuzzy name matching, in the absence of the ‘backend` option.

    * More flexible option than `backend`.
* Useful for grouping together simpkv function calls found in different
  catalog resources.
* When specified and the `backend` option is absent, the backend will be
  selected preferring a backend in the merged `backends` option whose
  name exactly matches the `app_id`, followed by the longest backend
  name that matches the beginning of the `app_id`, followed by the
  `default` backend.
* When absent and the `backend` option is also absent, this function
  will use the `default` backend.
  • 'backend' (String)

    Definitive name of the backend to use.

    * Takes precedence over `app_id`.
* When present, must match a key in the `backends` option of the
  merged options Hash or the function will fail.
* When absent in the merged options, this function will select
  the backend as described in the `app_id` option.
  • 'backends' (Hash)

    Hash of backend configurations

    * Each backend configuration in the merged options Hash must be
  a Hash that has the following keys:

  * `type`:  Backend type.
  * `id`:  Unique name for the instance of the backend. (Same backend
    type can be configured differently).

 * Other keys for configuration specific to the backend may also be
   present.
  • 'environment' (String)

    Puppet environment to prepend to keys.

    * When set to a non-empty string, it is prepended to the key used in
  the backend operation.
* Should only be set to an empty string when the key being accessed is
  truly global.
* Defaults to the Puppet environment for the node.
  • 'softfail' (Boolean)

    Whether to ignore simpkv operation failures.

    * When `true`, this function will return a result even when the
  operation failed at the backend.
* When `false`, this function will fail when the backend operation
  failed.
* Defaults to `false`.

Returns:

  • (Nil)

Raises:

  • Exception if a simpkv operation fails



15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
 
# File 'lib/puppet/functions/simplib/passgen/simpkv/set.rb', line 15

Puppet::Functions.create_function(:'simplib::passgen::simpkv::set') do

  # @param identifier
  #   Unique `String` to identify the password usage.
  #   Must conform to the following:
  #   * Identifier must contain only the following characters:
  #     * a-z
  #     * A-Z
  #     * 0-9
  #     * The following special characters: `._:-/`
  #   * Identifier may not contain '/./' or '/../' sequences.
  #
  # @param password
  #   Password value
  #
  # @param salt
  #   Salt for the password for use in encryption operations
  #
  # @param complexity
  #   Specifies the types of characters in the password
  #     * `0` => Only Alphanumeric characters
  #     * `1` => Alphanumeric characters plus reasonably safe symbols
  #     * `2` => Printable ASCII
  #
  # @param complex_only
  #   Whether the password contains only the characters explicitly added by the
  #   complexity rules.  For example, when `complexity` is `1`, the password
  #   contains only safe symbols.
  #
  # @param simpkv_options
  #   simpkv configuration that will be merged `simpkv::options`.
  #   All keys are optional.
  #
  # @option simpkv_options [String] 'app_id'
  #   Specifies an application name that can be used to identify which backend
  #   configuration to use via fuzzy name matching, in the absence of the
  #   `backend` option.
  #
  #     * More flexible option than `backend`.
  #     * Useful for grouping together simpkv function calls found in different
  #       catalog resources.
  #     * When specified and the `backend` option is absent, the backend will be
  #       selected preferring a backend in the merged `backends` option whose
  #       name exactly matches the `app_id`, followed by the longest backend
  #       name that matches the beginning of the `app_id`, followed by the
  #       `default` backend.
  #     * When absent and the `backend` option is also absent, this function
  #       will use the `default` backend.
  #
  # @option simpkv_options [String] 'backend'
  #   Definitive name of the backend to use.
  #
  #     * Takes precedence over `app_id`.
  #     * When present, must match a key in the `backends` option of the
  #       merged options Hash or the function will fail.
  #     * When absent in the merged options, this function will select
  #       the backend as described in the `app_id` option.
  #
  # @option simpkv_options [Hash] 'backends'
  #   Hash of backend configurations
  #
  #     * Each backend configuration in the merged options Hash must be
  #       a Hash that has the following keys:
  #
  #       * `type`:  Backend type.
  #       * `id`:  Unique name for the instance of the backend. (Same backend
  #         type can be configured differently).
  #
  #      * Other keys for configuration specific to the backend may also be
  #        present.
  #
  # @option simpkv_options [String] 'environment'
  #   Puppet environment to prepend to keys.
  #
  #     * When set to a non-empty string, it is prepended to the key used in
  #       the backend operation.
  #     * Should only be set to an empty string when the key being accessed is
  #       truly global.
  #     * Defaults to the Puppet environment for the node.
  #
  # @option simpkv_options [Boolean] 'softfail'
  #   Whether to ignore simpkv operation failures.
  #
  #     * When `true`, this function will return a result even when the
  #       operation failed at the backend.
  #     * When `false`, this function will fail when the backend operation
  #       failed.
  #     * Defaults to `false`.
  #
  # @return [Nil]
  # @raise Exception if a simpkv operation fails
  #
  dispatch :set do
    required_param 'String[1]',    :identifier
    required_param 'String[1]',    :password
    required_param 'String[1]',    :salt
    required_param 'Integer[0,2]', :complexity
    required_param 'Boolean',      :complex_only
    optional_param 'Hash',         :simpkv_options
  end

  def set(identifier, password, salt, complexity, complex_only,
      simpkv_options={'app_id' => 'simplib::passgen'})

    key_root_dir = call_function('simplib::passgen::simpkv::root_dir')
    key = "#{key_root_dir}/#{identifier}"
    key_info = { 'password' => password, 'salt' => salt }
    metadata = {
      'complexity'   => complexity,
      'complex_only' => complex_only,
      'history'      => get_history(identifier, simpkv_options)
    }

    # TODO If simpkv is updated to allow transaction locks, lock prior to
    # get_history() which calls simpkv::get under the hood, and release the
    # lock after this simpkv::put call.
    call_function('simpkv::put', key, key_info, metadata, simpkv_options)
  end

  def get_history(identifier, simpkv_options)
    last_password_info = call_function('simplib::passgen::simpkv::get', identifier,
      simpkv_options)

    history = []
    unless last_password_info.empty?
      history = last_password_info['metadata']['history'].dup
      history.unshift([
        last_password_info['value']['password'],
        last_password_info['value']['salt']
      ])

      # only keep the last 10 <password,salt> pairs
      history = history[0..9]
    end

    history
  end
end