Change implementation of "no newlines in secrets" to use a type alias…

… with Pattern, and also create a type for passwords

manifests/client.pp

@@ -1,6 +1,6 @@
 # Install FreeRADIUS clients (WISMs or testing servers)
 define freeradius::client (
-  String $secret,
+  Freeradius::Secret $secret,
   Optional[String] $shortname                        = $title,
   Optional[String] $ip                               = undef,
   Optional[String] $ip6                              = undef,
@@ -23,7 +23,7 @@
     'other',
   ]] $nastype = undef,
   Optional[String] $login                            = undef,
-  Optional[String] $password                         = undef,
+  Optional[Freeradius::Password] $password           = undef,
   Optional[String] $coa_server                       = undef,
   Optional[String] $response_window                  = undef,
   Optional[Integer] $max_connections                 = undef,
@@ -42,10 +42,6 @@
   $fr_basepath = $::freeradius::params::fr_basepath
   $fr_group    = $::freeradius::params::fr_group
 
-  if ($secret !~ /\A[^\n]+\z/) {
-    fail('Secrets cannot have newlines in them')
-  }
-
   file { "${fr_basepath}/clients.d/${shortname}.conf":
     ensure  => $ensure,
     mode    => '0640',

manifests/home_server.pp

@@ -1,6 +1,6 @@
 # Configure a home_server for proxy config
 define freeradius::home_server (
-  String $secret,
+  Freeradius::Secret $secret,
   Enum['udp', 'tcp'] $proto                              = 'udp',
   Enum['none', 'status-server', 'request'] $status_check = 'none',
   Enum['auth', 'acct', 'auth+acct', 'coa'] $type         = 'auth',
@@ -11,7 +11,7 @@
   Optional[Integer] $max_outstanding                     = undef,
   Optional[Enum['no', 'yes']] $no_response_fail          = undef,
   Optional[Integer] $num_answers_to_alive                = undef,
-  Optional[String] $password                             = undef,
+  Optional[Freeradius::Password] $password               = undef,
   Optional[Integer] $port                                = 1812,
   Optional[Integer] $response_window                     = undef,
   Optional[Integer] $revive_interval                     = undef,

manifests/ldap.pp

@@ -1,7 +1,7 @@
 # Configure LDAP support for FreeRADIUS
 define freeradius::ldap (
   String $identity,
-  String $password,
+  Freeradius::Password $password,
   String $basedn,
   Array[String] $server         = ['localhost'],
   Integer $port                 = 389,

manifests/module/eap.pp

@@ -17,7 +17,7 @@
   Optional[String] $gtc_challenge                                   = undef,
   String $gtc_auth_type                                             = 'PAP',
   String $tls_config_name                                           = 'tls-common',
-  Optional[String] $tls_private_key_password                        = undef,
+  Optional[Freeradius::Password] $tls_private_key_password          = undef,
   String $tls_private_key_file                                      = "\${certdir}/server.pem",
   String $tls_certificate_file                                      = "\${certdir}/server.pem",
   String $tls_ca_file                                               = "\${certdir}/ca.pem",

manifests/module/ldap.pp

@@ -5,7 +5,7 @@
   Array[String] $server                                               = ['localhost'],
   Integer $port                                                       = 389,
   Optional[String] $identity                                          = undef,
-  Optional[String] $password                                          = undef,
+  Optional[Freeradius::Password] $password                            = undef,
   Optional[Freeradius::Sasl] $sasl                                    = {},
   Optional[String] $valuepair_attribute                               = undef,
   Optional[Array[String]] $update                                     = undef,

manifests/sql.pp

@@ -1,7 +1,7 @@
 # Configure SQL support for FreeRADIUS
 define freeradius::sql (
   Enum['mysql', 'mssql', 'oracle', 'postgresql'] $database,
-  String $password,
+  Freeradius::Password $password,
   Optional[String] $server                       = 'localhost',
   Optional[String] $login                        = 'radius',
   Optional[String] $radius_db                    = 'radius',

manifests/statusclient.pp

@@ -1,6 +1,6 @@
 # Install FreeRADIUS clients (WISMs or testing servers)
 define freeradius::statusclient (
-  String $secret,
+  Freeradius::Secret $secret,
   Optional[String] $ip        = undef,
   Optional[String] $ip6       = undef,
   Optional[Integer] $port     = undef,

spec/defines/client_spec.rb

@@ -33,7 +33,19 @@
     end
 
     it do
-      is_expected.to compile.and_raise_error(%r{Secrets cannot have newlines in them})
+      is_expected.to compile.and_raise_error(%r{parameter 'secret' expects a match for Freeradius::Secret})
+    end
+  end
+
+  context 'with password containing a newline' do
+    let(:params) do
+      super().merge(
+        password: "foo\nbar",
+      )
+    end
+
+    it do
+      is_expected.to compile.and_raise_error(%r{parameter 'password' expects a match for Freeradius::Password})
     end
   end
 end

spec/defines/home_server_spec.rb

@@ -18,4 +18,28 @@
       .with_order('10')
       .with_target('/etc/raddb/proxy.conf')
   end
+
+  context 'with secret containing a newline' do
+    let(:params) do
+      super().merge(
+        secret: "foo\nbar",
+      )
+    end
+
+    it do
+      is_expected.to compile.and_raise_error(%r{parameter 'secret' expects a match for Freeradius::Secret})
+    end
+  end
+
+  context 'with password containing a newline' do
+    let(:params) do
+      super().merge(
+        password: "foo\nbar",
+      )
+    end
+
+    it do
+      is_expected.to compile.and_raise_error(%r{parameter 'password' expects a match for Freeradius::Password})
+    end
+  end
 end

spec/defines/module/ldap_spec.rb

@@ -134,4 +134,16 @@
   #     is_expected.to compile.and_raise_error(%r{^The `use_referral_credentials` parameter requires FreeRADIUS 3.1.x})
   #   end
   # end
+
+  context 'with password containing a newline' do
+    let(:params) do
+      super().merge(
+        password: "foo\nbar",
+      )
+    end
+
+    it do
+      is_expected.to compile.and_raise_error(%r{parameter 'password' expects a match for Freeradius::Password})
+    end
+  end
 end

spec/defines/sql_spec.rb

@@ -133,6 +133,18 @@
       #     is_expected.to compile.and_raise_error(%r{^The `pool_connect_timeout` parameter requires FreeRADIUS 3.1.x})
       #   end
       # end
+
+      context 'with password containing a newline' do
+        let(:params) do
+          super().merge(
+            password: "foo\nbar",
+          )
+        end
+
+        it do
+          is_expected.to compile.and_raise_error(%r{parameter 'password' expects a match for Freeradius::Password})
+        end
+      end
     end
   end
 end

spec/defines/statusclient_spec.rb

@@ -24,4 +24,16 @@
       .that_requires('Group[radiusd]')
       .that_requires('File[/etc/raddb/clients.d]')
   end
+
+  context 'with secret containing a newline' do
+    let(:params) do
+      super().merge(
+        secret: "foo\nbar",
+      )
+    end
+
+    it do
+      is_expected.to compile.and_raise_error(%r{parameter 'secret' expects a match for Freeradius::Secret})
+    end
+  end
 end

types/password.pp

@@ -0,0 +1 @@
+type Freeradius::Password = Pattern[/\A[^\n]+\z/]

types/secret.pp

@@ -0,0 +1 @@
+type Freeradius::Secret = Pattern[/\A[^\n]+\z/]