Use Deferred node_encrypt function on passwords

This is a breaking change for Puppet < 6 as it requires the use of the
Deferred type.

Author: genebean

.fixtures.yml

@@ -3,12 +3,9 @@
 ---
 fixtures:
   repositories:
-    bash:
-      repo: "https://github.com/ploperations/ploperations-bash"
-      ref: "80d2812e41de9f1cd3ffe2b0f6e2bf8852f1741b"
-    classification:
-      repo: "https://github.com/ploperations/ploperations-classification"
-      ref: "a0ee04c65d89ca648113e96d15c5001c70fc718d"
+    node_encrypt:
+      repo: 'https://github.com/binford2k/binford2k-node_encrypt.git'
+      ref: '868021745829a204c5c2028bdec972a2f4dc926a'
     ssh:
       repo: "https://github.com/ploperations/ploperations-ssh"
       tag: "0.9.0"
@@ -18,11 +15,12 @@ fixtures:
   forge_modules:
     # Most of these are dependencies of puppetlabs/ssh.
     acl: "puppetlabs/acl"
-    # bash: "ploperations/bash"
+    bash: "ploperations/bash"
     chocolatey: "puppetlabs/chocolatey"
-    # classification: "ploperations/classification"
+    classification: "ploperations/classification"
     concat: "puppetlabs/concat"
     cygwin: "mdelaney/cygwin"
+    # node_encrypt: "binford2k/node_encrypt" need 0.4.1 or later
     registry: "puppetlabs/registry"
     windows_env: "puppet/windows_env"
     sshkeys_core: "puppetlabs/sshkeys_core"

.sync.yml

@@ -1,6 +1,11 @@
 ---
 .gitlab-ci.yml:
   delete: true
+.travis.yml:
+  remove_includes:
+    -
+      env: PUPPET_GEM_VERSION="~> 5.0" CHECK=parallel_spec
+      rvm: 2.4.4
 appveyor.yml:
   delete: true
 Gemfile:

.travis.yml

@@ -23,9 +23,6 @@ matrix:
       env: CHECK="syntax lint metadata_lint check:symlinks check:git_ignore check:dot_underscore check:test_file rubocop"
     -
       env: CHECK=parallel_spec
-    -
-      env: PUPPET_GEM_VERSION="~> 5.0" CHECK=parallel_spec
-      rvm: 2.4.4
 branches:
   only:
     - master

README.md

@@ -125,6 +125,11 @@ account::user:
 Note the accounts must have passwords on Windows. Defining `account::user`
 without a password on Windows will cause that user to be removed.
 
+Passwords come into `account::user` with the [Sensitive][] type. From there
+`node_encrypt::secret()` takes over. The string is encrypted on the master,
+and then decrypted on the agent during catalog application. The `node_encrypt`
+module takes advantage of Deferred functions to do the decryption. You can
+read more about this at https://forge.puppet.com/binford2k/node_encrypt
 
 ### Predefining home directory files
 
@@ -222,6 +227,7 @@ pdk bundle exec puppet strings generate --format markdown
 ```
 
 [Hiera eyaml]: https://github.com/voxpupuli/hiera-eyaml
+[Sensitive]: https://puppet.com/docs/puppet/latest/lang_data_sensitive.html
 [ploperations/ssh]: https://github.com/ploperations/ploperations-ssh
 [REFERENCE.md]: https://github.com/ploperations/ploperations-account/blob/master/REFERENCE.md
 [virtual]: https://puppet.com/docs/puppet/latest/lang_virtual.html

manifests/user.pp

@@ -77,7 +77,7 @@
   include account
 
   if $password {
-    $_password = $password
+    $_password = node_encrypt::secret($password)
   } else {
     $hiera_accounts = lookup({
       name          => 'account::user',
@@ -91,7 +91,7 @@
     }
 
     $_password = $_password_raw ? {
-      String  => Sensitive($_password_raw),
+      String  => node_encrypt::secret(Sensitive($_password_raw)),
       default => $_password_raw,
     }
   }

metadata.json

@@ -8,6 +8,10 @@
   "project_page": "https://github.com/ploperations/ploperations-account",
   "issues_url": "https://github.com/ploperations/ploperations-account/issues",
   "dependencies": [
+    {
+      "name": "binford2k/node_encrypt",
+      "version_requirement": ">= 0.4.0 < 2.0.0"
+    },
     {
       "name": "ploperations/bash",
       "version_requirement": ">= 0.1 < 2.0.0"
@@ -95,7 +99,7 @@
   "requirements": [
     {
       "name": "puppet",
-      "version_requirement": ">= 4.7.0 < 7.0.0"
+      "version_requirement": ">= 6.0.0 < 7.0.0"
     }
   ],
   "pdk-version": "1.9.0",

spec/defines/user_spec.rb

@@ -12,9 +12,26 @@
                   })
     end
 
+    let(:pre_condition) {
+      pp = <<-END
+        function node_encrypt::secret ($foo) { $foo }
+      END
+    }
+
     context "on #{os}" do
-      it { is_expected.to compile.with_all_deps }
-      it { is_expected.to contain_user('jdoe') }
+      context 'without a password' do
+        it { is_expected.to compile.with_all_deps }
+        it { is_expected.to contain_user('jdoe') }
+      end
+
+      context 'with plain text password' do
+        let(:params) do
+          { 'password' => RSpec::Puppet::RawString.new("Sensitive('myPassword')") }
+        end
+
+        it { is_expected.to compile.with_all_deps }
+        it { is_expected.to contain_user('jdoe') }
+      end
     end
   end
 end