puppetlabs-java_ks

Check, if keytool exists, before trying to execute it

Open cocker-cc opened this issue 2 years ago • 4 comments

Use Case

If keytool does not exist, sensitive Password is not “redacted” in Error-Message:

Error: /Stage[main]/Myprofilemodule/Java_ks[myRootCA]/ensure: change from 'absent' to 'latest' failed:  
Execution of 'keytool -importcert -noprompt -alias myrootca -file /etc/pki/tls/certs/myCA_root.pem -keystore /path/to/mykeystore -srcstorepass MyPassword -deststorepass MyPassword' returned 1:  
Error: Could not execute posix command: No such file or directory - keytool

Describe the Solution You Would Like

  • check, if keytool exists, before trying to execute it
  • prevent Password-Leak in other Error-Situations

cocker-cc avatar Oct 12 '23 14:10 cocker-cc
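
One way to implement both requested behaviours, as an added Ruby example that is not the java_ks provider's own code: look keytool up on PATH before executing anything, and build every error message from a redacted argument list. The method names and the `[redacted]` marker are assumptions made for this illustration.

```ruby
# Added illustration; method names are hypothetical, not the java_ks provider's API.
require 'open3'

# keytool options whose next argument is a password.
SECRET_FLAGS = %w[-storepass -keypass -srcstorepass -deststorepass].freeze

class KeytoolError < StandardError; end

# Copy of argv with each password value replaced, safe for logs and errors.
def redact(argv)
  hide_next = false
  argv.map do |arg|
    shown = hide_next ? '[redacted]' : arg
    hide_next = !hide_next && SECRET_FLAGS.include?(arg)
    shown
  end
end

# Remove password values that the tool itself may have echoed back.
def scrub(text, argv)
  secrets = argv.each_cons(2).select { |flag, _| SECRET_FLAGS.include?(flag) }.map(&:last)
  secrets.reject(&:empty?).uniq.reduce(text) { |t, s| t.gsub(s, '[redacted]') }
end

# Find an executable on PATH without running it; nil when it is absent.
def find_executable(name, path = ENV.fetch('PATH', ''))
  path.split(File::PATH_SEPARATOR).reject(&:empty?).each do |dir|
    candidate = File.join(dir, name)
    return candidate if File.file?(candidate) && File.executable?(candidate)
  end
  nil
end

# Failure text is built only from the redacted argv and scrubbed output.
def failure_message(args, exitstatus, output)
  "Execution of '#{(['keytool'] + redact(args)).join(' ')}' " \
    "returned #{exitstatus}: #{scrub(output, args)}"
end

def run_keytool(args, path = ENV.fetch('PATH', ''))
  exe = find_executable('keytool', path)
  raise KeytoolError, 'keytool not found on PATH; nothing was executed' unless exe

  output, status = Open3.capture2e(exe, *args)
  raise KeytoolError, failure_message(args, status.exitstatus, output) unless status.success?

  output
end
```

Passing the arguments to `Open3.capture2e` as an array also keeps the password out of any shell command line.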

@david22swan (apologies for tagging you, you seem to be the last one who contributed to the latest version of this module)

I have a similar issue, I have installed 2 different versions of java on the same machine and java_ks does not find the keytool one I'd like to use.

Is there a way to implement a way to provide the PATH where keytool is installed? Thanks

danifr avatar Nov 10 '23 15:11 danifr

I worked around it by creating a link:

  file { '/usr/local/bin/keytool':
    ensure  => link,
    target  => "${java_binaries_path}/keytool",
    require => Class['java'],
  }

danifr avatar Nov 13 '23 09:11 danifr

@danifr: But you know, that this is not the Point of this Issue, right? This Issue is about leaking Secrets.

cocker-cc avatar Nov 13 '23 09:11 cocker-cc

Yes yes sorry for hijacking your ticket :)

danifr avatar Nov 13 '23 09:11 danifr