Use curl netrc file instead of --user

[alexjfisher]

This stops credentials appearing in the process list and failed
downloads won't result in the credentials being logged in puppet reports
and agent log output.

Fixes #397

[alexjfisher]

I intend to fixup/rewrite the tests after getting some initial feedback.

[alexjfisher]

Should probably implement a similar fix for the wget provider. Annoyingly, wget can also use netrc files, but it appears you can't actually specify a path to such a file. It only looks in ~/.netrc (which we can't overwrite!)

[alexjfisher]

You can use a WGETRC environment variable.
https://www.gnu.org/software/wget/manual/html_node/Wgetrc-Location.html

Since the implementation wouldn't have too much in common, and since you have to go out of your way to select wget as the provider, I'll probably just leave this for a separate PR.

[igalic]

and we can't use Sensitive type in a puppet type?

[alexjfisher]

Type properties automatically work with Sensitive types. When puppet syncs the property it just knows to redact the change. But password is a parameter. (You can also define a property to be Sensitive always even if the user provides a normal string. See puppetlabs/puppet@f62a592)

With parameters, you can pass a Sensitive value if you like and it will work. But you'll get a warning like:

Unable to mark 'password' as sensitive: password is a parameter and not a property, and cannot be automatically redacted.

I suppose you could suppress the warning by converting the parameter into a property that is fudged to always be in sync (like in puppetlabs/puppetlabs-stdlib#786)

But since we don't (in this fix of this provider), pass the password to the command being executed, we don't have to do something crazy like in https://github.com/puppetlabs/puppetlabs-vcsrepo/pull/416/files

[alexjfisher]

By switching to using a netrc file, I think we avoid all the hassle of having to conditionally redact command output by calling Puppet::Util::Execution directly instead of using the autogenerated helper. If we couldn't have used netrc, then I don't think I'd even check to see if password was Sensitive, but always consider it so.
I'm also guessing if you Puppet::Util::Execution.execute("curl $PARAMS", sensitive: true) you end up redacting the command error output completely. This would be very helpful to users.

[alexjfisher]

I'm unclear as to why in https://github.com/puppetlabs/puppetlabs-vcsrepo/pull/416/files#diff-574463866055cc3f49ee013638f6652aR81 they have to call unwrap. If I set archive's password parameter to a Sensitive value, it just works. No need to explicitly unwrap anything. It gets written out to the file just fine.

[ekohl]

I like this approach. One reason to do this regardless of the use of Sensitive is that it doesn't show the password in the process list (ps aux).

[ekohl]

Is this still WIP?

[ekohl]

Thanks!