From 95133be05049a1e9d1c0493478ba4f719b9b714e Mon Sep 17 00:00:00 2001
From: Evgeni Golov
Date: Wed, 16 Oct 2024 09:24:20 +0200
Subject: [PATCH 1/3] properly escape quotes in passwords by calling to_ruby

database passwords can contain special characters, especially " and ' so we can't just print the value of the field enclosed by double quotes as that would break whenever the user uses a literal " in their password using to_ruby here and not to_yaml, as the former gives us correct escaping without the whole `---` and `\n` enclosing that to_yaml forces. using to_yaml would require to pass *the whole* config hash to it
---
 templates/database.yml.epp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/templates/database.yml.epp b/templates/database.yml.epp
index 7e45e2627..444cdfd10 100644
--- a/templates/database.yml.epp
+++ b/templates/database.yml.epp
@@ -30,6 +30,6 @@
 username: <%= $username %>
 <% } -%>
 <% if $password { -%>
- password: "<%= $password %>"
+ password: <%= stdlib::to_ruby($password) %>
 <% } -%>
 pool: <%= $db_pool %>

From 8903ba202a4cdb9b48f11619e84fc1d4f8a96219 Mon Sep 17 00:00:00 2001
From: Evgeni Golov
Date: Wed, 16 Oct 2024 12:39:32 +0200
Subject: [PATCH 2/3] try db_password to be Sensitive

---
 manifests/init.pp | 2 +-
 spec/classes/foreman_spec.rb | 11 +++++++++++
 2 files changed, 12 insertions(+), 1 deletion(-)

diff --git a/manifests/init.pp b/manifests/init.pp
index a3dde8393..bb6edff9c 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -226,7 +226,7 @@
 Optional[Stdlib::Port] $db_port = undef,
 String[1] $db_database = 'foreman',
 String[1] $db_username = 'foreman',
- String[1] $db_password = $foreman::params::db_password,
+ Variant[String[1], Sensitive[String[1]]] $db_password = $foreman::params::db_password,
 Optional[String[1]] $db_sslmode = undef,
 Optional[String[1]] $db_root_cert = undef,
 Optional[Integer[0]] $db_pool = undef,
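Review bot: `stdlib::to_ruby($password)` on the added line emits a Ruby string literal, and Ruby's and YAML's double-quoted escape syntaxes are not the same, so this only partially solves the problem the commit message describes. If to_ruby quotes strings via `String#inspect` (as I believe it does), a password containing `#{`, `#$` or `#@` is written with a `\#` escape, and some non-printable code points outside the BMP as `\u{…}`; neither is a YAML escape, so the generated database.yml would fail to parse for those values. A JSON string literal is a valid YAML double-quoted scalar with a compatible escape set, so `password: <%= stdlib::to_json($password) %>` keeps the one-line form the message wants and still yields `password: "secret"` for the value the spec uses; whether either function unwraps a `Sensitive` argument (which [PATCH 2/3] introduces) is not visible here and should be checked. The enclosing mapping this line belongs to starts outside the hunk.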
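Review bot: The `@param db_password` documentation for this class (presumably in the class header above, outside the hunk) still describes a plain string, while the new type also accepts `Sensitive[String[1]]`; it should say so, e.g. `# @param db_password` followed by `#   Database password; may be passed as a Sensitive value so that it is redacted from catalogs, logs and reports.` The wider type is only safe if every consumer of `$db_password` in the class handles a wrapped value: anything that interpolates it into a string, or hands it to a function that does not unwrap, produces the literal `Sensitive [value redacted]` marker rather than the password, and those other uses are not visible in this hunk. The class parameter list continues on both sides of the hunk.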
diff --git a/spec/classes/foreman_spec.rb b/spec/classes/foreman_spec.rb
index 35e4a2d65..ede873859 100644
--- a/spec/classes/foreman_spec.rb
+++ b/spec/classes/foreman_spec.rb
@@ -484,6 +484,17 @@
 it { should contain_user('foreman').with('groups' => []) }
 end
+
+ describe 'with sensitive passwords' do
+ let(:params) do
+ super().merge(db_password: sensitive('secret'))
+ end
+
+ it 'should configure the database' do
+ should contain_file('/etc/foreman/database.yml')
+ .with_content(/password: "secret"/)
+ end
+ end
 end
 end
 end

From a2f3872923f3ea3ea1dccd52b58ca0b3551c71b7 Mon Sep 17 00:00:00 2001
From: Evgeni Golov
Date: Wed, 16 Oct 2024 13:43:11 +0200
Subject: [PATCH 3/3] sensitive?!

---
 spec/classes/foreman_spec.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/spec/classes/foreman_spec.rb b/spec/classes/foreman_spec.rb
index ede873859..89fad98f7 100644
--- a/spec/classes/foreman_spec.rb
+++ b/spec/classes/foreman_spec.rb
@@ -492,7 +492,7 @@
 it 'should configure the database' do
 should contain_file('/etc/foreman/database.yml')
- .with_content(/password: "secret"/)
+ .with_content(sensitive(/password: "secret"/))
 end
 end
 end
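Review bot: The added example only asserts that a plain value arrives unchanged, so nothing in the suite exercises the quote escaping that [PATCH 1/3] introduced; a regression back to `"<%= $password %>"` would still pass, which is the behaviour this series exists to fix. Add a sibling example whose password contains a double quote, e.g. `let(:params) { super().merge(db_password: sensitive('se"cret')) }` with `.with_content(sensitive(/password: "se\\"cret"/))`, using the `sensitive(...)` matcher wrapping that [PATCH 3/3] below applies to the existing example. The enclosing `describe` blocks start and end outside the hunk, and the same point applies to the [PATCH 3/3] hunk, which only changes the matcher.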