FixAuth for ConfigurationScript#credentials

agrare · Jan 5, 2024 · 2b4fbd8 · 2b4fbd8
1 parent 0b3d445
commit 2b4fbd8
Show file tree

Hide file tree

Showing 6 changed files with 72 additions and 6 deletions.
diff --git a/spec/tools/fix_auth/models/fix_configuration_script_spec.rb b/spec/tools/fix_auth/models/fix_configuration_script_spec.rb
@@ -0,0 +1,53 @@
+$LOAD_PATH << Rails.root.join("tools").to_s
+
+require "fix_auth"
+
+RSpec.describe FixAuth::FixConfigurationScript do
+  let!(:configuration_script) { FactoryBot.create(:configuration_script, :credentials => credentials) }
+  let(:legacy_key) { ManageIQ::Password::Key.new }
+  let(:pass)       { "password" }
+  let(:enc_old)    { ManageIQ::Password.encrypt(pass, legacy_key) }
+  let(:options)    { {:legacy_key => legacy_key, :silent => true} }
+
+  context "with nil credentials" do
+    let(:credentials) { nil }
+
+    it "does nothing" do
+      FixAuth::FixConfigurationScript.run(options)
+      expect(configuration_script.credentials).to be_nil
+    end
+  end
+
+  context "with no v2 encrypted passwords in credentials" do
+    let(:credentials) { {"foo" => "bar"} }
+
+    it "does nothing" do
+      FixAuth::FixConfigurationScript.run(options)
+      expect(configuration_script.credentials).to eq(credentials)
+    end
+  end
+
+  context "with a hash in the credentials value" do
+    let(:credentials) { {"foo" => {"credential_ref" => "bar", "credential_field" => "password"}} }
+
+    it "does nothing" do
+      FixAuth::FixConfigurationScript.run(options)
+      expect(configuration_script.credentials).to eq(credentials)
+    end
+  end
+
+  context "with v2 encrypted passwords in credentials" do
+    let(:credentials) { {"foo" => enc_old, "foo2" => enc_old, "bar" => "other"} }
+
+    it "re-encrypts the passwords" do
+      FixAuth::FixConfigurationScript.run(options)
+      expect(configuration_script.reload.credentials["foo"]).to be_encrypted(pass)
+      expect(configuration_script.reload.credentials["foo2"]).to be_encrypted(pass)
+    end
+
+    it "does nothing" do
+      FixAuth::FixConfigurationScript.run(options)
+      expect(configuration_script.reload.credentials["bar"]).to eq("other")
+    end
+  end
+end
diff --git a/spec/tools/fix_auth/models_spec.rb → .../fix_auth/models/fix_database_yml_spec.rb b/spec/tools/fix_auth/models_spec.rb → .../fix_auth/models/fix_database_yml_spec.rb
diff --git a/tools/fix_auth/auth_config_model.rb b/tools/fix_auth/auth_config_model.rb
@@ -15,7 +15,9 @@ def display_record(r)
 
       def display_column(r, column, options)
         puts "    #{column}:"
-        traverse_column([], YAML.load(r.send(column)), options)
+
+        hash = r.send(column).kind_of?(Hash) ? r.send(column) : YAML.load(r.send(column))
+        traverse_column([], hash, options)
       end
 
       def password_field?(key)
@@ -33,14 +35,14 @@ def traverse_column(names, hash, options)
       end
 
       def recrypt(old_value, options = {})
-        hash = YAML.load(old_value)
+        hash = old_value.kind_of?(Hash) ? old_value : YAML.load(old_value)
 
         Vmdb::SettingsWalker.walk(hash) do |key, value, _path, owning|
           owning[key] = super(value, options) if password_field?(key) && value.present?
         end
 
         symbol_keys ? hash.deep_symbolize_keys! : hash.deep_stringify_keys!
-        hash.to_yaml
+        old_value.kind_of?(Hash) ? hash : hash.to_yaml
       rescue ArgumentError # undefined class/module
         unless options[:allow_failures]
           STDERR.puts "potentially bad yaml:"

diff --git a/tools/fix_auth/auth_model.rb b/tools/fix_auth/auth_model.rb
@@ -22,7 +22,7 @@ def contenders
       # bring back anything with a password column that has a non blank v1 or v2 password in it
       def selection_criteria
         available_columns.collect do |column|
-          "(#{column} like '%v2:{%')"
+          "(#{column}::text like '%v2:{%')"
         end.join(" OR ")
       end
 

diff --git a/tools/fix_auth/fix_auth.rb b/tools/fix_auth/fix_auth.rb
@@ -34,8 +34,8 @@ def database
     end
 
     def models
-      [FixAuthentication, FixMiqDatabase, FixMiqAeValue, FixMiqAeField,
-       FixSettingsChange, FixMiqRequest, FixMiqRequestTask]
+      [FixAuthentication, FixConfigurationScript, FixMiqDatabase, FixMiqAeValue,
+       FixMiqAeField, FixSettingsChange, FixMiqRequest, FixMiqRequestTask]
     end
 
     def generate_password

diff --git a/tools/fix_auth/models.rb b/tools/fix_auth/models.rb
@@ -10,6 +10,17 @@ class FixAuthentication < ActiveRecord::Base
     self.inheritance_column = :_type_disabled
   end
 
+  class FixConfigurationScript < ActiveRecord::Base
+    include FixAuth::AuthConfigModel
+    self.table_name = "configuration_scripts"
+    self.password_columns = %w[credentials]
+
+    # no particular fields for passwords, instead encrypt everything
+    self.password_fields = []
+    # blank prefix matches all fields
+    self.password_prefix = ""
+  end
+
   class FixMiqDatabase < ActiveRecord::Base
     include FixAuth::AuthModel
     self.table_name = "miq_databases"