FixAuth for ConfigurationScript#credentials

agrare · Jan 4, 2024 · d91dec8 · d91dec8
1 parent 0b3d445
commit d91dec8
Showing 5 changed files with 55 additions and 4 deletions.
diff --git a/spec/tools/fix_auth/models/fix_configuration_script_spec.rb b/spec/tools/fix_auth/models/fix_configuration_script_spec.rb
@@ -0,0 +1,38 @@
+$LOAD_PATH << Rails.root.join("tools").to_s
+
+require "fix_auth"
+
+RSpec.describe FixAuth::FixConfigurationScript do
+  let!(:configuration_script) { FactoryBot.create(:configuration_script, :credentials => credentials) }
+  let(:legacy_key) { ManageIQ::Password::Key.new }
+  let(:pass)       { "password" }
+  let(:enc_old)    { ManageIQ::Password.encrypt(pass, legacy_key) }
+  let(:options)    { {:legacy_key => legacy_key, :silent => true} }
+
+  context "with nil credentials" do
+    let(:credentials) { nil }
+
+    it "does nothing" do
+      FixAuth::FixConfigurationScript.run(options)
+      expect(configuration_script.credentials).to be_nil
+    end
+  end
+
+  context "with no v2 encrypted passwords in credentials" do
+    let(:credentials) { {} }
+
+    it "does nothing" do
+      FixAuth::FixConfigurationScript.run(options)
+      expect(configuration_script.credentials).to eq({})
+    end
+  end
+
+  context "with v2 encrypted passwords in credentials" do
+    let(:credentials) { {"foo" => enc_old} }
+
+    it "re-encrypts the passwords" do
+      FixAuth::FixConfigurationScript.run(options)
+      expect(configuration_script.reload.credentials["foo"]).to be_encrypted(pass)
+    end
+  end
+end
diff --git a/spec/tools/fix_auth/models_spec.rb → .../fix_auth/models/fix_database_yml_spec.rb b/spec/tools/fix_auth/models_spec.rb → .../fix_auth/models/fix_database_yml_spec.rb
diff --git a/tools/fix_auth/auth_model.rb b/tools/fix_auth/auth_model.rb
@@ -22,7 +22,7 @@ def contenders
       # bring back anything with a password column that has a non blank v1 or v2 password in it
       def selection_criteria
         available_columns.collect do |column|
-          "(#{column} like '%v2:{%')"
+          "(#{column}::text like '%v2:{%')"
         end.join(" OR ")
       end
 
@@ -61,7 +61,14 @@ def recrypt(old_value, options = {})
       def fix_passwords(obj, options)
         available_columns.each do |column|
           if (old_value = obj.send(column)).present?
-            new_value = recrypt(old_value, options)
+            if old_value.kind_of?(Hash)
+              new_value = {}
+              old_value.each do |key, old_sub_value|
+                new_value[key] = recrypt(old_sub_value, options)
+              end
+            else
+              new_value = recrypt(old_value, options)
+            end
             obj.send("#{column}=", new_value) if new_value != old_value
           end
         end

diff --git a/tools/fix_auth/fix_auth.rb b/tools/fix_auth/fix_auth.rb
@@ -34,8 +34,8 @@ def database
     end
 
     def models
-      [FixAuthentication, FixMiqDatabase, FixMiqAeValue, FixMiqAeField,
-       FixSettingsChange, FixMiqRequest, FixMiqRequestTask]
+      [FixAuthentication, FixConfigurationScript, FixMiqDatabase, FixMiqAeValue,
+       FixMiqAeField, FixSettingsChange, FixMiqRequest, FixMiqRequestTask]
     end
 
     def generate_password

diff --git a/tools/fix_auth/models.rb b/tools/fix_auth/models.rb
@@ -10,6 +10,12 @@ class FixAuthentication < ActiveRecord::Base
     self.inheritance_column = :_type_disabled
   end
 
+  class FixConfigurationScript < ActiveRecord::Base
+    include FixAuth::AuthModel
+    self.table_name = "configuration_scripts"
+    self.password_columns = %w[credentials]
+  end
+
   class FixMiqDatabase < ActiveRecord::Base
     include FixAuth::AuthModel
     self.table_name = "miq_databases"