Merge pull request #1485 from puppetlabs/maint-harden_root_password_class

LukasAud · web-flow · commit 18813a151f15 · 2022-08-23T14:25:42.000+01:00
Harden root password class
diff --git a/manifests/params.pp b/manifests/params.pp
@@ -9,7 +9,6 @@
   $purge_conf_dir         = false
   $restart                = false
   $root_password          = 'UNSET'
-  $install_secret_file    = '/.mysql_secret'
   $server_package_ensure  = 'present'
   $server_package_manage  = true
   $server_service_manage  = true
diff --git a/manifests/server.pp b/manifests/server.pp
@@ -17,8 +17,6 @@
 #   The location, as a path, of !includedir for custom configuration overrides.
 # @param install_options
 #   Passes [install_options](https://docs.puppetlabs.com/references/latest/type.html#package-attribute-install_options) array to managed package resources. You must pass the appropriate options for the specified package manager
-# @param install_secret_file
-#   Path to secret file containing temporary root password.
 # @param manage_config_file
 #   Whether the MySQL configuration file should be managed. Valid values are `true`, `false`. Defaults to `true`.
 # @param options
@@ -81,7 +79,6 @@
   $config_file_mode        = $mysql::params::config_file_mode,
   $includedir              = $mysql::params::includedir,
   $install_options         = undef,
-  $install_secret_file     = $mysql::params::install_secret_file,
   $manage_config_file      = $mysql::params::manage_config_file,
   Mysql::Options  $options                 = {},
   $override_options        = {},
diff --git a/manifests/server/root_password.pp b/manifests/server/root_password.pp
@@ -16,20 +16,15 @@
   }
 
   $options = $mysql::server::_options
-  $secret_file = $mysql::server::install_secret_file
   $login_file = $mysql::server::login_file
 
   # New installations of MySQL will configure a default random password for the root user
   # with an expiration. No actions can be performed until this password is changed. The
   # below exec will remove this default password. If the user has supplied a root
   # password it will be set further down with the mysql_user resource.
-  $rm_pass_cmd = join([
-      "mysqladmin -u root --password=\$(grep -o '[^ ]\\+\$' ${secret_file}) password ''",
-      "rm -f ${secret_file}",
-  ], ' && ')
   exec { 'remove install pass':
-    command => $rm_pass_cmd,
-    onlyif  => "test -f ${secret_file}",
+    command => "mysqladmin -u root --password=\$(grep -o '[^ ]\\+\$' /.mysql_secret) password && (rm -f  /.mysql_secret; exit 0) || (rm -f /.mysql_secret; exit 1)",
+    onlyif  => [['test', '-f' ,'/.mysql_secret']],
     path    => '/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin',
   }
 
diff --git a/pdk.yaml b/pdk.yaml
@@ -0,0 +1,2 @@
+---
+ignore: []
diff --git a/spec/acceptance/01_mysql_db_spec.rb b/spec/acceptance/01_mysql_db_spec.rb
@@ -37,7 +37,7 @@ class { 'mysql::server':
         class { 'mysql::server': override_options => { 'root_password' => 'password' } }
         file { '/tmp/spec.sql':
           ensure  => file,
-          content => 'CREATE TABLE table1 (id int);',
+          content => 'CREATE TABLE IF NOT EXISTS table1 (id int);',
           before  => Mysql::Db['spec2'],
         }
         mysql::db { 'spec2':
diff --git a/spec/classes/mysql_server_spec.rb b/spec/classes/mysql_server_spec.rb
@@ -158,8 +158,8 @@
         describe 'when defaults' do
           it {
             is_expected.to contain_exec('remove install pass').with(
-              command: 'mysqladmin -u root --password=$(grep -o \'[^ ]\\+$\' /.mysql_secret) password \'\' && rm -f /.mysql_secret',
-              onlyif: 'test -f /.mysql_secret',
+              command: "mysqladmin -u root --password=\$(grep -o '[^ ]\\+\$' /.mysql_secret) password && (rm -f  /.mysql_secret; exit 0) || (rm -f /.mysql_secret; exit 1)",
+              onlyif: [['test', '-f', '/.mysql_secret']],
               path: '/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin',
             )
           }
@@ -198,16 +198,6 @@
           it { is_expected.not_to contain_mysql_user('root@localhost') }
           it { is_expected.not_to contain_file('/root/.my.cnf') }
         end
-        describe 'when install_secret_file set to /root/.mysql_secret' do
-          let(:params) { { install_secret_file: '/root/.mysql_secret' } }
-
-          it {
-            is_expected.to contain_exec('remove install pass').with(
-              command: 'mysqladmin -u root --password=$(grep -o \'[^ ]\\+$\' /root/.mysql_secret) password \'\' && rm -f /root/.mysql_secret',
-              onlyif: 'test -f /root/.mysql_secret',
-            )
-          }
-        end
       end
 
       context 'mysql::server::providers' do

Original file line number	Diff line number	Diff line change
`@@ -37,7 +37,7 @@ class { 'mysql::server':`
`37`	`37`	`class { 'mysql::server': override_options => { 'root_password' => 'password' } }`
`38`	`38`	`file { '/tmp/spec.sql':`
`39`	`39`	`ensure => file,`
`40`		`- content => 'CREATE TABLE table1 (id int);',`
	`40`	`+ content => 'CREATE TABLE IF NOT EXISTS table1 (id int);',`
`41`	`41`	`before => Mysql::Db['spec2'],`
`42`	`42`	`}`
`43`	`43`	`mysql::db { 'spec2':`