Harden root password class #1485

Merged: 3 commits, Aug 23, 2022
1 change: 0 additions & 1 deletion manifests/params.pp
@@ -9,7 +9,6 @@
$purge_conf_dir = false
$restart = false
$root_password = 'UNSET'
$install_secret_file = '/.mysql_secret'
$server_package_ensure = 'present'
$server_package_manage = true
$server_service_manage = true
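Review bot: removing the `$install_secret_file` default here drops a public parameter of `mysql::server`, so any profile that still passes `install_secret_file` will fail to compile with an unknown-parameter error; this is a breaking change and should be called out in the CHANGELOG and, if the module follows semver, in the next major version note rather than landing silently in a hardening commit. Since the only consumer of this value was the shell string in `server/root_password.pp`, removing the parameter does close off a user-controlled path being interpolated into a command, which is worth stating in the PR description as the reason for the removal.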
@@ -17,8 +17,6 @@
# The location, as a path, of !includedir for custom configuration overrides.
# @param install_options
# Passes [install_options](https://docs.puppetlabs.com/references/latest/type.html#package-attribute-install_options) array to managed package resources. You must pass the appropriate options for the specified package manager
# @param install_secret_file
# Path to secret file containing temporary root password.
# @param manage_config_file
# Whether the MySQL configuration file should be managed. Valid values are `true`, `false`. Defaults to `true`.
# @param options
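Review bot: the `@param install_secret_file` entry is removed but nothing in the remaining class documentation says where the installer's temporary root password is now read from; add a sentence to the class description (or README) stating that `/.mysql_secret` is the fixed path, so operators running an installer that writes the secret elsewhere know the `remove install pass` exec will not fire for them.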
@@ -81,7 +79,6 @@
$config_file_mode = $mysql::params::config_file_mode,
$includedir = $mysql::params::includedir,
$install_options = undef,
$install_secret_file = $mysql::params::install_secret_file,
$manage_config_file = $mysql::params::manage_config_file,
Mysql::Options $options = {},
$override_options = {},
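Review bot: consistent with the params.pp change, but the parameter is removed outright rather than deprecated; a one-release deprecation (keep the parameter, emit a warning, ignore the value) would let existing catalogs keep compiling while the hardcoded path takes effect. If a hard removal is intended, say so in the PR description together with the compile failure users should expect.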
@@ -16,20 +16,15 @@
}

$options = $mysql::server::_options
$secret_file = $mysql::server::install_secret_file
$login_file = $mysql::server::login_file

# New installations of MySQL will configure a default random password for the root user
# with an expiration. No actions can be performed until this password is changed. The
# below exec will remove this default password. If the user has supplied a root
# password it will be set further down with the mysql_user resource.
$rm_pass_cmd = join([
"mysqladmin -u root --password=\$(grep -o '[^ ]\\+\$' ${secret_file}) password ''",
"rm -f ${secret_file}",
], ' && ')
exec { 'remove install pass':
command => $rm_pass_cmd,
onlyif => "test -f ${secret_file}",
command => "mysqladmin -u root --password=\$(grep -o '[^ ]\\+\$' /.mysql_secret) password && (rm -f /.mysql_secret; exit 0) || (rm -f /.mysql_secret; exit 1)",
onlyif => [['test', '-f' ,'/.mysql_secret']],
path => '/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin',
}
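Review bot: the new `command` drops the explicit empty-string argument, so `mysqladmin ... password` now runs without a new password value, and mysqladmin prompts for one in that case; a non-interactive exec cannot answer the prompt, so the exec no longer clearly does what the comment above it says ("remove this default password"). If the intent is still to clear the installer password, restore `password ''`; if the intent of "harden" is to stop setting an empty root password, update the comment and set a real value instead of relying on a prompt. Separately, `|| (rm -f /.mysql_secret; exit 1)` deletes the secret file even when mysqladmin failed, so on the next run the `onlyif` is false and the expiring installer password is never reset; leave the file in place on the failure branch so the run is retriable. Minor: the stray space in `'-f' ,'/.mysql_secret'` should be `'-f', '/.mysql_secret'`, matching the form used in the spec.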

@@ -0,0 +1,2 @@
---
ignore: []
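Review bot: a new `pdk.yaml` with an empty `ignore` list is unrelated to the root-password change and is not mentioned in the PR title; move it to its own PDK template sync commit, or note in the PR description why it is bundled here.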
2 changes: 1 addition & 1 deletion spec/acceptance/01_mysql_db_spec.rb
@@ -37,7 +37,7 @@ class { 'mysql::server':
class { 'mysql::server': override_options => { 'root_password' => 'password' } }
file { '/tmp/spec.sql':
ensure => file,
content => 'CREATE TABLE table1 (id int);',
content => 'CREATE TABLE IF NOT EXISTS table1 (id int);',
before => Mysql::Db['spec2'],
}
mysql::db { 'spec2':
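Review bot: switching to `CREATE TABLE IF NOT EXISTS` makes the acceptance fixture tolerant of the SQL being applied more than once, which is unrelated to the root-password hardening and deserves its own commit. It also hides a second application of the SQL rather than asserting it runs once; if the test was failing on a re-run, say so in the commit message so reviewers know whether this papers over a `mysql::db` idempotency issue or just a fixture cleanup problem.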
@@ -158,8 +158,8 @@
describe 'when defaults' do
it {
is_expected.to contain_exec('remove install pass').with(
command: 'mysqladmin -u root --password=$(grep -o \'[^ ]\\+$\' /.mysql_secret) password \'\' && rm -f /.mysql_secret',
onlyif: 'test -f /.mysql_secret',
command: "mysqladmin -u root --password=\$(grep -o '[^ ]\\+\$' /.mysql_secret) password && (rm -f /.mysql_secret; exit 0) || (rm -f /.mysql_secret; exit 1)",
onlyif: [['test', '-f', '/.mysql_secret']],
path: '/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin',
)
}
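Review bot: this expectation mirrors the manifest's `command` string exactly, including the missing `''` new-password argument, so it will pass whatever mysqladmin actually does with a bare `password` command; if the argument is restored in `root_password.pp`, this string has to change in the same commit. Consider adding a case for the failure branch (mysqladmin fails, secret file removed, exec returns 1) so the retry behaviour of the exec is pinned down by a test rather than only by the shell string.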
@@ -198,16 +198,6 @@
it { is_expected.not_to contain_mysql_user('root@localhost') }
it { is_expected.not_to contain_file('/root/.my.cnf') }
end
describe 'when install_secret_file set to /root/.mysql_secret' do
let(:params) { { install_secret_file: '/root/.mysql_secret' } }

it {
is_expected.to contain_exec('remove install pass').with(
command: 'mysqladmin -u root --password=$(grep -o \'[^ ]\\+$\' /root/.mysql_secret) password \'\' && rm -f /root/.mysql_secret',
onlyif: 'test -f /root/.mysql_secret',
)
}
end
end

context 'mysql::server::providers' do
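Review bot: removing the `install_secret_file` example is the right follow-through on dropping the parameter, but no test now covers the case where `/.mysql_secret` is absent; add a case asserting that `remove install pass` carries the `onlyif` guard so the exec does not run on hosts without the installer file.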