From 4eefa678a905140620ca8b390d48fe318d36e4ea Mon Sep 17 00:00:00 2001
From: Justin Sherrill
Date: Wed, 31 Jul 2019 11:20:37 -0400
Subject: [PATCH] Fixes #27485 - encrypt discovery password within task
(cherry picked from commit bc9fa1391334a165b22e89a3a3e2e5142b221ddb)
---
 .../actions/katello/repository/discover.rb | 22 ++++-----
 .../katello/repository/discover_test.rb | 47 +++++++++++++++++++
 2 files changed, 57 insertions(+), 12 deletions(-)
 create mode 100644 test/actions/katello/repository/discover_test.rb
diff --git a/app/lib/actions/katello/repository/discover.rb b/app/lib/actions/katello/repository/discover.rb
index ba8ce958990..7506ce4a4c9 100644
--- a/app/lib/actions/katello/repository/discover.rb
+++ b/app/lib/actions/katello/repository/discover.rb
@@ -1,8 +1,9 @@
 module Actions
 module Katello
 module Repository
- class Discover < Actions::Base
+ class Discover < Actions::EntryAction
 include Dynflow::Action::Cancellable
+ include EncryptValue
 input_format do
 param :url, String
@@ -17,7 +18,8 @@ class Discover < Actions::Base
 end
 def plan(url, content_type, upstream_username, upstream_password, search)
- plan_self(url: url, content_type: content_type, upstream_username: upstream_username, upstream_password: upstream_password, search: search)
+ password = encrypt_field(upstream_password)
+ plan_self(url: url, content_type: content_type, upstream_username: upstream_username, upstream_password: password, search: search)
 end
 def run(event = nil)
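Review bot: The `encrypt_field(upstream_password)` call in `plan` protects the credential only when an encryption key is configured; the new test `test_discovers_without_encryption` asserts that `task.input[:upstream_password]` is still `'secret'` when `ENCRYPTION_KEY` is nil, so on such installs the password is stored with the task in cleartext and nothing in the code says so. The same commit removes the `task_input` override that returned only `input[:url]`, so the password field, encrypted or not, is presumably now part of what the task reports as its input. A comment above the call would make the fallback explicit, for example `# encrypt_field leaves the value as-is when no ENCRYPTION_KEY is configured`, and it is worth considering whether `:upstream_password` should be kept out of the input the task displays. `plan` lies wholly inside this hunk.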
@@ -25,14 +27,15 @@ def run(event = nil)
 output[:crawled] = output[:crawled] || []
 output[:to_follow] = output[:to_follow] || [input[:url]]
- repo_discovery = ::Katello::RepoDiscovery.new(input[:url], input[:content_type],
- input[:upstream_username], input[:upstream_password],
- input[:search], proxy,
- output[:crawled], output[:repo_urls], output[:to_follow])
-
 match(event,
 (on nil do
 unless output[:to_follow].empty?
+ password = decrypt_field(input[:upstream_password])
+ repo_discovery = ::Katello::RepoDiscovery.new(input[:url], input[:content_type],
+ input[:upstream_username], password,
+ input[:search], proxy,
+ output[:crawled], output[:repo_urls], output[:to_follow])
+
 repo_discovery.run(output[:to_follow].shift)
 suspend { |suspended_action| world.clock.ping suspended_action, 0.001 }
 end
@@ -42,11 +45,6 @@ def run(event = nil)
 end))
 end
- # @return urls found by the action
- def task_input
- input[:url]
- end
-
 # @return [Array] urls found by the action
 def task_output
 output[:repo_urls] || []
diff --git a/test/actions/katello/repository/discover_test.rb b/test/actions/katello/repository/discover_test.rb
new file mode 100644
index 00000000000..7abe7faf4ea
--- /dev/null
+++ b/test/actions/katello/repository/discover_test.rb
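Review bot: `decrypt_field(input[:upstream_password])` in the `on nil` branch is applied to whatever is stored in the task input, and for tasks planned before this change, or planned with no encryption key, that is the cleartext password; the hunk does not show how `decrypt_field` treats a value that was never encrypted or one that fails to decrypt, and in the failure case the undecrypted string could be what gets passed to `RepoDiscovery` as the password. A short comment would record the expectation, e.g. `# decrypt_field is expected to return never-encrypted values unchanged`. `repo_discovery` is now local to this block, so any use of it in the part of `run` between this hunk and the next would no longer resolve; that part is not visible here. `run` starts before this hunk and ends after it.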
@@ -0,0 +1,47 @@
+require 'katello_test_helper'
+
+module EncryptionKey
+ ENCRYPTION_KEY = nil
+end
+
+module Actions
+ describe Katello::Repository::CloneToVersion do
+ include Dynflow::Testing
+ include Support::Actions::Fixtures
+ include FactoryBot::Syntax::Methods
+
+ let(:action_class) { ::Actions::Katello::Repository::Discover }
+
+ def setup
+ get_organization #ensure we have an org label
+ end
+
+ def test_discovers_without_encryption
+ EncryptionKey.const_set(:ENCRYPTION_KEY, nil)
+
+ mock_discovery = mock
+ url = 'http://foo.com'
+ ::Katello::RepoDiscovery.expects(:new).with(url, 'yum', 'admin', 'secret', nil, {}, [], [], [url]).returns(mock_discovery)
+ mock_discovery.expects(:run).with("http://foo.com").once
+
+ task = ForemanTasks.sync_task(action_class, url, 'yum', 'admin', 'secret', nil)
+
+ refute_empty task.input[:upstream_password]
+ assert_equal task.input[:upstream_password], 'secret'
+ end
+
+ def test_discovers_with_hidden_password
+ EncryptionKey.const_set(:ENCRYPTION_KEY, 'ebf26a286b3edec3d31ac10e8e97bd60')
+
+ mock_discovery = mock
+ url = 'http://foo.com'
+ ::Katello::RepoDiscovery.expects(:new).with(url, 'yum', 'admin', 'secret', nil, {}, [], [], [url]).returns(mock_discovery)
+ mock_discovery.expects(:run).with("http://foo.com").once
+
+ task = ForemanTasks.sync_task(action_class, url, 'yum', 'admin', 'secret', nil)
+
+ refute_empty task.input[:upstream_password]
+ refute_equal task.input[:upstream_password], 'secret'
+ end
+ end
+end
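Review bot: Both tests overwrite `EncryptionKey::ENCRYPTION_KEY` with `const_set` and never put it back, and the file-level `module EncryptionKey` block assigns the constant nil at load, so whichever value was set last stays in force for every test that runs afterwards in the same process; saving the value in `setup` and restoring it in `teardown` keeps the encrypted and unencrypted paths from leaking into unrelated tests. The `describe` line names `Katello::Repository::CloneToVersion` although `action_class` is `Discover`, which looks like a copy-paste leftover: `describe Katello::Repository::Discover do`. A case with a nil `upstream_password` would also cover discovery without credentials through `encrypt_field` and `decrypt_field`.

```ruby
    def setup
      get_organization #ensure we have an org label
      @saved_encryption_key = EncryptionKey::ENCRYPTION_KEY
    end

    # Put the constant back so the key chosen by one test does not leak into later tests.
    def teardown
      EncryptionKey.send(:remove_const, :ENCRYPTION_KEY)
      EncryptionKey.const_set(:ENCRYPTION_KEY, @saved_encryption_key)
    end

    # … unchanged: test_discovers_without_encryption, test_discovers_with_hidden_password …
```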