-
Notifications
You must be signed in to change notification settings - Fork 897
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Encrypt ldap bind password when queuing to MiqQueue #6539
Conversation
@abellotti Please review and share any suggestions for where the encrypt and decrypt methods should live if not where I have them. I could imagine their might be other possibilities for where they should be but there was other Also the v2 encrypted test data might be better generated instead of hard coded but I an not sure the best way to generate them. As long as the encrypted and decrypted test data will always match the solution I have should work fine. |
@@ -97,6 +97,7 @@ def authenticate(username, password, request = nil, options = {}) | |||
|
|||
def authorize(taskid, username, *args) | |||
audit = {:event => "authorize", :userid => username} | |||
decrypt_ldap_password(config) if MiqLdap.using_ldap? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
where is this config
variable defined?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@chessbyte It's a reader, line 28.
3cec58b
to
3ea47f0
Compare
@chrisarcand and @jrafanie Thank you for the spec simplification suggestions. I like this approach much better. 👍 |
allow(MiqQueue).to receive(:put) { :return_value } | ||
allow(subject).to receive(:encrypt_ldap_password) { called_encrypt_ldap_password = true } | ||
authenticate | ||
expect(called_encrypt_ldap_password).to be_truthy |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hmm I'm not sure what's going on here. This could easily be a false positive as without any of the preceding lines called_encrypt_ldap_password
could be true.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Indeed, line 174 means this test always passes.
You should be doing some form of expect(subject).to receive(:encrypt_ldap_password)
I'm also not sure what double(:id => :return_value)
does. Does RSpec have a :return_value
? Even if it does, I'm not sure what you're trying to do in 172 or 173 (the latter would theoretically 'allow' MiqQueue something that it already does normally ;) )
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I see you mean :return_value
as a dummy value, derp. In this case I'd personally use an Integer on line 172 (whatever, though) but more importantly you needn't give line 173 a block, allow(MiqQueue).to receive(:put)
will work just fine 👌
I suggest the following:
context "when using LDAP" do
let(:config) { super().merge(:ldap_role => true) }
before do
allow(MiqQueue).to receive(:put)
end
it "encrypts password for queuing" do
expect(subject).to receive(:authorize_queue)
authenticate
end
end
Whatcha think?
fe1a058
to
f81bc84
Compare
@chrisarcand Thank you again for the help! |
allow(subject).to receive(:decrypt_ldap_password) { called_decrypt_ldap_password = true } | ||
subject.authorize(22, 'alice', 1) | ||
expect(called_decrypt_ldap_password).to be_truthy | ||
end |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Not quite, @jvlcek ! You forgot to do the same thing here :)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
D'oh! Thanks @chrisarcand!
cc2e40e
to
56258a2
Compare
Checked commit jvlcek@56258a2 with ruby 2.2.3, rubocop 0.34.2, and haml-lint 0.13.0 |
👍 🎉 |
@@ -163,6 +164,20 @@ def authenticate | |||
let(:username) { 'alice' } | |||
let(:password) { 'secret' } | |||
|
|||
context "when using LDAP" do | |||
let(:config) { super().merge(:ldap_role => true) } |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Are the empty parens required in the super()
@chrisarcand?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@jrafanie They seem to be. I just tried running the spec without them and it fails. :) The super()
is found throughout the spec.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@jrafanie I uncovered the reason.
super without arguments will invoke the superclass method with the original params. To pass no params the empty parens are needed.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, you need them if you want to call that way.
Not worth changing here but FWIW I avoid this by using another helper to change contexts when you're this far down the nesting, ie:
Instead of:
describe Thing do
let(:credentials) { { username: "asdf", password: "qwerty" } }
context "default do
(test that uses "qwerty" password)
end
context "using a different password" do
let(:credentials) { super().merge(password: "a different one") }
(test that uses "a different one")
end
end
I do
describe Thing do
let(:credentials) { { username: "asdf", password: password } }
let(:password) { "qwerty" }
context "default do
(test that uses "qwerty" password)
end
context "using a different password" do
let(:password) { "a different one" }
(test that uses "a different one")
end
end
¯_(ツ)_/¯
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks @jvlcek, I had a hunch that super()
was used to discard the args but it's not obvious why, maybe because the block arg is different... who knows. ✨
Either way, I prefer @chrisarcand's latter example above, but yeah, it's fine for this PR.
🍰 |
Encrypt ldap bind password when queuing to MiqQueue
🏆 |
https://bugzilla.redhat.com/show_bug.cgi?id=1302062 PR: ManageIQ#6539 Cherry Pick was not clean. Conflicts showed up in spec/models/authenticator/ldap_spec.rb due to earlier updates to the spec that are not cherry picked
Encrypt ldap bind password when queuing to MiqQueue https://bugzilla.redhat.com/show_bug.cgi?id=1302062 PR: ManageIQ#6539 Cherry Pick was not clean. Conflicts showed up in spec/models/authenticator/ldap_spec.rb due to earlier updates to the spec that are not cherry picked See merge request !781
https://bugzilla.redhat.com/show_bug.cgi?id=1297576
This PR encrypts the Ldap bind password when placing it on the MiqQueue in Args
and decrypts it when popping the message off the MiqQueue. This ensures unencrypted
passwords are not in the DB and also prevents them from being logged.