Don't hash passwords that are already hashed

puppetlabs · Nov 19, 2015 · 61058b7 · 61058b7
1 parent 2f144b3
commit 61058b7
Show file tree

Hide file tree

Showing 3 changed files with 19 additions and 0 deletions.
diff --git a/README.md b/README.md
@@ -152,6 +152,19 @@ server address and credentials. For example:
 When working with a remote server, do *not* use the
 `mysql::server` class in your Puppet manifests.
 
+### Using passwords
+
+As well as inputting passwords as plain text you can input them as hashes. For example:
+
+~~~
+mysql::db { 'mydb':
+  user     => 'myuser',
+  password => '*6C8989366EAF75BB670AD8EA7A7FC1176A95CEF4',
+  host     => 'localhost',
+  grant    => ['SELECT', 'UPDATE'],
+}
+~~~
+
 ## Reference
 
 ### Classes

diff --git a/lib/puppet/parser/functions/mysql_password.rb b/lib/puppet/parser/functions/mysql_password.rb
@@ -11,6 +11,7 @@ module Puppet::Parser::Functions
       "given (#{args.size} for 1)") if args.size != 1
 
     return '' if args[0].empty?
+    return args[0] if args[0] =~ /\*[A-F0-9]{40}$/
     '*' + Digest::SHA1.hexdigest(Digest::SHA1.digest(args[0])).upcase
   end
 end
diff --git a/spec/unit/puppet/functions/mysql_password_spec.rb b/spec/unit/puppet/functions/mysql_password_spec.rb
@@ -29,4 +29,9 @@
     expect(result).to(eq(''))
   end
 
+  it 'should not convert a password that is already a hash' do
+    result = scope.function_mysql_password(['*2470C0C06DEE42FD1618BB99005ADCA2EC9D1E19'])
+    expect(result).to(eq('*2470C0C06DEE42FD1618BB99005ADCA2EC9D1E19'))
+  end
+
 end