From 61058b76100f37296e72960fa8afcf1bb1e5cf1a Mon Sep 17 00:00:00 2001
From: Martin Hagstrom
Date: Mon, 19 Oct 2015 15:07:04 +0200
Subject: [PATCH] Don't hash passwords that are already hashed
---
 README.md | 13 +++++++++++++
 lib/puppet/parser/functions/mysql_password.rb | 1 +
 spec/unit/puppet/functions/mysql_password_spec.rb | 5 +++++
 3 files changed, 19 insertions(+)
diff --git a/README.md b/README.md
index 99ac0f3..9961d6d 100644
--- a/README.md
+++ b/README.md
@@ -152,6 +152,19 @@ server address and credentials. For example: When working with a remote server, do *not* use the `mysql::server` class in your Puppet manifests.
+### Using passwords
+
+As well as inputting passwords as plain text you can input them as hashes. For example:
+
+~~~
+mysql::db { 'mydb':
+ user => 'myuser',
+ password => '*6C8989366EAF75BB670AD8EA7A7FC1176A95CEF4',
+ host => 'localhost',
+ grant => ['SELECT', 'UPDATE'],
+}
+~~~
+
 ## Reference
 ### Classes
diff --git a/lib/puppet/parser/functions/mysql_password.rb b/lib/puppet/parser/functions/mysql_password.rb
index b8a6cda..74d7fa8 100644
--- a/lib/puppet/parser/functions/mysql_password.rb
+++ b/lib/puppet/parser/functions/mysql_password.rb
@@ -11,6 +11,7 @@ module Puppet::Parser::Functions
 "given (#{args.size} for 1)") if args.size != 1
 return '' if args[0].empty?
+ return args[0] if args[0] =~ /\*[A-F0-9]{40}$/
 '*' + Digest::SHA1.hexdigest(Digest::SHA1.digest(args[0])).upcase
 end
 end
diff --git a/spec/unit/puppet/functions/mysql_password_spec.rb b/spec/unit/puppet/functions/mysql_password_spec.rb
index 14aebd9..2d5feea 100644
--- a/spec/unit/puppet/functions/mysql_password_spec.rb
+++ b/spec/unit/puppet/functions/mysql_password_spec.rb
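Review bot: The pass-through pattern on the added line in mysql_password.rb, `/\*[A-F0-9]{40}$/`, has no start anchor and `$` matches at the end of any line, so an argument that merely ends in `*` plus 40 uppercase hex characters, or a multi-line string containing such a line, is returned verbatim instead of being hashed. Anchor the whole string instead: `return args[0] if args[0] =~ /\A\*[A-F0-9]{40}\z/`. A plaintext password that has exactly that shape still cannot be told apart from a hash, so the check deserves a comment such as `# A value shaped like a mysql_native_password hash is assumed to be pre-hashed and is returned unchanged`, and the README section added in this commit should state the same limitation. The enclosing function starts above the hunk, so the argument-count check is only partly visible.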
@@ -29,4 +29,9 @@ describe 'the mysql_password function' do
 expect(result).to(eq(''))
 end
+ it 'should not convert a password that is already a hash' do
+ result = scope.function_mysql_password(['*2470C0C06DEE42FD1618BB99005ADCA2EC9D1E19'])
+ expect(result).to(eq('*2470C0C06DEE42FD1618BB99005ADCA2EC9D1E19'))
+ end
+
 end
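Review bot: The added example only shows that a well-formed hash comes back unchanged; no case pins where "already hashed" stops. Add negative examples beside it whose result must differ from the input: one with extra characters before the `*` (for instance the constructed value `'x*2470C0C06DEE42FD1618BB99005ADCA2EC9D1E19'`) and one where the hash is followed by a newline and more text. Against the pattern committed in mysql_password.rb (`/\*[A-F0-9]{40}$/`) both inputs would be passed through unhashed, so these cases would fail until that pattern is anchored with `\A` and `\z`.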