Replace erlang cookie fact with type and provider
Keeping secrets as facts is a potential security risk since facts are generally not protected as secrets. This change removes the rabbitmq_erlang_cookie fact. In order to make this feasible, the exec that wipes out the rabbitmq db and the file resource managing the cookie are replaced by a type and provider to reproduce this functionality.
Colleen Murphy
committed
Dec 19, 2014
1 parent
04145c1
commit 5c485b8
Showing
8 changed files
with
161 additions
and
89 deletions.
@@ -0,0 +1,38 @@ | ||
require 'puppet' | ||
require 'set' | ||
Puppet::Type.type(:rabbitmq_erlang_cookie).provide(:ruby) do | ||
|
||
defaultfor :feature => :posix | ||
has_command(:puppet, 'puppet') do | ||
environment :PATH => '/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin' | ||
end | ||
|
||
def exists? | ||
# Hack to prevent the create method from being called. | ||
# We never need to create or destroy this resource, only change its value | ||
true | ||
end | ||
|
||
def content=(value) | ||
if resource[:force] == :true # Danger! | ||
puppet('resource', 'service', resource[:service_name], 'ensure=stopped') | ||
FileUtils.rm_rf('/var/lib/rabbitmq/mnesia') | ||
File.open(resource[:path], 'w') do |cookie| | ||
cookie.chmod(0400) | ||
cookie.write(value) | ||
end | ||
FileUtils.chown('rabbitmq', 'rabbitmq', resource[:path]) | ||
else | ||
fail("The current erlang cookie needs to change. In order to do this the RabbitMQ database needs to be wiped. Please set force => true to allow this to happen automatically.") | ||
end | ||
end | ||
|
||
def content | ||
if File.exists?(resource[:path]) | ||
File.read(resource[:path]) | ||
else | ||
'' | ||
end | ||
end | ||
|
||
end |
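Review bot: `File.open(resource[:path], 'w')` on line 51 creates the cookie file with umask-derived permissions and only narrows them with `chmod(0400)` on the following line, so a freshly created cookie is briefly readable by other local users; passing the mode at open time closes that window, `File.open(resource[:path], File::WRONLY | File::CREAT | File::TRUNC, 0400) do |cookie|`, while the chmod should stay for the pre-existing-file case because open does not alter an existing file's mode. `FileUtils` is used on lines 50 and 55 without a `require 'fileutils'`, whereas the `require 'set'` on line 30 is unused — presumably Puppet has already loaded FileUtils, but the provider should not depend on that. The mnesia directory `/var/lib/rabbitmq/mnesia` is hard-coded while the cookie path is a parameter; at minimum a comment such as `# Only the default mnesia directory is wiped; a relocated mnesia base is not handled` would document the assumption. `File.exists?` on line 63 is the deprecated alias of `File.exist?`.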
@@ -0,0 +1,36 @@ | ||
Puppet::Type.newtype(:rabbitmq_erlang_cookie) do | ||
desc 'Type to manage the rabbitmq erlang cookie securely' | ||
|
||
newparam(:path, :namevar => true) | ||
|
||
validate do | ||
# This does pre-validation on the content property and force parameter. | ||
# The intent is to simulate the prior behavior to the invention of this | ||
# type (see https://github.com/puppetlabs/puppetlabs-rabbitmq/blob/4.1.0/manifests/config.pp#L87-L117) | ||
# where validation occurs before the catalog starts being applied. | ||
# This prevents other resources from failing after attempting to apply | ||
# this resource and having it fail due to the force parameter being | ||
# set to false. | ||
is = (File.read(self[:path]) if File.exists?(self[:path])) || '' | ||
should = self[:content] | ||
failstring = 'The current erlang cookie needs to change. In order to do this the RabbitMQ database needs to be wiped. Please set force => true to allow this tohappen automatically.' | ||
fail(failstring) if (is != should && self[:force] != :true) | ||
end | ||
|
||
newproperty(:content) do | ||
desc 'Content of cookie' | ||
newvalues(/^\S+$/) | ||
def change_to_s(current, desired) | ||
"The rabbitmq erlang cookie was changed" | ||
end | ||
end | ||
|
||
newparam(:force) do | ||
defaultto(:false) | ||
newvalues(:true, :false) | ||
end | ||
|
||
newparam(:service_name) do | ||
newvalues(/^\S+$/) | ||
end | ||
end |
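Review bot: The `newvalues(/^\S+$/)` patterns on lines 101 and 115 anchor per line rather than per string, so a value with an embedded newline (a cookie followed by a newline and further text) passes validation and is written verbatim into the cookie file; use whole-string anchors, `newvalues(/\A\S+\z/)`, in both places. The `validate` block compares `is != should` without checking that `:content` was supplied, so a resource declared without `content` fails unless `force => true`; if content is meant to be mandatory, state it with `fail('content is required') if self[:content].nil?`, otherwise guard with `return if should.nil?`. The failure string on line 94 duplicates the provider's message and carries a typo (`tohappen`); a single shared constant would keep the two in sync. `change_to_s` keeps the cookie out of the change log line, but the property's previous and desired values may still be recorded in the agent report — worth confirming that channel is acceptable for this secret.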
@@ -0,0 +1,45 @@ | ||
require 'mocha' | ||
require 'puppet' | ||
require 'puppet/type/rabbitmq_exchange' | ||
RSpec.configure do |config| | ||
config.mock_with :mocha | ||
end | ||
describe Puppet::Type.type(:rabbitmq_erlang_cookie) do | ||
context 'when content needs to change and force is unset' do | ||
it 'fails' do | ||
File.expects(:read).with('/var/lib/rabbitmq/.erlang.cookie').returns('OLDCOOKIE') | ||
File.expects(:exists?).returns(true) | ||
expect { | ||
Puppet::Type.type(:rabbitmq_erlang_cookie).new( | ||
:name => '/var/lib/rabbitmq/.erlang.cookie', | ||
:content => 'NEWCOOKIE', | ||
) | ||
}.to raise_error(Puppet::Error, /The current erlang cookie needs to change/) | ||
end | ||
end | ||
|
||
context 'when content needs to change and force is true' do | ||
it 'sets the cookie' do | ||
File.expects(:read).with('/var/lib/rabbitmq/.erlang.cookie').returns('OLDCOOKIE') | ||
File.expects(:exists?).returns(true) | ||
cookie = Puppet::Type.type(:rabbitmq_erlang_cookie).new( | ||
:name => '/var/lib/rabbitmq/.erlang.cookie', | ||
:content => 'NEWCOOKIE', | ||
:force => true, | ||
) | ||
expect(cookie[:content]).to eq('NEWCOOKIE') | ||
end | ||
end | ||
|
||
context 'when content does not need to change' do | ||
it 'still sets the cookie' do | ||
File.expects(:read).with('/var/lib/rabbitmq/.erlang.cookie').returns('NEWCOOKIE') | ||
File.expects(:exists?).returns(true) | ||
cookie = Puppet::Type.type(:rabbitmq_erlang_cookie).new( | ||
:name => '/var/lib/rabbitmq/.erlang.cookie', | ||
:content => 'NEWCOOKIE', | ||
) | ||
expect(cookie[:content]).to eq('NEWCOOKIE') | ||
end | ||
end | ||
end |
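Review bot: Line 133 requires `puppet/type/rabbitmq_exchange` rather than the type under test, so the spec presumably passes only because Puppet autoloads `rabbitmq_erlang_cookie` during the `Puppet::Type.type` lookup; it should read `require 'puppet/type/rabbitmq_erlang_cookie'`. The `File.expects(:exists?).returns(true)` stubs on lines 141, 155 and 169 carry no `.with(path)`, unlike the neighbouring `:read` expectations, so they would also satisfy an `exists?` call on any other path. Nothing here exercises the provider's `content=`, the force path that stops the service and removes the mnesia directory, which is the part of the change with destructive side effects.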