allow rails to be loaded in fix auth

When objects are serialized into yaml blobs in tables,
we need to load our whole environment to handle the deserialization

This typically happens with miq_requests.options

- add --allow-failures flag
- add note where error was found
- require standard rails when allow failures
- continue despite errors when allow failures
- display status, counts, and # errors
- change order of fixes
- reduce columns brought back
- sending error output to STDERR
- only bring back request/task records that have v1/2 encoded passwords

tools/fix_auth/auth_config_model.rb

@@ -42,8 +42,10 @@ def recrypt(old_value, options = {})
         symbol_keys ? hash.deep_symbolize_keys! : hash.deep_stringify_keys!
         hash.to_yaml
       rescue ArgumentError # undefined class/module
-        puts "potentially bad yaml:"
-        puts old_value
+        unless options[:allow_failures]
+          STDERR.puts "potentially bad yaml:"
+          STDERR.puts old_value
+        end
         raise
       end
     end

tools/fix_auth/auth_model.rb

@@ -11,14 +11,18 @@ def available_columns
         column_names & password_columns
       end
 
+      def select_columns
+        [:id] + available_columns
+      end
+
       def contenders
-        where(selection_criteria)
+        where(selection_criteria).select(select_columns)
       end
 
-      # bring back anything with a password column that is not nil or blank
+      # bring back anything with a password column that has a non blank v1 or v2 password in it
       def selection_criteria
         available_columns.collect do |column|
-          "(COALESCE(#{column},'') <> '')"
+          "(#{column} ~ 'v[12]:{[^}]')"
         end.join(" OR ")
       end
 
@@ -81,16 +85,32 @@ def display_column(r, column, options)
       def run(options = {})
         return if available_columns.empty?
         puts "fixing #{table_name}.#{available_columns.join(", ")}" unless options[:silent]
+        processed = 0
+        errors = 0
         contenders.each do |r|
-          fix_passwords(r, options)
-          if options[:verbose]
-            display_record(r)
-            available_columns.each do |column|
-              display_column(r, column, options)
+          begin
+            fix_passwords(r, options)
+            if options[:verbose]
+              display_record(r)
+              available_columns.each do |column|
+                display_column(r, column, options)
+              end
             end
+            r.save! if !options[:dry_run] && r.changed?
+            processed += 1
+          rescue ArgumentError # undefined class/module
+            errors += 1
+            unless options[:allow_failures]
+              STDERR.puts "unable to fix #{r.class.table_name}:#{r.id}" unless options[:silent]
+              raise
+            end
+          end
+          if !options[:silent] && (errors + processed) % 10_000 == 0
+            puts "processed #{processed} with #{errors} errors"
           end
-          r.save! unless options[:dry_run]
         end
+        puts "#{options[:dry_run] ? "viewed" : "processed"} #{processed} records" unless options[:silent]
+        puts "found #{errors} errors" if errors > 0 && !options[:silent]
       end
 
       def clean_up

tools/fix_auth/cli.rb

@@ -25,6 +25,7 @@ def parse(args, env = {})
         opt :databaseyml, "Rewrite database.yml", :type => :boolean, :short => "y", :default => false
         opt :db,       "Upgrade database",  :type => :boolean, :short => 'x', :default => false
         opt :legacy_key, "Legacy Key",      :type => :string, :short => "K"
+        opt :allow_failures, "Run through all records, even with errors", :type => :boolean, :short => nil, :default => false
       end
 
       options[:database] = args.first || "vmdb_production"

tools/fix_auth/fix_auth.rb

@@ -26,7 +26,7 @@ def db_attributes(database)
     end
 
     def run_options
-      options.slice(:verbose, :dry_run, :hardcode, :invalid)
+      options.slice(:verbose, :dry_run, :hardcode, :invalid, :allow_failures)
     end
 
     def database
@@ -35,7 +35,7 @@ def database
 
     def models
       [FixAuthentication, FixMiqDatabase, FixMiqAeValue, FixMiqAeField,
-       FixMiqRequest, FixMiqRequestTask, FixSettingsChange]
+       FixSettingsChange, FixMiqRequest, FixMiqRequestTask]
     end
 
     def generate_password
@@ -69,6 +69,10 @@ def fix_database_yml
       FixDatabaseYml.run({:hardcode => options[:password]}.merge(run_options))
     end
 
+    def load_rails
+      require File.expand_path("../../../config/application.rb", __FILE__)
+    end
+
     def set_passwords
       MiqPassword.key_root = cert_dir if cert_dir
       MiqPassword.add_legacy_key("v0_key", :v0)
@@ -83,6 +87,7 @@ def run
 
       generate_password if options[:key]
       fix_database_yml if options[:databaseyml]
+      load_rails if options[:allow_failures]
       fix_database_passwords if options[:db]
     end
   end

tools/fix_auth/models.rb

@@ -56,10 +56,6 @@ class FixMiqRequest < ActiveRecord::Base
     self.password_prefix = "password::"
     self.symbol_keys = true
     self.table_name = "miq_requests"
-
-    def self.contenders
-      where("options like '%password%'")
-    end
   end
 
   class FixMiqRequestTask < ActiveRecord::Base
@@ -71,10 +67,6 @@ class FixMiqRequestTask < ActiveRecord::Base
     self.password_prefix = "password::"
     self.symbol_keys = true
     self.table_name = "miq_request_tasks"
-
-    def self.contenders
-      where("options like '%password%'")
-    end
   end
 
   class FixSettingsChange < ActiveRecord::Base
@@ -113,6 +105,10 @@ def load
       self
     end
 
+    def changed?
+      true
+    end
+
     def save!
       File.write(id, @yaml)
     end