Generate a new ansible rabbitmq password

If the current rabbitmq password contains special characters it will fail a new preflight check in the setup playbook. This is fixed for new installations by ManageIQ/manageiq#18092 but because we re-run the setup playbook when we upgrade the tower version, we also need to correct existing ones. https://bugzilla.redhat.com/show_bug.cgi?id=1638009
carbonin · Oct 12, 2018 · 10f6739 · 10f6739
1 parent e3f2b88
commit 10f6739
Show file tree

Hide file tree

Showing 2 changed files with 80 additions and 0 deletions.
diff --git a/db/migrate/20181012160010_remove_special_characters_from_ansible_rabbitmq_password.rb b/db/migrate/20181012160010_remove_special_characters_from_ansible_rabbitmq_password.rb
@@ -0,0 +1,25 @@
+require 'securerandom'
+
+class RemoveSpecialCharactersFromAnsibleRabbitmqPassword < ActiveRecord::Migration[5.0]
+  # used only in specs
+  class MiqDatabase < ActiveRecord::Base; end
+
+  class Authentication < ActiveRecord::Base
+    self.inheritance_column = :_type_disabled
+    include ActiveRecord::IdRegions
+  end
+
+  def up
+    auth = Authentication.in_my_region.find_by(
+      :name     => "Ansible Rabbitmq Authentication",
+      :authtype => "ansible_rabbitmq_auth",
+      :userid   => "ansible",
+      :type     => "AuthUseridPassword"
+    )
+
+    return unless auth
+
+    current = MiqPassword.decrypt(auth.password)
+    auth.update_attributes!(:password => MiqPassword.encrypt(SecureRandom.hex(18))) unless current.match?(/^[a-zA-Z0-9]+$/)
+  end
+end
diff --git a/...igrations/20181012160010_remove_special_characters_from_ansible_rabbitmq_password_spec.rb b/...igrations/20181012160010_remove_special_characters_from_ansible_rabbitmq_password_spec.rb
@@ -0,0 +1,55 @@
+require_migration
+
+describe RemoveSpecialCharactersFromAnsibleRabbitmqPassword do
+  let(:database_stub)       { migration_stub(:MiqDatabase) }
+  let(:authentication_stub) { migration_stub(:Authentication) }
+  let(:db_id)               { database_stub.first.id }
+  let(:auth_attributes) do
+    {
+      :name          => "Ansible Rabbitmq Authentication",
+      :authtype      => "ansible_rabbitmq_auth",
+      :userid        => "ansible",
+      :type          => "AuthUseridPassword",
+      :resource_id   => db_id,
+      :resource_type => "MiqDatabase"
+    }
+  end
+
+  before { database_stub.create! }
+
+  migration_context :up do
+    it "does nothing if the authentication record doesn't exist" do
+      expect(rabbitmq_auths.count).to eq(0)
+      migrate
+      expect(rabbitmq_auths.count).to eq(0)
+    end
+
+    it "does not change the password if the existing one doesn't contain special characters" do
+      authentication_stub.create!(auth_attributes.merge(:password => MiqPassword.encrypt("password")))
+      expect(ansible_rabbitmq_password).to eq("password")
+
+      migrate
+
+      expect(ansible_rabbitmq_password).to eq("password")
+    end
+
+    it "generates a new password when the existing one contains special characters" do
+      authentication_stub.create!(auth_attributes.merge(:password => MiqPassword.encrypt("pass_word")))
+      expect(ansible_rabbitmq_password).to eq("pass_word")
+
+      migrate
+
+      expect(ansible_rabbitmq_password).to match(/^[a-zA-Z0-9]+$/)
+    end
+  end
+
+  def rabbitmq_auths
+    authentication_stub.where(auth_attributes)
+  end
+
+  def ansible_rabbitmq_password
+    auths = rabbitmq_auths
+    expect(auths.count).to eq(1)
+    MiqPassword.decrypt(auths.first.password)
+  end
+end