From df215b2c5600be029cc9ee98fe99c6e56d7fe049 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Romain=20Tarti=C3=A8re?= Date: Fri, 24 Feb 2023 13:25:14 -1000 Subject: [PATCH] Unwrap sensitive values for testing When testing, sensitive values can be compared to the String `Sensitive [value redacted]`, but if we want to check that the redacted content is the one we expect, we should compare with another Sensitive wrapper. --- spec/defines/server/role_spec.rb | 26 ++++++++++++++------------ 1 file changed, 14 insertions(+), 12 deletions(-) diff --git a/spec/defines/server/role_spec.rb b/spec/defines/server/role_spec.rb index d1d61e7ff4..7ad459f4d2 100644 --- a/spec/defines/server/role_spec.rb +++ b/spec/defines/server/role_spec.rb @@ -24,7 +24,7 @@ it 'has create role for "test" user with password as ****' do expect(subject).to contain_postgresql_psql('CREATE ROLE test ENCRYPTED PASSWORD ****') - .with('command' => 'Sensitive [value redacted]', + .with('command' => sensitive(%(CREATE ROLE "test" ENCRYPTED PASSWORD 'new-pa$s' LOGIN NOCREATEROLE NOCREATEDB NOSUPERUSER CONNECTION LIMIT -1)), 'sensitive' => 'true', 'unless' => "SELECT 1 FROM pg_roles WHERE rolname = 'test'", 'port' => '5432') @@ -32,9 +32,9 @@ it 'has alter role for "test" user with password as ****' do expect(subject).to contain_postgresql_psql('ALTER ROLE test ENCRYPTED PASSWORD ****') - .with('command' => 'Sensitive [value redacted]', + .with('command' => sensitive(%(ALTER ROLE "test" ENCRYPTED PASSWORD 'md5b6f7fcbbabb4befde4588a26c1cfd2fa')), 'sensitive' => 'true', - 'unless' => 'Sensitive [value redacted]', + 'unless' => sensitive(%(SELECT 1 FROM pg_shadow WHERE usename = 'test' AND passwd = 'md5b6f7fcbbabb4befde4588a26c1cfd2fa')), 'port' => '5432') end end 
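Review bot: The expected `command` in the @@ -24,7 hunk now spells out `ENCRYPTED PASSWORD 'new-pa$s'`, which reads like the cleartext password, whereas the ALTER ROLE expectations elsewhere in this patch carry an `md5…` hash. If CREATE ROLE is meant to receive the value exactly as given, a one-line comment above the expectation such as `# CREATE ROLE is expected to carry the password as passed in; only ALTER ROLE uses the hash` would say so; if it is not intended, the spec is now pinning that behaviour. The same literal recurs in the @@ -50,7, @@ -84,7 and @@ -121,7 hunks. The enclosing `context` starts outside the hunk, so the password parameter it passes is not visible here.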
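Review bot: The hash literal `md5b6f7fcbbabb4befde4588a26c1cfd2fa` appears twice in the @@ -32,9 hunk (`command` and `unless`) and again in the @@ -94,8 and @@ -129,8 hunks, with nothing saying what it was derived from. A shared `let(:password_hash) { 'md5b6f7fcbbabb4befde4588a26c1cfd2fa' }` would keep the six copies in sync. It should carry a comment naming the password and role it corresponds to (presumably `new-pa$s` for `test`, to be confirmed). The expectations could then interpolate it, for example `sensitive(%(ALTER ROLE "test" ENCRYPTED PASSWORD '#{password_hash}'))`.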
@@ -50,7 +50,7 @@ it 'has create role for "test" user with password as ****' do expect(subject).to contain_postgresql_psql('CREATE ROLE test ENCRYPTED PASSWORD ****') - .with('command' => 'Sensitive [value redacted]', + .with('command' => sensitive(%(CREATE ROLE "test" ENCRYPTED PASSWORD 'new-pa$s' LOGIN NOCREATEROLE NOCREATEDB NOSUPERUSER CONNECTION LIMIT -1)), 'sensitive' => 'true', 'unless' => "SELECT 1 FROM pg_roles WHERE rolname = 'test'", 'port' => '5432') @@ -58,9 +58,11 @@ it 'has alter role for "test" user with password as ****' do expect(subject).to contain_postgresql_psql('ALTER ROLE test ENCRYPTED PASSWORD ****') - .with('command' => 'Sensitive [value redacted]', + .with('command' => sensitive(%(ALTER ROLE "test" ENCRYPTED PASSWORD 'Sensitive [value redacted]')), + # FIXME: This is obviously wrong ^^^^^^^^^^^^^^^^^^^^^^^^^^ 'sensitive' => 'true', - 'unless' => 'Sensitive [value redacted]', + 'unless' => sensitive(%(SELECT 1 FROM pg_shadow WHERE usename = 'test' AND passwd = 'Sensitive [value redacted]')), + # FIXME: This is obviously wrong ^^^^^^^^^^^^^^^^^^^^^^^^^^ 'port' => '5432') end end @@ -84,7 +86,7 @@ it 'has create role for "test" user with password as ****' do expect(subject).to contain_postgresql_psql('CREATE ROLE test ENCRYPTED PASSWORD ****') - .with_command('Sensitive [value redacted]') + .with_command(sensitive(%(CREATE ROLE "test" ENCRYPTED PASSWORD 'new-pa$s' LOGIN NOCREATEROLE NOCREATEDB NOSUPERUSER CONNECTION LIMIT -1))) .with_sensitive('true') .with_unless("SELECT 1 FROM pg_roles WHERE rolname = 'test'") .with_port(5432) 
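Review bot: The two `FIXME` expectations in the @@ -58,9 hunk assert that the literal text `Sensitive [value redacted]` ends up inside the ALTER ROLE statement and the `pg_shadow` check. The suite therefore passes while the resource would apparently set and compare a fixed, publicly known string instead of the real hash. Pinning the wrong value hides the defect from CI. Writing the expected value as in the neighbouring contexts and adding `pending('password is interpolated after redaction')` as the first line of the `it` block would keep the failure visible until the define unwraps the value before building the SQL. The `context` that supplies the password lies outside the hunk, so the cause (likely a Sensitive-typed password parameter) is inferred.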
@@ -94,8 +96,8 @@ it 'has alter role for "test" user with password as ****' do expect(subject).to contain_postgresql_psql('ALTER ROLE test ENCRYPTED PASSWORD ****') - .with('command' => 'Sensitive [value redacted]', 'sensitive' => 'true', - 'unless' => 'Sensitive [value redacted]', 'port' => '5432', + .with('command' => sensitive(%(ALTER ROLE "test" ENCRYPTED PASSWORD 'md5b6f7fcbbabb4befde4588a26c1cfd2fa')), 'sensitive' => 'true', + 'unless' => sensitive(%(SELECT 1 FROM pg_shadow WHERE usename = 'test' AND passwd = 'md5b6f7fcbbabb4befde4588a26c1cfd2fa')), 'port' => '5432', 'connect_settings' => { 'PGHOST' => 'postgres-db-server', 'DBVERSION' => '9.1', 'PGUSER' => 'login-user', 'PGPASSWORD' => 'login-pass' }) end @@ -121,7 +123,7 @@ it 'has create role for "test" user with password as ****' do expect(subject).to contain_postgresql_psql('CREATE ROLE test ENCRYPTED PASSWORD ****') - .with('command' => 'Sensitive [value redacted]', + .with('command' => sensitive(%(CREATE ROLE "test" ENCRYPTED PASSWORD 'new-pa$s' LOGIN NOCREATEROLE NOCREATEDB NOSUPERUSER CONNECTION LIMIT -1)), 'sensitive' => 'true', 'unless' => "SELECT 1 FROM pg_roles WHERE rolname = 'test'", 'connect_settings' => { 'PGHOST' => 'postgres-db-server', 'DBVERSION' => '9.1', 'PGPORT' => '1234', 'PGUSER' => 'login-user', 'PGPASSWORD' => 'login-pass' }) 
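Review bot: In the @@ -94,8 hunk `command` and `unless` are now compared as Sensitive, but the unchanged `connect_settings` line still matches `'PGPASSWORD' => 'login-pass'` as a plain string, which suggests the connection password sits unwrapped in the catalog. The commit does not touch that, and closing it probably needs a change in the define rather than in the spec. A short comment next to the expectation, e.g. `# connect_settings is not Sensitive, so PGPASSWORD is compared in clear`, would record the gap. The same applies to the @@ -121,7 and @@ -129,8 hunks.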
@@ -129,8 +131,8 @@ it 'has alter role for "test" user with password as ****' do expect(subject).to contain_postgresql_psql('ALTER ROLE test ENCRYPTED PASSWORD ****') - .with('command' => 'Sensitive [value redacted]', 'sensitive' => 'true', - 'unless' => 'Sensitive [value redacted]', + .with('command' => sensitive(%(ALTER ROLE "test" ENCRYPTED PASSWORD 'md5b6f7fcbbabb4befde4588a26c1cfd2fa')), 'sensitive' => 'true', + 'unless' => sensitive(%(SELECT 1 FROM pg_shadow WHERE usename = 'test' AND passwd = 'md5b6f7fcbbabb4befde4588a26c1cfd2fa')), 'connect_settings' => { 'PGHOST' => 'postgres-db-server', 'DBVERSION' => '9.1', 'PGPORT' => '1234', 'PGUSER' => 'login-user', 'PGPASSWORD' => 'login-pass' }) end