read password from env var

florindragos · florindragos · commit c8436f9be0b4 · 2018-07-12T15:36:33.000+03:00
diff --git a/manifests/registry.pp b/manifests/registry.pp
@@ -53,12 +53,14 @@
     $exec_path = ['c:/Windows/Temp/', 'C:/Program Files/Docker/']
     $exec_provider = 'powershell'
     $password_env = '$env:password'
+    $exec_user = undef
   } else {
     $exec_environment = ['HOME=/root']
     $exec_path = ['/bin', '/usr/bin']
     $exec_timeout = 0
     $exec_provider = undef
     $password_env = "\${password}"
+    $exec_user = $local_user
   }
 
   if $ensure == 'present' {
@@ -67,7 +69,7 @@
       $auth_environment = "password=${password}"
     }
     elsif $username != undef and $password != undef {
-      $auth_cmd = "${docker_command} login -u '${username}' -p ${password_env} ${server}"
+      $auth_cmd = "${docker_command} login -u '${username}' -p '${password_env}' ${server}"
       $auth_environment = "password=${password}"
     }
     else {
@@ -80,6 +82,7 @@
     $auth_environment = ''
   }
 
+  $docker_auth = "${title}${auth_environment}${auth_cmd}${local_user}"
   if $receipt {
 
     # server may be an URI, which can contain /
@@ -90,7 +93,7 @@
       $local_user_strip = regsubst($local_user, '-', '', 'G')
 
       $_pass_hash = $pass_hash ? {
-        Undef   => pw_hash("${title}${auth_environment}${auth_cmd}${local_user}", 'SHA-512', $local_user_strip),
+        Undef   => pw_hash($docker_auth, 'SHA-512', $local_user_strip),
         default => $pass_hash
       }
       $_auth_command = "${auth_cmd} || rm -f \"/root/registry-auth-puppet_receipt_${server_strip}_${local_user}\""
@@ -101,7 +104,6 @@
         notify  => Exec["${title} auth"],
       }
     } else {
-      $pass = "${title}${auth_environment}${auth_cmd}${local_user}"
       $_auth_command = $auth_cmd
       $pw_hash_path = 'C:/Windows/Temp/compute_hash.ps1'
       $passfile = "C:/Windows/Temp/registry-auth-puppet_receipt_${server_strip}_${local_user}"
@@ -124,10 +126,16 @@
     $_auth_command = $auth_cmd
   }
 
+  if $auth_environment != '' {
+    $exec_env = concat($exec_environment, $auth_environment, "docker_auth=${docker_auth}")
+  } else {
+    $exec_env = concat($exec_environment, "docker_auth=${docker_auth}")
+  }
+
   exec { "${title} auth":
-    environment =>  concat($exec_environment, $auth_environment),
+    environment => $exec_env,
     command     => $_auth_command,
-    #user        => $local_user,
+    user        => $exec_user,
     path        => $exec_path,
     timeout     => $exec_timeout,
     provider    => $exec_provider,
diff --git a/spec/defines/registry_spec.rb b/spec/defines/registry_spec.rb
@@ -40,22 +40,22 @@
 
   context 'with ensure => present and username => user1, and password => secret and email => user1@example.io' do
     let(:params) { { 'ensure' => 'present', 'username' => 'user1', 'password' => 'secret', 'email' => 'user1@example.io', 'version' => '17.06', 'pass_hash' => 'test1234', 'receipt' => false } }
-    it { should contain_exec('localhost:5000 auth').with_command("docker login -u 'user1' -p \"${password}\" localhost:5000").with_environment('password=secret') }
+    it { should contain_exec('localhost:5000 auth').with_command("docker login -u 'user1' -p '${password}' localhost:5000").with_environment(/password=secret/) }
   end
 
  context 'with ensure => present and username => user1, and password => secret and email => user1@example.io and version < 1.11.0' do
     let(:params) { { 'ensure' => 'present', 'username' => 'user1', 'password' => 'secret', 'email' => 'user1@example.io', 'version' => '1.9.0', 'pass_hash' => 'test1234', 'receipt' => false } }
-    it { should contain_exec('localhost:5000 auth').with_command("docker login -u 'user1' -p \"${password}\" -e 'user1@example.io' localhost:5000").with_environment('password=secret') }
+    it { should contain_exec('localhost:5000 auth').with_command("docker login -u 'user1' -p '${password}' -e 'user1@example.io' localhost:5000").with_environment(/password=secret/) }
   end
 
   context 'with username => user1, and password => secret' do
     let(:params) { { 'username' => 'user1', 'password' => 'secret', 'version' => '17.06', 'pass_hash' => 'test1234', 'receipt' => false } }
-    it { should contain_exec('localhost:5000 auth').with_command("docker login -u 'user1' -p \"${password}\" localhost:5000").with_environment('password=secret') }
+    it { should contain_exec('localhost:5000 auth').with_command("docker login -u 'user1' -p '${password}' localhost:5000").with_environment(/password=secret/) }
   end
 
   context 'with username => user1, and password => secret and local_user => testuser' do
     let(:params) { { 'username' => 'user1', 'password' => 'secret', 'local_user' => 'testuser', 'version' => '17.06', 'pass_hash' => 'test1234', 'receipt' => false } }
-    it { should contain_exec('localhost:5000 auth').with_command("docker login -u 'user1' -p \"${password}\" localhost:5000").with_user('testuser').with_environment('password=secret') }
+    it { should contain_exec('localhost:5000 auth').with_command("docker login -u 'user1' -p '${password}' localhost:5000").with_user('testuser').with_environment(/password=secret/) }
   end
 
   context 'with an invalid ensure value' do
diff --git a/templates/windows/compute_hash.ps1.erb b/templates/windows/compute_hash.ps1.erb
@@ -1,6 +1,6 @@
 #file computes the 512SHA for a given string and writes it to a file
 
-$String = "<%= @pass %>"
+$String = $env:docker_auth
 $HashName = "SHA512"
 $StringBuilder = New-Object System.Text.StringBuilder 
 [System.Security.Cryptography.HashAlgorithm]::Create($HashName).ComputeHash([System.Text.Encoding]::UTF8.GetBytes($String))|%{ 
