Unwrap sensitive values for testing

smortex · smortex · commit 38da5286d4c0 · 2023-06-29T12:54:57.000-10:00
When testing, sensitive values can be compared to the String `Sensitive
[value redacted]`, but if we want to check that the redacted content is
the one we expect, we should compare with another Sensitive wrapper.
diff --git a/spec/defines/server/role_spec.rb b/spec/defines/server/role_spec.rb
@@ -24,17 +24,17 @@
 
     it 'has create role for "test" user with password as ****' do
       expect(subject).to contain_postgresql_psql('CREATE ROLE test ENCRYPTED PASSWORD ****')
-        .with('command' => 'Sensitive [value redacted]',
+        .with('command' => sensitive(%(CREATE ROLE "test" ENCRYPTED PASSWORD 'new-pa$s' LOGIN NOCREATEROLE NOCREATEDB NOSUPERUSER  CONNECTION LIMIT -1)),
               'sensitive' => 'true',
               'unless' => "SELECT 1 FROM pg_roles WHERE rolname = 'test'",
               'port' => '5432')
     end
 
     it 'has alter role for "test" user with password as ****' do
       expect(subject).to contain_postgresql_psql('ALTER ROLE test ENCRYPTED PASSWORD ****')
-        .with('command' => 'Sensitive [value redacted]',
+        .with('command' => sensitive(%(ALTER ROLE "test" ENCRYPTED PASSWORD 'md5b6f7fcbbabb4befde4588a26c1cfd2fa')),
               'sensitive' => 'true',
-              'unless' => 'Sensitive [value redacted]',
+              'unless' => sensitive(%(SELECT 1 FROM pg_shadow WHERE usename = 'test' AND passwd = 'md5b6f7fcbbabb4befde4588a26c1cfd2fa')),
               'port' => '5432')
     end
   end
@@ -50,17 +50,19 @@
 
     it 'has create role for "test" user with password as ****' do
       expect(subject).to contain_postgresql_psql('CREATE ROLE test ENCRYPTED PASSWORD ****')
-        .with('command' => 'Sensitive [value redacted]',
+        .with('command' => sensitive(%(CREATE ROLE "test" ENCRYPTED PASSWORD 'new-pa$s' LOGIN NOCREATEROLE NOCREATEDB NOSUPERUSER  CONNECTION LIMIT -1)),
               'sensitive' => 'true',
               'unless' => "SELECT 1 FROM pg_roles WHERE rolname = 'test'",
               'port' => '5432')
     end
 
     it 'has alter role for "test" user with password as ****' do
       expect(subject).to contain_postgresql_psql('ALTER ROLE test ENCRYPTED PASSWORD ****')
-        .with('command' => 'Sensitive [value redacted]',
+        .with('command' => sensitive(%(ALTER ROLE "test" ENCRYPTED PASSWORD 'Sensitive [value redacted]')),
+              # FIXME: This is obviously wrong                               ^^^^^^^^^^^^^^^^^^^^^^^^^^
               'sensitive' => 'true',
-              'unless' => 'Sensitive [value redacted]',
+              'unless' => sensitive(%(SELECT 1 FROM pg_shadow WHERE usename = 'test' AND passwd = 'Sensitive [value redacted]')),
+              # FIXME: This is obviously wrong                                                     ^^^^^^^^^^^^^^^^^^^^^^^^^^
               'port' => '5432')
     end
   end
@@ -84,7 +86,7 @@
 
     it 'has create role for "test" user with password as ****' do
       expect(subject).to contain_postgresql_psql('CREATE ROLE test ENCRYPTED PASSWORD ****')
-        .with_command('Sensitive [value redacted]')
+        .with_command(sensitive(%(CREATE ROLE "test" ENCRYPTED PASSWORD 'new-pa$s' LOGIN NOCREATEROLE NOCREATEDB NOSUPERUSER  CONNECTION LIMIT -1)))
         .with_sensitive('true')
         .with_unless("SELECT 1 FROM pg_roles WHERE rolname = 'test'")
         .with_port(5432)
@@ -94,8 +96,8 @@
 
     it 'has alter role for "test" user with password as ****' do
       expect(subject).to contain_postgresql_psql('ALTER ROLE test ENCRYPTED PASSWORD ****')
-        .with('command' => 'Sensitive [value redacted]', 'sensitive' => 'true',
-              'unless' => 'Sensitive [value redacted]', 'port' => '5432',
+        .with('command' => sensitive(%(ALTER ROLE "test" ENCRYPTED PASSWORD 'md5b6f7fcbbabb4befde4588a26c1cfd2fa')), 'sensitive' => 'true',
+              'unless' => sensitive(%(SELECT 1 FROM pg_shadow WHERE usename = 'test' AND passwd = 'md5b6f7fcbbabb4befde4588a26c1cfd2fa')), 'port' => '5432',
               'connect_settings' => { 'PGHOST' => 'postgres-db-server', 'DBVERSION' => '9.1',
                                       'PGUSER' => 'login-user', 'PGPASSWORD' => 'login-pass' })
     end
@@ -121,16 +123,16 @@
 
     it 'has create role for "test" user with password as ****' do
       expect(subject).to contain_postgresql_psql('CREATE ROLE test ENCRYPTED PASSWORD ****')
-        .with('command' => 'Sensitive [value redacted]',
+        .with('command' => sensitive(%(CREATE ROLE "test" ENCRYPTED PASSWORD 'new-pa$s' LOGIN NOCREATEROLE NOCREATEDB NOSUPERUSER  CONNECTION LIMIT -1)),
               'sensitive' => 'true', 'unless' => "SELECT 1 FROM pg_roles WHERE rolname = 'test'",
               'connect_settings' => { 'PGHOST' => 'postgres-db-server', 'DBVERSION' => '9.1',
                                       'PGPORT' => '1234', 'PGUSER' => 'login-user', 'PGPASSWORD' => 'login-pass' })
     end
 
     it 'has alter role for "test" user with password as ****' do
       expect(subject).to contain_postgresql_psql('ALTER ROLE test ENCRYPTED PASSWORD ****')
-        .with('command' => 'Sensitive [value redacted]', 'sensitive' => 'true',
-              'unless' => 'Sensitive [value redacted]',
+        .with('command' => sensitive(%(ALTER ROLE "test" ENCRYPTED PASSWORD 'md5b6f7fcbbabb4befde4588a26c1cfd2fa')), 'sensitive' => 'true',
+              'unless' => sensitive(%(SELECT 1 FROM pg_shadow WHERE usename = 'test' AND passwd = 'md5b6f7fcbbabb4befde4588a26c1cfd2fa')),
               'connect_settings' => { 'PGHOST' => 'postgres-db-server', 'DBVERSION' => '9.1',
                                       'PGPORT' => '1234', 'PGUSER' => 'login-user', 'PGPASSWORD' => 'login-pass' })
     end
