Use git config to set password in secure.config

Storing password strings directly by substituting placeholders into the
secure.config template was causing issues whereby special characters
were not escaped correctly.

To circumvent this, the user was asked to do the relevant escaping
before setting the password strings.

Use git config to set passwords in order to delegate the responsibility
of proper escaping to the git tool rather than the admin user.

Bug: Issue 13186
Change-Id: I88e543bc92d6dd8dd07ff032f4d7bc4fa0e40371
diff --git a/Secrets.md b/Secrets.md
index 1767bd5..cb2fe9b 100644
--- a/Secrets.md
+++ b/Secrets.md
@@ -65,8 +65,7 @@
 ### LDAP Password
 
 You will need to put the admin LDAP password in a file called `ldapPassword`
-in the same directory of the SSH keys (e.g. `/tmp/secrets`). Password should be put in the
-plain text without quotes. If password contains quotes, they should be escaped (e.g aa\"bb)
+in the same directory of the SSH keys (e.g. `/tmp/secrets`).
 
 ### SMTP Password
 
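Review bot: The LDAP Password paragraph drops the escaping guidance but no longer says how the file content is interpreted. Because `set_secure_password` stores `password.strip()`, the text should state that the file is taken verbatim apart from leading and trailing whitespace being removed, so an admin knows a password that begins or ends with a space will not survive.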
diff --git a/gerrit/etc/secure.config.template b/gerrit/etc/secure.config.template
deleted file mode 100644
index 143aaf2..0000000
--- a/gerrit/etc/secure.config.template
+++ /dev/null
@@ -1,6 +0,0 @@
-[auth]
-	registerEmailPrivateKey = {{ REGISTER_EMAIL_PRIVATE_KEY }}
-[ldap]
-	password = "{{ LDAP_PASSWORD }}"
-[sendemail]
-  smtpPass = {{ SMTP_PASSWORD }}
diff --git a/gerrit/setup_gerrit.py b/gerrit/setup_gerrit.py
index 81cec8d..7db592a 100755
--- a/gerrit/setup_gerrit.py
+++ b/gerrit/setup_gerrit.py
@@ -56,6 +56,13 @@
             return base64.b64decode(get_secret_value_response['SecretBinary'])
 
 
+def set_secure_password(stanza, password):
+    secure_config = GERRIT_CONFIG_DIRECTORY + "secure.config"
+    os.system(
+        "git config -f %s %s '%s'" % (secure_config, stanza, password.strip())
+    )
+
+
 """
 This script setup Gerrit configuration and its plugins when the container spins up.
 
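Review bot: In `set_secure_password`, the `os.system` call interpolates the secret into a shell string inside `'%s'`, so a password containing a single quote closes the quoting and the remainder is parsed by the shell. That brings back the escaping problem this commit sets out to remove and lets secret contents run as commands. Pass an argument list with no shell instead, for example `subprocess.run(["git", "config", "-f", secure_config, stanza, password.strip()], check=True)`, which also surfaces a non-zero exit status that `os.system` discards here. Separately, the context line above returns `base64.b64decode(...)`, which is bytes; formatting bytes with `%s` yields the `b'...'` representation, so decode before writing the value.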
@@ -106,17 +113,18 @@
 file_loader = FileSystemLoader(GERRIT_CONFIG_DIRECTORY)
 env = Environment(loader=file_loader)
 
-print("Setting Register Email Private Key in '" +
-      GERRIT_CONFIG_DIRECTORY + "secure.config'")
-template = env.get_template("secure.config.template")
-with open(GERRIT_CONFIG_DIRECTORY + "secure.config", 'w',
-          encoding='utf-8') as f:
-    f.write(template.render(
-        REGISTER_EMAIL_PRIVATE_KEY=get_secret(
-            GERRIT_KEY_PREFIX + "_registerEmailPrivateKey"),
-        LDAP_PASSWORD=get_secret(GERRIT_KEY_PREFIX + "_ldapPassword"),
-        SMTP_PASSWORD=get_secret(GERRIT_KEY_PREFIX + "_smtpPassword"))
-    )
+set_secure_password(
+    "auth.registerEmailPrivateKey",
+    get_secret(GERRIT_KEY_PREFIX + "_registerEmailPrivateKey")
+)
+set_secure_password(
+    "ldap.password",
+    get_secret(GERRIT_KEY_PREFIX + "_ldapPassword")
+)
+set_secure_password(
+    "sendemail.smtpPass",
+    get_secret(GERRIT_KEY_PREFIX + "_smtpPassword")
+)
 
 BASE_CONFIG_DIR = "/tmp"
 print("Setting Gerrit config in '" + GERRIT_CONFIG_DIRECTORY + "gerrit.config'")
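Review bot: The removed block opened `secure.config` with mode `'w'` and rewrote it from scratch, while the three `set_secure_password` calls edit the file in place, so any keys already present in an existing `secure.config` now persist across runs. If a clean file is expected at container start, remove or truncate it before the first call. The progress message was also dropped; a log line per key that names the stanza (never the value) would keep startup output useful for debugging.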