From a0441f74551271d55427fbcda005e7c67305fa6f Mon Sep 17 00:00:00 2001 From: Borne Mace Date: Fri, 27 Apr 2018 16:21:48 -0700 Subject: [PATCH] Fix setting passwords with special characters Password strings with special characters were not being correctly escaped. If --insecure is used the argument should be wrapped in single quotes or escaped per character and there is nothing that can be done about that since the shell messes with the arguments before even passed to the command. Change-Id: Ida14fa62faad4b5793f9736ce079fcfd4af6523e --- kolla_cli/api/password.py | 25 +++++++++++++++++++------ kolla_cli/common/passwords.py | 10 +++++----- kolla_cli/common/utils.py | 12 +++++++++++- 3 files changed, 35 insertions(+), 12 deletions(-) diff --git a/kolla_cli/api/password.py b/kolla_cli/api/password.py index 0c3cd5d..3cf7247 100644 --- a/kolla_cli/api/password.py +++ b/kolla_cli/api/password.py @@ -19,6 +19,7 @@ from kolla_cli.common.passwords import init_passwords from kolla_cli.common.passwords import set_password from kolla_cli.common.passwords import set_password_sshkey from kolla_cli.common.utils import check_arg +from kolla_cli.common.utils import disallow_chars class PasswordApi(object): @@ -32,9 +33,13 @@ class PasswordApi(object): :param value: value of the password :type value: string """ - check_arg(name, u._('Password name'), str) - check_arg(value, u._('Password value'), str, display_param=False, + password_name_string = u._('Password name') + password_value_string = u._('Password value') + check_arg(name, password_name_string, str) + disallow_chars(name, password_name_string, '\'') + check_arg(value, password_value_string, str, display_param=False, empty_ok=True, none_ok=True) + disallow_chars(value, password_value_string, '\'') set_password(name, value) def password_set_sshkey(self, name, private_key, public_key): 
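Review bot: The password_set docstring still describes `value` only as "value of the password", but with the added `disallow_chars` calls a name or value containing a single quote is now rejected, so a legitimate password with an apostrophe can no longer be set through this API. That restriction should be documented where callers will see it, for example `:raises InvalidArgument: if name or value contains a single quote (')`. The same applies to the password_set_sshkey and password_clear hunks. The literal `'\''` is also repeated at every call site; one module-level constant would keep this check in step with the quoting in kolla_cli/common/passwords.py, which depends on it. The method starts above the hunk.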
@@ -48,9 +53,15 @@ class PasswordApi(object): :param public_key: ssh public key :type value: string """ - check_arg(name, u._('Password name'), str) - check_arg(private_key, u._('Private key'), str, display_param=False) - check_arg(public_key, u._('Public key'), str, display_param=False) + password_name_string = u._('Password name') + private_key_string = u._('Private key') + public_key_string = u._('Public key') + check_arg(name, password_name_string, str) + disallow_chars(name, password_name_string, '\'') + check_arg(private_key, private_key_string, str, display_param=False) + disallow_chars(private_key, private_key_string, '\'') + check_arg(public_key, public_key_string, str, display_param=False) + disallow_chars(public_key, public_key_string, '\'') set_password_sshkey(name, private_key, public_key) def password_clear(self, name): @@ -60,7 +71,9 @@ class PasswordApi(object): :param name: name of the password :type name: string """ - check_arg(name, u._('Password name'), str) + password_name_string = u._('Password name') + check_arg(name, password_name_string, str) + disallow_chars(name, password_name_string, '\'') clear_password(name) def password_get_names(self): diff --git a/kolla_cli/common/passwords.py b/kolla_cli/common/passwords.py index b93540f..eba4f10 100644 --- a/kolla_cli/common/passwords.py +++ b/kolla_cli/common/passwords.py @@ -31,8 +31,8 @@ def set_password(pwd_key, pwd_value): if not pwd_value: pwd_value = '' value_switch = '' - cmd = '%s -k %s %s %s' % (_get_cmd_prefix(), pwd_key, value_switch, - pwd_value) + cmd = '%s -k \'%s\' %s \'%s\'' % (_get_cmd_prefix(), pwd_key, value_switch, + pwd_value) err_msg, output = utils.run_cmd(cmd, print_output=False) if err_msg: raise FailedOperation( 
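Review bot: The hand-written `\'%s\'` quoting in set_password is only safe because PasswordApi rejected single quotes earlier. set_password itself performs no check, and run_cmd hands the string to a shell (`shell=True` in the utils.py hunk), so a key or value containing `'` from any other caller is no longer confined to its quoted argument. Quoting where the command is built removes both that dependency and the apostrophe restriction: `cmd = '%s -k %s %s %s' % (_get_cmd_prefix(), quote(pwd_key), value_switch, quote(pwd_value))`, with `quote` being the standard-library helper (`shlex.quote` on Python 3, `pipes.quote` on Python 2). The same applies to the set_password_sshkey and clear_password hunks. Separately, when `pwd_value` is empty the new format appends a literal `''` argument after the empty `value_switch`, where the old code appended nothing; whether the helper command tolerates that extra empty argument is not visible here.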
@@ -41,8 +41,8 @@ def set_password(pwd_key, pwd_value): def set_password_sshkey(pwd_key, private_key, public_key): - cmd = '%s -k %s -r "%s" -u "%s"' % (_get_cmd_prefix(), pwd_key, - private_key, public_key) + cmd = '%s -k \'%s\' -r \'%s\' -u \'%s\'' % (_get_cmd_prefix(), pwd_key, + private_key, public_key) err_msg, output = utils.run_cmd(cmd, print_output=False) if err_msg: raise FailedOperation( @@ -55,7 +55,7 @@ def clear_password(pwd_key): if the password exists, it will be removed from the passwords file """ - cmd = '%s -k %s -c' % (_get_cmd_prefix(), pwd_key) + cmd = '%s -k \'%s\' -c' % (_get_cmd_prefix(), pwd_key) err_msg, output = utils.run_cmd(cmd, print_output=False) if err_msg: raise FailedOperation('%s %s' % (err_msg, output)) diff --git a/kolla_cli/common/utils.py b/kolla_cli/common/utils.py index 4fb4c80..d1dcd4c 100644 --- a/kolla_cli/common/utils.py +++ b/kolla_cli/common/utils.py @@ -163,7 +163,6 @@ def run_cmd(cmd, print_output=True): not None=command failed - output: string: all the output of the run command """ - err = None output = None try: process = subprocess.Popen(cmd, shell=True, # nosec @@ -464,6 +463,17 @@ def check_arg(param, param_name, expected_type, none_ok=False, empty_ok=False, type=expected_type)) +def disallow_chars(param, param_name, chars): + if param is None: + return + + for char in chars: + if char in param: + raise InvalidArgument( + u._('{name} contains invalid character {chars}') + .format(name=param_name, chars=chars)) + + class Lock(object): """Object which represents an exclusive resource lock
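Review bot: set_password_sshkey places the whole private key in the command string, so the key material becomes part of the spawned process's argument list, which other local users can typically read from the process table while the command runs. The password value in set_password is exposed the same way. If the helper behind `_get_cmd_prefix()` can take secrets on stdin or from a file with restrictive permissions (not visible in this patch), that would be the safer channel. At minimum, a comment such as `# NOTE: private_key is passed on the command line and is visible in the process list` would record the exposure for maintainers. The function continues below the hunk.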
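Review bot: disallow_chars formats the whole `chars` argument into the error message rather than the character that was actually found, so once more than one character is disallowed the message will not identify the offending one; `.format(name=param_name, chars=char)` would. The function also has no docstring. A one-line `"""Raise InvalidArgument if param contains any character in chars; a None param is accepted."""` would state the contract, including the early return on None. The message does not echo `param`, which is right for secret values and worth keeping that way.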