Fix downloading when passwords contain spaces

This also adds our first acceptance tests to this module.

.github/workflows/ci.yml

@@ -45,3 +45,31 @@ jobs:
           bundler-cache: true
       - name: Run tests
         run: bundle exec rake
+
+  acceptance:
+    needs: setup_matrix
+    runs-on: ubuntu-latest
+    env:
+      BUNDLE_WITHOUT: development:test:release
+    strategy:
+      fail-fast: false
+      matrix:
+        setfile: ${{fromJson(needs.setup_matrix.outputs.beaker_setfiles)}}
+        puppet: ${{fromJson(needs.setup_matrix.outputs.puppet_major_versions)}}
+    name: ${{ matrix.puppet.name }} - ${{ matrix.setfile.name }}
+    steps:
+      - name: Enable IPv6 on docker
+        run: |
+          echo '{"ipv6":true,"fixed-cidr-v6":"2001:db8:1::/64"}' | sudo tee /etc/docker/daemon.json
+          sudo service docker restart
+      - uses: actions/checkout@v2
+      - name: Setup ruby
+        uses: ruby/setup-ruby@v1
+        with:
+          ruby-version: '2.7'
+          bundler-cache: true
+      - name: Run tests
+        run: bundle exec rake beaker
+        env:
+          BEAKER_PUPPET_COLLECTION: ${{ matrix.puppet.collection }}
+          BEAKER_setfile: ${{ matrix.setfile.value }}

.sync.yml

@@ -1,5 +1,5 @@
 ---
-.travis.yml:
-  secure: "S8pxtUQSCxezeHuMTOa2nmbOC1Ln37evcDBd6rcAPse4DhrwzdJ7Ijme2tE+cPcdyYgO66jL0wWUBNia+10vOoYs1mCMj3mUq2bgySRhML0CQxGIvKYu8R6PbijljSK7LYplD1THQRgFLyHQ+f4Mh7+8yFpjXSmxuAQMdCPfPv8="
 spec/spec_helper.rb:
   unmanaged: true
+spec/spec_helper_acceptance.rb:
+  unmanaged: false

lib/puppet/provider/archive/curl.rb

@@ -7,8 +7,14 @@
 
   def curl_params(params)
     if resource[:username]
-      create_netrcfile
-      params += ['--netrc-file', @netrc_file.path]
+      if resource[:username] =~ %r{\s} || resource[:password] =~ %r{\s}
+        Puppet.warning('Username or password contains a space.  Unable to use netrc file to hide credentials')
+        account = [resource[:username], resource[:password]].compact.join(':')
+        params += optional_switch(account, ['--user', '%s'])
+      else
+        create_netrcfile
+        params += ['--netrc-file', @netrc_file.path]
+      end
     end
     params += optional_switch(resource[:proxy_server], ['--proxy', '%s'])
     params += ['--insecure'] if resource[:allow_insecure]

lib/puppet/provider/archive/wget.rb

@@ -2,8 +2,8 @@
   commands wget: 'wget'
 
   def wget_params(params)
-    params += optional_switch(resource[:username], ['--user=%s'])
-    params += optional_switch(resource[:password], ['--password=%s'])
+    params += optional_switch(Shellwords.shellescape(resource[:username]), ['--user=%s'])
+    params += optional_switch(Shellwords.shellescape(resource[:password]), ['--password=%s'])
     params += optional_switch(resource[:cookie], ['--header="Cookie: %s"'])
     params += optional_switch(resource[:proxy_server], ['-e use_proxy=yes', "-e #{resource[:proxy_type]}_proxy=#{resource[:proxy_server]}"])
     params += ['--no-check-certificate'] if resource[:allow_insecure]

spec/acceptance/authentication_spec.rb

@@ -0,0 +1,46 @@
+require 'spec_helper_acceptance'
+require 'uri'
+
+context 'authenticated download' do
+  let(:source) do
+    URI.escape("http://httpbin.org/basic-auth/user/#{password}")
+  end
+  let(:pp) do
+    <<-EOS
+      archive { '/tmp/testfile':
+        source   => '#{source.gsub("'") { "\\'" }}',
+        username => 'user',
+        password => '#{password.gsub("'") { "\\'" }}',
+        provider => #{provider},
+      }
+    EOS
+  end
+
+  %w[curl wget ruby].each do |provider|
+    context "with provider #{provider}" do
+      let(:provider) { provider }
+
+      [
+        'hunter2',
+        'pass word with spaces',
+        'y^%88_',
+        "passwordwithsinglequote'!",
+      ].each do |password|
+        context "with password '#{password}'" do
+          let(:password) { password }
+
+          it 'applies idempotently with no errors' do
+            shell('/bin/rm -f /tmp/testfile')
+            apply_manifest(pp, catch_failures: true)
+            apply_manifest(pp, catch_changes: true)
+          end
+
+          describe file('/tmp/testfile') do
+            it { is_expected.to be_file }
+            its(:content_as_json) { is_expected.to include('authenticated' => true, 'user' => 'user') }
+          end
+        end
+      end
+    end
+  end
+end

spec/spec_helper_acceptance.rb

@@ -0,0 +1,6 @@
+# This file is completely managed via modulesync
+require 'voxpupuli/acceptance/spec_helper_acceptance'
+
+configure_beaker
+
+Dir['./spec/support/acceptance/**/*.rb'].sort.each { |f| require f }

spec/unit/puppet/provider/archive/curl_spec.rb

@@ -70,6 +70,22 @@
         provider.download(name)
         expect(File.exist?(netrc_filepath)).to eq(false)
       end
+
+      context 'with password containing space' do
+        let(:resource_properties) do
+          {
+            name: name,
+            source: 'http://home.lan/example.zip',
+            username: 'foo',
+            password: 'b ar'
+          }
+        end
+
+        it 'calls curl with default options and username and password on command line' do
+          provider.download(name)
+          expect(provider).to have_received(:curl).with(default_options << '--user' << 'foo:b ar')
+        end
+      end
     end
 
     context 'allow_insecure true' do