Merge pull request #1173 from kjetilho/feature/pw_hash_bcrypt

pw_hash: add support for bcrypt variants

Author: david22swan

lib/puppet/parser/functions/pw_hash.rb

@@ -15,20 +15,24 @@
   The first argument to this function is the password to hash. If it is
   undef or an empty string, this function returns undef.
 
-  The second argument to this function is which type of hash to use. It
+  The second argument to this function is which hash algorithm to use. It
   will be converted into the appropriate crypt(3) hash specifier. Valid
   hash types are:
 
-  |Hash type            |Specifier|
-  |---------------------|---------|
-  |MD5                  |1        |
-  |SHA-256              |5        |
-  |SHA-512 (recommended)|6        |
+  |Hash type|Prefix|Note                 |
+  |---------|------|---------------------|
+  |MD5      |1     |                     |
+  |SHA-256  |5     |                     |
+  |SHA-512  |6     |Recommended          |
+  |bcrypt   |2b    |                     |
+  |bcrypt-a |2a    |bug compatible       |
+  |bcrypt-x |2x    |bug compatible       |
+  |bcrypt-y |2y    |historic alias for 2b|
 
   The third argument to this function is the salt to use.
 
-  @return [Hash]
-    Provides a hash usable on most POSIX systems.
+  @return [String]
+    Provides a crypt hash usable on most POSIX systems.
 
   > *Note:*: this uses the Puppet Server's implementation of crypt(3). If your
     environment contains several different operating systems, ensure that they
@@ -43,21 +47,31 @@
       arg
     end
   end
+
+  hashes = {
+    'md5'       => { prefix: '1' },
+    'sha-256'   => { prefix: '5' },
+    'sha-512'   => { prefix: '6' },
+    'bcrypt'    => { prefix: '2b', salt: %r{^[0-9]{2}\$[./A-Za-z0-9]{22}} },
+    'bcrypt-a'  => { prefix: '2a', salt: %r{^[0-9]{2}\$[./A-Za-z0-9]{22}} },
+    'bcrypt-x'  => { prefix: '2x', salt: %r{^[0-9]{2}\$[./A-Za-z0-9]{22}} },
+    'bcrypt-y'  => { prefix: '2y', salt: %r{^[0-9]{2}\$[./A-Za-z0-9]{22}} },
+  }
+
   raise ArgumentError, 'pw_hash(): first argument must be a string' unless args[0].is_a?(String) || args[0].nil?
   raise ArgumentError, 'pw_hash(): second argument must be a string' unless args[1].is_a? String
-  hashes = { 'md5'     => '1',
-             'sha-256' => '5',
-             'sha-512' => '6' }
   hash_type = hashes[args[1].downcase]
   raise ArgumentError, "pw_hash(): #{args[1]} is not a valid hash type" if hash_type.nil?
   raise ArgumentError, 'pw_hash(): third argument must be a string' unless args[2].is_a? String
   raise ArgumentError, 'pw_hash(): third argument must not be empty' if args[2].empty?
-  raise ArgumentError, 'pw_hash(): characters in salt must be in the set [a-zA-Z0-9./]' unless %r{\A[a-zA-Z0-9./]+\z}.match?(args[2])
+  salt_doc = hash_type.include?(:salt) ? "match #{hash_type[:salt]}" : 'be in the set [a-zA-Z0-9./]'
+  salt_regex = hash_type.fetch(:salt, %r{\A[a-zA-Z0-9./]+\z})
+  raise ArgumentError, "pw_hash(): characters in salt must #{salt_doc}" unless salt_regex.match?(args[2])
 
   password = args[0]
   return nil if password.nil? || password.empty?
 
-  salt = "$#{hash_type}$#{args[2]}"
+  salt = "$#{hash_type[:prefix]}$#{args[2]}"
 
   # handle weak implementations of String#crypt
   # dup the string to get rid of frozen status for testing

spec/functions/pw_hash_spec.rb

@@ -52,6 +52,10 @@
 
   context 'when the third argument contains invalid characters' do
     it { is_expected.to run.with_params('password', 'sha-512', 'one%').and_raise_error(ArgumentError, %r{characters in salt must be in the set}) }
+    it { is_expected.to run.with_params('password', 'bcrypt', '1234').and_raise_error(ArgumentError, %r{characters in salt must match}) }
+    it { is_expected.to run.with_params('password', 'bcrypt-a', '1234').and_raise_error(ArgumentError, %r{characters in salt must match}) }
+    it { is_expected.to run.with_params('password', 'bcrypt-x', '1234').and_raise_error(ArgumentError, %r{characters in salt must match}) }
+    it { is_expected.to run.with_params('password', 'bcrypt-y', '1234').and_raise_error(ArgumentError, %r{characters in salt must match}) }
   end
 
   context 'when running on a platform with a weak String#crypt implementation' do
@@ -60,6 +64,22 @@
     it { is_expected.to run.with_params('password', 'sha-512', 'salt').and_raise_error(Puppet::ParseError, %r{system does not support enhanced salts}) }
   end
 
+  begin
+    require 'etc'
+    if Etc.confstr(Etc::CS_GNU_LIBC_VERSION) =~ %r{(\d+\.\d+)} && Puppet::Util::Package.versioncmp(Regexp.last_match(1), '2.28') >= 0
+      context 'when running on platform with bcrypt' do
+        it { is_expected.to run.with_params('password', 'bcrypt', '05$salt.salt.salt.salt.sa').and_return('$2b$05$salt.salt.salt.salt.sO5QUgeeLRANZyvfNiKJW5amLo3cVD8nW') }
+        it { is_expected.to run.with_params('password', 'bcrypt-a', '05$salt.salt.salt.salt.sa').and_return('$2a$05$salt.salt.salt.salt.sO5QUgeeLRANZyvfNiKJW5amLo3cVD8nW') }
+        it { is_expected.to run.with_params('password', 'bcrypt-x', '05$salt.salt.salt.salt.sa').and_return('$2x$05$salt.salt.salt.salt.sO5QUgeeLRANZyvfNiKJW5amLo3cVD8nW') }
+        it { is_expected.to run.with_params('password', 'bcrypt-y', '05$salt.salt.salt.salt.sa').and_return('$2y$05$salt.salt.salt.salt.sO5QUgeeLRANZyvfNiKJW5amLo3cVD8nW') }
+      end
+    else
+      pending('Only testing bcrypt results on glibc 2.28 and later')
+    end
+  rescue NameError
+    pending('Only testing bcrypt results on glibc')
+  end
+
   if RUBY_PLATFORM == 'java' || 'test'.crypt('$1$1') == '$1$1$Bp8CU9Oujr9SSEw53WV6G.'
     describe 'on systems with enhanced salts support' do
       it { is_expected.to run.with_params('password', 'md5', 'salt').and_return('$1$salt$qJH7.N4xYta3aEG/dfqo/0') }