Skip to content

Commit ffc6d96

Browse files
kjetilhokjetilho
committed
pw_hash: add more bcrypt tests
* check for invalid salt values for all bcrypt variants * check for valid return value on glibc 2.28 I am not entirely sure this cutoff is correct, but RHEL 8 runs glibc 2.28 and supports bcrypt, and Ubuntu 18.04 Bionic has glibc 2.27 and does not. Ubuntu Focal 20.04 has glibc 2.31 and also supports bcrypt. We will see what the test harness reports :-)
1 parent 5662521 commit ffc6d96

File tree

2 files changed

+26
-13
lines changed

2 files changed

+26
-13
lines changed

lib/puppet/parser/functions/pw_hash.rb

Lines changed: 7 additions & 7 deletions
Original file line numberDiff line numberDiff line change
@@ -49,13 +49,13 @@
4949
end
5050

5151
hashes = {
52-
'md5' => { :prefix => '1' },
53-
'sha-256' => { :prefix => '5' },
54-
'sha-512' => { :prefix => '6' },
55-
'bcrypt' => { :prefix => '2b', :salt => %r{^[0-9]{2}\$[./A-Za-z0-9]{22}} },
56-
'bcrypt-a' => { :prefix => '2a', :salt => %r{^[0-9]{2}\$[./A-Za-z0-9]{22}} },
57-
'bcrypt-x' => { :prefix => '2x', :salt => %r{^[0-9]{2}\$[./A-Za-z0-9]{22}} },
58-
'bcrypt-y' => { :prefix => '2y', :salt => %r{^[0-9]{2}\$[./A-Za-z0-9]{22}} },
52+
'md5' => { prefix: '1' },
53+
'sha-256' => { prefix: '5' },
54+
'sha-512' => { prefix: '6' },
55+
'bcrypt' => { prefix: '2b', salt: %r{^[0-9]{2}\$[./A-Za-z0-9]{22}} },
56+
'bcrypt-a' => { prefix: '2a', salt: %r{^[0-9]{2}\$[./A-Za-z0-9]{22}} },
57+
'bcrypt-x' => { prefix: '2x', salt: %r{^[0-9]{2}\$[./A-Za-z0-9]{22}} },
58+
'bcrypt-y' => { prefix: '2y', salt: %r{^[0-9]{2}\$[./A-Za-z0-9]{22}} },
5959
}
6060

6161
raise ArgumentError, 'pw_hash(): first argument must be a string' unless args[0].is_a?(String) || args[0].nil?

spec/functions/pw_hash_spec.rb

Lines changed: 19 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -53,12 +53,9 @@
5353
context 'when the third argument contains invalid characters' do
5454
it { is_expected.to run.with_params('password', 'sha-512', 'one%').and_raise_error(ArgumentError, %r{characters in salt must be in the set}) }
5555
it { is_expected.to run.with_params('password', 'bcrypt', '1234').and_raise_error(ArgumentError, %r{characters in salt must match}) }
56-
end
57-
58-
context 'when run' do
59-
it { is_expected.to run.with_params('password', 'sha-512', '1234').and_return(%r{^\$6\$1234\$}) }
60-
it { is_expected.to run.with_params('password', 'bcrypt', '05$abcdefghijklmnopqrstuv').and_return(%r{^\$2b\$05\$abcdefghijklmnopqrstu}) }
61-
it { is_expected.to run.with_params('password', 'bcrypt-y', '05$abcdefghijklmnopqrstuv').and_return(%r{^\$2y\$05\$abcdefghijklmnopqrstu}) }
56+
it { is_expected.to run.with_params('password', 'bcrypt-a', '1234').and_raise_error(ArgumentError, %r{characters in salt must match}) }
57+
it { is_expected.to run.with_params('password', 'bcrypt-x', '1234').and_raise_error(ArgumentError, %r{characters in salt must match}) }
58+
it { is_expected.to run.with_params('password', 'bcrypt-y', '1234').and_raise_error(ArgumentError, %r{characters in salt must match}) }
6259
end
6360

6461
context 'when running on a platform with a weak String#crypt implementation' do
@@ -67,6 +64,22 @@
6764
it { is_expected.to run.with_params('password', 'sha-512', 'salt').and_raise_error(Puppet::ParseError, %r{system does not support enhanced salts}) }
6865
end
6966

67+
begin
68+
require 'etc'
69+
if Etc.confstr(Etc::CS_GNU_LIBC_VERSION) =~ %r{(\d+\.\d+)} && Puppet::Util::Package.versioncmp(Regexp.last_match(1), '2.28') >= 0
70+
context 'when running on platform with bcrypt' do
71+
it { is_expected.to run.with_params('password', 'bcrypt', '05$salt.salt.salt.salt.sa').and_return('$2b$05$salt.salt.salt.salt.sO5QUgeeLRANZyvfNiKJW5amLo3cVD8nW') }
72+
it { is_expected.to run.with_params('password', 'bcrypt-a', '05$salt.salt.salt.salt.sa').and_return('$2a$05$salt.salt.salt.salt.sO5QUgeeLRANZyvfNiKJW5amLo3cVD8nW') }
73+
it { is_expected.to run.with_params('password', 'bcrypt-x', '05$salt.salt.salt.salt.sa').and_return('$2x$05$salt.salt.salt.salt.sO5QUgeeLRANZyvfNiKJW5amLo3cVD8nW') }
74+
it { is_expected.to run.with_params('password', 'bcrypt-y', '05$salt.salt.salt.salt.sa').and_return('$2y$05$salt.salt.salt.salt.sO5QUgeeLRANZyvfNiKJW5amLo3cVD8nW') }
75+
end
76+
else
77+
pending('Only testing bcrypt results on glibc 2.28 and later')
78+
end
79+
rescue NameError
80+
pending('Only testing bcrypt results on glibc')
81+
end
82+
7083
if RUBY_PLATFORM == 'java' || 'test'.crypt('$1$1') == '$1$1$Bp8CU9Oujr9SSEw53WV6G.'
7184
describe 'on systems with enhanced salts support' do
7285
it { is_expected.to run.with_params('password', 'md5', 'salt').and_return('$1$salt$qJH7.N4xYta3aEG/dfqo/0') }

0 commit comments

Comments
 (0)