Land rapid7#4642, Allow 'creds -u "" ' to return blank usernames

Author: wchen-r7

lib/msf/ui/console/command_dispatcher/db.rb

@@ -868,6 +868,16 @@ def creds_search(*args)
         # Exclude creds that don't match the given type
         next if type.present? && !core.private.kind_of?(type)
 
+        # Exclude non-blank username creds if that's what we're after
+        if user_regex.present? && user_regex == // && !core.public.username.blank?
+          next
+        end
+
+        # Exclude non-blank password creds if that's what we're after
+        if pass_regex.present? && pass_regex == // && !core.private.data.blank?
+          next
+        end
+
         # Exclude creds that don't match the given user
         if user_regex.present? && !core.public.username.match(user_regex)
           next

spec/lib/msf/ui/console/command_dispatcher/db_spec.rb

@@ -65,6 +65,109 @@
   it { is_expected.to respond_to :set_rhosts_from_addrs }
 
   describe "#cmd_creds" do
+
+    describe "-u" do
+      let(:username)            { "thisuser" }
+      let(:password)            { "thispass" }
+      let(:nomatch_username)    { "thatuser" }
+      let(:nomatch_password)    { "thatpass" }
+      let(:blank_username)      { "" }
+      let(:blank_password)      { "" }
+      let(:nonblank_username)   { "nonblank_user" }
+      let(:nonblank_password)   { "nonblank_pass" }
+      before(:each) do
+        priv = FactoryGirl.create(:metasploit_credential_password, data: password)
+        pub = FactoryGirl.create(:metasploit_credential_username, username: username)
+        core = FactoryGirl.create(:metasploit_credential_core,
+                                  origin: FactoryGirl.create(:metasploit_credential_origin_import),
+                                  private: priv,
+                                  public: pub,
+                                  realm: nil,
+                                  workspace: framework.db.workspace)
+        nonblank_priv = FactoryGirl.create(:metasploit_credential_password, data: nonblank_password)
+        blank_pub = FactoryGirl.create(:metasploit_credential_blank_username)
+        core = FactoryGirl.create(:metasploit_credential_core,
+                                  origin: FactoryGirl.create(:metasploit_credential_origin_import),
+                                  private: nonblank_priv,
+                                  public: blank_pub,
+                                  realm: nil,
+                                  workspace: framework.db.workspace)
+        nonblank_pub = FactoryGirl.create(:metasploit_credential_username, username: nonblank_username)
+        blank_priv = FactoryGirl.create(:metasploit_credential_password, data: blank_password)
+        core = FactoryGirl.create(:metasploit_credential_core,
+                                  origin: FactoryGirl.create(:metasploit_credential_origin_import),
+                                  private: blank_priv,
+                                  public: nonblank_pub,
+                                  realm: nil,
+                                  workspace: framework.db.workspace)
+      end
+      context "when the credential is present" do
+        it "should show a user that matches the given expression" do
+          db.cmd_creds("-u", username)
+          @output.should =~ [
+            "Credentials",
+            "===========",
+            "",
+            "host  service  public    private   realm  private_type",
+            "----  -------  ------    -------   -----  ------------",
+            "               thisuser  thispass         Password",
+          ]
+        end
+        context "and when the username is blank" do
+          it "should show a user that matches the given expression" do
+            db.cmd_creds("-u", blank_username )
+            @output.should =~ [
+              "Credentials",
+              "===========",
+              "",
+              "host  service  public  private        realm  private_type",
+              "----  -------  ------  -------        -----  ------------",
+              "                       nonblank_pass         Password"
+            ]
+          end
+        end
+        context "and when the password is blank" do
+          it "should show a user that matches the given expression" do
+            db.cmd_creds("-P", blank_password )
+            @output.should =~ [
+              "Credentials",
+              "===========",
+              "",
+              "host  service  public         private  realm  private_type",
+              "----  -------  ------         -------  -----  ------------",
+              "               nonblank_user                  Password"
+            ]
+          end
+        end
+      end
+      context "when the credential is absent" do
+        context "due to a nonmatching username" do
+          it "should return a blank set" do
+            db.cmd_creds("-u", nomatch_username)
+            @output.should =~ [
+              "===========",
+              "Credentials",
+              "",
+              "----  -------  ------  -------  -----  ------------",
+              "host  service  public  private  realm  private_type"
+            ]
+          end
+        end
+        context "due to a nonmatching password" do
+          it "should return a blank set" do
+            db.cmd_creds("-P", nomatch_password)
+            @output.should =~ [
+              "===========",
+              "Credentials",
+              "",
+              "----  -------  ------  -------  -----  ------------",
+              "host  service  public  private  realm  private_type"
+            ]
+          end
+        end
+      end
+    end
+
     describe "add-password" do
       let(:username) { "username" }
       let(:password) { "password" }