From e0754c2672a5a98219376dfea10b3654333310c0 Mon Sep 17 00:00:00 2001
From: varac
Date: Thu, 11 Jun 2015 22:29:44 +0200
Subject: added pbkdf2 function for hashing passwords using the pbkdf2 algorithm i.e., couchdb v1.3 changed the default pw hashing algorithm from sha1 to pbkdf2, see http://docs.couchdb.org/en/1.4.x/configuring.html
---
lib/puppet/parser/functions/pbkdf2.rb | 62 +++++++++++++++++++++++++++++++++++
1 file changed, 62 insertions(+)
create mode 100644 lib/puppet/parser/functions/pbkdf2.rb
(limited to 'lib')
diff --git a/lib/puppet/parser/functions/pbkdf2.rb b/lib/puppet/parser/functions/pbkdf2.rb
new file mode 100644
index 0000000..46400c9
--- /dev/null
+++ b/lib/puppet/parser/functions/pbkdf2.rb
@@ -0,0 +1,62 @@
+#
+# pbkdf2.rb
+#
+
+module Puppet::Parser::Functions
+ newfunction(:pbkdf2, :type => :rvalue, :doc => <<-EOS
+This converts a password and a salt (and optional iterations and keylength
+parameters) to a hash containing the salted SHA1 password hash, salt,
+iterations and keylength.
+pbkdf2 is used i.e. for couchdb passwords since v1.3.
+
+Example usage:
+ $pbkdf2 = pbkdf2($::couchdb::admin_pw, $::couchdb::admin_salt)
+ $sha1 = $pbkdf2['sha1']
+EOS
+ ) do |arguments|
+ require 'openssl'
+ require 'base64'
+
+ raise(Puppet::ParseError, "pbkdf2(): Wrong number of arguments " +
+ "passed (#{arguments.size} but we require at least 2)") if arguments.size < 2
+
+ unless arguments.is_a?(Array)
+ raise(Puppet::ParseError, 'pbkdf2(): Requires a ' +
+ "Array argument, you passed: #{password.class}")
+ end
+
+ password = arguments[0]
+ salt = arguments[1]
+
+ if arguments.size > 2
+ iterations = arguments[2].to_i
+ else
+ iterations = 1000
+ end
+
+ if arguments.size > 3
+ keylength = arguments[3].to_i
+ else
+ keylength = 20
+ end
+
+ pbkdf2 = OpenSSL::PKCS5::pbkdf2_hmac_sha1(
+ password,
+ salt,
+ iterations,
+ keylength
+ )
+
+ return_hash = Hash.new()
+ # return hex encoded string
+ return_hash['sha1'] = pbkdf2.unpack('H*')[0]
+ return_hash['password'] = password
+ return_hash['salt'] = salt
+ return_hash['iterations'] = iterations
+ return_hash['keylength'] = keylength
+
+ return return_hash
+ end
+end
+
+# vim: set ts=2 sw=2 et :
-- cgit v1.2.3
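Review bot: The optional `iterations` and `keylength` arguments are coerced with `.to_i`, so a non-numeric or empty value silently becomes 0 and is passed to `OpenSSL::PKCS5::pbkdf2_hmac_sha1` instead of failing the catalog compile; for a password-hashing work factor this should be a hard error. Parse both with `Integer()` and reject values below 1, as sketched below. Separately, the returned hash carries the cleartext under `return_hash['password']`, which a caller could easily write out next to the derived key, so consider dropping that key or documenting why it is needed. The `arguments.is_a?(Array)` guard interpolates `password.class` before `password` is assigned, so if that branch were ever reached it would raise a NameError rather than the intended ParseError.

```ruby
    # … unchanged: argument count check, password and salt assignment …

    begin
      iterations = arguments.size > 2 ? Integer(arguments[2]) : 1000
      keylength  = arguments.size > 3 ? Integer(arguments[3]) : 20
    rescue ArgumentError, TypeError
      raise(Puppet::ParseError, 'pbkdf2(): iterations and keylength must be integers')
    end

    if iterations < 1 || keylength < 1
      raise(Puppet::ParseError, 'pbkdf2(): iterations and keylength must be at least 1')
    end

    # … unchanged: pbkdf2_hmac_sha1 call and return hash …
```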