summaryrefslogtreecommitdiff
path: root/spec
diff options
context:
space:
mode:
Diffstat (limited to 'spec')
-rw-r--r--spec/acceptance/pw_hash_spec.rb34
-rw-r--r--spec/functions/pw_hash_spec.rb87
2 files changed, 121 insertions, 0 deletions
diff --git a/spec/acceptance/pw_hash_spec.rb b/spec/acceptance/pw_hash_spec.rb
new file mode 100644
index 0000000..4768975
--- /dev/null
+++ b/spec/acceptance/pw_hash_spec.rb
@@ -0,0 +1,34 @@
+#! /usr/bin/env ruby -S rspec
+require 'spec_helper_acceptance'
+
+# Windows and OS X do not have useful implementations of crypt(3)
+describe 'pw_hash function', :unless => (UNSUPPORTED_PLATFORMS + ['windows', 'Darwin']).include?(fact('operatingsystem')) do
+ describe 'success' do
+ it 'hashes passwords' do
+ pp = <<-EOS
+ $o = pw_hash('password', 6, 'salt')
+ notice(inline_template('pw_hash is <%= @o.inspect %>'))
+ EOS
+
+ apply_manifest(pp, :catch_failures => true) do |r|
+ expect(r.stdout).to match(/pw_hash is "\$6\$salt\$IxDD3jeSOb5eB1CX5LBsqZFVkJdido3OUILO5Ifz5iwMuTS4XMS130MTSuDDl3aCI6WouIL9AjRbLCelDCy\.g\."/)
+ end
+ end
+
+ it 'returns nil if no password is provided' do
+ pp = <<-EOS
+ $o = pw_hash('', 6, 'salt')
+ notice(inline_template('pw_hash is <%= @o.inspect %>'))
+ EOS
+
+ apply_manifest(pp, :catch_failures => true) do |r|
+ expect(r.stdout).to match(/pw_hash is ""/)
+ end
+ end
+ end
+ describe 'failure' do
+ it 'handles less than three arguments'
+ it 'handles more than three arguments'
+ it 'handles non strings'
+ end
+end
diff --git a/spec/functions/pw_hash_spec.rb b/spec/functions/pw_hash_spec.rb
new file mode 100644
index 0000000..01a1105
--- /dev/null
+++ b/spec/functions/pw_hash_spec.rb
@@ -0,0 +1,87 @@
+#! /usr/bin/env ruby -S rspec
+require 'spec_helper'
+
+describe "the pw_hash function" do
+ let(:scope) { PuppetlabsSpec::PuppetInternals.scope }
+
+ it "should exist" do
+ expect(Puppet::Parser::Functions.function("pw_hash")).to eq("function_pw_hash")
+ end
+
+ it "should raise an ArgumentError if there are less than 3 arguments" do
+ expect { scope.function_pw_hash([]) }.to( raise_error(ArgumentError, /[Ww]rong number of arguments/) )
+ expect { scope.function_pw_hash(['password']) }.to( raise_error(ArgumentError, /[Ww]rong number of arguments/) )
+ expect { scope.function_pw_hash(['password', 'sha-512']) }.to( raise_error(ArgumentError, /[Ww]rong number of arguments/) )
+ end
+
+ it "should raise an ArgumentError if there are more than 3 arguments" do
+ expect { scope.function_pw_hash(['password', 'sha-512', 'salt', 5]) }.to( raise_error(ArgumentError, /[Ww]rong number of arguments/) )
+ end
+
+ it "should raise an ArgumentError if the first argument is not a string" do
+ expect { scope.function_pw_hash([['password'], 'sha-512', 'salt']) }.to( raise_error(ArgumentError, /first argument must be a string/) )
+ # in Puppet 3, numbers are passed as strings, so we can't test that
+ end
+
+ it "should return nil if the first argument is empty" do
+ expect(scope.function_pw_hash(['', 'sha-512', 'salt'])).to eq(nil)
+ end
+
+ it "should return nil if the first argument is undef" do
+ expect(scope.function_pw_hash([nil, 'sha-512', 'salt'])).to eq(nil)
+ end
+
+ it "should raise an ArgumentError if the second argument is an invalid hash type" do
+ expect { scope.function_pw_hash(['', 'invalid', 'salt']) }.to( raise_error(ArgumentError, /not a valid hash type/) )
+ end
+
+ it "should raise an ArgumentError if the second argument is not a string" do
+ expect { scope.function_pw_hash(['', [], 'salt']) }.to( raise_error(ArgumentError, /second argument must be a string/) )
+ end
+
+ it "should raise an ArgumentError if the third argument is not a string" do
+ expect { scope.function_pw_hash(['password', 'sha-512', ['salt']]) }.to( raise_error(ArgumentError, /third argument must be a string/) )
+ # in Puppet 3, numbers are passed as strings, so we can't test that
+ end
+
+ it "should raise an ArgumentError if the third argument is empty" do
+ expect { scope.function_pw_hash(['password', 'sha-512', '']) }.to( raise_error(ArgumentError, /third argument must not be empty/) )
+ end
+
+ it "should raise an ArgumentError if the third argument has invalid characters" do
+ expect { scope.function_pw_hash(['password', 'sha-512', '%']) }.to( raise_error(ArgumentError, /characters in salt must be in the set/) )
+ end
+
+ it "should fail on platforms with weak implementations of String#crypt" do
+ String.any_instance.expects(:crypt).with('$1$1').returns('$1SoNol0Ye6Xk')
+ expect { scope.function_pw_hash(['password', 'sha-512', 'salt']) }.to( raise_error(Puppet::ParseError, /system does not support enhanced salts/) )
+ end
+
+ it "should return a hashed password" do
+ result = scope.function_pw_hash(['password', 'sha-512', 'salt'])
+ expect(result).to eql('$6$salt$IxDD3jeSOb5eB1CX5LBsqZFVkJdido3OUILO5Ifz5iwMuTS4XMS130MTSuDDl3aCI6WouIL9AjRbLCelDCy.g.')
+ end
+
+ it "should use the specified salt" do
+ result = scope.function_pw_hash(['password', 'sha-512', 'salt'])
+ expect(result).to match('salt')
+ end
+
+ it "should use the specified hash type" do
+ resultmd5 = scope.function_pw_hash(['password', 'md5', 'salt'])
+ resultsha256 = scope.function_pw_hash(['password', 'sha-256', 'salt'])
+ resultsha512 = scope.function_pw_hash(['password', 'sha-512', 'salt'])
+
+ expect(resultmd5).to eql('$1$salt$qJH7.N4xYta3aEG/dfqo/0')
+ expect(resultsha256).to eql('$5$salt$Gcm6FsVtF/Qa77ZKD.iwsJlCVPY0XSMgLJL0Hnww/c1')
+ expect(resultsha512).to eql('$6$salt$IxDD3jeSOb5eB1CX5LBsqZFVkJdido3OUILO5Ifz5iwMuTS4XMS130MTSuDDl3aCI6WouIL9AjRbLCelDCy.g.')
+ end
+
+ it "should generate a valid hash" do
+ password_hash = scope.function_pw_hash(['password', 'sha-512', 'salt'])
+
+ hash_parts = password_hash.match(%r{\A\$(.*)\$([a-zA-Z0-9./]+)\$([a-zA-Z0-9./]+)\z})
+
+ expect(hash_parts).not_to eql(nil)
+ end
+end