From 23be4020ddd4f95dc589ecebe57cd1b27d85248b Mon Sep 17 00:00:00 2001 From: Eli Young Date: Mon, 2 Feb 2015 16:41:38 -0800 Subject: (MODULES-1737) Add pw_hash() function --- lib/puppet/parser/functions/pw_hash.rb | 56 ++++++++++++++++++++++++++++++++++ 1 file changed, 56 insertions(+) create mode 100644 lib/puppet/parser/functions/pw_hash.rb (limited to 'lib/puppet/parser/functions/pw_hash.rb') diff --git a/lib/puppet/parser/functions/pw_hash.rb b/lib/puppet/parser/functions/pw_hash.rb new file mode 100644 index 0000000..ad3e393 --- /dev/null +++ b/lib/puppet/parser/functions/pw_hash.rb @@ -0,0 +1,56 @@ +Puppet::Parser::Functions::newfunction( + :pw_hash, + :type => :rvalue, + :arity => 3, + :doc => "Hashes a password using the crypt function. Provides a hash + usable on most POSIX systems. + + The first argument to this function is the password to hash. If it is + undef or an empty string, this function returns undef. + + The second argument to this function is which type of hash to use. It + will be converted into the appropriate crypt(3) hash specifier. Valid + hash types are: + + |Hash type |Specifier| + |---------------------|---------| + |MD5 |1 | + |SHA-256 |5 | + |SHA-512 (recommended)|6 | + + The third argument to this function is the salt to use. + + Note: this uses the Puppet Master's implementation of crypt(3). If your + environment contains several different operating systems, ensure that they + are compatible before using this function.") do |args| + raise ArgumentError, "pw_hash(): wrong number of arguments (#{args.size} for 3)" if args.size != 3 + raise ArgumentError, "pw_hash(): first argument must be a string" unless args[0].is_a? String or args[0].nil? + raise ArgumentError, "pw_hash(): second argument must be a string" unless args[1].is_a? String + hashes = { 'md5' => '1', + 'sha-256' => '5', + 'sha-512' => '6' } + hash_type = hashes[args[1].downcase] + raise ArgumentError, "pw_hash(): #{args[1]} is not a valid hash type" if hash_type.nil? + raise ArgumentError, "pw_hash(): third argument must be a string" unless args[2].is_a? String + raise ArgumentError, "pw_hash(): third argument must not be empty" if args[2].empty? + raise ArgumentError, "pw_hash(): characters in salt must be in the set [a-zA-Z0-9./]" unless args[2].match(/\A[a-zA-Z0-9.\/]+\z/) + + password = args[0] + return nil if password.nil? or password.empty? + + # handle weak implementations of String#crypt + if 'test'.crypt('$1$1') != '$1$1$Bp8CU9Oujr9SSEw53WV6G.' + # JRuby < 1.7.17 + if RUBY_PLATFORM == 'java' + # override String#crypt for password variable + def password.crypt(salt) + # puppetserver bundles Apache Commons Codec + org.apache.commons.codec.digest.Crypt.crypt(self.to_java_bytes, salt) + end + else + # MS Windows and other systems that don't support enhanced salts + raise Puppet::ParseError, 'system does not support enhanced salts' + end + end + password.crypt("$#{hash_type}$#{args[2]}") +end -- cgit v1.2.3 From 9bae8356fded9d1c7aaea96cba246709bfe1a516 Mon Sep 17 00:00:00 2001 From: David Schmitt Date: Wed, 22 Apr 2015 16:04:00 -0700 Subject: pw_hash: avoid ruby magic when running on java --- lib/puppet/parser/functions/pw_hash.rb | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) (limited to 'lib/puppet/parser/functions/pw_hash.rb') diff --git a/lib/puppet/parser/functions/pw_hash.rb b/lib/puppet/parser/functions/pw_hash.rb index ad3e393..4682a63 100644 --- a/lib/puppet/parser/functions/pw_hash.rb +++ b/lib/puppet/parser/functions/pw_hash.rb @@ -42,15 +42,13 @@ Puppet::Parser::Functions::newfunction( if 'test'.crypt('$1$1') != '$1$1$Bp8CU9Oujr9SSEw53WV6G.' # JRuby < 1.7.17 if RUBY_PLATFORM == 'java' - # override String#crypt for password variable - def password.crypt(salt) - # puppetserver bundles Apache Commons Codec - org.apache.commons.codec.digest.Crypt.crypt(self.to_java_bytes, salt) - end + # puppetserver bundles Apache Commons Codec + org.apache.commons.codec.digest.Crypt.crypt(password.to_java_bytes, salt) else # MS Windows and other systems that don't support enhanced salts raise Puppet::ParseError, 'system does not support enhanced salts' end + else + password.crypt("$#{hash_type}$#{args[2]}") end - password.crypt("$#{hash_type}$#{args[2]}") end -- cgit v1.2.3 From 7d7e905b543448f5d37d13c9e1a03d1e0be307fe Mon Sep 17 00:00:00 2001 From: Eli Young Date: Tue, 5 May 2015 15:16:35 -0700 Subject: pw_hash: Fix functionality on JRuby < 1.7.17 The previous change to this function broke it on JRuby before 1.7.17 by attempting to use a variable that wasn't defined (`salt`). To fix this, define `salt` ahead of time and use that instead of building the salt later. cf. https://github.com/puppetlabs/puppetlabs-stdlib/pull/443#discussion_r29718588 --- lib/puppet/parser/functions/pw_hash.rb | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) (limited to 'lib/puppet/parser/functions/pw_hash.rb') diff --git a/lib/puppet/parser/functions/pw_hash.rb b/lib/puppet/parser/functions/pw_hash.rb index 4682a63..41d4223 100644 --- a/lib/puppet/parser/functions/pw_hash.rb +++ b/lib/puppet/parser/functions/pw_hash.rb @@ -38,6 +38,8 @@ Puppet::Parser::Functions::newfunction( password = args[0] return nil if password.nil? or password.empty? + salt = "$#{hash_type}$#{args[2]}" + # handle weak implementations of String#crypt if 'test'.crypt('$1$1') != '$1$1$Bp8CU9Oujr9SSEw53WV6G.' # JRuby < 1.7.17 @@ -49,6 +51,6 @@ Puppet::Parser::Functions::newfunction( raise Puppet::ParseError, 'system does not support enhanced salts' end else - password.crypt("$#{hash_type}$#{args[2]}") + password.crypt(salt) end end -- cgit v1.2.3