From 23be4020ddd4f95dc589ecebe57cd1b27d85248b Mon Sep 17 00:00:00 2001 From: Eli Young Date: Mon, 2 Feb 2015 16:41:38 -0800 Subject: (MODULES-1737) Add pw_hash() function --- spec/functions/pw_hash_spec.rb | 87 ++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 87 insertions(+) create mode 100644 spec/functions/pw_hash_spec.rb (limited to 'spec/functions/pw_hash_spec.rb') diff --git a/spec/functions/pw_hash_spec.rb b/spec/functions/pw_hash_spec.rb new file mode 100644 index 0000000..01a1105 --- /dev/null +++ b/spec/functions/pw_hash_spec.rb @@ -0,0 +1,87 @@ +#! /usr/bin/env ruby -S rspec +require 'spec_helper' + +describe "the pw_hash function" do + let(:scope) { PuppetlabsSpec::PuppetInternals.scope } + + it "should exist" do + expect(Puppet::Parser::Functions.function("pw_hash")).to eq("function_pw_hash") + end + + it "should raise an ArgumentError if there are less than 3 arguments" do + expect { scope.function_pw_hash([]) }.to( raise_error(ArgumentError, /[Ww]rong number of arguments/) ) + expect { scope.function_pw_hash(['password']) }.to( raise_error(ArgumentError, /[Ww]rong number of arguments/) ) + expect { scope.function_pw_hash(['password', 'sha-512']) }.to( raise_error(ArgumentError, /[Ww]rong number of arguments/) ) + end + + it "should raise an ArgumentError if there are more than 3 arguments" do + expect { scope.function_pw_hash(['password', 'sha-512', 'salt', 5]) }.to( raise_error(ArgumentError, /[Ww]rong number of arguments/) ) + end + + it "should raise an ArgumentError if the first argument is not a string" do + expect { scope.function_pw_hash([['password'], 'sha-512', 'salt']) }.to( raise_error(ArgumentError, /first argument must be a string/) ) + # in Puppet 3, numbers are passed as strings, so we can't test that + end + + it "should return nil if the first argument is empty" do + expect(scope.function_pw_hash(['', 'sha-512', 'salt'])).to eq(nil) + end + + it "should return nil if the first argument is undef" do + expect(scope.function_pw_hash([nil, 'sha-512', 'salt'])).to eq(nil) + end + + it "should raise an ArgumentError if the second argument is an invalid hash type" do + expect { scope.function_pw_hash(['', 'invalid', 'salt']) }.to( raise_error(ArgumentError, /not a valid hash type/) ) + end + + it "should raise an ArgumentError if the second argument is not a string" do + expect { scope.function_pw_hash(['', [], 'salt']) }.to( raise_error(ArgumentError, /second argument must be a string/) ) + end + + it "should raise an ArgumentError if the third argument is not a string" do + expect { scope.function_pw_hash(['password', 'sha-512', ['salt']]) }.to( raise_error(ArgumentError, /third argument must be a string/) ) + # in Puppet 3, numbers are passed as strings, so we can't test that + end + + it "should raise an ArgumentError if the third argument is empty" do + expect { scope.function_pw_hash(['password', 'sha-512', '']) }.to( raise_error(ArgumentError, /third argument must not be empty/) ) + end + + it "should raise an ArgumentError if the third argument has invalid characters" do + expect { scope.function_pw_hash(['password', 'sha-512', '%']) }.to( raise_error(ArgumentError, /characters in salt must be in the set/) ) + end + + it "should fail on platforms with weak implementations of String#crypt" do + String.any_instance.expects(:crypt).with('$1$1').returns('$1SoNol0Ye6Xk') + expect { scope.function_pw_hash(['password', 'sha-512', 'salt']) }.to( raise_error(Puppet::ParseError, /system does not support enhanced salts/) ) + end + + it "should return a hashed password" do + result = scope.function_pw_hash(['password', 'sha-512', 'salt']) + expect(result).to eql('$6$salt$IxDD3jeSOb5eB1CX5LBsqZFVkJdido3OUILO5Ifz5iwMuTS4XMS130MTSuDDl3aCI6WouIL9AjRbLCelDCy.g.') + end + + it "should use the specified salt" do + result = scope.function_pw_hash(['password', 'sha-512', 'salt']) + expect(result).to match('salt') + end + + it "should use the specified hash type" do + resultmd5 = scope.function_pw_hash(['password', 'md5', 'salt']) + resultsha256 = scope.function_pw_hash(['password', 'sha-256', 'salt']) + resultsha512 = scope.function_pw_hash(['password', 'sha-512', 'salt']) + + expect(resultmd5).to eql('$1$salt$qJH7.N4xYta3aEG/dfqo/0') + expect(resultsha256).to eql('$5$salt$Gcm6FsVtF/Qa77ZKD.iwsJlCVPY0XSMgLJL0Hnww/c1') + expect(resultsha512).to eql('$6$salt$IxDD3jeSOb5eB1CX5LBsqZFVkJdido3OUILO5Ifz5iwMuTS4XMS130MTSuDDl3aCI6WouIL9AjRbLCelDCy.g.') + end + + it "should generate a valid hash" do + password_hash = scope.function_pw_hash(['password', 'sha-512', 'salt']) + + hash_parts = password_hash.match(%r{\A\$(.*)\$([a-zA-Z0-9./]+)\$([a-zA-Z0-9./]+)\z}) + + expect(hash_parts).not_to eql(nil) + end +end -- cgit v1.2.3 From 601e2e2574c37f5496323ed56702d4a657c278dd Mon Sep 17 00:00:00 2001 From: Bryan Jen Date: Fri, 10 Apr 2015 11:38:15 -0700 Subject: Modules-2474: Only runs enhanced salts functional test on systems that support it. --- spec/functions/pw_hash_spec.rb | 49 +++++++++++++++++++++++++----------------- 1 file changed, 29 insertions(+), 20 deletions(-) (limited to 'spec/functions/pw_hash_spec.rb') diff --git a/spec/functions/pw_hash_spec.rb b/spec/functions/pw_hash_spec.rb index 01a1105..3378090 100644 --- a/spec/functions/pw_hash_spec.rb +++ b/spec/functions/pw_hash_spec.rb @@ -2,6 +2,11 @@ require 'spec_helper' describe "the pw_hash function" do + + before :all do + @enhanced_salts_supported = RUBY_PLATFORM == 'java' + end + let(:scope) { PuppetlabsSpec::PuppetInternals.scope } it "should exist" do @@ -57,31 +62,35 @@ describe "the pw_hash function" do expect { scope.function_pw_hash(['password', 'sha-512', 'salt']) }.to( raise_error(Puppet::ParseError, /system does not support enhanced salts/) ) end - it "should return a hashed password" do - result = scope.function_pw_hash(['password', 'sha-512', 'salt']) - expect(result).to eql('$6$salt$IxDD3jeSOb5eB1CX5LBsqZFVkJdido3OUILO5Ifz5iwMuTS4XMS130MTSuDDl3aCI6WouIL9AjRbLCelDCy.g.') - end + if @enhanced_salts_supported + describe "on systems with enhanced salts support" do + it "should return a hashed password" do + result = scope.function_pw_hash(['password', 'sha-512', 'salt']) + expect(result).to eql('$6$salt$IxDD3jeSOb5eB1CX5LBsqZFVkJdido3OUILO5Ifz5iwMuTS4XMS130MTSuDDl3aCI6WouIL9AjRbLCelDCy.g.') + end - it "should use the specified salt" do - result = scope.function_pw_hash(['password', 'sha-512', 'salt']) - expect(result).to match('salt') - end + it "should use the specified salt" do + result = scope.function_pw_hash(['password', 'sha-512', 'salt']) + expect(result).to match('salt') + end - it "should use the specified hash type" do - resultmd5 = scope.function_pw_hash(['password', 'md5', 'salt']) - resultsha256 = scope.function_pw_hash(['password', 'sha-256', 'salt']) - resultsha512 = scope.function_pw_hash(['password', 'sha-512', 'salt']) + it "should use the specified hash type" do + resultmd5 = scope.function_pw_hash(['password', 'md5', 'salt']) + resultsha256 = scope.function_pw_hash(['password', 'sha-256', 'salt']) + resultsha512 = scope.function_pw_hash(['password', 'sha-512', 'salt']) - expect(resultmd5).to eql('$1$salt$qJH7.N4xYta3aEG/dfqo/0') - expect(resultsha256).to eql('$5$salt$Gcm6FsVtF/Qa77ZKD.iwsJlCVPY0XSMgLJL0Hnww/c1') - expect(resultsha512).to eql('$6$salt$IxDD3jeSOb5eB1CX5LBsqZFVkJdido3OUILO5Ifz5iwMuTS4XMS130MTSuDDl3aCI6WouIL9AjRbLCelDCy.g.') - end + expect(resultmd5).to eql('$1$salt$qJH7.N4xYta3aEG/dfqo/0') + expect(resultsha256).to eql('$5$salt$Gcm6FsVtF/Qa77ZKD.iwsJlCVPY0XSMgLJL0Hnww/c1') + expect(resultsha512).to eql('$6$salt$IxDD3jeSOb5eB1CX5LBsqZFVkJdido3OUILO5Ifz5iwMuTS4XMS130MTSuDDl3aCI6WouIL9AjRbLCelDCy.g.') + end - it "should generate a valid hash" do - password_hash = scope.function_pw_hash(['password', 'sha-512', 'salt']) + it "should generate a valid hash" do + password_hash = scope.function_pw_hash(['password', 'sha-512', 'salt']) - hash_parts = password_hash.match(%r{\A\$(.*)\$([a-zA-Z0-9./]+)\$([a-zA-Z0-9./]+)\z}) + hash_parts = password_hash.match(%r{\A\$(.*)\$([a-zA-Z0-9./]+)\$([a-zA-Z0-9./]+)\z}) - expect(hash_parts).not_to eql(nil) + expect(hash_parts).not_to eql(nil) + end + end end end -- cgit v1.2.3 From f3e79ddcd56a221c7799b35efde7e9803a5c7923 Mon Sep 17 00:00:00 2001 From: David Schmitt Date: Mon, 1 Jun 2015 12:21:59 +0100 Subject: Convert tests to use plain rspec-puppet Tests in the new style produces the following documentation output: abs should not eq nil should run abs() and raise an Puppet::ParseError should run abs(-34) and return 34 should run abs("-34") and return 34 should run abs(34) and return 34 should run abs("34") and return 34 --- spec/functions/pw_hash_spec.rb | 107 +++++++++++++++-------------------------- 1 file changed, 40 insertions(+), 67 deletions(-) (limited to 'spec/functions/pw_hash_spec.rb') diff --git a/spec/functions/pw_hash_spec.rb b/spec/functions/pw_hash_spec.rb index 3378090..df5348c 100644 --- a/spec/functions/pw_hash_spec.rb +++ b/spec/functions/pw_hash_spec.rb @@ -1,96 +1,69 @@ -#! /usr/bin/env ruby -S rspec require 'spec_helper' -describe "the pw_hash function" do +describe 'pw_hash' do - before :all do - @enhanced_salts_supported = RUBY_PLATFORM == 'java' - end - - let(:scope) { PuppetlabsSpec::PuppetInternals.scope } - - it "should exist" do - expect(Puppet::Parser::Functions.function("pw_hash")).to eq("function_pw_hash") - end + it { is_expected.not_to eq(nil) } - it "should raise an ArgumentError if there are less than 3 arguments" do - expect { scope.function_pw_hash([]) }.to( raise_error(ArgumentError, /[Ww]rong number of arguments/) ) - expect { scope.function_pw_hash(['password']) }.to( raise_error(ArgumentError, /[Ww]rong number of arguments/) ) - expect { scope.function_pw_hash(['password', 'sha-512']) }.to( raise_error(ArgumentError, /[Ww]rong number of arguments/) ) + context 'when there are less than 3 arguments' do + it { is_expected.to run.with_params().and_raise_error(ArgumentError, /wrong number of arguments/i) } + it { is_expected.to run.with_params('password').and_raise_error(ArgumentError, /wrong number of arguments/i) } + it { is_expected.to run.with_params('password', 'sha-256').and_raise_error(ArgumentError, /wrong number of arguments/i) } end - it "should raise an ArgumentError if there are more than 3 arguments" do - expect { scope.function_pw_hash(['password', 'sha-512', 'salt', 5]) }.to( raise_error(ArgumentError, /[Ww]rong number of arguments/) ) + context 'when there are more than 3 arguments' do + it { is_expected.to run.with_params('password', 'sha-256', 'salt', 'extra').and_raise_error(ArgumentError, /wrong number of arguments/i) } + it { is_expected.to run.with_params('password', 'sha-256', 'salt', 'extra', 'extra').and_raise_error(ArgumentError, /wrong number of arguments/i) } end - it "should raise an ArgumentError if the first argument is not a string" do - expect { scope.function_pw_hash([['password'], 'sha-512', 'salt']) }.to( raise_error(ArgumentError, /first argument must be a string/) ) - # in Puppet 3, numbers are passed as strings, so we can't test that + context 'when the first argument is not a string' do + it { is_expected.to run.with_params([], 'sha-256', 'salt').and_raise_error(ArgumentError, /first argument must be a string/) } + it { is_expected.to run.with_params({}, 'sha-256', 'salt').and_raise_error(ArgumentError, /first argument must be a string/) } + it { is_expected.to run.with_params(1, 'sha-256', 'salt').and_raise_error(ArgumentError, /first argument must be a string/) } + it { is_expected.to run.with_params(true, 'sha-256', 'salt').and_raise_error(ArgumentError, /first argument must be a string/) } end - it "should return nil if the first argument is empty" do - expect(scope.function_pw_hash(['', 'sha-512', 'salt'])).to eq(nil) + context 'when the first argument is undefined' do + it { is_expected.to run.with_params('', 'sha-256', 'salt').and_return(nil) } + it { is_expected.to run.with_params(nil, 'sha-256', 'salt').and_return(nil) } end - it "should return nil if the first argument is undef" do - expect(scope.function_pw_hash([nil, 'sha-512', 'salt'])).to eq(nil) + context 'when the second argument is not a string' do + it { is_expected.to run.with_params('password', [], 'salt').and_raise_error(ArgumentError, /second argument must be a string/) } + it { is_expected.to run.with_params('password', {}, 'salt').and_raise_error(ArgumentError, /second argument must be a string/) } + it { is_expected.to run.with_params('password', 1, 'salt').and_raise_error(ArgumentError, /second argument must be a string/) } + it { is_expected.to run.with_params('password', true, 'salt').and_raise_error(ArgumentError, /second argument must be a string/) } end - it "should raise an ArgumentError if the second argument is an invalid hash type" do - expect { scope.function_pw_hash(['', 'invalid', 'salt']) }.to( raise_error(ArgumentError, /not a valid hash type/) ) + context 'when the second argument is not one of the supported hashing algorithms' do + it { is_expected.to run.with_params('password', 'no such algo', 'salt').and_raise_error(ArgumentError, /is not a valid hash type/) } end - it "should raise an ArgumentError if the second argument is not a string" do - expect { scope.function_pw_hash(['', [], 'salt']) }.to( raise_error(ArgumentError, /second argument must be a string/) ) + context 'when the third argument is not a string' do + it { is_expected.to run.with_params('password', 'sha-256', []).and_raise_error(ArgumentError, /third argument must be a string/) } + it { is_expected.to run.with_params('password', 'sha-256', {}).and_raise_error(ArgumentError, /third argument must be a string/) } + it { is_expected.to run.with_params('password', 'sha-256', 1).and_raise_error(ArgumentError, /third argument must be a string/) } + it { is_expected.to run.with_params('password', 'sha-256', true).and_raise_error(ArgumentError, /third argument must be a string/) } end - it "should raise an ArgumentError if the third argument is not a string" do - expect { scope.function_pw_hash(['password', 'sha-512', ['salt']]) }.to( raise_error(ArgumentError, /third argument must be a string/) ) - # in Puppet 3, numbers are passed as strings, so we can't test that + context 'when the third argument is empty' do + it { is_expected.to run.with_params('password', 'sha-512', '').and_raise_error(ArgumentError, /third argument must not be empty/) } end - it "should raise an ArgumentError if the third argument is empty" do - expect { scope.function_pw_hash(['password', 'sha-512', '']) }.to( raise_error(ArgumentError, /third argument must not be empty/) ) + context 'when the third argument contains invalid characters' do + it { is_expected.to run.with_params('password', 'sha-512', 'one%').and_raise_error(ArgumentError, /characters in salt must be in the set/) } end - it "should raise an ArgumentError if the third argument has invalid characters" do - expect { scope.function_pw_hash(['password', 'sha-512', '%']) }.to( raise_error(ArgumentError, /characters in salt must be in the set/) ) - end + context 'when running on a platform with a weak String#crypt implementation' do + before(:each) { allow_any_instance_of(String).to receive(:crypt).with('$1$1').and_return('a bad hash') } - it "should fail on platforms with weak implementations of String#crypt" do - String.any_instance.expects(:crypt).with('$1$1').returns('$1SoNol0Ye6Xk') - expect { scope.function_pw_hash(['password', 'sha-512', 'salt']) }.to( raise_error(Puppet::ParseError, /system does not support enhanced salts/) ) + it { is_expected.to run.with_params('password', 'sha-512', 'salt').and_raise_error(Puppet::ParseError, /system does not support enhanced salts/) } end - if @enhanced_salts_supported + if RUBY_PLATFORM == 'java' or 'test'.crypt('$1$1') == '$1$1$Bp8CU9Oujr9SSEw53WV6G.' describe "on systems with enhanced salts support" do - it "should return a hashed password" do - result = scope.function_pw_hash(['password', 'sha-512', 'salt']) - expect(result).to eql('$6$salt$IxDD3jeSOb5eB1CX5LBsqZFVkJdido3OUILO5Ifz5iwMuTS4XMS130MTSuDDl3aCI6WouIL9AjRbLCelDCy.g.') - end - - it "should use the specified salt" do - result = scope.function_pw_hash(['password', 'sha-512', 'salt']) - expect(result).to match('salt') - end - - it "should use the specified hash type" do - resultmd5 = scope.function_pw_hash(['password', 'md5', 'salt']) - resultsha256 = scope.function_pw_hash(['password', 'sha-256', 'salt']) - resultsha512 = scope.function_pw_hash(['password', 'sha-512', 'salt']) - - expect(resultmd5).to eql('$1$salt$qJH7.N4xYta3aEG/dfqo/0') - expect(resultsha256).to eql('$5$salt$Gcm6FsVtF/Qa77ZKD.iwsJlCVPY0XSMgLJL0Hnww/c1') - expect(resultsha512).to eql('$6$salt$IxDD3jeSOb5eB1CX5LBsqZFVkJdido3OUILO5Ifz5iwMuTS4XMS130MTSuDDl3aCI6WouIL9AjRbLCelDCy.g.') - end - - it "should generate a valid hash" do - password_hash = scope.function_pw_hash(['password', 'sha-512', 'salt']) - - hash_parts = password_hash.match(%r{\A\$(.*)\$([a-zA-Z0-9./]+)\$([a-zA-Z0-9./]+)\z}) - - expect(hash_parts).not_to eql(nil) - end + it { is_expected.to run.with_params('password', 'md5', 'salt').and_return('$1$salt$qJH7.N4xYta3aEG/dfqo/0') } + it { is_expected.to run.with_params('password', 'sha-256', 'salt').and_return('$5$salt$Gcm6FsVtF/Qa77ZKD.iwsJlCVPY0XSMgLJL0Hnww/c1') } + it { is_expected.to run.with_params('password', 'sha-512', 'salt').and_return('$6$salt$IxDD3jeSOb5eB1CX5LBsqZFVkJdido3OUILO5Ifz5iwMuTS4XMS130MTSuDDl3aCI6WouIL9AjRbLCelDCy.g.') } end end end -- cgit v1.2.3