authorJacob Helwig <jacob@puppetlabs.com>2011-07-21 16:37:18 -0700
committerJacob Helwig <jacob@puppetlabs.com>2011-07-21 16:37:18 -0700
commit5e2a3d200b74eef9549e3e2a5bdbe2a23ae7fac1 (patch)
tree5f662d57bcb89f484f5404b59726ba1f0dca8f0c
parent691554ce752b631ae09bb87762b7bb9fcbe68e68 (diff)
parenta87ef54385cbf325d6b085200606562b0d4d7876 (diff)
Merge branch '2.6.x' into 2.7.x
* 2.6.x: (#6857) Password disclosure when changing a user's password
-rw-r--r--acceptance/tests/ticket_6857_password-disclosure-when-changing-a-users-password.rb23
-rwxr-xr-xlib/puppet/type/user.rb8
-rwxr-xr-xspec/unit/type/user_spec.rb8
3 files changed, 39 insertions, 0 deletions
diff --git a/acceptance/tests/ticket_6857_password-disclosure-when-changing-a-users-password.rb b/acceptance/tests/ticket_6857_password-disclosure-when-changing-a-users-password.rb
new file mode 100644
index 000000000..f1e100c2e
--- /dev/null
+++ b/acceptance/tests/ticket_6857_password-disclosure-when-changing-a-users-password.rb
@@ -0,0 +1,23 @@
+test_name "#6857: redact password hashes when applying in noop mode"
+
+adduser_manifest = <<MANIFEST
+user { 'passwordtestuser':
+ ensure => 'present',
+ password => 'apassword',
+}
+MANIFEST
+
+changepass_manifest = <<MANIFEST
+user { 'passwordtestuser':
+ ensure => 'present',
+ password => 'newpassword',
+ noop => true,
+}
+MANIFEST
+
+apply_manifest_on(agents, adduser_manifest )
+results = apply_manifest_on(agents, changepass_manifest )
+
+results.each do |result|
+ assert_match( /current_value \[old password hash redacted\], should be \[new password hash redacted\]/ , "#{result.stdout}" )
+end
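Review bot: The closing loop asserts only that the redaction placeholders appear in stdout, so a run that prints the placeholders and also leaks the value on another line would still pass. Add a negative check beside the `assert_match`, for example `assert_no_match( /apassword|newpassword/, result.stdout )`, so the test pins the absence of the secret and not just the presence of the marker. The `"#{result.stdout}"` interpolation is redundant. The test also leaves `passwordtestuser` on the agents, so a final manifest with `ensure => 'absent'` would keep reruns independent.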
diff --git a/lib/puppet/type/user.rb b/lib/puppet/type/user.rb
index 572d5796d..c64bf69e8 100755
--- a/lib/puppet/type/user.rb
+++ b/lib/puppet/type/user.rb
@@ -168,6 +168,14 @@ module Puppet
return "changed password"
end
end
+
+ def is_to_s( currentvalue )
+ return '[old password hash redacted]'
+ end
+ def should_to_s( newvalue )
+ return '[new password hash redacted]'
+ end
+
end
newproperty(:password_min_age, :required_features => :manages_password_age) do
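Review bot: `is_to_s` and `should_to_s` have no comment explaining why they discard their argument, although this override is what keeps the hash out of the noop message that the new acceptance test checks. A line above them such as `# Never render the current or desired password hash; these strings are shown to the operator.` would make the intent explicit and discourage a later cleanup from restoring the default formatting. The explicit `return` is unnecessary in both methods, and a blank line between the two definitions would read better. The enclosing password property block starts above the hunk, so other places that might format the value are not visible here.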
diff --git a/spec/unit/type/user_spec.rb b/spec/unit/type/user_spec.rb
index 71c9e1857..823b12f27 100755
--- a/spec/unit/type/user_spec.rb
+++ b/spec/unit/type/user_spec.rb
@@ -289,6 +289,14 @@ describe user do
@password.change_to_s("other", "mypass").should_not be_include("mypass")
end
+ it "should redact the password when displaying the old value" do
+ @password.is_to_s("currentpassword").should =~ /^\[old password hash redacted\]$/
+ end
+
+ it "should redact the password when displaying the new value" do
+ @password.should_to_s("newpassword").should =~ /^\[new password hash redacted\]$/
+ end
+
it "should fail if a ':' is included in the password" do
lambda { @password.should = "some:thing" }.should raise_error(Puppet::Error)
end
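Review bot: Both new examples anchor with `^` and `$`, which match per line in Ruby, so a multi-line return value holding the placeholder on one line and the password on another would still satisfy them. Since the expected string is fixed, an exact comparison is stricter and simpler: `@password.is_to_s("currentpassword").should == '[old password hash redacted]'`, and likewise for `should_to_s`. If a regex is kept, use `\A` and `\z`. The surrounding `describe` block begins outside the hunk.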