diff options
author | Ben Hughes <ben@puppetlabs.com> | 2011-04-01 15:23:14 +1100 |
---|---|---|
committer | Ben Hughes <ben@puppetlabs.com> | 2011-06-01 12:35:27 -0700 |
commit | 111a4b546dd1bcaab182d5c8ad694404c2c2f91c (patch) | |
tree | 86a685fa69e176d094decb205c37046d8b680064 /acceptance | |
parent | 805b2878d0b23d76917f5210abe35489f6f84c74 (diff) | |
download | puppet-111a4b546dd1bcaab182d5c8ad694404c2c2f91c.tar.gz puppet-111a4b546dd1bcaab182d5c8ad694404c2c2f91c.tar.xz puppet-111a4b546dd1bcaab182d5c8ad694404c2c2f91c.zip |
(#6857) Password disclosure when changing a user's password
Make the should_to_s and is_to_s functions to return a form of 'redacted'.
Rather than send the password hash to system logs in cases of failure or
running in --noop mode, just state whether it's the new or old hash. We're
already doing this with password changes that work, so this just brings it
inline with those, albeit via a slightly different pair of methods.
Diffstat (limited to 'acceptance')
-rw-r--r-- | acceptance/tests/ticket_6857_password-disclosure-when-changing-a-users-password.rb | 23 |
1 files changed, 23 insertions, 0 deletions
diff --git a/acceptance/tests/ticket_6857_password-disclosure-when-changing-a-users-password.rb b/acceptance/tests/ticket_6857_password-disclosure-when-changing-a-users-password.rb new file mode 100644 index 000000000..f1e100c2e --- /dev/null +++ b/acceptance/tests/ticket_6857_password-disclosure-when-changing-a-users-password.rb @@ -0,0 +1,23 @@ +test_name "#6857: redact password hashes when applying in noop mode" + +adduser_manifest = <<MANIFEST +user { 'passwordtestuser': + ensure => 'present', + password => 'apassword', +} +MANIFEST + +changepass_manifest = <<MANIFEST +user { 'passwordtestuser': + ensure => 'present', + password => 'newpassword', + noop => true, +} +MANIFEST + +apply_manifest_on(agents, adduser_manifest ) +results = apply_manifest_on(agents, changepass_manifest ) + +results.each do |result| + assert_match( /current_value \[old password hash redacted\], should be \[new password hash redacted\]/ , "#{result.stdout}" ) +end |