From 111a4b546dd1bcaab182d5c8ad694404c2c2f91c Mon Sep 17 00:00:00 2001
From: Ben Hughes <ben@puppetlabs.com>
Date: Fri, 1 Apr 2011 15:23:14 +1100
Subject: (#6857) Password disclosure when changing a user's password

Make the should_to_s and is_to_s functions to return a form of 'redacted'.

Rather than send the password hash to system logs in cases of failure or
running in --noop mode, just state whether it's the new or old hash. We're
already doing this with password changes that work, so this just brings it
inline with those, albeit via a slightly different pair of methods.
---
 ...rd-disclosure-when-changing-a-users-password.rb | 23 ++++++++++++++++++++++
 1 file changed, 23 insertions(+)
 create mode 100644 acceptance/tests/ticket_6857_password-disclosure-when-changing-a-users-password.rb

(limited to 'acceptance/tests')

diff --git a/acceptance/tests/ticket_6857_password-disclosure-when-changing-a-users-password.rb b/acceptance/tests/ticket_6857_password-disclosure-when-changing-a-users-password.rb
new file mode 100644
index 000000000..f1e100c2e
--- /dev/null
+++ b/acceptance/tests/ticket_6857_password-disclosure-when-changing-a-users-password.rb
@@ -0,0 +1,23 @@
+test_name "#6857: redact password hashes when applying in noop mode"
+
+adduser_manifest = <<MANIFEST
+user { 'passwordtestuser':
+  ensure   => 'present',
+  password => 'apassword',
+}
+MANIFEST
+
+changepass_manifest = <<MANIFEST
+user { 'passwordtestuser':
+  ensure   => 'present',
+  password => 'newpassword',
+  noop     => true,
+}
+MANIFEST
+
+apply_manifest_on(agents, adduser_manifest )
+results = apply_manifest_on(agents, changepass_manifest )
+
+results.each do |result|
+  assert_match( /current_value \[old password hash redacted\], should be \[new password hash redacted\]/ , "#{result.stdout}" )
+end
-- 
cgit