From 111a4b546dd1bcaab182d5c8ad694404c2c2f91c Mon Sep 17 00:00:00 2001
From: Ben Hughes
Date: Fri, 1 Apr 2011 15:23:14 +1100
Subject: (#6857) Password disclosure when changing a user's password

Make the should_to_s and is_to_s functions to return a form of 'redacted'. Rather than send the password hash to system logs in cases of failure or running in --noop mode, just state whether it's the new or old hash. We're already doing this with password changes that work, so this just brings it inline with those, albeit via a slightly different pair of methods.
---
 spec/unit/type/user_spec.rb | 8 ++++++++
 1 file changed, 8 insertions(+)
(limited to 'spec/unit')

diff --git a/spec/unit/type/user_spec.rb b/spec/unit/type/user_spec.rb
index 5a84af443..594802c6e 100755
--- a/spec/unit/type/user_spec.rb
+++ b/spec/unit/type/user_spec.rb
@@ -290,6 +290,14 @@ describe user do
     @password.change_to_s("other", "mypass").should_not be_include("mypass")
   end
 
+  it "should redact the password when displaying the old value" do
+    @password.is_to_s("currentpassword").should =~ /^\[old password hash redacted\]$/
+  end
+
+  it "should redact the password when displaying the new value" do
+    @password.should_to_s("newpassword").should =~ /^\[new password hash redacted\]$/
+  end
+
   it "should fail if a ':' is included in the password" do
     lambda { @password.should = "some:thing" }.should raise_error(Puppet::Error)
   end
-- 
cgit
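Review bot: The two new assertions on the `is_to_s` and `should_to_s` lines do not actually prove the hash is absent from the output, which is the disclosure the commit is fixing: `^` and `$` in a Ruby regex match at line boundaries, so a multi-line return value that carried both the real hash and the "[... redacted]" marker on separate lines would still satisfy `=~`. Since the expected value is a fixed string, compare it exactly, `@password.is_to_s("currentpassword").should == "[old password hash redacted]"` and `@password.should_to_s("newpassword").should == "[new password hash redacted]"`, or at minimum anchor with `\A`/`\z`. It would also be consistent with the existing `change_to_s` example just above, which asserts `should_not be_include("mypass")`, to add the same negative check for "currentpassword" and "newpassword" so the specs guard the leak directly rather than only the marker text. The enclosing `describe user do` block starts and ends outside the hunk.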