| 1 | Puppet::Parser::Functions::newfunction(
|
|---|
| 2 | :pw_hash,
|
|---|
| 3 | :type => :rvalue,
|
|---|
| 4 | :arity => 3,
|
|---|
| 5 | :doc => "Hashes a password using the crypt function. Provides a hash
|
|---|
| 6 | usable on most POSIX systems.
|
|---|
| 7 |
|
|---|
| 8 | The first argument to this function is the password to hash. If it is
|
|---|
| 9 | undef or an empty string, this function returns undef.
|
|---|
| 10 |
|
|---|
| 11 | The second argument to this function is which type of hash to use. It
|
|---|
| 12 | will be converted into the appropriate crypt(3) hash specifier. Valid
|
|---|
| 13 | hash types are:
|
|---|
| 14 |
|
|---|
| 15 | |Hash type |Specifier|
|
|---|
| 16 | |---------------------|---------|
|
|---|
| 17 | |MD5 |1 |
|
|---|
| 18 | |SHA-256 |5 |
|
|---|
| 19 | |SHA-512 (recommended)|6 |
|
|---|
| 20 |
|
|---|
| 21 | The third argument to this function is the salt to use.
|
|---|
| 22 |
|
|---|
| 23 | Note: this uses the Puppet Master's implementation of crypt(3). If your
|
|---|
| 24 | environment contains several different operating systems, ensure that they
|
|---|
| 25 | are compatible before using this function.") do |args|
|
|---|
| 26 | raise ArgumentError, "pw_hash(): wrong number of arguments (#{args.size} for 3)" if args.size != 3
|
|---|
| 27 | raise ArgumentError, "pw_hash(): first argument must be a string" unless args[0].is_a? String or args[0].nil?
|
|---|
| 28 | raise ArgumentError, "pw_hash(): second argument must be a string" unless args[1].is_a? String
|
|---|
| 29 | hashes = { 'md5' => '1',
|
|---|
| 30 | 'sha-256' => '5',
|
|---|
| 31 | 'sha-512' => '6' }
|
|---|
| 32 | hash_type = hashes[args[1].downcase]
|
|---|
| 33 | raise ArgumentError, "pw_hash(): #{args[1]} is not a valid hash type" if hash_type.nil?
|
|---|
| 34 | raise ArgumentError, "pw_hash(): third argument must be a string" unless args[2].is_a? String
|
|---|
| 35 | raise ArgumentError, "pw_hash(): third argument must not be empty" if args[2].empty?
|
|---|
| 36 | raise ArgumentError, "pw_hash(): characters in salt must be in the set [a-zA-Z0-9./]" unless args[2].match(/\A[a-zA-Z0-9.\/]+\z/)
|
|---|
| 37 |
|
|---|
| 38 | password = args[0]
|
|---|
| 39 | return nil if password.nil? or password.empty?
|
|---|
| 40 |
|
|---|
| 41 | salt = "$#{hash_type}$#{args[2]}"
|
|---|
| 42 |
|
|---|
| 43 | # handle weak implementations of String#crypt
|
|---|
| 44 | if 'test'.crypt('$1$1') != '$1$1$Bp8CU9Oujr9SSEw53WV6G.'
|
|---|
| 45 | # JRuby < 1.7.17
|
|---|
| 46 | if RUBY_PLATFORM == 'java'
|
|---|
| 47 | # puppetserver bundles Apache Commons Codec
|
|---|
| 48 | org.apache.commons.codec.digest.Crypt.crypt(password.to_java_bytes, salt)
|
|---|
| 49 | else
|
|---|
| 50 | # MS Windows and other systems that don't support enhanced salts
|
|---|
| 51 | raise Puppet::ParseError, 'system does not support enhanced salts'
|
|---|
| 52 | end
|
|---|
| 53 | else
|
|---|
| 54 | password.crypt(salt)
|
|---|
| 55 | end
|
|---|
| 56 | end
|
|---|
