puppetlabs / puppetlabs-stdlib

Puppet Labs Standard Library module
http://forge.puppetlabs.com/puppetlabs/stdlib
Apache License 2.0

pw_hash bcrypt-a does not work anymore #1389

Closed rwaffen closed 8 months ago

rwaffen commented 1 year ago

Describe the Bug

In stdlib 8.6.0 I could do something like this:

  user { 'bcrypt_user':
    ensure   => present,
    password => pw_hash('password', 'bcrypt-a', '10$ABCDE.bcrypt.fixedsalt'),
  }

In stdlib 9.3.0 I get this:

Info: Loading facts
Error: Could not retrieve catalog from remote server: Error 500 on SERVER: Server Error: Evaluation Error: Error while evaluating a Method call, Invalid salt value: $2a$10$ABCDE.bcrypt.fixedsalt (file: /etc/puppetlabs/code/environments/production/manifests/site.pp, line: 28, column: 45) on node puppet.example.com
Warning: Not using cache on failed catalog
Error: Could not retrieve catalog; skipping run

https://github.com/puppetlabs/puppetlabs-stdlib/blob/main/lib/puppet/parser/functions/pw_hash.rb: when I change this block, it works again.

9.3.0 not working

  # handle weak implementations of String#crypt
  # dup the string to get rid of frozen status for testing
  if RUBY_PLATFORM == 'java'
    # puppetserver bundles Apache Commons Codec
    org.apache.commons.codec.digest.Crypt.crypt(password.to_java_bytes, salt)
  elsif (+'test').crypt('$1$1') == '$1$1$Bp8CU9Oujr9SSEw53WV6G.'
    password.crypt(salt)
  else
    # JRuby < 1.7.17
    # MS Windows and other systems that don't support enhanced salts
    raise Puppet::ParseError, 'system does not support enhanced salts'
  end

8.6.0 working

  # handle weak implementations of String#crypt
  # dup the string to get rid of frozen status for testing
  if ('test'.dup).crypt('$1$1') != '$1$1$Bp8CU9Oujr9SSEw53WV6G.'
    # JRuby < 1.7.17
    # MS Windows and other systems that don't support enhanced salts
    raise Puppet::ParseError, 'system does not support enhanced salts' unless RUBY_PLATFORM == 'java'
    # puppetserver bundles Apache Commons Codec
    org.apache.commons.codec.digest.Crypt.crypt(password.to_java_bytes, salt)
  else
    password.crypt(salt)
  end

rwaffen commented 1 year ago

bump ... any news here?

ekohl commented 1 year ago

Looks like it was changed in https://github.com/puppetlabs/puppetlabs-stdlib/commit/8d525d24a510d377b29a2aed2654ed2de854b94f. Perhaps @david22swan can take a look.

TuningYourCode commented 1 year ago

It seems to affect all bcrypt variants (not only bcrypt-a). According to the documentation of org.apache.commons.codec.digest.Crypt.crypt, it also does not support bcrypt.

Looking at the source code, it also seems that it's not supported, and not just missing from the documentation: Crypt.java

Patched the if to "if RUBY_PLATFORM == 'java' && !args[1].downcase.start_with?('bcrypt')", which seems to work for us.
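The following is an added example, not code from puppetlabs-stdlib or from any commenter above. It models the two parts of pw_hash that this issue turns on: building the crypt(3) salt string from the hash type (the report shows 'bcrypt-a' becoming "$2a$10$ABCDE.bcrypt.fixedsalt") and choosing a backend, with the 9.3.0 dispatch beside the patched dispatch from the last comment. The Commons Codec and String#crypt backends are stand-ins whose behaviour is assumed (Commons Codec accepting MD5/SHA-256/SHA-512 salts and rejecting bcrypt with "Invalid salt value"), so it runs on plain MRI without JRuby. The prefix table beyond bcrypt-a is also an assumption about stdlib's mapping.

```ruby
# Added example; not code from puppetlabs-stdlib. Models salt construction and
# backend dispatch in pw_hash so the regression can be reproduced without JRuby.

# Salt prefixes per hash type. Only 'bcrypt-a' => '$2a$' is confirmed by the
# error in the report; the other rows follow crypt(3) convention and are an
# assumption about stdlib's table.
HASH_PREFIXES = {
  'md5'      => '$1$',
  'sha-256'  => '$5$',
  'sha-512'  => '$6$',
  'bcrypt'   => '$2b$',
  'bcrypt-a' => '$2a$',
  'bcrypt-x' => '$2x$',
  'bcrypt-y' => '$2y$',
}.freeze

def build_salt(hash_type, salt)
  prefix = HASH_PREFIXES.fetch(hash_type.downcase) do
    raise ArgumentError, "unsupported hash type: #{hash_type}"
  end
  prefix + salt
end

# Stand-in for org.apache.commons.codec.digest.Crypt.crypt (assumed behaviour):
# handles MD5/SHA-256/SHA-512 salts, rejects everything else, including bcrypt,
# with the "Invalid salt value" message seen in the report.
COMMONS_CODEC_PREFIXES = ['$1$', '$5$', '$6$'].freeze

def commons_codec_crypt(password, salt)
  unless COMMONS_CODEC_PREFIXES.any? { |p| salt.start_with?(p) }
    raise ArgumentError, "Invalid salt value: #{salt}"
  end
  "#{salt}<stand-in hash of #{password.length} chars>" # constructed placeholder output
end

# Stand-in for String#crypt on a libc with enhanced-salt support.
def string_crypt(password, salt)
  "#{salt}<stand-in hash of #{password.length} chars>" # constructed placeholder output
end

BACKENDS = { commons_codec: method(:commons_codec_crypt),
             string_crypt:  method(:string_crypt) }.freeze

# Dispatch as in stdlib 9.3.0: on JRuby every hash type goes to Commons Codec,
# which is why bcrypt salts fail there.
def select_backend_930(_hash_type, platform)
  platform == 'java' ? :commons_codec : :string_crypt
end

# Dispatch with the patch from the last comment: bcrypt variants bypass
# Commons Codec even on JRuby.
def select_backend_patched(hash_type, platform)
  if platform == 'java' && !hash_type.downcase.start_with?('bcrypt')
    :commons_codec
  else
    :string_crypt
  end
end

# pw_hash-like entry point with the dispatcher injected so both variants can
# be exercised side by side on any platform.
def pw_hash_with(dispatcher, password, hash_type, salt, platform: RUBY_PLATFORM)
  full_salt = build_salt(hash_type, salt)
  backend = dispatcher.call(hash_type, platform)
  BACKENDS.fetch(backend).call(password, full_salt)
end

if $PROGRAM_NAME == __FILE__
  args = ['password', 'bcrypt-a', '10$ABCDE.bcrypt.fixedsalt'] # from the report
  begin
    puts pw_hash_with(method(:select_backend_930), *args, platform: 'java')
  rescue ArgumentError => e
    puts "9.3.0 dispatch on JRuby: #{e.message}"
  end
  puts "patched dispatch on JRuby: #{pw_hash_with(method(:select_backend_patched), *args, platform: 'java')}"
end
```

Run as a script it prints the "Invalid salt value: $2a$10$ABCDE.bcrypt.fixedsalt" failure for the 9.3.0 dispatch and a result for the patched one; the same sha-512 request still reaches the Commons Codec stand-in under the patch, which is the property the patch has to preserve for puppetserver.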