1 #! /usr/bin/env ruby -S rspec
4 describe "the pw_hash function" do
7 @enhanced_salts_supported = RUBY_PLATFORM == 'java'
10 let(:scope) { PuppetlabsSpec::PuppetInternals.scope }
13 expect(Puppet::Parser::Functions.function("pw_hash")).to eq("function_pw_hash")
16 it "should raise an ArgumentError if there are less than 3 arguments" do
17 expect { scope.function_pw_hash([]) }.to( raise_error(ArgumentError, /[Ww]rong number of arguments/) )
18 expect { scope.function_pw_hash(['password']) }.to( raise_error(ArgumentError, /[Ww]rong number of arguments/) )
19 expect { scope.function_pw_hash(['password', 'sha-512']) }.to( raise_error(ArgumentError, /[Ww]rong number of arguments/) )
22 it "should raise an ArgumentError if there are more than 3 arguments" do
23 expect { scope.function_pw_hash(['password', 'sha-512', 'salt', 5]) }.to( raise_error(ArgumentError, /[Ww]rong number of arguments/) )
26 it "should raise an ArgumentError if the first argument is not a string" do
27 expect { scope.function_pw_hash([['password'], 'sha-512', 'salt']) }.to( raise_error(ArgumentError, /first argument must be a string/) )
28 # in Puppet 3, numbers are passed as strings, so we can't test that
31 it "should return nil if the first argument is empty" do
32 expect(scope.function_pw_hash(['', 'sha-512', 'salt'])).to eq(nil)
35 it "should return nil if the first argument is undef" do
36 expect(scope.function_pw_hash([nil, 'sha-512', 'salt'])).to eq(nil)
39 it "should raise an ArgumentError if the second argument is an invalid hash type" do
40 expect { scope.function_pw_hash(['', 'invalid', 'salt']) }.to( raise_error(ArgumentError, /not a valid hash type/) )
43 it "should raise an ArgumentError if the second argument is not a string" do
44 expect { scope.function_pw_hash(['', [], 'salt']) }.to( raise_error(ArgumentError, /second argument must be a string/) )
47 it "should raise an ArgumentError if the third argument is not a string" do
48 expect { scope.function_pw_hash(['password', 'sha-512', ['salt']]) }.to( raise_error(ArgumentError, /third argument must be a string/) )
49 # in Puppet 3, numbers are passed as strings, so we can't test that
52 it "should raise an ArgumentError if the third argument is empty" do
53 expect { scope.function_pw_hash(['password', 'sha-512', '']) }.to( raise_error(ArgumentError, /third argument must not be empty/) )
56 it "should raise an ArgumentError if the third argument has invalid characters" do
57 expect { scope.function_pw_hash(['password', 'sha-512', '%']) }.to( raise_error(ArgumentError, /characters in salt must be in the set/) )
60 it "should fail on platforms with weak implementations of String#crypt" do
61 String.any_instance.expects(:crypt).with('$1$1').returns('$1SoNol0Ye6Xk')
62 expect { scope.function_pw_hash(['password', 'sha-512', 'salt']) }.to( raise_error(Puppet::ParseError, /system does not support enhanced salts/) )
65 if @enhanced_salts_supported
66 describe "on systems with enhanced salts support" do
67 it "should return a hashed password" do
68 result = scope.function_pw_hash(['password', 'sha-512', 'salt'])
69 expect(result).to eql('$6$salt$IxDD3jeSOb5eB1CX5LBsqZFVkJdido3OUILO5Ifz5iwMuTS4XMS130MTSuDDl3aCI6WouIL9AjRbLCelDCy.g.')
72 it "should use the specified salt" do
73 result = scope.function_pw_hash(['password', 'sha-512', 'salt'])
74 expect(result).to match('salt')
77 it "should use the specified hash type" do
78 resultmd5 = scope.function_pw_hash(['password', 'md5', 'salt'])
79 resultsha256 = scope.function_pw_hash(['password', 'sha-256', 'salt'])
80 resultsha512 = scope.function_pw_hash(['password', 'sha-512', 'salt'])
82 expect(resultmd5).to eql('$1$salt$qJH7.N4xYta3aEG/dfqo/0')
83 expect(resultsha256).to eql('$5$salt$Gcm6FsVtF/Qa77ZKD.iwsJlCVPY0XSMgLJL0Hnww/c1')
84 expect(resultsha512).to eql('$6$salt$IxDD3jeSOb5eB1CX5LBsqZFVkJdido3OUILO5Ifz5iwMuTS4XMS130MTSuDDl3aCI6WouIL9AjRbLCelDCy.g.')
87 it "should generate a valid hash" do
88 password_hash = scope.function_pw_hash(['password', 'sha-512', 'salt'])
90 hash_parts = password_hash.match(%r{\A\$(.*)\$([a-zA-Z0-9./]+)\$([a-zA-Z0-9./]+)\z})
92 expect(hash_parts).not_to eql(nil)