pw_hash bcrypt-a does not work anymore
rwaffen opened this issue · 3 comments
rwaffen commented
Describe the Bug
In stdlib 8.6.0 I could do something like this:

    user { 'bcrypt_user':
      ensure   => present,
      password => pw_hash('password', 'bcrypt-a', '10$ABCDE.bcrypt.fixedsalt'),
    }

In stdlib 9.3.0 I get this:

    Info: Loading facts
    Error: Could not retrieve catalog from remote server: Error 500 on SERVER: Server Error: Evaluation Error: Error while evaluating a Method call, Invalid salt value: $2a$10$ABCDE.bcrypt.fixedsalt (file: /etc/puppetlabs/code/environments/production/manifests/site.pp, line: 28, column: 45) on node puppet.example.com
    Warning: Not using cache on failed catalog
    Error: Could not retrieve catalog; skipping run

https://github.com/puppetlabs/puppetlabs-stdlib/blob/main/lib/puppet/parser/functions/pw_hash.rb
When I change this block, it works again.

9.3.0, not working:

    # handle weak implementations of String#crypt
    # dup the string to get rid of frozen status for testing
    if RUBY_PLATFORM == 'java'
      # puppetserver bundles Apache Commons Codec
      org.apache.commons.codec.digest.Crypt.crypt(password.to_java_bytes, salt)
    elsif (+'test').crypt('$1$1') == '$1$1$Bp8CU9Oujr9SSEw53WV6G.'
      password.crypt(salt)
    else
      # JRuby < 1.7.17
      # MS Windows and other systems that don't support enhanced salts
      raise Puppet::ParseError, 'system does not support enhanced salts'
    end

8.6.0, working:

    # handle weak implementations of String#crypt
    # dup the string to get rid of frozen status for testing
    if ('test'.dup).crypt('$1$1') != '$1$1$Bp8CU9Oujr9SSEw53WV6G.'
      # JRuby < 1.7.17
      # MS Windows and other systems that don't support enhanced salts
      raise Puppet::ParseError, 'system does not support enhanced salts' unless RUBY_PLATFORM == 'java'
      # puppetserver bundles Apache Commons Codec
      org.apache.commons.codec.digest.Crypt.crypt(password.to_java_bytes, salt)
    else
      password.crypt(salt)
    end

rwaffen commented
bump ... any news here?
ekohl commented
Looks like it was changed in 8d525d2. Perhaps @david22swan can take a look.
TuningYourCode commented
It seems to affect all bcrypt (not only bcrypt-a). According to the documentation of org.apache.commons.codec.digest.Crypt.crypt, it also does not support bcrypt.
Looking at the source code, it also seems that it's not supported, and not only forgotten in the documentation. Crypt.java
Patched the if to:

    if RUBY_PLATFORM == 'java' && !args[1].downcase.start_with?('bcrypt')

which seems to work for us.
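
The backend choice made by the three variants of the branch quoted in this thread (8.6.0, 9.3.0, and 9.3.0 with the condition from the last comment) can be compared side by side. This is an added example, not puppetlabs-stdlib code: the function names, the returned symbols, the `probe_ok` flag and the use of ArgumentError in place of Puppet::ParseError are assumptions made for illustration.

```ruby
# Added example, not puppetlabs-stdlib code. All names here are hypothetical.
# probe_ok stands for the result of the String#crypt probe in the snippets:
#   (+'test').crypt('$1$1') == '$1$1$Bp8CU9Oujr9SSEw53WV6G.'
# ArgumentError stands in for Puppet::ParseError so this runs without Puppet.

UNSUPPORTED = 'system does not support enhanced salts'

# 8.6.0: prefer String#crypt; use Commons Codec only on JRuby when the probe fails.
def backend_8_6_0(_type, platform:, probe_ok:)
  return :string_crypt if probe_ok
  raise ArgumentError, UNSUPPORTED unless platform == 'java'
  :commons_codec
end

# 9.3.0: always use Commons Codec on JRuby, whatever the hash type.
def backend_9_3_0(_type, platform:, probe_ok:)
  return :commons_codec if platform == 'java'
  return :string_crypt if probe_ok
  raise ArgumentError, UNSUPPORTED
end

# 9.3.0 plus the condition from the last comment: bcrypt types skip Commons Codec.
def backend_patched(type, platform:, probe_ok:)
  return :commons_codec if platform == 'java' && !type.downcase.start_with?('bcrypt')
  return :string_crypt if probe_ok
  raise ArgumentError, UNSUPPORTED
end

# Hash types whose backend differs between two variants in one environment.
def changed_types(old, new, types, platform:, probe_ok:)
  types.reject do |t|
    method(old).call(t, platform: platform, probe_ok: probe_ok) ==
      method(new).call(t, platform: platform, probe_ok: probe_ok)
  end
end

# Constructed sample: 'bcrypt-a' is from the report, 'sha-512' is another pw_hash type.
TYPES = %w[sha-512 bcrypt-a].freeze
```

With `platform: 'java'` and `probe_ok: true` (an assumption about puppetserver), `changed_types(:backend_8_6_0, :backend_9_3_0, TYPES, ...)` lists both types, while comparing 8.6.0 against the patched variant lists only `sha-512`, so bcrypt goes back to the path that worked in 8.6.0.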