File: str2saltedpbkdf2.rb

package info (click to toggle)
puppet-module-puppetlabs-stdlib 9.4.1-1
  • links: PTS, VCS
  • area: main
  • in suites: forky, sid, trixie
  • size: 1,448 kB
  • sloc: ruby: 3,522; sh: 46; makefile: 2
file content (70 lines) | stat: -rw-r--r-- 3,101 bytes parent folder | download 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
 
# frozen_string_literal: true

# str2saltedpbkdf2.rb
#  Please note: This function is an implementation of a Ruby class and as such may not be entirely UTF8 compatible. To ensure compatibility please use this function with Ruby 2.4.0 or greater - https://bugs.ruby-lang.org/issues/10085.
#
module Puppet::Parser::Functions
  newfunction(:str2saltedpbkdf2, type: :rvalue, doc: <<-DOC
    @summary Convert a string into a salted SHA512 PBKDF2 password hash like requred for OS X / macOS 10.8+

    Convert a string into a salted SHA512 PBKDF2 password hash like requred for OS X / macOS 10.8+.
    Note, however, that Apple changes what's required periodically and this may not work for the latest
    version of macOS. If that is the case you should get a helpful error message when Puppet tries to set
    the pasword using the parameters you provide to the user resource.

    @example Plain text password and salt
      $pw_info = str2saltedpbkdf2('Pa55w0rd', 'Use a s@lt h3r3 th@t is 32 byt3s', 50000)
      user { 'jdoe':
        ensure     => present,
        iterations => $pw_info['interations'],
        password   => $pw_info['password_hex'],
        salt       => $pw_info['salt_hex'],
      }

    @example Sensitive password and salt
      $pw = Sensitive.new('Pa55w0rd')
      $salt = Sensitive.new('Use a s@lt h3r3 th@t is 32 byt3s')
      $pw_info = Sensitive.new(str2saltedpbkdf2($pw, $salt, 50000))
      user { 'jdoe':
        ensure     => present,
        iterations => unwrap($pw_info)['interations'],
        password   => unwrap($pw_info)['password_hex'],
        salt       => unwrap($pw_info)['salt_hex'],
      }

    @return [Hash]
      Provides a hash containing the hex version of the password, the hex version of the salt, and iterations.
  DOC
  ) do |args|
    require 'openssl'

    raise ArgumentError, "str2saltedpbkdf2(): wrong number of arguments (#{args.size} for 3)" if args.size != 3

    args.map! do |arg|
      if (defined? Puppet::Pops::Types::PSensitiveType::Sensitive) && (arg.is_a? Puppet::Pops::Types::PSensitiveType::Sensitive)
        arg.unwrap
      else
        arg
      end
    end

    raise ArgumentError, 'str2saltedpbkdf2(): first argument must be a string' unless args[0].is_a?(String)
    raise ArgumentError, 'str2saltedpbkdf2(): second argument must be a string' unless args[1].is_a?(String)
    raise ArgumentError, 'str2saltedpbkdf2(): second argument must be at least 8 bytes long' unless args[1].bytesize >= 8
    raise ArgumentError, 'str2saltedpbkdf2(): third argument must be an integer' unless args[2].is_a?(Integer)
    raise ArgumentError, 'str2saltedpbkdf2(): third argument must be between 40,000 and 70,000' unless args[2] > 40_000 && args[2] < 70_000

    password   = args[0]
    salt       = args[1]
    iterations = args[2]
    keylen     = 128
    digest     = OpenSSL::Digest.new('SHA512')
    hash       = OpenSSL::PKCS5.pbkdf2_hmac(password, salt, iterations, keylen, digest)

    {
      'password_hex' => hash.unpack1('H*'),
      'salt_hex' => salt.unpack1('H*'),
      'iterations' => iterations
    }
  end
end