pw_hash: add support for bcrypt variants

This is the hash algorithm used by default by Elasticsearch among others

Author: kjetilho

lib/puppet/parser/functions/pw_hash.rb

@@ -19,11 +19,15 @@
   will be converted into the appropriate crypt(3) hash specifier. Valid
   hash types are:
 
-  |Hash type            |Specifier|
-  |---------------------|---------|
-  |MD5                  |1        |
-  |SHA-256              |5        |
-  |SHA-512 (recommended)|6        |
+  |Hash type|Prefix|Note                |
+  |---------|------|--------------------|
+  |MD5      |1     |                    |
+  |SHA-256  |5     |                    |
+  |SHA-512  |6     |Recommended         |
+  |bcrypt   |2b    |                    |
+  |bcrypt-a |2a    |bug compatible      |
+  |bcrypt-x |2x    |bug compatible      |
+  |bcrypt-y |2y    |historic alias to 2b|
 
   The third argument to this function is the salt to use.
 
@@ -43,21 +47,31 @@
       arg
     end
   end
+
+  hashes = {
+    'md5'       => { :prefix => '1' },
+    'sha-256'   => { :prefix => '5' },
+    'sha-512'   => { :prefix => '6' },
+    'bcrypt'    => { :prefix => '2b', :salt => %r{^[0-9]{2}\$[./A-Za-z0-9]{22}} },
+    'bcrypt-a'  => { :prefix => '2a', :salt => %r{^[0-9]{2}\$[./A-Za-z0-9]{22}} },
+    'bcrypt-x'  => { :prefix => '2x', :salt => %r{^[0-9]{2}\$[./A-Za-z0-9]{22}} },
+    'bcrypt-y'  => { :prefix => '2y', :salt => %r{^[0-9]{2}\$[./A-Za-z0-9]{22}} },
+  }
+
   raise ArgumentError, 'pw_hash(): first argument must be a string' unless args[0].is_a?(String) || args[0].nil?
   raise ArgumentError, 'pw_hash(): second argument must be a string' unless args[1].is_a? String
-  hashes = { 'md5'     => '1',
-             'sha-256' => '5',
-             'sha-512' => '6' }
   hash_type = hashes[args[1].downcase]
   raise ArgumentError, "pw_hash(): #{args[1]} is not a valid hash type" if hash_type.nil?
   raise ArgumentError, 'pw_hash(): third argument must be a string' unless args[2].is_a? String
   raise ArgumentError, 'pw_hash(): third argument must not be empty' if args[2].empty?
-  raise ArgumentError, 'pw_hash(): characters in salt must be in the set [a-zA-Z0-9./]' unless %r{\A[a-zA-Z0-9./]+\z}.match?(args[2])
+  salt_doc = hash_type.include?(:salt) ? "match #{hash_type[:salt]}" : 'be in the set [a-zA-Z0-9./]'
+  salt_regex = hash_type.fetch(:salt, %r{\A[a-zA-Z0-9./]+\z})
+  raise ArgumentError, "pw_hash(): characters in salt must #{salt_doc}" unless salt_regex.match?(args[2])
 
   password = args[0]
   return nil if password.nil? || password.empty?
 
-  salt = "$#{hash_type}$#{args[2]}"
+  salt = "$#{hash_type[:prefix]}$#{args[2]}"
 
   # handle weak implementations of String#crypt
   # dup the string to get rid of frozen status for testing

spec/functions/pw_hash_spec.rb

@@ -52,6 +52,13 @@
 
   context 'when the third argument contains invalid characters' do
     it { is_expected.to run.with_params('password', 'sha-512', 'one%').and_raise_error(ArgumentError, %r{characters in salt must be in the set}) }
+    it { is_expected.to run.with_params('password', 'bcrypt', '1234').and_raise_error(ArgumentError, %r{characters in salt must match}) }
+  end
+
+  context 'when run' do
+    it { is_expected.to run.with_params('password', 'sha-512', '1234').and_return(%r{^\$6\$1234\$}) }
+    it { is_expected.to run.with_params('password', 'bcrypt', '05$abcdefghijklmnopqrstuv').and_return(%r{^\$2b\$05\$abcdefghijklmnopqrstu}) }
+    it { is_expected.to run.with_params('password', 'bcrypt-y', '05$abcdefghijklmnopqrstuv').and_return(%r{^\$2y\$05\$abcdefghijklmnopqrstu}) }
   end
 
   context 'when running on a platform with a weak String#crypt implementation' do