
Merge pull request #825 from infosiftr/no-hard-coded-passwords

Update "no-root-password" to test all users
yosifkit 10 年之前
父节点
当前提交
0c7702b331
共有 3 个文件被更改,包括 54 次插入32 次删除
  1. 3 3
      test/config.sh
  2. 51 0
      test/tests/no-hard-coded-passwords/run.sh
  3. 0 29
      test/tests/no-root-password/run.sh

+ 3 - 3
test/config.sh

@@ -4,7 +4,7 @@ set -e
 globalTests=(
 	utc
 	cve-2014--shellshock
-	no-root-password
+	no-hard-coded-passwords
 )
 
 declare -A testAlias=(
@@ -113,8 +113,8 @@ declare -A globalExcludeTests=(
 	[hello-world_utc]=1
 	[swarm_utc]=1
 	
-	[hello-world_no-root-password]=1
-	[swarm_no-root-password]=1
+	[hello-world_no-hard-coded-passwords]=1
+	[swarm_no-hard-coded-passwords]=1
 
 	# no "native" dependencies
 	[ruby:slim_ruby-bundler]=1

+ 51 - 0
test/tests/no-hard-coded-passwords/run.sh

@@ -0,0 +1,51 @@
+#!/bin/bash
+set -e
+
+IFS=$'\n'
+userPasswds=( $(docker run --rm --user 0:0 --entrypoint awk "$1" -F ':' '{ print $1 ":" $2 }' /etc/passwd) )
+userShadows=()
+if echo "${userPasswds[*]}" | grep -qE ':x$'; then
+	userShadows=( $(docker run --rm --user 0:0 --entrypoint awk "$1" -F ':' '{ print $1 ":" $2 }' /etc/shadow) )
+fi
+unset IFS
+
+declare -A passwds=()
+for userPasswd in "${userPasswds[@]}"; do
+	user="${userPasswd%%:*}"
+	pass="${userPasswd#*:}"
+	passwds[$user]="$pass"
+done
+for userShadow in "${userShadows[@]}"; do
+	user="${userShadow%%:*}"
+	if [ "${passwds[$user]}" = 'x' ]; then
+		pass="${userShadow#*:}"
+		passwds[$user]="$pass"
+	fi
+done
+
+ret=0
+for user in "${!passwds[@]}"; do
+	pass="${passwds[$user]}"
+
+	if [ -z "$pass" -o "$pass" = '*' ]; then
+		# '*' and '' mean no password
+		continue
+	fi
+
+	if [ "${pass:0:1}" = '!' ]; then
+		# '!anything' means "locked" password
+		#echo >&2 "warning: locked password detected for '$user': '$pass'"
+		continue
+	fi
+
+	if [ "${pass:0:1}" = '$' ]; then
+		# gotta be crypt ($id$salt$encrypted), must be a fail
+		echo >&2 "error: crypt password detected for '$user': '$pass'"
+		ret=1
+		continue
+	fi
+
+	echo >&2 "warning: garbage password detected for '$user': '$pass'"
+done
+
+exit "$ret"
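Review bot: The fall-through branch at the end of the loop (`echo >&2 "warning: garbage password detected for '$user': '$pass'"`) leaves `ret` at 0, so any hash that does not begin with `$` — a traditional 13-character DES crypt value, for instance — is only warned about and the test still passes, which undercuts the stated goal of rejecting every hard-coded password. Because `''`, `*` and `!…` are already dispatched above, whatever reaches that line is an unrecognised non-empty password field and should fail closed: `echo >&2 "error: unrecognized password field for '$user': '$pass'"` followed by `ret=1`. Separately, the two array assignments from `$(docker run …)` at the top are unquoted, so each line is still subject to pathname expansion and a `root:*` entry can be rewritten by a matching file in the working directory; `mapfile -t userPasswds < <(docker run …)` (and likewise for `userShadows`) removes both the glob hazard and the `IFS` juggling. It may also be worth re-enabling the commented-out warning in the locked branch, since a `!`-prefixed value can still carry a usable hash after the `!`.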

+ 0 - 29
test/tests/no-root-password/run.sh

@@ -1,29 +0,0 @@
-#!/bin/bash
-set -e
-
-pass="$(docker run --rm --entrypoint awk "$1" -F ':' '$1 == "root" { print $2 }' /etc/passwd)"
-
-if [ "$pass" = 'x' ]; then
-	# 'x' means password is in /etc/shadow instead
-	pass="$(docker run --rm --entrypoint awk --user root "$1" -F ':' '$1 == "root" { print $2 }' /etc/shadow)"
-fi
-
-if [ -z "$pass" -o "$pass" = '*' ]; then
-	# '*' and '' mean no password
-	exit 0
-fi
-
-if [ "${pass:0:1}" = '!' ]; then
-	# '!anything' means "locked" password
-	echo >&2 "warning: locked password detected for root: '$pass'"
-	exit 0
-fi
-
-if [ "${pass:0:1}" = '$' ]; then
-	# gotta be crypt ($id$salt$encrypted), must be a fail
-	echo >&2 "error: crypt password detected for root: '$pass'"
-	exit 1
-fi
-
-echo >&2 "warning: garbage password detected for root: '$pass'"
-exit 0