Merge pull request #825 from infosiftr/no-hard-coded-passwords

Update "no-root-password" to test all users

test/config.sh

@@ -4,7 +4,7 @@ set -e
 globalTests=(
 	utc
 	cve-2014--shellshock
-	no-root-password
+	no-hard-coded-passwords
 )
 
 declare -A testAlias=(
@@ -113,8 +113,8 @@ declare -A globalExcludeTests=(
 	[hello-world_utc]=1
 	[swarm_utc]=1
 	
-	[hello-world_no-root-password]=1
-	[swarm_no-root-password]=1
+	[hello-world_no-hard-coded-passwords]=1
+	[swarm_no-hard-coded-passwords]=1
 
 	# no "native" dependencies
 	[ruby:slim_ruby-bundler]=1

test/tests/no-hard-coded-passwords/run.sh

@@ -0,0 +1,51 @@
+#!/bin/bash
+set -e
+
+IFS=$'\n'
+userPasswds=( $(docker run --rm --user 0:0 --entrypoint awk "$1" -F ':' '{ print $1 ":" $2 }' /etc/passwd) )
+userShadows=()
+if echo "${userPasswds[*]}" | grep -qE ':x$'; then
+	userShadows=( $(docker run --rm --user 0:0 --entrypoint awk "$1" -F ':' '{ print $1 ":" $2 }' /etc/shadow) )
+fi
+unset IFS
+
+declare -A passwds=()
+for userPasswd in "${userPasswds[@]}"; do
+	user="${userPasswd%%:*}"
+	pass="${userPasswd#*:}"
+	passwds[$user]="$pass"
+done
+for userShadow in "${userShadows[@]}"; do
+	user="${userShadow%%:*}"
+	if [ "${passwds[$user]}" = 'x' ]; then
+		pass="${userShadow#*:}"
+		passwds[$user]="$pass"
+	fi
+done
+
+ret=0
+for user in "${!passwds[@]}"; do
+	pass="${passwds[$user]}"
+
+	if [ -z "$pass" -o "$pass" = '*' ]; then
+		# '*' and '' mean no password
+		continue
+	fi
+
+	if [ "${pass:0:1}" = '!' ]; then
+		# '!anything' means "locked" password
+		#echo >&2 "warning: locked password detected for '$user': '$pass'"
+		continue
+	fi
+
+	if [ "${pass:0:1}" = '$' ]; then
+		# gotta be crypt ($id$salt$encrypted), must be a fail
+		echo >&2 "error: crypt password detected for '$user': '$pass'"
+		ret=1
+		continue
+	fi
+
+	echo >&2 "warning: garbage password detected for '$user': '$pass'"
+done
+
+exit "$ret"

test/tests/no-root-password/run.sh

@@ -1,29 +0,0 @@
-#!/bin/bash
-set -e
-
-pass="$(docker run --rm --entrypoint awk "$1" -F ':' '$1 == "root" { print $2 }' /etc/passwd)"
-
-if [ "$pass" = 'x' ]; then
-	# 'x' means password is in /etc/shadow instead
-	pass="$(docker run --rm --entrypoint awk --user root "$1" -F ':' '$1 == "root" { print $2 }' /etc/shadow)"
-fi
-
-if [ -z "$pass" -o "$pass" = '*' ]; then
-	# '*' and '' mean no password
-	exit 0
-fi
-
-if [ "${pass:0:1}" = '!' ]; then
-	# '!anything' means "locked" password
-	echo >&2 "warning: locked password detected for root: '$pass'"
-	exit 0
-fi
-
-if [ "${pass:0:1}" = '$' ]; then
-	# gotta be crypt ($id$salt$encrypted), must be a fail
-	echo >&2 "error: crypt password detected for root: '$pass'"
-	exit 1
-fi
-
-echo >&2 "warning: garbage password detected for root: '$pass'"
-exit 0