random_password.bcrypt_hash is incorrect since 3.4.0 #307

Closed

marcus-bcl opened this issue Sep 2, 2022 · 2 comments · Fixed by #308

@marcus-bcl

Terraform CLI and Provider Versions

Terraform v1.2.8
on linux_amd64

  • provider registry.terraform.io/hashicorp/random v3.4.0

Terraform Configuration

```
resource "random_password" "password" {
  length = 32
}

output "result" {
  value     = random_password.password.result
  sensitive = true
}

# THIS DOES NOT WORK
output "bcrypt_hash" {
  value     = random_password.password.bcrypt_hash
  sensitive = true
}

# THIS WORKS
output "function_hash" {
  value     = bcrypt(random_password.password.result)
  sensitive = true
}
```

Expected Behavior

The result output can be verified against the bcrypt_hash output, e.g. using https://gchq.github.io/CyberChef/#recipe=Bcrypt_compare('')

Actual Behavior

The bcrypt_hash is not a valid hash of result.

Steps to Reproduce

  1. terraform apply
  2. terraform output bcrypt_hash
  3. terraform output result
  4. Check whether bcrypt_hash is a valid hash of result

How much impact is this issue causing?

Medium

Logs

No response

Additional Information

This worked in 3.3.2, but is broken in 3.4.0+.

Note: the bcrypt(...) function still works as expected; however, it generates a new hash on each apply. The following workaround can be used to get a static hash:

```
# Requires the hashicorp/null provider. The hash is computed once, stored in
# the trigger map, and then pinned in state by ignore_changes so later applies
# do not re-run bcrypt() with a fresh salt.
resource "null_resource" "password" {
  triggers = {
    result      = random_password.password.result
    bcrypt_hash = bcrypt(random_password.password.result)
  }
  lifecycle {
    ignore_changes = [triggers["bcrypt_hash"]]
  }
}

# The value derives from the sensitive random_password result, so the output
# must be marked sensitive as well or Terraform refuses to export it.
output "bcrypt_hash" {
  value     = null_resource.password.triggers["bcrypt_hash"]
  sensitive = true
}
```

@marcus-bcl marcus-bcl added the bug label Sep 2, 2022
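A configuration for use once the fix is available, added here as an example; it is not part of the original issue or of the provider's own code. It pins hashicorp/random to a version line that carries the #308 fix and reads `bcrypt_hash` directly from the resource instead of going through the null_resource workaround. The `required_version` constraint and the `keepers` value are assumptions chosen for illustration.

```hcl
terraform {
  # Assumed minimum; the issue was reported on Terraform v1.2.8.
  required_version = ">= 1.2.0"

  required_providers {
    random = {
      source = "hashicorp/random"
      # 3.4.0 through 3.4.2 derive bcrypt_hash from the wrong input (this issue).
      # 3.4.3 is the milestone the fix in #308 was assigned to.
      version = ">= 3.4.3, < 4.0.0"
    }
  }
}

resource "random_password" "password" {
  length = 32

  # Assumed rotation handle: changing any keeper value forces a new password
  # and, with it, a freshly computed bcrypt_hash.
  keepers = {
    rotation = "1"
  }
}

# The provider computes bcrypt_hash when the password is generated and stores
# it in state, so the value is stable across applies. The bcrypt() function,
# by contrast, picks a new salt on every evaluation and so yields a new hash
# each time it is planned.
output "bcrypt_hash" {
  value     = random_password.password.bcrypt_hash
  sensitive = true
}

output "result" {
  value     = random_password.password.result
  sensitive = true
}
```

Read both values with `terraform output -raw result` and `terraform output -raw bcrypt_hash` and verify them against each other with any bcrypt implementation (the CyberChef recipe linked above will do). If a resource created under 3.4.0 to 3.4.2 still carries a hash that does not verify after the upgrade, `terraform apply -replace=random_password.password` forces the resource to be recreated with a matching pair.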
@bflad (Contributor)

bflad commented Sep 2, 2022

Hi @marcus-bcl 👋 Thank you for raising this and sorry you are running into trouble with this. I have been able to reproduce on 3.4.2 and believe I found a root cause. I will ensure there is additional testing for this functionality and submit a fix for it shortly.

@bflad bflad added this to the v3.4.3 milestone Sep 2, 2022
bflad added a commit that referenced this issue Sep 2, 2022
Reference: #307

This change fixes the source of the `bcrypt_hash` generation to being the result of the random password generation. The issue was introduced in v3.4.0.

Previously:

```
--- FAIL: TestAccResourcePassword_BcryptHash (0.63s)
    /Users/bflad/src/github.com/hashicorp/terraform-provider-random/internal/provider/resource_password_test.go:107: Step 1/1 error: Check failed: Check 3/3 error: crypto/bcrypt: hashedPassword is not the hash of the given password
```

Suggested CHANGELOG:

```
NOTES:

* resource/random_password: If the resource was created between versions 3.4.0 and 3.4.2, the `bcrypt_hash` value will not correctly verify against the `result` value. Use `terraform taint` or `terraform apply -replace` to trigger resource recreation with this version.

BUG FIXES:

* resource/random_password: Fixed incorrect `bcrypt_hash` generation since version 3.4.0
```
@bflad bflad closed this as completed in #308 Sep 6, 2022
bflad added a commit that referenced this issue Sep 6, 2022
Reference: #307

This change fixes the source of the `bcrypt_hash` generation to being the result of the random password generation. The issue was introduced in v3.4.0.

Previously:

```
--- FAIL: TestAccResourcePassword_BcryptHash (0.63s)
    /Users/bflad/src/github.com/hashicorp/terraform-provider-random/internal/provider/resource_password_test.go:107: Step 1/1 error: Check failed: Check 3/3 error: crypto/bcrypt: hashedPassword is not the hash of the given password
```

Suggested CHANGELOG:

```
NOTES:

* resource/random_password: If the resource was created between versions 3.4.0 and 3.4.2, the `bcrypt_hash` value would not correctly verify against the `result` value. Affected resources will automatically regenerate a valid `bcrypt_hash` after this upgrade.

BUG FIXES:

* resource/random_password: Fixed incorrect `bcrypt_hash` generation since version 3.4.0
```
@github-actions github-actions bot locked as resolved and limited conversation to collaborators May 23, 2024