CKS: generate a strong random password for CKS user #11637
Conversation
|
@blueorangutan package |
|
@weizhouapache a [SL] Jenkins job has been kicked to build packages. It will be bundled with KVM, XenServer and VMware SystemVM templates. I'll keep you posted as I make progress. |
Codecov Report❌ Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## 4.20 #11637 +/- ##
============================================
- Coverage 16.17% 16.17% -0.01%
- Complexity 13298 13299 +1
============================================
Files 5656 5656
Lines 498151 498159 +8
Branches 60441 60443 +2
============================================
Hits 80589 80589
- Misses 408591 408597 +6
- Partials 8971 8973 +2
Flags with carried forward coverage won't be shown. Click here to find out more. ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
|
| protected String generateRandomUserPassword(Long domainId) { | ||
| Integer passwordPolicyMinimumLength = PasswordPolicy.PasswordPolicyMinimumLength.valueIn(domainId); | ||
| if (passwordPolicyMinimumLength == null || passwordPolicyMinimumLength < CKS_USER_MIN_PASSWORD_LENGTH) { | ||
| passwordPolicyMinimumLength = CKS_USER_MIN_PASSWORD_LENGTH; |
There was a problem hiding this comment.
operator doesn't know that the min length is implicitly set here if it's configured between 1 and 11. Update the config description that min 12 length is considered for CKS users, or better we restrict the min length to be >= 12 for all (to be strong for all cases).
There was a problem hiding this comment.
@sureshanaparti
I do not understand your concern
this is used to generate a strong random password for CKS user (the password is unknown for every one)
There was a problem hiding this comment.
@weizhouapache not the password, the minimum length considered for generating it (as the config setting is overridden if it set between 1 and 11)
There was a problem hiding this comment.
I think nobody will care about the length of password of CKS user, as nobody knows and uses the password.
12 is good enough in my opinion. But if user wants to have user passwords with more length, just respect it.
There was a problem hiding this comment.
as you are addressing it, better not allow less than 10 as minimum length for passwords (if not in 4.20.2, we can address in 4.22, need to add a check for config)
There was a problem hiding this comment.
actually CKS user password policy check is ignored, that's the main change of this PR
if (!User.Source.CKS.equals(source)) {
passwordPolicy.verifyIfPasswordCompliesWithPasswordPolicies(password, userName, getAccount(accountId).getDomainId());
}
the password policy check has several checks (regex, username, min length, min uppcase, min lowercase, min digits)
ideally there should be a method to generate a random password which matches all the password requirements, it looks difficult so far.
|
closed this ticket, let's revisit later |
There was a problem hiding this comment.
Got closed too soon! Code looks good to me. Thanks @weizhouapache for the fix
If possible, this can be included in 4.20.2
thanks @shwstppr 😄 This could still be improved. I created a simple PR #11639 for quick fix |
|
Packaging result [SF]: ✖️ el8 ✖️ el9 ✔️ debian ✖️ suse15. SL-JID 15009 |
Description
This PR fixes #11626
Types of changes
Feature/Enhancement Scale or Bug Severity
Feature/Enhancement Scale
Bug Severity
Screenshots (if appropriate):
How Has This Been Tested?
How did you try to break this feature and the system with this change?