Improve password validity check.
Allow use of characters that no longer cause trouble. Check for leading and trailing characters in case of 389 Directory Manager password. Reviewed-By: Martin Kosek <mkosek@redhat.com>
parent
1026a6387c
commit
603842867c
@ -121,7 +121,31 @@ def validate_dm_password(password):
|
|||||||
raise ValueError("Password must only contain ASCII characters")
|
raise ValueError("Password must only contain ASCII characters")
|
||||||
|
|
||||||
# Disallow characters that pkisilent doesn't process properly:
|
# Disallow characters that pkisilent doesn't process properly:
|
||||||
bad_characters = ' &\\<%'
|
bad_characters = '\\'
|
||||||
|
if any(c in bad_characters for c in password):
|
||||||
|
raise ValueError('Password must not contain these characters: %s' %
|
||||||
|
', '.join('"%s"' % c for c in bad_characters))
|
||||||
|
|
||||||
|
# TODO: Check https://fedorahosted.org/389/ticket/47849
|
||||||
|
# Actual behavior of setup-ds.pl is that it does not accept white
|
||||||
|
# space characters in password when called interactively but does when
|
||||||
|
# provided such password in INF file. But it ignores leading and trailing
|
||||||
|
# white spaces in INF file.
|
||||||
|
|
||||||
|
# Disallow leading/trailing whaitespaces
|
||||||
|
if password.strip() != password:
|
||||||
|
raise ValueError('Password must not start or end with whitespace.')
|
||||||
|
|
||||||
|
def validate_admin_password(password):
|
||||||
|
if len(password) < 8:
|
||||||
|
raise ValueError("Password must be at least 8 characters long")
|
||||||
|
if any(ord(c) < 0x20 for c in password):
|
||||||
|
raise ValueError("Password must not contain control characters")
|
||||||
|
if any(ord(c) >= 0x7F for c in password):
|
||||||
|
raise ValueError("Password must only contain ASCII characters")
|
||||||
|
|
||||||
|
# Disallow characters that pkisilent doesn't process properly:
|
||||||
|
bad_characters = '\\'
|
||||||
if any(c in bad_characters for c in password):
|
if any(c in bad_characters for c in password):
|
||||||
raise ValueError('Password must not contain these characters: %s' %
|
raise ValueError('Password must not contain these characters: %s' %
|
||||||
', '.join('"%s"' % c for c in bad_characters))
|
', '.join('"%s"' % c for c in bad_characters))
|
||||||
@ -239,8 +263,11 @@ def parse_options():
|
|||||||
validate_dm_password(options.dm_password)
|
validate_dm_password(options.dm_password)
|
||||||
except ValueError, e:
|
except ValueError, e:
|
||||||
parser.error("DS admin password: " + str(e))
|
parser.error("DS admin password: " + str(e))
|
||||||
if options.admin_password is not None and len(options.admin_password) < 8:
|
if options.admin_password is not None:
|
||||||
parser.error("Admin user password must be at least 8 characters long")
|
try:
|
||||||
|
validate_admin_password(options.admin_password)
|
||||||
|
except ValueError, e:
|
||||||
|
parser.error("Admin user password: " + str(e))
|
||||||
|
|
||||||
if options.domain_name is not None:
|
if options.domain_name is not None:
|
||||||
try:
|
try:
|
||||||
@ -450,7 +477,7 @@ def read_admin_password():
|
|||||||
print "This user is a regular system account used for IPA server administration."
|
print "This user is a regular system account used for IPA server administration."
|
||||||
print ""
|
print ""
|
||||||
#TODO: provide the option of generating a random password
|
#TODO: provide the option of generating a random password
|
||||||
admin_password = read_password("IPA admin")
|
admin_password = read_password("IPA admin", validator=validate_admin_password)
|
||||||
return admin_password
|
return admin_password
|
||||||
|
|
||||||
def check_dirsrv(unattended):
|
def check_dirsrv(unattended):
|
||||||
|
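Review bot: The new validate_admin_password repeats the length, control-character, ASCII and `bad_characters` checks that validate_dm_password appears to perform (its first lines are outside the hunk), so the two password policies can drift apart the next time the allowed character set changes. I would move the shared checks into one private helper and reduce the new function to `def validate_admin_password(password):` followed by `_validate_password_common(password)`, with validate_dm_password calling the same helper before its own whitespace check. The admin validator has no leading/trailing-whitespace check while the DM validator does; if that difference is intentional, a one-line comment in validate_admin_password saying why would stop a later reader from "fixing" it either way. The comment `# Disallow leading/trailing whaitespaces` should read `# Disallow leading/trailing whitespace`.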