[Freeipa-devel] [PATCH] 0002 Improve password validity check

Martin Kosek mkosek at redhat.com
Tue Jul 22 06:55:21 UTC 2014


On 07/21/2014 04:08 PM, David Kupka wrote:
> On 07/18/2014 12:52 PM, Martin Kosek wrote:
>> On 07/18/2014 12:33 PM, David Kupka wrote:
>>> https://fedorahosted.org/freeipa/ticket/2796
>>
>> 1) Would it be easier/more convenient to just implement the following simple check
>> instead of bad_prefix/bad_suffix?
>>
>> if password.strip() != password:
>>     raise ValueError('Password must not start or end with whitespace')
>>
> 
> Yes it would. Edited patch attached.
> 
>>
>> 2) The main goal of the ticket 2796 was not fixed yet. It sometimes happens that
>> when installation crashes somewhere right after pkicreate, it does not record
>> and does not uninstall the PKI component during "ipa-server-install
>> --uninstall".
>>
>> You may artificially invoke some crash in cainstance.py after pkicreate to test
>> it. When fixing it, check how is_configured() in Service object works and how
>> self.backup_state is called in other service modules (like dsinstance.py) where
>> the detection works correctly.
> 
> You're completely right, Martin. I was unable to reproduce the bug (to force
> pkicreate/pkispawn to fail) so I thought that it was fixed by the password
> restriction.
> Then I discovered that most of the banned characters for password are no longer
> causing troubles and focused on this. But it's yet another issue.

1) Whitespace error:

$ git am /tmp/freeipa-dkupka-0002-2-Improve-password-validity-check.patch
Applying: Improve password validity check.
/home/mkosek/freeipa/.git/rebase-apply/patch:25: trailing whitespace.
    # Disallow leading/trailing whaitespaces
warning: 1 line adds whitespace errors.

2) The new admin validator is not applied to "-a" command line option and you
can pass any garbage to it. You need to replace this section:

    if options.admin_password is not None and len(options.admin_password) < 8:
        parser.error("Admin user password must be at least 8 characters long")

... with the new validator just like we validate DM password.

Martin
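
The point in item 2, as an added example rather than code from the FreeIPA patch: one validator serves both the command-line options and the interactive prompt, so neither input path can skip it. The parser and the names `validate_password`, `password_option`, `read_password` and `dm_password` are hypothetical; the rules are the two stated in this thread (8-character minimum, no leading or trailing whitespace).

```python
from optparse import OptionParser, OptionValueError

MIN_LENGTH = 8  # same minimum as the "-a" check quoted in the message


def validate_password(password):
    """Return the password unchanged, or raise ValueError naming the broken rule."""
    if len(password) < MIN_LENGTH:
        raise ValueError("must be at least %d characters long" % MIN_LENGTH)
    if password.strip() != password:
        raise ValueError("must not start or end with whitespace")
    return password


def password_option(option, opt_str, value, parser, label):
    """optparse callback: run the shared validator on a command-line value."""
    try:
        setattr(parser.values, option.dest, validate_password(value))
    except ValueError as e:
        # optparse turns this into parser.error(): usage message, exit status 2
        raise OptionValueError("%s password %s" % (label, e))


def build_parser():
    """Hypothetical installer parser; both password options share one check."""
    parser = OptionParser()
    for flags, dest, label in (
        (("-a", "--admin-password"), "admin_password", "Admin user"),
        (("-p", "--ds-password"), "dm_password", "Directory Manager"),
    ):
        parser.add_option(*flags, dest=dest, type="string", action="callback",
                          callback=password_option, callback_args=(label,))
    return parser


def read_password(label, ask, attempts=3):
    """Interactive path: re-prompt via ask() until the same validator accepts."""
    for _ in range(attempts):
        try:
            return validate_password(ask("%s password: " % label))
        except ValueError as e:
            print("%s password %s" % (label, e))
    raise SystemExit("Too many invalid %s passwords" % label)


if __name__ == "__main__":
    # Constructed sample argv; a real run would use sys.argv and getpass.getpass
    opts, _ = build_parser().parse_args(["-a", "Secret123"])
    print("admin password accepted:", opts.admin_password is not None)
```

For the interactive path, pass `getpass.getpass` as `ask` so the prompt does not echo.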



