authorDavid Kupka <dkupka@redhat.com>2014-07-24 13:32:37 +0200
committerMartin Kosek <mkosek@redhat.com>2014-07-24 14:22:40 +0200
commit603842867c65ae93d74a7c453c4301073c998441 (patch)
treeb8557f1ad866e2917e4283875ac73a8a50f02a2d
parent1026a6387cd392994ec996db53141d16dfcbee29 (diff)
Improve password validity check.
Allow use of characters that no longer cause trouble. Check for leading and trailing whitespace characters in the 389 Directory Manager password. Reviewed-By: Martin Kosek <mkosek@redhat.com>
-rwxr-xr-xinstall/tools/ipa-server-install35
1 files changed, 31 insertions, 4 deletions
diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install
index 671a226d6..fc9cef060 100755
--- a/install/tools/ipa-server-install
+++ b/install/tools/ipa-server-install
@@ -121,7 +121,31 @@ def validate_dm_password(password):
raise ValueError("Password must only contain ASCII characters")
# Disallow characters that pkisilent doesn't process properly:
- bad_characters = ' &\\<%'
+ bad_characters = '\\'
+ if any(c in bad_characters for c in password):
+ raise ValueError('Password must not contain these characters: %s' %
+ ', '.join('"%s"' % c for c in bad_characters))
+
+ # TODO: Check https://fedorahosted.org/389/ticket/47849
+ # Actual behavior of setup-ds.pl is that it does not accept white
+ # space characters in password when called interactively but does when
+ # provided such password in INF file. But it ignores leading and trailing
+ # white spaces in INF file.
+
+ # Disallow leading/trailing whaitespaces
+ if password.strip() != password:
+ raise ValueError('Password must not start or end with whitespace.')
+
+def validate_admin_password(password):
+ if len(password) < 8:
+ raise ValueError("Password must be at least 8 characters long")
+ if any(ord(c) < 0x20 for c in password):
+ raise ValueError("Password must not contain control characters")
+ if any(ord(c) >= 0x7F for c in password):
+ raise ValueError("Password must only contain ASCII characters")
+
+ # Disallow characters that pkisilent doesn't process properly:
+ bad_characters = '\\'
if any(c in bad_characters for c in password):
raise ValueError('Password must not contain these characters: %s' %
', '.join('"%s"' % c for c in bad_characters))
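Review bot: The backslash check now exists twice, at the end of validate_dm_password and at the end of the new validate_admin_password, each with its own `bad_characters = '\\'` and the same error message, so the next change to what pkisilent accepts must be made in two places or the validators drift apart. Moving the check into one helper with a module-level constant, as sketched below, keeps them in step; the length, control-character and ASCII checks could be shared the same way if validate_dm_password, whose start is outside the hunk, applies the same ones. The new comment should read `# Disallow leading/trailing whitespace`, and validate_admin_password would benefit from a one-line docstring saying it raises ValueError for a rejected password.

```python
# Characters that pkisilent doesn't process properly.
BAD_PASSWORD_CHARACTERS = '\\'

def check_bad_characters(password):
    """Raise ValueError if password contains a character listed above."""
    if any(c in BAD_PASSWORD_CHARACTERS for c in password):
        raise ValueError('Password must not contain these characters: %s' %
            ', '.join('"%s"' % c for c in BAD_PASSWORD_CHARACTERS))

# ... unchanged: validate_dm_password up to the ASCII check ...
    check_bad_characters(password)
    # ... unchanged: TODO about 389 ticket 47849 and the whitespace check ...

def validate_admin_password(password):
    # ... unchanged: length, control-character and ASCII checks ...
    check_bad_characters(password)
```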
@@ -239,8 +263,11 @@ def parse_options():
validate_dm_password(options.dm_password)
except ValueError, e:
parser.error("DS admin password: " + str(e))
- if options.admin_password is not None and len(options.admin_password) < 8:
- parser.error("Admin user password must be at least 8 characters long")
+ if options.admin_password is not None:
+ try:
+ validate_admin_password(options.admin_password)
+ except ValueError, e:
+ parser.error("Admin user password: " + str(e))
if options.domain_name is not None:
try:
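Review bot: Passwords supplied through the admin password option are now held to the full rule set, so an unattended install that used a non-ASCII character or a backslash and passed the old length-only check will stop with a parser error. The tightening matches the interactive prompt, but it is a behaviour change worth stating wherever the option is documented (help text or man page, neither visible here), for example `must be at least 8 ASCII characters, no control characters or backslash`. The message built from `str(e)` does not include the password itself, which is the right choice for output that may end up in logs. parse_options continues outside the hunk.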
@@ -450,7 +477,7 @@ def read_admin_password():
print "This user is a regular system account used for IPA server administration."
print ""
#TODO: provide the option of generating a random password
- admin_password = read_password("IPA admin")
+ admin_password = read_password("IPA admin", validator=validate_admin_password)
return admin_password
def check_dirsrv(unattended):