authorMartin Styk <mastyk@redhat.com>2019-03-06 10:24:35 +0100
committerMartin Styk <mastyk@redhat.com>2019-04-11 08:16:57 +0000
commit298d95fa56fc21330a444ded938cda38719ea083 (patch)
tree6118027e8697c0fd2cbc3b7273b75ddb2b433780
parent6f8084814d53d32df81dac997a1409505f327f6d (diff)
Switch from cracklib to pwquality
With this patch we are aiming for RHEL 7 server. Bug: 1120434 Change-Id: I7570f7cea625c13f9adaa5b713f1e12f13bebee0
-rw-r--r--IntegrationTests/src/bkr/inttest/client/test_group_create.py6
-rw-r--r--IntegrationTests/src/bkr/inttest/client/test_group_modify.py4
-rw-r--r--IntegrationTests/src/bkr/inttest/server/selenium/test_group_edit.py18
-rw-r--r--IntegrationTests/src/bkr/inttest/server/selenium/test_prefs.py15
-rw-r--r--Server/bkr/server/model/identity.py14
-rw-r--r--beaker.spec4
6 files changed, 40 insertions, 21 deletions
diff --git a/IntegrationTests/src/bkr/inttest/client/test_group_create.py b/IntegrationTests/src/bkr/inttest/client/test_group_create.py
index d232b9d..0cbffc8 100644
--- a/IntegrationTests/src/bkr/inttest/client/test_group_create.py
+++ b/IntegrationTests/src/bkr/inttest/client/test_group_create.py
@@ -123,11 +123,11 @@ class GroupCreateTest(ClientTestCase):
try:
out = run_client(['bkr', 'group-create',
- '--root-password', 'fail',
+ '--root-password', 'fa1l',
group_name])
self.fail('Expected to fail due to short password')
except ClientError, e:
- self.assertTrue('Root password is too short' in e.stderr_output,
+ self.assertTrue('The group root password is shorter than 7 characters' in e.stderr_output,
e.stderr_output)
try:
@@ -137,7 +137,7 @@ class GroupCreateTest(ClientTestCase):
self.fail('Expected to fail due to dictionary words')
except ClientError, e:
- self.assertTrue('Root password is based on a dictionary word' in
+ self.assertTrue('The group root password fails the dictionary check' in
e.stderr_output, e.stderr_output)
out = run_client(['bkr', 'group-create',
'--root-password', 'Borrow or rob?',
diff --git a/IntegrationTests/src/bkr/inttest/client/test_group_modify.py b/IntegrationTests/src/bkr/inttest/client/test_group_modify.py
index 66bcc3e..606879f 100644
--- a/IntegrationTests/src/bkr/inttest/client/test_group_modify.py
+++ b/IntegrationTests/src/bkr/inttest/client/test_group_modify.py
@@ -189,13 +189,13 @@ class GroupModifyTest(ClientTestCase):
self.assertEquals(group.activity[-1].service, u'HTTP')
# Test unsuccessful cleartext password change
- short_password = 'fail'
+ short_password = 'fa1l'
try:
run_client(['bkr', 'group-modify', '--root-password', short_password,
self.group.group_name], config=self.client_config)
self.fail('Should fail with short password')
except ClientError, e:
- self.assertTrue('password is too short' in str(e))
+ self.assertTrue('The group root password is shorter than 7 characters' in str(e))
session.expire(self.group)
with session.begin():
group = self.group
diff --git a/IntegrationTests/src/bkr/inttest/server/selenium/test_group_edit.py b/IntegrationTests/src/bkr/inttest/server/selenium/test_group_edit.py
index 64d3a8b..bfda97e 100644
--- a/IntegrationTests/src/bkr/inttest/server/selenium/test_group_edit.py
+++ b/IntegrationTests/src/bkr/inttest/server/selenium/test_group_edit.py
@@ -34,7 +34,6 @@ class TestGroupsWD(WebDriverTestCase):
self.browser = self.get_browser()
self.clear_password = 'gyfrinachol'
self.hashed_password = '$1$NaCl$O34mAzBXtER6obhoIodu8.'
- self.simple_password = 's3cr3t'
def go_to_group_page(self, group=None, tab=None):
if group is None:
@@ -131,15 +130,26 @@ class TestGroupsWD(WebDriverTestCase):
for keyword in [action, group.group_name]:
self.assert_(keyword in msg_payload, (keyword, msg_payload))
+ def test_too_short_password_rejected(self):
+ b = self.browser
+ login(b, user=self.user.user_name, password='password')
+ self.go_to_group_page(tab='Root Password')
+ tab = b.find_element_by_id('rootpassword')
+ tab.find_element_by_name('root_password').send_keys('s3cr3t')
+ tab.find_element_by_tag_name('form').submit()
+ self.assertIn('The group root password is shorter than 7 characters',
+ tab.find_element_by_class_name('alert-error').text)
+
def test_dictionary_password_rejected(self):
b = self.browser
login(b, user=self.user.user_name, password='password')
self.go_to_group_page(tab='Root Password')
tab = b.find_element_by_id('rootpassword')
- tab.find_element_by_name('root_password').send_keys(self.simple_password)
+ tab.find_element_by_name('root_password').send_keys('s3cr3tive')
tab.find_element_by_tag_name('form').submit()
- self.assertIn('Root password is based on a dictionary word',
- tab.find_element_by_class_name('alert-error').text)
+ self.assertIn('The group root password fails the dictionary check - '
+ 'it is based on a dictionary word',
+ tab.find_element_by_class_name('alert-error').text)
def test_set_hashed_password(self):
b = self.browser
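Review bot: The new `test_too_short_password_rejected` asserts only on the alert text, so it would still pass if the server displayed the error but stored the rejected value; the same holds for `test_too_short_password_is_rejected` in test_prefs.py. After the form submit I would reload the group in a session and assert that its stored root password is unchanged, as the group-modify client test appears to do after its failure case. A short comment next to the literal, e.g. `# 6 characters: one below the minimum pwquality reports`, would also explain why `'s3cr3t'` is used now that `self.simple_password` is gone.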
diff --git a/IntegrationTests/src/bkr/inttest/server/selenium/test_prefs.py b/IntegrationTests/src/bkr/inttest/server/selenium/test_prefs.py
index 74a5ed7..3d2735c 100644
--- a/IntegrationTests/src/bkr/inttest/server/selenium/test_prefs.py
+++ b/IntegrationTests/src/bkr/inttest/server/selenium/test_prefs.py
@@ -24,7 +24,6 @@ class UserPrefs(WebDriverTestCase):
self.clear_password = 'gyfrinachol'
self.hashed_password = '$1$NaCl$O34mAzBXtER6obhoIodu8.'
- self.simple_password = 's3cr3t'
def go_to_prefs_tab(self, tab):
b = self.browser
@@ -129,13 +128,23 @@ class UserPrefs(WebDriverTestCase):
new_hash = pane.find_element_by_xpath('p[1]/code').text
self.failUnless(crypt.crypt(self.clear_password, new_hash) == self.hashed_password)
+ def test_too_short_password_is_rejected(self):
+ b = self.browser
+ pane = self.go_to_prefs_tab(tab='Root Password')
+ e = pane.find_element_by_name('root_password')
+ e.send_keys('s3cr3t')
+ pane.find_element_by_tag_name('form').submit()
+ self.assertIn('The root password is shorter than 7 characters',
+ pane.find_element_by_class_name('alert-error').text)
+
def test_dictionary_password_rejected(self):
b = self.browser
pane = self.go_to_prefs_tab(tab='Root Password')
e = pane.find_element_by_name('root_password')
- e.send_keys(self.simple_password)
+ e.send_keys('s3cr3tive')
pane.find_element_by_tag_name('form').submit()
- self.assertIn('Root password is based on a dictionary word',
+ self.assertIn('The root password fails the dictionary check - '
+ 'it is based on a dictionary word',
pane.find_element_by_class_name('alert-error').text)
def test_ssh_key_allows_whitespace_in_description(self):
diff --git a/Server/bkr/server/model/identity.py b/Server/bkr/server/model/identity.py
index fff2947..5ae0672 100644
--- a/Server/bkr/server/model/identity.py
+++ b/Server/bkr/server/model/identity.py
@@ -11,7 +11,7 @@ import crypt
import random
import string
import re
-import cracklib
+import pwquality
import urllib
from kid import Element
import passlib.context
@@ -442,9 +442,9 @@ class User(DeclarativeMappedObject, ActivityMixin):
if password:
if len(password.split('$')) != 4:
try:
- cracklib.VeryFascistCheck(password)
- except ValueError as e:
- msg = re.sub(r'^it', 'Root password', str(e))
+ pwquality.PWQSettings().check(password)
+ except pwquality.PWQError as e:
+ msg = re.sub(r'The password', 'The root password', e.args[1])
raise ValueError(msg)
salt = ''.join(random.choice(string.digits + string.ascii_letters)
for i in range(8))
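Review bot: `pwquality.PWQSettings().check(password)` builds a settings object with the library's built-in defaults and never calls `read_config()`, so any policy an administrator sets in the host's pwquality configuration is presumably ignored here; the Group setter hunk below makes the same call. If host policy should apply, create the settings once, e.g. `pwq = pwquality.PWQSettings(); pwq.read_config()`, and reuse it in both setters; if the defaults are intended, say so in a comment, because the accepted minimum length is now a security-relevant value hidden in the library. Separately, any value containing exactly three `$` skips the quality check through the `len(password.split('$')) != 4` guard on the context line, which this commit leaves unchanged but which deserves a comment. The setter starts and ends outside the hunk.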
@@ -658,9 +658,9 @@ class Group(DeclarativeMappedObject, ActivityMixin):
"""
if password:
try:
- cracklib.VeryFascistCheck(password)
- except ValueError, msg:
- msg = re.sub(r'^it', 'Root password', str(msg))
+ pwquality.PWQSettings().check(password)
+ except pwquality.PWQError as e:
+ msg = re.sub(r'The password', 'The group root password', e.args[1])
raise ValueError(msg)
else:
self._root_password = password
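Review bot: The rewrite `re.sub(r'The password', 'The group root password', e.args[1])` is unanchored and depends on the exact English wording libpwquality produces, so a message without that phrase (a different library version or, presumably, a translated locale) reaches the user unprefixed, and the integration tests that pin the same strings would break; the User setter hunk above does the same. Consider anchoring and limiting the substitution, `re.sub(r'^The password', 'The group root password', e.args[1], count=1)`, or building the message as a fixed prefix plus the library text. The method's signature and the start of its docstring are outside the hunk.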
diff --git a/beaker.spec b/beaker.spec
index 8f970c0..2646846 100644
--- a/beaker.spec
+++ b/beaker.spec
@@ -202,7 +202,7 @@ BuildRequires: python-lxml
BuildRequires: python-ldap
BuildRequires: python-rdflib >= 3.2.0
BuildRequires: python-TurboMail >= 3.0
-BuildRequires: cracklib-python
+BuildRequires: python-pwquality
BuildRequires: rpm-python
BuildRequires: python-netaddr
BuildRequires: python-itsdangerous
@@ -225,7 +225,7 @@ Requires: python-daemon
Requires: python-lockfile >= 0.9
Requires: python-gssapi
Requires: python-TurboMail >= 3.0
-Requires: cracklib-python
+Requires: python-pwquality
Requires: python-jinja2
Requires: python-netaddr
Requires: python-requests >= 1.0