Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Stronger check for DM password during server install #443

Closed
wants to merge 1 commit into from
Closed

Stronger check for DM password during server install #443

wants to merge 1 commit into from

Conversation

stlaz
Copy link
Contributor

@stlaz stlaz commented Feb 8, 2017

DM password is used as an NSS database password during server installation, therefore it must comply to NSS database requirements for password in FIPS.

https://fedorahosted.org/freeipa/ticket/5695

@tkrizek tkrizek self-assigned this Feb 8, 2017
@pvoborni
Copy link
Member

pvoborni commented Feb 8, 2017

Function check_password_fips_nssdb_compatible looks like a great candidate for unit test.

pvoborni
pvoborni reviewed Feb 8, 2017
View reviewed changes
ipaserver/install/server/install.py Outdated
gotnumeric = any(c.isdigit() for c in password[:-1])
gotupper = any(c.isupper() for c in password[1:])
gotlower = any(c.islower() for c in password)
gotspecial = password.isalnum()
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This line should be negated.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks, was editing this right before pushing but forgot how to logic :)

tkrizek
tkrizek suggested changes Feb 8, 2017
View reviewed changes
Copy link
Contributor

@tkrizek tkrizek left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

As mentioned, a unit test for the function would be great as well. Especially covering the NSS-specific edge cases - at least we'd have the expected behavior documented with a test.

ipaserver/install/server/install.py
"""
Check whether the given password can be used for NSSDB setup in FIPS mode
"""
gotnumeric = any(c.isdigit() for c in password[:-1])
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Perhaps we could use a comment that the :-1 and 1: is a NSSDB-specific requirement.

@HonzaCholasta
Copy link
Contributor

IMHO you got it backwards - DM password may not comply to NSS requirements for passwords, therefore it must not be used as a password for any NSS database during server install.

@stlaz
Copy link
Contributor Author

stlaz commented Feb 9, 2017

@HonzaCholasta: +1, you're right, I should investigate more on how to change this behavior, either we or Dogtag don't behave correctly here.
@pvoborni, @tomaskrizek: out of curiousity, do we have a design/guideline on how to write unit tests for FreeIPA? Did not find any.

@stlaz
Copy link
Contributor Author

stlaz commented Feb 16, 2017

Closing as REJECTED, this will be sorted out in another way.

@stlaz stlaz added the rejected Pull Request has been rejected label Feb 16, 2017
@stlaz stlaz closed this Feb 16, 2017
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@pvoborni pvoborni pvoborni left review comments

@tkrizek tkrizek tkrizek requested changes

Assignees

@tkrizek tkrizek

Labels
rejected Pull Request has been rejected
Projects
None yet
Milestone
No milestone
4 participants
@stlaz @pvoborni @HonzaCholasta @tkrizek