Allow secure user password update.

Pradeep Kilambi · Pradeep Kilambi · commit f2e0818bc97b · 2013-05-20T14:02:16.000-04:00
This patch allows the ability for user password to be updated via
a command prompt so the password doesnt show up in the bash history.
The prompted password is asked twice to verify the match.
If user cntl-D's the prompt a message appears suggesting user to use
either of the options to update the password.

Fixes: bug#938315

Change-Id: I4271ae569b922f33c34f9b015a7ee6f760414e39
diff --git a/keystoneclient/utils.py b/keystoneclient/utils.py
@@ -1,5 +1,7 @@
-import uuid
+import getpass
 import hashlib
+import sys
+import uuid
 
 import prettytable
 
@@ -128,3 +130,22 @@ def hash_signed_token(signed_text):
     hash_ = hashlib.md5()
     hash_.update(signed_text)
     return hash_.hexdigest()
+
+
+def prompt_for_password():
+    """
+     Prompt user for password if not provided so the password
+     doesn't show up in the bash history.
+    """
+    if not (hasattr(sys.stdin, 'isatty') and sys.stdin.isatty()):
+        # nothing to do
+        return
+
+    while True:
+        try:
+            new_passwd = getpass.getpass('New Password: ')
+            rep_passwd = getpass.getpass('Repeat New Password: ')
+            if new_passwd == rep_passwd:
+                return new_passwd
+        except EOFError:
+            return
diff --git a/keystoneclient/v2_0/shell.py b/keystoneclient/v2_0/shell.py
@@ -17,6 +17,7 @@
 
 import argparse
 import getpass
+import sys
 
 from keystoneclient.v2_0 import client
 from keystoneclient import utils
@@ -103,14 +104,19 @@ def do_user_update(kc, args):
         print 'Unable to update user: %s' % e
 
 
-@utils.arg('--pass', metavar='<password>', dest='passwd', required=True,
+@utils.arg('--pass', metavar='<password>', dest='passwd', required=False,
            help='Desired new password')
 @utils.arg('user', metavar='<user>',
            help='Name or ID of user to update password')
 def do_user_password_update(kc, args):
     """Update user password"""
     user = utils.find_resource(kc.users, args.user)
-    kc.users.update_password(user, args.passwd)
+    new_passwd = args.passwd or utils.prompt_for_password()
+    if new_passwd is None:
+        msg = ("\nPlease specify password using the --pass option "
+               "or using the prompt")
+        sys.exit(msg)
+    kc.users.update_password(user, new_passwd)
 
 
 @utils.arg('--current-password', metavar='<current-password>',
