CLOUDSTACK-7977 Fix password generator, add guards for minimum length
Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/960b7bbf Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/960b7bbf Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/960b7bbf Branch: refs/heads/useraccount-refactoring Commit: 960b7bbf742bbba62cd25bc62b700c6c829e35f2 Parents: 95ea203 Author: amoghvk <amogh.vase...@citrix.com> Authored: Wed Nov 26 15:08:48 2014 -0800 Committer: amoghvk <amogh.vase...@citrix.com> Committed: Wed Nov 26 15:08:48 2014 -0800 ---------------------------------------------------------------------- server/src/com/cloud/configuration/Config.java | 8 ++++++ .../configuration/ConfigurationManagerImpl.java | 5 ++++ .../src/com/cloud/utils/PasswordGenerator.java | 26 ++++++++++++++------ .../com/cloud/utils/PasswordGeneratorTest.java | 7 +++--- 4 files changed, 35 insertions(+), 11 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/cloudstack/blob/960b7bbf/server/src/com/cloud/configuration/Config.java ---------------------------------------------------------------------- diff --git a/server/src/com/cloud/configuration/Config.java b/server/src/com/cloud/configuration/Config.java index a1dd882..cd0824e 100644 --- a/server/src/com/cloud/configuration/Config.java +++ b/server/src/com/cloud/configuration/Config.java 
@@ -908,6 +908,14 @@ public enum Config { "0", "Default disk I/O read rate in requests per second allowed in User vm's disk.", null), + VmPasswordLength( + "Advanced", + ManagementServer.class, + Integer.class, + "vm.password.length", + "6", + "Specifies the length of a randomly generated password", + null), VmDiskThrottlingIopsWriteRate( "Advanced", ManagementServer.class, http://git-wip-us.apache.org/repos/asf/cloudstack/blob/960b7bbf/server/src/com/cloud/configuration/ConfigurationManagerImpl.java ---------------------------------------------------------------------- diff --git a/server/src/com/cloud/configuration/ConfigurationManagerImpl.java b/server/src/com/cloud/configuration/ConfigurationManagerImpl.java index 714e6fc..918dd93 100644 --- a/server/src/com/cloud/configuration/ConfigurationManagerImpl.java +++ b/server/src/com/cloud/configuration/ConfigurationManagerImpl.java @@ -367,6 +367,7 @@ public class ConfigurationManagerImpl extends ManagerBase implements Configurati configValuesForValidation.add("xenserver.heartbeat.interval"); configValuesForValidation.add("xenserver.heartbeat.timeout"); configValuesForValidation.add("incorrect.login.attempts.allowed"); + configValuesForValidation.add("vm.password.length"); } private void weightBasedParametersForValidation() { 
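Review bot: In Config.java the new `VmPasswordLength` entry is inserted between the disk I/O read-rate entry and `VmDiskThrottlingIopsWriteRate`, which splits the group of throttling settings; placing it after that group would keep related settings adjacent. Its description does not mention the floor of 6 that ConfigurationManagerImpl enforces in this same commit, so an operator only learns the limit from the error; something like `"Specifies the length of a randomly generated password (minimum 6)"` would document it. None of the four files in this commit reads `vm.password.length`, so it cannot be confirmed from here that the generator is actually called with this value.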
@@ -780,6 +781,10 @@ public class ConfigurationManagerImpl extends ManagerBase implements Configurati if (val <= 0) { throw new InvalidParameterValueException("Please enter a positive value for the configuration parameter:" + name); } + //TODO - better validation for all password pamameters + if ("vm.password.length".equalsIgnoreCase(name) && val < 6) { + throw new InvalidParameterValueException("Please enter a value greater than 6 for the configuration parameter:" + name); + } } catch (NumberFormatException e) { s_logger.error("There was an error trying to parse the integer value for:" + name); throw new InvalidParameterValueException("There was an error trying to parse the integer value for:" + name); http://git-wip-us.apache.org/repos/asf/cloudstack/blob/960b7bbf/utils/src/com/cloud/utils/PasswordGenerator.java ---------------------------------------------------------------------- diff --git a/utils/src/com/cloud/utils/PasswordGenerator.java b/utils/src/com/cloud/utils/PasswordGenerator.java index b6e4bed..6fa2843 100644 --- a/utils/src/com/cloud/utils/PasswordGenerator.java +++ b/utils/src/com/cloud/utils/PasswordGenerator.java 
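Review bot: The message in the added `vm.password.length` check contradicts its condition: `val < 6` accepts 6, but the text asks for "a value greater than 6". Suggested wording: `"Please enter a value of 6 or more for the configuration parameter:" + name`. The literal 6 is repeated from the default in Config.java and is unrelated to `minLength = 3` in PasswordGenerator, so a single shared constant would stop the three values drifting apart. The TODO comment misspells "parameters" as "pamameters". The enclosing method starts and ends outside this hunk.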
@@ -35,18 +35,28 @@ public class PasswordGenerator { static private char[] alphaNumeric = new char[] {'A', 'B', 'C', 'D', 'E', 'F', 'G', 'H', 'J', 'K', 'M', 'N', 'O', 'P', 'Q', 'R', 'S', 'T', 'U', 'V', 'W', 'X', 'Y', 'Z', 'a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 'j', 'k', 'm', 'n', 'p', 'q', 'r', 's', 't', 'u', 'v', 'w', 'x', 'y', 'z', '2', '3', '4', '5', '6', '7', '8', '9'}; + static private int minLength = 3; + public static String generateRandomPassword(int num) { Random r = new SecureRandom(); StringBuilder password = new StringBuilder(); - // Generate random 3-character string with a lowercase character, - // uppercase character, and a digit - password.append(generateLowercaseChar(r)).append(generateUppercaseChar(r)).append(generateDigit(r)); - - // Generate a random n-character string with only lowercase - // characters - for (int i = 0; i < num; i++) { - password.append(generateLowercaseChar(r)); + //Guard for num < minLength + if (num < minLength) { + //Add alphanumeric chars at random + for (int i = 0; i < minLength; i++) { + password.append(generateAlphaNumeric(r)); + } + } else { + // Generate random 3-character string with a lowercase character, + // uppercase character, and a digit + password.append(generateLowercaseChar(r)).append(generateUppercaseChar(r)).append(generateDigit(r)); + + // Generate a random n-character string with only lowercase + // characters + for (int i = 0; i < num - 3; i++) { + password.append(generateLowercaseChar(r)); + } } return password.toString(); http://git-wip-us.apache.org/repos/asf/cloudstack/blob/960b7bbf/utils/test/com/cloud/utils/PasswordGeneratorTest.java ---------------------------------------------------------------------- diff --git a/utils/test/com/cloud/utils/PasswordGeneratorTest.java b/utils/test/com/cloud/utils/PasswordGeneratorTest.java index 3e82d98..bd87987 100644 --- a/utils/test/com/cloud/utils/PasswordGeneratorTest.java +++ b/utils/test/com/cloud/utils/PasswordGeneratorTest.java 
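Review bot: The new guard in `generateRandomPassword` silently returns a three-character password for any `num` below 3, including 0 and negative values, and that floor is half the minimum of 6 that ConfigurationManagerImpl enforces in this commit. A caller that passes a bad length therefore gets a weak credential instead of an error. Rejecting the request with `throw new IllegalArgumentException("password length must be at least " + minLength);` or raising the floor to the configured minimum would be safer, although the test in this commit asserts the three-character result and would need updating. In the else branch every character after the first three is still lowercase-only with the uppercase and digit in fixed positions, which narrows the search space. The field should be a constant, `private static final int MIN_LENGTH = 3;`, and the loop bound `num - 3` should use it rather than a second literal. The method's closing brace lies outside the hunk.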
@@ -25,10 +25,11 @@ import org.junit.Test; public class PasswordGeneratorTest { @Test public void generateRandomPassword() { - // actual length is requested length + 3 + // actual length is requested length, minimum length is 3 Assert.assertTrue(PasswordGenerator.generateRandomPassword(0).length() == 3); - Assert.assertTrue(PasswordGenerator.generateRandomPassword(1).length() == 4); - String password = PasswordGenerator.generateRandomPassword(0); + Assert.assertTrue(PasswordGenerator.generateRandomPassword(1).length() == 3); + Assert.assertTrue(PasswordGenerator.generateRandomPassword(5).length() == 5); + String password = PasswordGenerator.generateRandomPassword(8); // TODO: this might give more help to bruteforcing than desired // the actual behavior is that the first character is a random lowercase // char
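Review bot: The length checks use `Assert.assertTrue(... .length() == 3)`, which reports only a bare failure; `Assert.assertEquals(3, PasswordGenerator.generateRandomPassword(0).length());` would show the actual length when it breaks. There is no case for a negative argument, which takes the same fallback branch as 0 and 1 in the generator, e.g. `Assert.assertEquals(3, PasswordGenerator.generateRandomPassword(-1).length());`. The test method continues past the end of this hunk, so any character-class checks on the 8-character password are not visible here.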