CLOUDSTACK-7977

Fix password generator, add guards for minimum length
2025-10-26 08:42:29 +01:00 · 2014-11-26 15:08:48 -08:00 · 2014-11-26 15:08:48 -08:00 · 960b7bbf74
commit 960b7bbf74
parent 95ea203907
4 changed files with 34 additions and 10 deletions
--- a/server/src/com/cloud/configuration/Config.java
+++ b/server/src/com/cloud/configuration/Config.java
@ -908,6 +908,14 @@ public enum Config {
            "0",
            "Default disk I/O read rate in requests per second allowed in User vm's disk.",
            null),
+    VmPasswordLength(
+            "Advanced",
+            ManagementServer.class,
+            Integer.class,
+            "vm.password.length",
+            "6",
+            "Specifies the length of a randomly generated password",
+            null),
    VmDiskThrottlingIopsWriteRate(
            "Advanced",
            ManagementServer.class,
--- a/server/src/com/cloud/configuration/ConfigurationManagerImpl.java
+++ b/server/src/com/cloud/configuration/ConfigurationManagerImpl.java
@ -367,6 +367,7 @@ public class ConfigurationManagerImpl extends ManagerBase implements Configurati
        configValuesForValidation.add("xenserver.heartbeat.interval");
        configValuesForValidation.add("xenserver.heartbeat.timeout");
        configValuesForValidation.add("incorrect.login.attempts.allowed");
+        configValuesForValidation.add("vm.password.length");
    }

    private void weightBasedParametersForValidation() {
@ -780,6 +781,10 @@ public class ConfigurationManagerImpl extends ManagerBase implements Configurati
                if (val <= 0) {
                    throw new InvalidParameterValueException("Please enter a positive value for the configuration parameter:" + name);
                }
+                //TODO - better validation for all password pamameters
+                if ("vm.password.length".equalsIgnoreCase(name) && val < 6) {
+                    throw new InvalidParameterValueException("Please enter a value greater than 6 for the configuration parameter:" + name);
+                }
            } catch (NumberFormatException e) {
                s_logger.error("There was an error trying to parse the integer value for:" + name);
                throw new InvalidParameterValueException("There was an error trying to parse the integer value for:" + name);
--- a/utils/src/com/cloud/utils/PasswordGenerator.java
+++ b/utils/src/com/cloud/utils/PasswordGenerator.java
@ -35,18 +35,28 @@ public class PasswordGenerator {
    static private char[] alphaNumeric = new char[] {'A', 'B', 'C', 'D', 'E', 'F', 'G', 'H', 'J', 'K', 'M', 'N', 'O', 'P', 'Q', 'R', 'S', 'T', 'U', 'V', 'W', 'X', 'Y',
        'Z', 'a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 'j', 'k', 'm', 'n', 'p', 'q', 'r', 's', 't', 'u', 'v', 'w', 'x', 'y', 'z', '2', '3', '4', '5', '6', '7', '8', '9'};

+    static private int minLength = 3;
+
    public static String generateRandomPassword(int num) {
        Random r = new SecureRandom();
        StringBuilder password = new StringBuilder();

-        // Generate random 3-character string with a lowercase character,
-        // uppercase character, and a digit
-        password.append(generateLowercaseChar(r)).append(generateUppercaseChar(r)).append(generateDigit(r));
+        //Guard for num < minLength
+        if (num < minLength) {
+            //Add alphanumeric chars at random
+            for (int i = 0; i < minLength; i++) {
+                password.append(generateAlphaNumeric(r));
+            }
+        } else {
+            // Generate random 3-character string with a lowercase character,
+            // uppercase character, and a digit
+            password.append(generateLowercaseChar(r)).append(generateUppercaseChar(r)).append(generateDigit(r));

-        // Generate a random n-character string with only lowercase
-        // characters
-        for (int i = 0; i < num; i++) {
-            password.append(generateLowercaseChar(r));
+            // Generate a random n-character string with only lowercase
+            // characters
+            for (int i = 0; i < num - 3; i++) {
+                password.append(generateLowercaseChar(r));
+            }
        }

        return password.toString();
--- a/utils/test/com/cloud/utils/PasswordGeneratorTest.java
+++ b/utils/test/com/cloud/utils/PasswordGeneratorTest.java
@ -25,10 +25,11 @@ import org.junit.Test;
 public class PasswordGeneratorTest {
    @Test
    public void generateRandomPassword() {
-        // actual length is requested length + 3
+        // actual length is requested length, minimum length is 3
        Assert.assertTrue(PasswordGenerator.generateRandomPassword(0).length() == 3);
-        Assert.assertTrue(PasswordGenerator.generateRandomPassword(1).length() == 4);
-        String password = PasswordGenerator.generateRandomPassword(0);
+        Assert.assertTrue(PasswordGenerator.generateRandomPassword(1).length() == 3);
+        Assert.assertTrue(PasswordGenerator.generateRandomPassword(5).length() == 5);
+        String password = PasswordGenerator.generateRandomPassword(8);
        // TODO: this might give more help to bruteforcing than desired
        // the actual behavior is that the first character is a random lowercase
        // char