From 960b7bbf742bbba62cd25bc62b700c6c829e35f2 Mon Sep 17 00:00:00 2001 From: amoghvk Date: Wed, 26 Nov 2014 15:08:48 -0800 Subject: [PATCH] CLOUDSTACK-7977 Fix password generator, add guards for minimum length --- .../src/com/cloud/configuration/Config.java | 8 +++++++ .../ConfigurationManagerImpl.java | 5 ++++ .../com/cloud/utils/PasswordGenerator.java | 24 +++++++++++++------ .../cloud/utils/PasswordGeneratorTest.java | 7 +++--- 4 files changed, 34 insertions(+), 10 deletions(-) diff --git a/server/src/com/cloud/configuration/Config.java b/server/src/com/cloud/configuration/Config.java index a1dd882cd66..cd0824e8cb9 100644 --- a/server/src/com/cloud/configuration/Config.java +++ b/server/src/com/cloud/configuration/Config.java @@ -908,6 +908,14 @@ public enum Config { "0", "Default disk I/O read rate in requests per second allowed in User vm's disk.", null), + VmPasswordLength( + "Advanced", + ManagementServer.class, + Integer.class, + "vm.password.length", + "6", + "Specifies the length of a randomly generated password", + null), VmDiskThrottlingIopsWriteRate( "Advanced", ManagementServer.class, diff --git a/server/src/com/cloud/configuration/ConfigurationManagerImpl.java b/server/src/com/cloud/configuration/ConfigurationManagerImpl.java index 714e6fc0cb9..918dd93f7bd 100644 --- a/server/src/com/cloud/configuration/ConfigurationManagerImpl.java +++ b/server/src/com/cloud/configuration/ConfigurationManagerImpl.java @@ -367,6 +367,7 @@ public class ConfigurationManagerImpl extends ManagerBase implements Configurati configValuesForValidation.add("xenserver.heartbeat.interval"); configValuesForValidation.add("xenserver.heartbeat.timeout"); configValuesForValidation.add("incorrect.login.attempts.allowed"); + configValuesForValidation.add("vm.password.length"); } private void weightBasedParametersForValidation() { @@ -780,6 +781,10 @@ public class ConfigurationManagerImpl extends ManagerBase implements Configurati if (val <= 0) { throw new InvalidParameterValueException("Please enter a positive value for the configuration parameter:" + name); } + //TODO - better validation for all password pamameters + if ("vm.password.length".equalsIgnoreCase(name) && val < 6) { + throw new InvalidParameterValueException("Please enter a value greater than 6 for the configuration parameter:" + name); + } } catch (NumberFormatException e) { s_logger.error("There was an error trying to parse the integer value for:" + name); throw new InvalidParameterValueException("There was an error trying to parse the integer value for:" + name); diff --git a/utils/src/com/cloud/utils/PasswordGenerator.java b/utils/src/com/cloud/utils/PasswordGenerator.java index b6e4bed0800..6fa28437819 100644 --- a/utils/src/com/cloud/utils/PasswordGenerator.java +++ b/utils/src/com/cloud/utils/PasswordGenerator.java @@ -35,18 +35,28 @@ public class PasswordGenerator { static private char[] alphaNumeric = new char[] {'A', 'B', 'C', 'D', 'E', 'F', 'G', 'H', 'J', 'K', 'M', 'N', 'O', 'P', 'Q', 'R', 'S', 'T', 'U', 'V', 'W', 'X', 'Y', 'Z', 'a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 'j', 'k', 'm', 'n', 'p', 'q', 'r', 's', 't', 'u', 'v', 'w', 'x', 'y', 'z', '2', '3', '4', '5', '6', '7', '8', '9'}; + static private int minLength = 3; + public static String generateRandomPassword(int num) { Random r = new SecureRandom(); StringBuilder password = new StringBuilder(); - // Generate random 3-character string with a lowercase character, - // uppercase character, and a digit - password.append(generateLowercaseChar(r)).append(generateUppercaseChar(r)).append(generateDigit(r)); + //Guard for num < minLength + if (num < minLength) { + //Add alphanumeric chars at random + for (int i = 0; i < minLength; i++) { + password.append(generateAlphaNumeric(r)); + } + } else { + // Generate random 3-character string with a lowercase character, + // uppercase character, and a digit + password.append(generateLowercaseChar(r)).append(generateUppercaseChar(r)).append(generateDigit(r)); - // Generate a random n-character string with only lowercase - // characters - for (int i = 0; i < num; i++) { - password.append(generateLowercaseChar(r)); + // Generate a random n-character string with only lowercase + // characters + for (int i = 0; i < num - 3; i++) { + password.append(generateLowercaseChar(r)); + } } return password.toString(); diff --git a/utils/test/com/cloud/utils/PasswordGeneratorTest.java b/utils/test/com/cloud/utils/PasswordGeneratorTest.java index 3e82d982857..bd8798711f0 100644 --- a/utils/test/com/cloud/utils/PasswordGeneratorTest.java +++ b/utils/test/com/cloud/utils/PasswordGeneratorTest.java @@ -25,10 +25,11 @@ import org.junit.Test; public class PasswordGeneratorTest { @Test public void generateRandomPassword() { - // actual length is requested length + 3 + // actual length is requested length, minimum length is 3 Assert.assertTrue(PasswordGenerator.generateRandomPassword(0).length() == 3); - Assert.assertTrue(PasswordGenerator.generateRandomPassword(1).length() == 4); - String password = PasswordGenerator.generateRandomPassword(0); + Assert.assertTrue(PasswordGenerator.generateRandomPassword(1).length() == 3); + Assert.assertTrue(PasswordGenerator.generateRandomPassword(5).length() == 5); + String password = PasswordGenerator.generateRandomPassword(8); // TODO: this might give more help to bruteforcing than desired // the actual behavior is that the first character is a random lowercase // char