Bug 1610266

Summary: Inconsistent password length requirements
Product: [Red Hat Storage] Red Hat Gluster Storage Reporter: Elena Bondarenko <ebondare>
Component: web-admin-tendrl-uiAssignee: Neha Gupta <negupta>
Status: CLOSED ERRATA QA Contact: Elena Bondarenko <ebondare>
Severity: high Docs Contact:
Priority: unspecified    
Version: rhgs-3.4CC: apaladug, kmurarka, mbukatov, nthomas, rhs-bugs, sankarshan
Target Milestone: ---Keywords: Regression
Target Release: RHGS 3.4.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: tendrl-ui-1.6.3-10.el7rhgs.noarch Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2018-09-04 07:08:56 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1503137    

Description Elena Bondarenko 2018-07-31 10:35:10 UTC 
Description of problem
======================

It is possible to set up a password of length 8 using My Settings. If one logs out and tries to log in again using the new password, the password isn't accepted, the error message is

>The username or password you entered is incorrect.

The old password is not accepted either. A truly incorrect password, including the old one, causes a different error message:

>The username or password you entered does not match our records. Please try again.

Version-Release number of selected component (if applicable):


How reproducible:
100%

Steps to Reproduce:
1. Install RHGS WA via tendrl-ansible
2. Login as admin user with default password
3. Click on the User Actions icon in top left part of the screen
   and "My Settings" modal window shows up
4. Type in a password of length 8 into both password fields in the "My Settings" screen
5. Click Save
6. Click on the User Actions icon again and click Logout
7. Try to log in using the new password

Actual results:

New password is not accepted, the error message "The username or password you entered is incorrect" is shown.
User is unable log in again because neither password works.

Expected results:

My Settings form does the validation of password length consistent with password length requirements.
Login screen doesn't do the validation of password length.
User is able to log in using the validated password.

Additional info:
Comment 2 Martin Bukatovic 2018-07-31 10:40:46 UTC 
Marking as blocker? because this could lock an user out of RHGS WA, without any
documented way to recover.
Comment 3 Elena Bondarenko 2018-07-31 11:53:38 UTC 
Version-Release number of selected component (if applicable):

tendrl-ui-1.6.3-8.el7rhgs.noarch
Comment 4 Martin Bukatovic 2018-08-01 09:20:49 UTC 
This seems to be a consequence of broken fix of BZ 1594994. Moreover RHGS WA
3.3.1 doesn't check length of password in login screen.
Comment 5 Martin Bukatovic 2018-08-02 10:39:10 UTC 
QE team will validate this issue strictly based on the Expected results sections
in this bug report.
Comment 6 Martin Bukatovic 2018-08-03 09:10:24 UTC 
Attaching to the tracker, as all 3 acks are present.
Comment 8 Neha Gupta 2018-08-07 09:48:38 UTC 
@mbukatov Can you please confirm that this issue is same as the comment mentioned at https://bugzilla.redhat.com/show_bug.cgi?id=1594994#c29.
Comment 9 Kanika Murarka 2018-08-08 15:04:42 UTC 
We have fixed the issue, so now user will not be able to update his account with 8 characters password length.
Also, the modal we have used is angular-patternfly modal(https://www.patternfly.org/angular-patternfly/#/api/patternfly.modals.componenet:pfModalOverlay),there is an issue inside this component, it doesn't respond properly to custom validations. It closes the modal even if UI is disallowing it(by setting the required flags in case of invalid input for fields ) once user clicks the Save button. For eg, if we provide mismatched passwords and then click on Save, it will still close the modal though Ajax call is not sent as the password are mismatched. But this user experience can confuse the user.
A bug has been reported on angular-patternfly, patternfly/angular-patternfly#755 for the same.

To make it work we have done a workaround - now we are showing notification(instead of error message) on right corner of view (even if the modal gets closed) with proper error message(which will help user to identify the issue). So in case of mismatched passwords, the user can see the notification saying "Failed to update profile. Password and Confirm Password doesn't match."; @mbukatov please take this work around into account and confirm.
Comment 10 Neha Gupta 2018-08-09 10:01:56 UTC 
@kmurarka As per the Ju's comment - https://bugzilla.redhat.com/show_bug.cgi?id=1612150#c7, the error message to be shown for mismatched passwords will be "Your password and confirmation password do not match.  Go to My Settings to reset your password."
Comment 12 Elena Bondarenko 2018-08-15 09:19:10 UTC 
My Settings form doesn't allow a password of length 8 anymore.

If I set up a password of length 8 using an Ansible playbook, I'm able to log in to WA using this password.
Comment 14 errata-xmlrpc 2018-09-04 07:08:56 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2018:2616