| Summary: | Old user validation rules have been dropped, maybe by design | ||
|---|---|---|---|
| Product: | [Retired] CloudForms Cloud Engine | Reporter: | wes hayutin <whayutin> |
| Component: | aeolus-conductor | Assignee: | chris alfonso <calfonso> |
| Status: | CLOSED ERRATA | QA Contact: | Aziza Karol <akarol> |
| Severity: | medium | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 1.0.0 | CC: | akarol, calfonso, dajohnso, deltacloud-maint, dgao, hbrock, ssachdev |
| Target Milestone: | rc | ||
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| URL: | https://qeblade5.rhq.lab.eng.bos.redhat.com/conductor/users | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2012-05-15 21:11:19 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
[root@qeblade5 ~]# rpm -qa | grep aeolus
rubygem-actionmailer-3.0.9-1.aeolus.el6.noarch
aeolus-configure-2.1.0-1.el6.noarch
aeolus-conductor-doc-0.4.0-1.el6.noarch
rubygem-rack-mount-0.7.1-3.aeolus.el6.noarch
rubygem-activesupport-3.0.9-1.aeolus.el6.noarch
rubygem-actionpack-3.0.9-1.aeolus.el6.noarch
rubygem-aeolus-image-0.1.0-3.20111003170706git8f23238.el6.noarch
aeolus-conductor-0.4.0-1.el6.noarch
rubygem-arel-2.0.10-0.aeolus.el6.noarch
rubygem-ZenTest-4.3.3-2.aeolus.el6.noarch
rubygem-aeolus-cli-0.1.0-3.20111003133323git9451323.el6.noarch
aeolus-conductor-daemons-0.4.0-1.el6.noarch
aeolus-all-0.4.0-1.el6.noarch
rubygem-activerecord-3.0.9-1.aeolus.el6.noarch

Current user validation is implemented as follows:
validates_presence_of :quota
validates_length_of :first_name, :maximum => 255, :allow_blank => true
validates_length_of :last_name, :maximum => 255, :allow_blank => true
validates_uniqueness_of :login
validates_length_of :login, :within => 1..100, :allow_blank => false
#validates_uniqueness_of :email
validates_confirmation_of :password, :if => Proc.new {|u| u.check_password?}
validates_length_of :password, :within => 4..255, :if => Proc.new {|u| u.check_password?}
I talked to wes, and we're going to add email format validation.
commit 80caf4fc48f6eac6ac85d34d5bbf474e1f02dc72 conductor.git repo

please also add requires all fields to be filled out.

It appears that first and last name are not required. Do they need to be required?

Ok, it appears to work correctly.

As discussed via irc with weshay, moving this to ON_QA

verified in

[root@qeblade31 ~]# rpm -qa | grep aeolus
rubygem-aeolus-image-0.3.0-10.el6.noarch
aeolus-conductor-doc-0.8.0-36.el6.noarch
aeolus-all-0.8.0-36.el6.noarch
rubygem-aeolus-cli-0.4.0-0.20120227105812git15ef29d.el6.noarch
aeolus-conductor-0.8.0-36.el6.noarch
aeolus-configure-2.5.0-15.el6.noarch
aeolus-conductor-daemons-0.8.0-36.el6.noarch
aeolus-conductor-devel-0.8.0-36.el6.noarch

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHEA-2012-0583.html
Description of problem:

I have a pseudo list of rules that we used to validate for users..

// check username
if (user.username().length()<1){
    list.add(Users.LOGIN_TOO_SHORT);
    list.add(Users.LOGIN_NO_SPECIAL_CHAR);
    fatalError = true;
}
// check username
if (user.username().length()<3){
    list.add(Users.LOGIN_TOO_SHORT);
    fatalError = true;
}
if (user.username().length() > 100){
    list.add(Users.LOGIN_TOO_LONG);
    fatalError = true;
}
String bad_characters = "`~!#$%^&*()+=[]{}';:\"/,<>?\\|";
for (int i = 0; i<bad_characters.length();i++) {
    CharSequence badChar = bad_characters.subSequence(i, i+1);
    if (user.username().contains(badChar)){
        list.add(Users.LOGIN_NO_SPECIAL_CHAR);
        fatalError = true;
        break;
    }
}
// check password & confirm password
if(user.password().length()<4){
    list.add(Users.PASSWD_TOO_SHORT);
    fatalError = true;
}
if(user.confirmPassword().length()<4){
    list.add(Users.PASS_CONFIRM_TOO_SHORT);
    fatalError = true;
}
if(!user.password().equals(user.confirmPassword())){
    list.add(Users.PASSWD_NO_MATCH);
    fatalError = true;
}
if(user.get_quota().length() > 100){
    list.add(Users.BAD_QUOTA);
}
// check email
if(user.email().length()<6){
    list.add(EMAIL_TOO_SHORT);
    fatalError = true;
}
if(!user.email().contains("@")||!user.email().contains(".")){
    list.add(Users.EMAIL_INVALID);
    fatalError = true;
}

public static final String LOGIN_SUCCESSFUL = "Login successful!";
public static final String INVALID_PERMISSION = "Invalid Permission to perform this operation";
public static final String LOGIN_TOO_SHORT = "Login is too short (minimum is 3 characters)";
public static final String LOGIN_NO_SPECIAL_CHAR = "Login should use only letters, numbers, spaces, and .-_@ please.";
public static final String LOGIN_DUPLICATE = "Login has already been taken";
public static final String LOGIN_TOO_LONG = "Login is too long (maximum is 100 characters)";
public static final String PASSWD_TOO_SHORT = "Password is too short (minimum is 4 characters)";
public static final String PASS_CONFIRM_TOO_SHORT = "Password confirmation is too short (minimum is 4 characters)";
public static final String PASSWD_NO_MATCH = "Password doesn't match confirmation";
public static final String USER_CREATION_FAILED = "User registration failed: validation failed";
public static final String USER_CREATION_SUCCESS = "User registered!";
public static final String USER_UPDATE_SUCCESS = "User updated!";
public static final String SELF_REG_SUCCESS = "You have successfully registered!";
public static final String EMAIL_TAKEN = "Email has already been taken";
public static final String EMAIL_TOO_SHORT = "Email is too short (minimum is 6 characters)";
public static final String EMAIL_INVALID = "Email should look like an email address.";
public static final String EMAIL_TOO_LONG = "Email is too long (maximum is 100 characters)";
public static final String SELF_USER_DELETE = "Can not delete the currently logged in user!";
public static final String FIRSTNAME_TOO_LONG = "First name is too long (maximum is 255 characters)";
public static final String LASTNAME_TOO_LONG = "Last name is too long (maximum is 255 characters)";
public static final String BAD_QUOTA = "Maximum running instances must be a positive whole number less than 2147483647";
public static final String NO_USER_SELECTED = "Please select any user to be deleted before clicking Delete button";