Merge branch 'password-validation-fixes' into 'main'

cleaning up password validation

See merge request weblogic-cloud/weblogic-deploy-tooling!1539

Author: robertpatrick

core/pom.xml

@@ -11,7 +11,7 @@
     <parent>
         <artifactId>weblogic-deploy</artifactId>
         <groupId>com.oracle.weblogic.lifecycle</groupId>
-        <version>3.4.1-SNAPSHOT</version>
+        <version>3.5.0-SNAPSHOT</version>
         <relativePath>../pom.xml</relativePath>
     </parent>
 

core/src/main/java/oracle/weblogic/deploy/validate/PasswordValidator.java

@@ -5,7 +5,9 @@
 package oracle.weblogic.deploy.validate;
 
 import java.util.HashMap;
+import java.util.HashSet;
 import java.util.Map;
+import java.util.Set;
 
 import oracle.weblogic.deploy.logging.PlatformLogger;
 import oracle.weblogic.deploy.logging.WLSDeployLogFactory;
@@ -37,14 +39,19 @@ public class PasswordValidator {
     private static final char[] DISALLOWED_PASSWORD_START_CHARACTERS = { '{' };
 
     private final Map<String, Object> config;
+    private final Map<String, Object> cieDefaults;
+    private final Set<String> notifications;
 
     /**
      * The constructor.
      *
-     * @param config a map of the configuration values
+     * @param config      a map of the configuration values from the model
+     * @param cieDefaults a map of the default values from the aliases
      */
-    public PasswordValidator(Map<String, Object> config) {
+    public PasswordValidator(Map<String, Object> config, Map<String, Object> cieDefaults) {
         this.config = config;
+        this.cieDefaults = cieDefaults;
+        this.notifications = new HashSet<>();
     }
 
     /**
@@ -297,6 +304,20 @@ private int getIntegerFieldConfiguration(String fieldName) {
                 result = (int) value;
             }
         }
+        if (cieDefaults.containsKey(fieldName)) {
+            Object value = cieDefaults.get(fieldName);
+            if (Integer.class.isAssignableFrom(value.getClass())) {
+                int cieDefault  = (int) value;
+
+                if (cieDefault > result) {
+                    if (result != NO_RESTRICTION && !notifications.contains(fieldName)) {
+                        LOGGER.notification("WLSDPLY-05415", fieldName, result, cieDefault);
+                        notifications.add(fieldName);
+                    }
+                    result = cieDefault;
+                }
+            }
+        }
         return result;
     }
 
@@ -305,7 +326,12 @@ private boolean getBooleanFieldConfiguration(String fieldName) {
         if (config.containsKey(fieldName)) {
             Object value = config.get(fieldName);
             if (Boolean.class.isAssignableFrom(value.getClass())) {
-                result = (boolean) value;
+                result = (Boolean) value;
+            }
+        } else if (cieDefaults.containsKey(fieldName)) {
+            Object value = cieDefaults.get(fieldName);
+            if (Boolean.class.isAssignableFrom(value.getClass())) {
+                result = (Boolean) value;
             }
         }
         return result;

core/src/main/python/create.py

@@ -371,8 +371,6 @@ def main(model_context):
 
         # check for any content problems in the merged, substituted model
         content_validator = ContentValidator(model_context, aliases)
-        # password validation errors are fatal and will raise a CreateException if any are found.
-        content_validator.validate_user_passwords(model_dictionary)
         content_validator.validate_model(model_dictionary)
 
         archive_helper = None

core/src/main/python/wlsdeploy/tool/util/default_authenticator_helper.py

@@ -1,14 +1,13 @@
 """
-Copyright (c) 2021, 2022, Oracle Corporation and/or its affiliates.
+Copyright (c) 2021, 2023, Oracle Corporation and/or its affiliates.
 Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl.
 """
-import com.octetstring.vde.util.PasswordEncryptor as PasswordEncryptor
-import com.bea.security.xacml.cache.resource.ResourcePolicyIdUtil as ResourcePolicyIdUtil
 from java.io import File
-from java.lang import String
-import java.util.regex.Pattern as Pattern
 
-import oracle.weblogic.deploy.aliases.TypeUtils as TypeUtils
+from com.octetstring.vde.util import PasswordEncryptor
+from com.bea.security.xacml.cache.resource import ResourcePolicyIdUtil
+from oracle.weblogic.deploy.aliases import TypeUtils
+from oracle.weblogic.deploy.create import CreateException
 
 from wlsdeploy.aliases.model_constants import DESCRIPTION
 from wlsdeploy.aliases.model_constants import GROUP
@@ -69,7 +68,8 @@ def create_default_init_file(self, security_mapping_nodes):
         output_dir = File(self._model_context.get_domain_home(), SECURITY_SUBDIR)
         output_file = File(output_dir, DEFAULT_AUTH_INIT_FILE)
 
-        self._logger.info('WLSDPLY-01900', output_file, class_name=self._class_name, method_name=_method_name)
+        self._logger.info('WLSDPLY-01900', output_file,
+                          class_name=self._class_name, method_name=_method_name)
 
         file_template_helper.append_file_from_resource(template_path, template_hash, output_file, self._exception_type)
 
@@ -79,6 +79,7 @@ def _build_default_template_hash(self, mapping_section_nodes):
         :param mapping_section_nodes: the security elements from the model
         :return: the template hash dictionary
         """
+        _method_name = '_build_default_template_hash'
         template_hash = dict()
 
         group_mappings = []
@@ -92,8 +93,12 @@ def _build_default_template_hash(self, mapping_section_nodes):
         if USER in mapping_section_nodes.keys():
             user_mapping_nodes = mapping_section_nodes[USER]
             for name in user_mapping_nodes:
-                mapping_hash = self._build_user_mapping_hash(user_mapping_nodes[name], name)
-                user_mappings.append(mapping_hash)
+                try:
+                    mapping_hash = self._build_user_mapping_hash(user_mapping_nodes[name], name)
+                    user_mappings.append(mapping_hash)
+                except CreateException, ce:
+                    self._logger.warning('WLSDPLY-01902', name, ce.getLocalizedMessage(),
+                                         error=ce, class_name=self._class_name, method_name=_method_name)
 
         template_hash[GROUP_MAPPINGS] = group_mappings
         template_hash[USER_MAPPINGS] = user_mappings
@@ -110,7 +115,10 @@ def _build_group_mapping_hash(self, group_mapping_section, name):
         hash_entry[HASH_NAME] = name
         group_attributes = group_mapping_section
         description = dictionary_utils.get_element(group_attributes, DESCRIPTION)
-        hash_entry[HASH_DESCRIPTION] = description
+        if description is not None:
+            hash_entry[HASH_DESCRIPTION] = description
+        else:
+            hash_entry[HASH_DESCRIPTION] = ''
         groups = dictionary_utils.get_element(group_attributes, GROUP_MEMBER_OF)
         group_list = []
         group_mappings = list()
@@ -148,12 +156,16 @@ def _build_user_mapping_hash(self, user_mapping_section, name):
         :param user_mapping_section: The security user section from the model
         :param name: name of the user for the user section
         :return: template hash map
+        :raises: CreateException if the user's password cannot be encoded
         """
         hash_entry = dict()
         hash_entry[HASH_NAME] = name
         group_attributes = user_mapping_section
         description = dictionary_utils.get_element(group_attributes, DESCRIPTION)
-        hash_entry[HASH_DESCRIPTION] = description
+        if description is not None:
+            hash_entry[HASH_DESCRIPTION] = description
+        else:
+            hash_entry[HASH_DESCRIPTION] = ''
         groups = dictionary_utils.get_element(group_attributes, GROUP_MEMBER_OF)
         password = self._get_required_attribute(user_mapping_section, PASSWORD, USER, name)
         password = self._aliases.decrypt_password(password)
@@ -175,17 +187,15 @@ def _build_user_mapping_hash(self, user_mapping_section, name):
         return hash_entry
 
     def _encode_password(self, user, password):
-        pwd_pattern = '[\\!a-zA-Z]{1,}'
-        matches = Pattern.matches(pwd_pattern, password)
-        if len(password) < 8 or matches:
-            self._logger.warning('WLSDPLY-01902', user)
-            return None
+        _method_name = '_encode_password'
         try:
             encrypted_pass = PasswordEncryptor.doSSHA256(password)
             encrypted_pass = "{ssha256}" + encrypted_pass
         except Exception, e:
-            self._logger.warning('WLSDPLY-01901', user, e)
-            return None
+            ex = exception_helper.create_create_exception('WLSDPLY-01901',user, e.getLocalizedMessage(),
+                                                          error=e)
+            self._logger.throwing(ex, class_name=self._class_name, method_name=_method_name)
+            raise ex
         return encrypted_pass
 
     def _get_required_attribute(self, dictionary, name, mapping_type, mapping_name):