fix(host,host-deployer): host-deployer add password quality check (#23876)

Author: wanyaoqi

pkg/baremetal/manager.go

@@ -3063,10 +3063,12 @@ func (s *SBaremetalServer) SyncPartitionSize(term *ssh.Client, rootDisk *disktoo
 
 func (s *SBaremetalServer) DoDeploy(tool *disktool.SSHPartitionTool, term *ssh.Client, data jsonutils.JSONObject, isInit bool) (jsonutils.JSONObject, error) {
 	publicKey := deployapi.GetKeys(data)
+	isRandomPassword := false
 	password, _ := data.GetString("password")
 	resetPassword := jsonutils.QueryBoolean(data, "reset_password", false)
 	if resetPassword && len(password) == 0 {
 		password = seclib.RandomPassword(12)
+		isRandomPassword = true
 	}
 	deployArray := make([]*deployapi.DeployContent, 0)
 	if data.Contains("deploys") {
@@ -3077,7 +3079,7 @@ func (s *SBaremetalServer) DoDeploy(tool *disktool.SSHPartitionTool, term *ssh.C
 	}
 	userData, _ := s.desc.GetString("user_data")
 	deployInfo := deployapi.NewDeployInfo(publicKey, deployArray,
-		password, isInit, true, o.Options.LinuxDefaultRootUser, o.Options.WindowsDefaultAdminUser, false, "",
+		password, isRandomPassword, isInit, true, o.Options.LinuxDefaultRootUser, o.Options.WindowsDefaultAdminUser, false, "",
 		false, "",
 		userData,
 	)

pkg/hostman/guestfs/core.go

@@ -179,8 +179,7 @@ func DoDeployGuestFs(rootfs fsdriver.IRootFsDriver, guestDesc *deployapi.GuestDe
 				return nil, errors.Wrap(err, "DeployPublicKey")
 			}
 			var secret string
-			if secret, err = rootfs.ChangeUserPasswd(partition, account, gid,
-				deployInfo.PublicKey.PublicKey, deployInfo.Password); err != nil {
+			if secret, err = rootfs.ChangeUserPasswd(partition, account, gid, deployInfo.PublicKey.PublicKey, deployInfo.Password, deployInfo.IsRandomPassword); err != nil {
 				return nil, errors.Wrap(err, "ChangeUserPasswd")
 			}
 			if len(secret) > 0 {

pkg/hostman/guestfs/fsdriver/android.go

@@ -78,7 +78,7 @@ func (m *sBaseAndroidRootFs) DeployPublicKey(rootfs IDiskPartition, uname string
 	return nil
 }
 
-func (m *sBaseAndroidRootFs) ChangeUserPasswd(part IDiskPartition, account, gid, publicKey, password string) (string, error) {
+func (m *sBaseAndroidRootFs) ChangeUserPasswd(part IDiskPartition, account, gid, publicKey, password string, isRandomPassword bool) (string, error) {
 	return "", nil
 }
 

pkg/hostman/guestfs/fsdriver/esxi.go

@@ -56,7 +56,7 @@ func (m *SEsxiRootFs) GetOs() string {
 	return "VMWare"
 }
 
-func (m *SEsxiRootFs) ChangeUserPasswd(part IDiskPartition, account, gid, publicKey, password string) (string, error) {
+func (m *SEsxiRootFs) ChangeUserPasswd(part IDiskPartition, account, gid, publicKey, password string, isRandomPassword bool) (string, error) {
 	return utils.EncryptAESBase64(gid, "(blank)")
 }
 

pkg/hostman/guestfs/fsdriver/interface.go

@@ -83,7 +83,7 @@ type IRootFsDriver interface {
 	DeployFstabScripts(IDiskPartition, []*deployapi.Disk) error
 	GetLoginAccount(IDiskPartition, string, bool, bool) (string, error)
 	DeployPublicKey(IDiskPartition, string, *deployapi.SSHKeys) error
-	ChangeUserPasswd(part IDiskPartition, account, gid, publicKey, password string) (string, error)
+	ChangeUserPasswd(part IDiskPartition, account, gid, publicKey, password string, isRandomPassword bool) (string, error)
 	DeployYunionroot(rootFs IDiskPartition, pubkeys *deployapi.SSHKeys, isInit bool, enableCloudInit bool) error
 	EnableSerialConsole(IDiskPartition, *jsonutils.JSONDict) error
 	DisableSerialConsole(IDiskPartition) error

pkg/hostman/guestfs/fsdriver/linux.go

@@ -42,6 +42,7 @@ import (
 	"yunion.io/x/onecloud/pkg/util/fstabutils"
 	"yunion.io/x/onecloud/pkg/util/netutils2"
 	"yunion.io/x/onecloud/pkg/util/procutils"
+	"yunion.io/x/onecloud/pkg/util/pwquality"
 	"yunion.io/x/onecloud/pkg/util/seclib2"
 	"yunion.io/x/onecloud/pkg/util/sysutils"
 )
@@ -226,7 +227,24 @@ func (l *sLinuxRootFs) GetLoginAccount(rootFs IDiskPartition, sUser string, defa
 	return selUsr, nil
 }
 
-func (l *sLinuxRootFs) ChangeUserPasswd(rootFs IDiskPartition, account, gid, publicKey, password string) (string, error) {
+func (l *sLinuxRootFs) checkInputPasswd(rootFs IDiskPartition, config *pwquality.Config, account, gid, publicKey, password string) string {
+	if config == nil {
+		return password
+	}
+
+	err := config.Validate(password, account)
+	if err != nil && errors.Cause(err) == pwquality.ErrPasswordTooWeak {
+		log.Infof("password %s too weak, try regenerate password", password)
+		npassword := config.GeneratePassword(seclib2.RandomPassword2)
+		if len(npassword) > 0 {
+			log.Infof("regenerate password %s", npassword)
+			password = npassword
+		}
+	}
+	return password
+}
+
+func (l *sLinuxRootFs) ChangeUserPasswd(rootFs IDiskPartition, account, gid, publicKey, password string, isRandomPassword bool) (string, error) {
 	var secret string
 	var err error
 	err = rootFs.Passwd(account, password, false)
@@ -1099,6 +1117,27 @@ func (d *sDebianLikeRootFs) DeployNetworkingScripts(rootFs IDiskPartition, nics
 	return rootFs.FilePutContents(fn, cmds.String(), false, false)
 }
 
+func (r *sDebianLikeRootFs) ChangeUserPasswd(rootFs IDiskPartition, account, gid, publicKey, password string, isRandomPassword bool) (string, error) {
+	if isRandomPassword {
+		var pwqualityConf *pwquality.Config
+		if rootFs.Exists("/etc/security/pwquality.conf", false) {
+			pwConfig, err := rootFs.FileGetContents("/etc/security/pwquality.conf", false)
+			if err == nil {
+				pwqualityConf = pwquality.ParseConfig(pwConfig)
+			}
+		}
+		if rootFs.Exists("/etc/pam.d/common-password", false) {
+			pamConfig, err := rootFs.FileGetContents("/etc/pam.d/common-password", false)
+			if err == nil {
+				pwqualityConf = pwquality.ParsePAMConfig(pamConfig, pwqualityConf)
+			}
+		}
+		password = r.checkInputPasswd(rootFs, pwqualityConf, account, gid, publicKey, password)
+	}
+
+	return r.sLinuxRootFs.ChangeUserPasswd(rootFs, account, gid, publicKey, password, isRandomPassword)
+}
+
 type SDebianRootFs struct {
 	*sDebianLikeRootFs
 }
@@ -1394,6 +1433,26 @@ func (r *sRedhatLikeRootFs) Centos5DeployNetworkingScripts(rootFs IDiskPartition
 	return nil
 }
 
+func (r *sRedhatLikeRootFs) ChangeUserPasswd(rootFs IDiskPartition, account, gid, publicKey, password string, isRandomPassword bool) (string, error) {
+	if isRandomPassword {
+		var pwqualityConf *pwquality.Config
+		if rootFs.Exists("/etc/security/pwquality.conf", false) {
+			pwConfig, err := rootFs.FileGetContents("/etc/security/pwquality.conf", false)
+			if err == nil {
+				pwqualityConf = pwquality.ParseConfig(pwConfig)
+			}
+		}
+		if rootFs.Exists("/etc/pam.d/system-auth", false) {
+			pamConfig, err := rootFs.FileGetContents("/etc/pam.d/system-auth", false)
+			if err == nil {
+				pwqualityConf = pwquality.ParsePAMConfig(pamConfig, pwqualityConf)
+			}
+		}
+		password = r.checkInputPasswd(rootFs, pwqualityConf, account, gid, publicKey, password)
+	}
+	return r.sLinuxRootFs.ChangeUserPasswd(rootFs, account, gid, publicKey, password, isRandomPassword)
+}
+
 func getMainNic(nics []*types.SServerNic) *types.SServerNic {
 	for i := range nics {
 		if nics[i].IsDefault {
@@ -2375,7 +2434,7 @@ func (d *SCoreOsRootFs) DeployFstabScripts(rootFs IDiskPartition, disks []*deplo
 	return nil
 }
 
-func (d *SCoreOsRootFs) ChangeUserPasswd(rootFs IDiskPartition, account, gid, publicKey, password string) (string, error) {
+func (d *SCoreOsRootFs) ChangeUserPasswd(part IDiskPartition, account, gid, publicKey, password string, isRandomPassword bool) (string, error) {
 	keys := []string{}
 	if len(publicKey) > 0 {
 		keys = append(keys, publicKey)

pkg/hostman/guestfs/fsdriver/macos.go

@@ -86,7 +86,7 @@ func (m *SMacOSRootFs) addScripts(lines []string) {
 	m.scripts = append(m.scripts, "")
 }
 
-func (m *SMacOSRootFs) ChangeUserPasswd(part IDiskPartition, account, gid, publicKey, password string) (string, error) {
+func (m *SMacOSRootFs) ChangeUserPasswd(part IDiskPartition, account, gid, publicKey, password string, isRandomPassword bool) (string, error) {
 	lines := []string{
 		fmt.Sprintf("dscl . -passwd /Users/%s %s", account, password),
 		fmt.Sprintf("rm -fr /Users/%s/Library/Keychains/*", account),

pkg/hostman/guestfs/fsdriver/windows.go

@@ -444,7 +444,7 @@ func (w *SWindowsRootFs) CommitChanges(part IDiskPartition) error {
 	return nil
 }
 
-func (w *SWindowsRootFs) ChangeUserPasswd(part IDiskPartition, account, gid, publicKey, password string) (string, error) {
+func (w *SWindowsRootFs) ChangeUserPasswd(part IDiskPartition, account, gid, publicKey, password string, isRandomPassword bool) (string, error) {
 	rinfo := w.GetReleaseInfo(part)
 	confPath := part.GetLocalPath("/windows/system32/config", true)
 	tool := winutils.NewWinRegTool(confPath)

pkg/hostman/guestfs/kvmpart/localfs.go

@@ -16,9 +16,9 @@ package kvmpart
 
 import (
 	"fmt"
-	"io"
 	"io/ioutil"
 	"os"
+	"os/exec"
 	"path"
 	"strings"
 
@@ -139,40 +139,17 @@ func (f *SLocalGuestFS) Zerofiles(dir string, caseInsensitive bool) error {
 }
 
 func (f *SLocalGuestFS) Passwd(account, password string, caseInsensitive bool) error {
-	var proc = procutils.NewCommand("chroot", f.mountPath, "passwd", account)
-	stdin, err := proc.StdinPipe()
-	if err != nil {
-		return err
-	}
-	defer stdin.Close()
+	var proc = exec.Command("chroot", f.mountPath, "passwd", account)
 
-	outb, err := proc.StdoutPipe()
-	if err != nil {
-		return err
-	}
-	defer outb.Close()
+	passwordInput := fmt.Sprintf("%s\n%s\n", password, password)
+	proc.Stdin = strings.NewReader(passwordInput)
 
-	errb, err := proc.StderrPipe()
+	out, err := proc.CombinedOutput()
 	if err != nil {
-		return err
-	}
-	defer errb.Close()
-
-	if err := proc.Start(); err != nil {
-		return err
+		return errors.Wrapf(err, "failed change passwd %s", out)
 	}
-	io.WriteString(stdin, fmt.Sprintf("%s\n", password))
-	io.WriteString(stdin, fmt.Sprintf("%s\n", password))
-	stdoutPut, err := ioutil.ReadAll(outb)
-	if err != nil {
-		return err
-	}
-	stderrOutPut, err := ioutil.ReadAll(errb)
-	if err != nil {
-		return err
-	}
-	log.Infof("Passwd %s %s", stdoutPut, stderrOutPut)
-	return proc.Wait()
+	log.Infof("Passwd %s", out)
+	return nil
 }
 
 func (f *SLocalGuestFS) Stat(usrDir string, caseInsensitive bool) os.FileInfo {

pkg/hostman/guestman/guestman.go

@@ -986,10 +986,13 @@ func (m *SGuestManager) startDeploy(
 			return nil, errors.Wrapf(err, "unmarshal to array of deployapi.DeployContent")
 		}
 	}
+
+	isRandomPassword := false
 	password, _ := deployParams.Body.GetString("password")
 	resetPassword := jsonutils.QueryBoolean(deployParams.Body, "reset_password", false)
 	if resetPassword && len(password) == 0 {
 		password = seclib.RandomPassword2(14)
+		isRandomPassword = true
 	}
 	enableCloudInit := jsonutils.QueryBoolean(deployParams.Body, "enable_cloud_init", false)
 	loginAccount, _ := deployParams.Body.GetString("login_account")
@@ -1007,7 +1010,7 @@ func (m *SGuestManager) startDeploy(
 	guestInfo, err := guest.DeployFs(ctx, deployParams.UserCred,
 		deployapi.NewDeployInfo(
 			publicKey, deployArray,
-			password, deployParams.IsInit, false,
+			password, isRandomPassword, deployParams.IsInit, false,
 			options.HostOptions.LinuxDefaultRootUser, options.HostOptions.WindowsDefaultAdminUser,
 			enableCloudInit, loginAccount, deployTelegraf, telegrafConfig,
 			guest.GetDesc().UserData,