From 87f6b8a4e276f3254775058f4babe73be9e8d3e1 Mon Sep 17 00:00:00 2001
From: lamanotrama
Date: Fri, 6 Sep 2019 12:36:22 +0900
Subject: [PATCH 1/2] Follow account password policy on make password

---
 lib/subiam/client.rb           |  2 +-
 lib/subiam/driver.rb           |  8 ++++++++
 lib/subiam/password_manager.rb | 27 +++++++++++++++++++++++----
 3 files changed, 32 insertions(+), 5 deletions(-)

diff --git a/lib/subiam/client.rb b/lib/subiam/client.rb
index d78fc3a..9a1f89c 100644
--- a/lib/subiam/client.rb
+++ b/lib/subiam/client.rb
@@ -138,7 +138,7 @@ def walk_login_profile(user_name, expected_login_profile, actual_login_profile)
       end
 
       if expected_login_profile and not actual_login_profile
-        expected_login_profile[:password] ||= @password_manager.identify(user_name, :login_profile)
+        expected_login_profile[:password] ||= @password_manager.identify(user_name, :login_profile, @driver.password_policy)
         @driver.create_login_profile(user_name, expected_login_profile)
         updated = true
       elsif not expected_login_profile and actual_login_profile
diff --git a/lib/subiam/driver.rb b/lib/subiam/driver.rb
index eda324a..c380da0 100644
--- a/lib/subiam/driver.rb
+++ b/lib/subiam/driver.rb
@@ -431,6 +431,14 @@ def update_managed_policy(policy_name, policy_document, old_policy_document)
     end
   end
 
+  def password_policy
+    return @password_policy if instance_variable_defined?(:@password_policy)
+
+    @password_policy = @iam.get_account_password_policy.password_policy
+  rescue Aws::IAM::Errors::NoSuchEntity
+    @password_policy = nil
+  end
+
   private
 
   def encode_document(policy_document)
diff --git a/lib/subiam/password_manager.rb b/lib/subiam/password_manager.rb
index 515c8aa..42a0c30 100644
--- a/lib/subiam/password_manager.rb
+++ b/lib/subiam/password_manager.rb
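Review bot: `password_policy` gives no hint that nil is a legitimate, memoised result, and the `instance_variable_defined?` guard is exactly what makes that work, so a later reader may "simplify" it to `@password_policy ||= ...` and re-issue the API call for every user that needs a login profile. A header comment would pin that down: `# Account password policy, or nil when the account has none (NoSuchEntity). Memoised, including the nil case, so GetAccountPasswordPolicy is called at most once per driver.` Only NoSuchEntity is rescued, so any other error from the call (for instance a permission failure on iam:GetAccountPasswordPolicy) now propagates into walk_login_profile's create path; that is presumably intended, but it is a new permission the driver depends on and is worth stating in the same comment.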
@@ -1,13 +1,19 @@
 class Subiam::PasswordManager
   include Subiam::Logger::Helper
 
+  LOWERCASES = ('a'..'z').to_a
+  UPPERCASES = ('A'..'Z').to_a
+  NUMBERS = ('0'..'9').to_a
+  SYMBOLS = "!@\#$%^&*()_+-=[]{}|'".split(//)
+
   def initialize(output, options = {})
     @output = output
     @options = options
   end
 
-  def identify(user, type)
-    password = mkpasswd
+  def identify(user, type, policy)
+    password = mkpasswd(policy)
+    log(:info, "mkpasswd: #{password}")
     puts_password(user, type, password)
     password
   end
@@ -22,8 +28,21 @@ def puts_password(user, type, password)
 
   private
 
-  def mkpasswd(len = 8)
-    [*1..9, *'A'..'Z', *'a'..'z'].shuffle.slice(0, len).join
+  def mkpasswd(policy)
+    chars = []
+    len = 8
+
+    if policy
+      len = policy.minimum_password_length if policy.minimum_password_length > len
+      chars << LOWERCASES.shuffle.first if policy.require_lowercase_characters
+      chars << UPPERCASES.shuffle.first if policy.require_uppercase_characters
+      chars << NUMBERS.shuffle.first if policy.require_numbers
+      chars << SYMBOLS.shuffle.first if policy.require_symbols
+
+      len -= chars.length
+    end
+
+    (chars + [*1..9, *'A'..'Z', *'a'..'z'].shuffle.slice(0, len)).shuffle.join
   end
 
   def open_output

From a3c6e346b6619abbe9d68ac799fa810c8ff17c99 Mon Sep 17 00:00:00 2001
From: lamanotrama
Date: Fri, 6 Sep 2019 12:36:45 +0900
Subject: [PATCH 2/2] Do not write password to info log

---
 lib/subiam/password_manager.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/subiam/password_manager.rb b/lib/subiam/password_manager.rb
index 42a0c30..77de28c 100644
--- a/lib/subiam/password_manager.rb
+++ b/lib/subiam/password_manager.rb
@@ -13,7 +13,7 @@ def initialize(output, options = {})
 
   def identify(user, type, policy)
     password = mkpasswd(policy)
-    log(:info, "mkpasswd: #{password}")
+    log(:debug, "mkpasswd: #{password}")
     puts_password(user, type, password)
     password
   end
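Review bot: `identify(user, type, policy)` turns `policy` into a required positional argument, so any caller other than the one updated in client.rb now raises ArgumentError, even though `mkpasswd` already treats a nil policy as "no policy"; `def identify(user, type, policy = nil)` keeps the previous two-argument call working. The four new constants are mutable arrays that `mkpasswd` later shuffles copies of; `LOWERCASES = ('a'..'z').to_a.freeze` (and likewise for UPPERCASES, NUMBERS and SYMBOLS) guards the character pools against accidental in-place mutation. The `log(:info, ...)` line added here is revisited in the second patch.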
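Review bot: `mkpasswd` draws every character with `Array#shuffle`/`first`, which use Ruby's default Mersenne Twister rather than a cryptographic source, and the filler `[*1..9, *'A'..'Z', *'a'..'z'].shuffle.slice(0, len)` can never yield more than 61 characters, so a policy whose `minimum_password_length` exceeds 61 (AWS accepts minimums up to 128) produces a password that violates the very policy it was fetched to satisfy. Sampling with replacement via `sample(random: SecureRandom)` fixes both: any length is reachable and the generator is the OS CSPRNG; the file then needs `require 'securerandom'` at the top. The original filler pool also omits `0` and the symbols, so those only ever appear when the policy requires them; the rewrite below uses the new constants as the pool instead.
```ruby
  def mkpasswd(policy)
    pool = LOWERCASES + UPPERCASES + NUMBERS
    chars = []
    len = 8

    if policy
      len = policy.minimum_password_length if policy.minimum_password_length > len
      chars << LOWERCASES.sample(random: SecureRandom) if policy.require_lowercase_characters
      chars << UPPERCASES.sample(random: SecureRandom) if policy.require_uppercase_characters
      chars << NUMBERS.sample(random: SecureRandom) if policy.require_numbers
      chars << SYMBOLS.sample(random: SecureRandom) if policy.require_symbols

      len -= chars.length
    end

    # Draw the filler with replacement so any minimum length is reachable,
    # then shuffle so the required characters are not always at the front.
    chars += Array.new(len) { pool.sample(random: SecureRandom) }
    chars.shuffle(random: SecureRandom).join
  end
```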
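Review bot: Lowering the level to `:debug` still writes the cleartext password into whatever the logger is attached to, so debug output (CI logs, a log aggregator) becomes a second copy of the initial credential; the password is already delivered to the caller through `puts_password`, so the log line does not need it. `log(:debug, "mkpasswd: generated #{password.length}-character password for #{user}")` keeps the trace without the secret. Within `identify` the `password` local is only used by this line and `puts_password`, so nothing else depends on the message contents.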