Allow secure user password update.

This patch allows the ability for user password to be updated via a command prompt so the password doesnt show up in the bash history. The prompted password is asked twice to verify the match. If user cntl-D's the prompt a message appears suggesting user to use either of the options to update the password. Fixes: bug#938315 Change-Id: I4271ae569b922f33c34f9b015a7ee6f760414e39
2013-05-09 09:29:02 -07:00
parent 1130dd70df
commit f2e0818bc9
2 changed files with 30 additions and 3 deletions
--- a/keystoneclient/utils.py
+++ b/keystoneclient/utils.py
@@ -1,5 +1,7 @@
-import uuid
+import getpass
 import hashlib
+import sys
+import uuid

 import prettytable

@@ -128,3 +130,22 @@ def hash_signed_token(signed_text):
    hash_ = hashlib.md5()
    hash_.update(signed_text)
    return hash_.hexdigest()
+
+
+def prompt_for_password():
+    """
+     Prompt user for password if not provided so the password
+     doesn't show up in the bash history.
+    """
+    if not (hasattr(sys.stdin, 'isatty') and sys.stdin.isatty()):
+        # nothing to do
+        return
+
+    while True:
+        try:
+            new_passwd = getpass.getpass('New Password: ')
+            rep_passwd = getpass.getpass('Repeat New Password: ')
+            if new_passwd == rep_passwd:
+                return new_passwd
+        except EOFError:
+            return
--- a/keystoneclient/v2_0/shell.py
+++ b/keystoneclient/v2_0/shell.py
@@ -17,6 +17,7 @@

 import argparse
 import getpass
+import sys

 from keystoneclient.v2_0 import client
 from keystoneclient import utils
@@ -103,14 +104,19 @@ def do_user_update(kc, args):
        print 'Unable to update user: %s' % e


-@utils.arg('--pass', metavar='<password>', dest='passwd', required=True,
+@utils.arg('--pass', metavar='<password>', dest='passwd', required=False,
           help='Desired new password')
@utils.arg('user', metavar='<user>',
           help='Name or ID of user to update password')
 def do_user_password_update(kc, args):
    """Update user password"""
    user = utils.find_resource(kc.users, args.user)
-    kc.users.update_password(user, args.passwd)
+    new_passwd = args.passwd or utils.prompt_for_password()
+    if new_passwd is None:
+        msg = ("\nPlease specify password using the --pass option "
+               "or using the prompt")
+        sys.exit(msg)
+    kc.users.update_password(user, new_passwd)


@utils.arg('--current-password', metavar='<current-password>',