(PE-36933) strengthen default password policy
In Puppet Enterprise, the default password policy is being
tightened to require:

- password minimum length (password_minimum_length): 12 characters
- minimum lowercase letters required (lowercase_letters_required): 1
- minimum uppercase letters required (uppercase_letters_required): 1
- minimum numbers required (numbers_required): 1
- minimum special characters required (special_characters_required): 1
- number of previous passwords a new password must differ from
  (number_of_previous_passwords): 5

This commit updates the `q_puppet_enterpriseconsole_auth_password` property
that is used to populate the administrator RBAC password during PE installs
in beaker-pe to satisfy the updated policy.
steveax committed Jan 29, 2024
1 parent 13bdbfb commit 444f3ea
Showing 9 changed files with 17 additions and 17 deletions.
3 changes: 1 addition & 2 deletions lib/beaker-answers/answers.rb
@@ -10,7 +10,7 @@ class Answers
DEFAULT_ANSWERS = StringifyHash.new.merge({
:q_install => 'y',
:q_puppet_enterpriseconsole_auth_user_email => 'admin@example.com',
:q_puppet_enterpriseconsole_auth_password => '~!@#$%^*-/ aZ',
:q_puppet_enterpriseconsole_auth_password => 'Puppetlabs-1',
:q_puppet_enterpriseconsole_smtp_port => 25,
:q_puppet_enterpriseconsole_smtp_use_tls => 'n',
:q_verify_packages => 'y',
@@ -99,7 +99,6 @@ def self.create version, hosts, options
end
warn 'Only upgrades to version 3.8.x generate specific upgrade answers. Defaulting to full answers.'
end

# finds all potential version classes
# discovers new version classes as they are added, no more crazy case statement
version_classes = self.supported_versions
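Review bot: The new `DEFAULT_ANSWERS` value `'Puppetlabs-1'` is a fixed, publicly visible console administrator password, and nothing next to it says it is meant for test installs only. It meets the policy listed in the commit message at the bare minimum (exactly 12 characters, one digit, one special character) and is built from the vendor name, so a host installed with these defaults and left reachable has a guessable admin login. I would add a comment above the entry, `# Test-only RBAC admin password; satisfies the PE default policy (12+ chars, upper, lower, digit, special). Override it for any host that outlives the test run.` The hash and `self.create` both continue outside the visible lines.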
6 changes: 3 additions & 3 deletions spec/beaker-answers/beaker-answers_spec.rb
@@ -464,7 +464,7 @@

it 'sets correct answers for a master' do
@ver = '3.0'
expect( @answers['vm1'] ).to be === { :q_install=>"y", :q_vendor_packages_install=>"y", :q_puppetagent_install=>"y", :q_puppet_cloud_install=>"n", :q_verify_packages=>"y", :q_puppet_symlinks_install=>"y", :q_puppetagent_certname=>hosts[0].to_s, :q_puppetagent_server=>hosts[0].to_s, :q_puppetmaster_install=>"y", :q_all_in_one_install=>"y", :q_puppet_enterpriseconsole_install=>"y", :q_puppetdb_install=>"y", :q_database_install=>"y", :q_puppetdb_hostname=>hosts[0].to_s, :q_puppetdb_port=>8081, :q_puppetmaster_dnsaltnames=>"#{hosts[0].to_s},#{hosts[0][:ip]},puppet", :q_puppetmaster_enterpriseconsole_hostname=>hosts[0].to_s, :q_puppetmaster_enterpriseconsole_port=>443, :q_puppetmaster_certname=>hosts[0].to_s, :q_puppetdb_database_name=>"pe-puppetdb", :q_puppetdb_database_user=>"mYpdBu3r", :q_puppetdb_database_password=>"'~!@\#$%^*-/ aZ'", :q_puppet_enterpriseconsole_auth_database_name=>"console_auth", :q_puppet_enterpriseconsole_auth_database_user=>"mYu7hu3r", :q_puppet_enterpriseconsole_auth_database_password=>"'~!@\#$%^*-/ aZ'", :q_puppet_enterpriseconsole_database_name=>"console", :q_puppet_enterpriseconsole_database_user=>"mYc0nS03u3r", :q_puppet_enterpriseconsole_database_password=>"'~!@\#$%^*-/ aZ'", :q_database_host=>hosts[0].to_s, :q_database_port=>5432, :q_pe_database=>"y", :q_puppet_enterpriseconsole_inventory_hostname=>hosts[0].to_s, :q_puppet_enterpriseconsole_inventory_certname=>hosts[0].to_s, :q_puppet_enterpriseconsole_inventory_dnsaltnames=>hosts[0].to_s, :q_puppet_enterpriseconsole_inventory_port=>8140, :q_puppet_enterpriseconsole_master_hostname=>hosts[0].to_s, :q_puppet_enterpriseconsole_auth_user_email=>"'admin@example.com'", :q_puppet_enterpriseconsole_auth_password=>"'~!@\#$%^*-/ aZ'", :q_puppet_enterpriseconsole_httpd_port=>443, :q_puppet_enterpriseconsole_smtp_host=>"'vm1'", :q_puppet_enterpriseconsole_smtp_use_tls=>"'n'", :q_puppet_enterpriseconsole_smtp_port=>"'25'", :q_database_root_password=>"'=ZYdjiP3jCwV5eo9s1MBd'", 
:q_database_root_user=>"pe-postgres" }
expect( @answers['vm1'] ).to be === { :q_install=>"y", :q_vendor_packages_install=>"y", :q_puppetagent_install=>"y", :q_puppet_cloud_install=>"n", :q_verify_packages=>"y", :q_puppet_symlinks_install=>"y", :q_puppetagent_certname=>hosts[0].to_s, :q_puppetagent_server=>hosts[0].to_s, :q_puppetmaster_install=>"y", :q_all_in_one_install=>"y", :q_puppet_enterpriseconsole_install=>"y", :q_puppetdb_install=>"y", :q_database_install=>"y", :q_puppetdb_hostname=>hosts[0].to_s, :q_puppetdb_port=>8081, :q_puppetmaster_dnsaltnames=>"#{hosts[0].to_s},#{hosts[0][:ip]},puppet", :q_puppetmaster_enterpriseconsole_hostname=>hosts[0].to_s, :q_puppetmaster_enterpriseconsole_port=>443, :q_puppetmaster_certname=>hosts[0].to_s, :q_puppetdb_database_name=>"pe-puppetdb", :q_puppetdb_database_user=>"mYpdBu3r", :q_puppetdb_database_password=>"'~!@\#$%^*-/ aZ'", :q_puppet_enterpriseconsole_auth_database_name=>"console_auth", :q_puppet_enterpriseconsole_auth_database_user=>"mYu7hu3r", :q_puppet_enterpriseconsole_auth_database_password=>"'Puppetlabs-1'", :q_puppet_enterpriseconsole_database_name=>"console", :q_puppet_enterpriseconsole_database_user=>"mYc0nS03u3r", :q_puppet_enterpriseconsole_database_password=>"'Puppetlabs-1'", :q_database_host=>hosts[0].to_s, :q_database_port=>5432, :q_pe_database=>"y", :q_puppet_enterpriseconsole_inventory_hostname=>hosts[0].to_s, :q_puppet_enterpriseconsole_inventory_certname=>hosts[0].to_s, :q_puppet_enterpriseconsole_inventory_dnsaltnames=>hosts[0].to_s, :q_puppet_enterpriseconsole_inventory_port=>8140, :q_puppet_enterpriseconsole_master_hostname=>hosts[0].to_s, :q_puppet_enterpriseconsole_auth_user_email=>"'admin@example.com'", :q_puppet_enterpriseconsole_auth_password=>"'Puppetlabs-1'", :q_puppet_enterpriseconsole_httpd_port=>443, :q_puppet_enterpriseconsole_smtp_host=>"'vm1'", :q_puppet_enterpriseconsole_smtp_use_tls=>"'n'", :q_puppet_enterpriseconsole_smtp_port=>"'25'", :q_database_root_password=>"'=ZYdjiP3jCwV5eo9s1MBd'", 
:q_database_root_user=>"pe-postgres" }
end

it 'generates nil answers for a windows host' do
@@ -505,7 +505,7 @@
end

it 'sets correct answers for a master' do
expect( @answers['vm1'] ).to be === { :q_install=>"y", :q_puppetagent_install=>"y", :q_puppet_cloud_install=>"y", :q_puppet_symlinks_install=>"y", :q_vendor_packages_install=>"y", :q_puppetagent_certname=>hosts[0].to_s, :q_puppetagent_server=>hosts[0].to_s, :q_puppetmaster_install=>"y", :q_puppet_enterpriseconsole_install=>"y", :q_puppetmaster_certname=>hosts[0].to_s, :q_puppetmaster_dnsaltnames=>"#{hosts[0].to_s},#{hosts[0][:ip]},puppet", :q_puppetmaster_enterpriseconsole_hostname=>hosts[0].to_s, :q_puppetmaster_enterpriseconsole_port=>443, :q_puppetmaster_forward_facts=>"y", :q_puppet_enterpriseconsole_database_install=>"y", :q_puppet_enterpriseconsole_auth_database_name=>"console_auth", :q_puppet_enterpriseconsole_auth_database_user=>"mYu7hu3r", :q_puppet_enterpriseconsole_auth_database_password=>"'~!@\#$%^*-/ aZ'", :q_puppet_enterpriseconsole_database_name=>"console", :q_puppet_enterpriseconsole_database_user=>"mYc0nS03u3r", :q_puppet_enterpriseconsole_database_password=>"'~!@\#$%^*-/ aZ'", :q_puppet_enterpriseconsole_inventory_hostname=>hosts[0].to_s, :q_puppet_enterpriseconsole_inventory_certname=>hosts[0].to_s, :q_puppet_enterpriseconsole_inventory_dnsaltnames=>hosts[0].to_s, :q_puppet_enterpriseconsole_inventory_port=>8140, :q_puppet_enterpriseconsole_master_hostname=>hosts[0].to_s, :q_puppet_enterpriseconsole_auth_user_email=>"'admin@example.com'", :q_puppet_enterpriseconsole_auth_password=>"'~!@\#$%^*-/ aZ'", :q_puppet_enterpriseconsole_httpd_port=>443, :q_puppet_enterpriseconsole_smtp_host=>"'vm1'", :q_puppet_enterpriseconsole_smtp_use_tls=>"'n'", :q_puppet_enterpriseconsole_smtp_port=>"'25'", :q_puppet_enterpriseconsole_auth_user=>"'admin@example.com'" }
expect( @answers['vm1'] ).to be === { :q_install=>"y", :q_puppetagent_install=>"y", :q_puppet_cloud_install=>"y", :q_puppet_symlinks_install=>"y", :q_vendor_packages_install=>"y", :q_puppetagent_certname=>hosts[0].to_s, :q_puppetagent_server=>hosts[0].to_s, :q_puppetmaster_install=>"y", :q_puppet_enterpriseconsole_install=>"y", :q_puppetmaster_certname=>hosts[0].to_s, :q_puppetmaster_dnsaltnames=>"#{hosts[0].to_s},#{hosts[0][:ip]},puppet", :q_puppetmaster_enterpriseconsole_hostname=>hosts[0].to_s, :q_puppetmaster_enterpriseconsole_port=>443, :q_puppetmaster_forward_facts=>"y", :q_puppet_enterpriseconsole_database_install=>"y", :q_puppet_enterpriseconsole_auth_database_name=>"console_auth", :q_puppet_enterpriseconsole_auth_database_user=>"mYu7hu3r", :q_puppet_enterpriseconsole_auth_database_password=>"'Puppetlabs-1'", :q_puppet_enterpriseconsole_database_name=>"console", :q_puppet_enterpriseconsole_database_user=>"mYc0nS03u3r", :q_puppet_enterpriseconsole_database_password=>"'Puppetlabs-1'", :q_puppet_enterpriseconsole_inventory_hostname=>hosts[0].to_s, :q_puppet_enterpriseconsole_inventory_certname=>hosts[0].to_s, :q_puppet_enterpriseconsole_inventory_dnsaltnames=>hosts[0].to_s, :q_puppet_enterpriseconsole_inventory_port=>8140, :q_puppet_enterpriseconsole_master_hostname=>hosts[0].to_s, :q_puppet_enterpriseconsole_auth_user_email=>"'admin@example.com'", :q_puppet_enterpriseconsole_auth_password=>"'Puppetlabs-1'", :q_puppet_enterpriseconsole_httpd_port=>443, :q_puppet_enterpriseconsole_smtp_host=>"'vm1'", :q_puppet_enterpriseconsole_smtp_use_tls=>"'n'", :q_puppet_enterpriseconsole_smtp_port=>"'25'", :q_puppet_enterpriseconsole_auth_user=>"'admin@example.com'" }
end

it 'generates nil answers for a windows host' do
@@ -538,7 +538,7 @@
end

it 'sets correct answers for a master' do
expect( @answers['vm1'] ).to be === { :q_install=>"y", :q_puppetagent_install=>"y", :q_puppet_cloud_install=>"y", :q_puppet_symlinks_install=>"y", :q_vendor_packages_install=>"y", :q_puppetagent_certname=>hosts[0].to_s, :q_puppetagent_server=>hosts[0].to_s, :q_puppetmaster_install=>"y", :q_puppet_enterpriseconsole_install=>"y", :q_puppetmaster_certname=>hosts[0].to_s, :q_puppetmaster_dnsaltnames=>"#{hosts[0].to_s},#{hosts[0][:ip]},puppet", :q_puppetmaster_enterpriseconsole_hostname=>hosts[0].to_s, :q_puppetmaster_enterpriseconsole_port=>443, :q_puppetmaster_forward_facts=>"y", :q_puppet_enterpriseconsole_database_install=>"y", :q_puppet_enterpriseconsole_auth_database_name=>"console_auth", :q_puppet_enterpriseconsole_auth_database_user=>"mYu7hu3r", :q_puppet_enterpriseconsole_auth_database_password=>"'~!@\#$%^*-/ aZ'", :q_puppet_enterpriseconsole_database_name=>"console", :q_puppet_enterpriseconsole_database_user=>"mYc0nS03u3r", :q_puppet_enterpriseconsole_database_root_password=>"'~!@\#$%^*-/ aZ'", :q_puppet_enterpriseconsole_database_password=>"'~!@\#$%^*-/ aZ'", :q_puppet_enterpriseconsole_inventory_hostname=>hosts[0].to_s, :q_puppet_enterpriseconsole_inventory_certname=>hosts[0].to_s, :q_puppet_enterpriseconsole_inventory_dnsaltnames=>hosts[0].to_s, :q_puppet_enterpriseconsole_inventory_port=>8140, :q_puppet_enterpriseconsole_master_hostname=>hosts[0].to_s, :q_puppet_enterpriseconsole_auth_user_email=>"'admin@example.com'", :q_puppet_enterpriseconsole_auth_password=>"'~!@\#$%^*-/ aZ'", :q_puppet_enterpriseconsole_httpd_port=>443, :q_puppet_enterpriseconsole_smtp_host=>"'vm1'", :q_puppet_enterpriseconsole_smtp_use_tls=>"'n'", :q_puppet_enterpriseconsole_smtp_port=>"'25'", :q_puppet_enterpriseconsole_auth_user=>"'admin@example.com'" }
expect( @answers['vm1'] ).to be === { :q_install=>"y", :q_puppetagent_install=>"y", :q_puppet_cloud_install=>"y", :q_puppet_symlinks_install=>"y", :q_vendor_packages_install=>"y", :q_puppetagent_certname=>hosts[0].to_s, :q_puppetagent_server=>hosts[0].to_s, :q_puppetmaster_install=>"y", :q_puppet_enterpriseconsole_install=>"y", :q_puppetmaster_certname=>hosts[0].to_s, :q_puppetmaster_dnsaltnames=>"#{hosts[0].to_s},#{hosts[0][:ip]},puppet", :q_puppetmaster_enterpriseconsole_hostname=>hosts[0].to_s, :q_puppetmaster_enterpriseconsole_port=>443, :q_puppetmaster_forward_facts=>"y", :q_puppet_enterpriseconsole_database_install=>"y", :q_puppet_enterpriseconsole_auth_database_name=>"console_auth", :q_puppet_enterpriseconsole_auth_database_user=>"mYu7hu3r", :q_puppet_enterpriseconsole_auth_database_password=>"'Puppetlabs-1'", :q_puppet_enterpriseconsole_database_name=>"console", :q_puppet_enterpriseconsole_database_user=>"mYc0nS03u3r", :q_puppet_enterpriseconsole_database_root_password=>"'Puppetlabs-1'", :q_puppet_enterpriseconsole_database_password=>"'Puppetlabs-1'", :q_puppet_enterpriseconsole_inventory_hostname=>hosts[0].to_s, :q_puppet_enterpriseconsole_inventory_certname=>hosts[0].to_s, :q_puppet_enterpriseconsole_inventory_dnsaltnames=>hosts[0].to_s, :q_puppet_enterpriseconsole_inventory_port=>8140, :q_puppet_enterpriseconsole_master_hostname=>hosts[0].to_s, :q_puppet_enterpriseconsole_auth_user_email=>"'admin@example.com'", :q_puppet_enterpriseconsole_auth_password=>"'Puppetlabs-1'", :q_puppet_enterpriseconsole_httpd_port=>443, :q_puppet_enterpriseconsole_smtp_host=>"'vm1'", :q_puppet_enterpriseconsole_smtp_use_tls=>"'n'", :q_puppet_enterpriseconsole_smtp_port=>"'25'", :q_puppet_enterpriseconsole_auth_user=>"'admin@example.com'" }
end

it 'generates nil answers for a windows host' do
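Review bot: The expected answers now use `'Puppetlabs-1'` for `q_puppet_enterpriseconsole_auth_database_password`, `q_puppet_enterpriseconsole_database_password` and, in the third example, `q_puppet_enterpriseconsole_database_root_password` as well, while the commit message only mentions the RBAC administrator password. Since the only library change visible is the one default in `answers.rb`, these database answers presumably derive from `q_puppet_enterpriseconsole_auth_password`, so the console admin account and the console databases end up sharing one credential; it is worth confirming that this is intended and stating it in the message. The old value `'~!@#$%^*-/ aZ'` also exercised quoting of shell metacharacters and a space in these fields; `q_puppetdb_database_password` in the first example still covers that, but the second and third examples have no such field left. `spec/beaker-answers/upgrade_spec.rb` shows the same split between the two values.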
2 changes: 1 addition & 1 deletion spec/beaker-answers/upgrade_spec.rb
@@ -66,7 +66,7 @@
expect(answer[:q_puppetdb_database_name]).to eq('pe-puppetdb')
expect(answer[:q_puppetdb_database_user]).to eq('mYpdBu3r')
expect(answer[:q_puppetdb_database_password]).to eq("'~!@#$%^*-/ aZ'")
expect(answer[:q_puppet_enterpriseconsole_auth_password]).to eq("'~!@#$%^*-/ aZ'")
expect(answer[:q_puppet_enterpriseconsole_auth_password]).to eq("'Puppetlabs-1'")
expect(answer[:q_puppetdb_port]).to eq(8081)
expect(answer[:q_install]).to eq('y')
expect(answer[:q_enable_future_parser]).to eq('y')
4 changes: 2 additions & 2 deletions spec/beaker-answers/versions/version20162_spec.rb
@@ -19,7 +19,7 @@
basic_hosts }
let( :gold_role_answers ) do
{
"console_admin_password" => default_password,
"console_admin_password" => default_console_password,
"puppet_enterprise::use_application_services" => true,
"puppet_enterprise::puppet_master_host" => basic_hosts[0].hostname,
}
@@ -32,7 +32,7 @@
context 'for a split install' do
let( :gold_role_answers ) do
{
"console_admin_password" => default_password,
"console_admin_password" => default_console_password,
"puppet_enterprise::use_application_services" => true,
"puppet_enterprise::puppet_master_host" => basic_hosts[0].hostname,
"puppet_enterprise::console_host" => basic_hosts[1].hostname,
4 changes: 2 additions & 2 deletions spec/beaker-answers/versions/version20163_spec.rb
@@ -19,7 +19,7 @@
basic_hosts }
let( :gold_role_answers ) do
{
"console_admin_password" => default_password,
"console_admin_password" => default_console_password,
"puppet_enterprise::puppet_master_host" => basic_hosts[0].hostname,
}
end
@@ -31,7 +31,7 @@
context 'for a split install' do
let( :gold_role_answers ) do
{
"console_admin_password" => default_password,
"console_admin_password" => default_console_password,
"puppet_enterprise::puppet_master_host" => basic_hosts[0].hostname,
"puppet_enterprise::console_host" => basic_hosts[1].hostname,
"puppet_enterprise::puppetdb_host" => basic_hosts[2].hostname,
2 changes: 1 addition & 1 deletion spec/beaker-answers/versions/version20171_spec.rb
@@ -18,7 +18,7 @@
let(:hosts) { mono_hosts }
let(:gold_role_answers) do
{
"console_admin_password" => default_password,
"console_admin_password" => default_console_password,
"puppet_enterprise::puppet_master_host" => hosts[0].hostname,
}
end
8 changes: 4 additions & 4 deletions spec/beaker-answers/versions/version20172_spec.rb
@@ -30,7 +30,7 @@
let(:hosts) { mono_hosts }
let(:gold_role_answers) do
{
"console_admin_password" => default_password,
"console_admin_password" => default_console_password,
"puppet_enterprise::puppet_master_host" => hosts[0].hostname,
}
end
@@ -43,7 +43,7 @@
let(:hosts) { split_hosts }
let( :gold_role_answers ) do
{
"console_admin_password" => default_password,
"console_admin_password" => default_console_password,
"puppet_enterprise::puppet_master_host" => hosts[0].hostname,
"puppet_enterprise::console_host" => hosts[1].hostname,
"puppet_enterprise::puppetdb_host" => hosts[2].hostname,
@@ -64,7 +64,7 @@
let(:hosts) { mono_hosts }
let(:gold_role_answers) do
{
"console_admin_password" => default_password,
"console_admin_password" => default_console_password,
"node_roles" => {
"pe_role::monolithic::primary_master" => [hosts[0].hostname],
},
@@ -81,7 +81,7 @@
let(:hosts) { split_hosts }
let( :gold_role_answers ) do
{
"console_admin_password" => default_password,
"console_admin_password" => default_console_password,
"node_roles" => {
"pe_role::split::primary_master" => [hosts[0].hostname],
"pe_role::split::console" => [hosts[1].hostname],
4 changes: 2 additions & 2 deletions spec/beaker-answers/versions/version20173_spec.rb
@@ -37,7 +37,7 @@
let(:hosts) { mono_hosts }
let(:gold_role_answers) do
{
"console_admin_password" => default_password,
"console_admin_password" => default_console_password,
"puppet_enterprise::puppet_master_host" => hosts[0].hostname,
}
end
@@ -60,7 +60,7 @@
let(:hosts) { mono_hosts }
let(:gold_role_answers) do
{
"console_admin_password" => default_password,
"console_admin_password" => default_console_password,
"node_roles" => {
"pe_role::monolithic::primary_master" => [hosts[0].hostname],
},
1 change: 1 addition & 0 deletions spec/shared/context.rb
@@ -2,6 +2,7 @@
let( :options ) { { :format => 'hiera' } }
let( :answer_hiera ) { answers.answer_hiera }
let( :default_password ) { '~!@#$%^*-/ aZ' }
let( :default_console_password ) { 'Puppetlabs-1' }
let( :gold_db_answers ) do
{
"puppet_enterprise::activity_database_user" => 'adsfglkj',
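Review bot: The added `let( :default_console_password ) { 'Puppetlabs-1' }` has no comment explaining why the shared context now carries two passwords, and it repeats the literal from `DEFAULT_ANSWERS` in `lib/beaker-answers/answers.rb`. I would add `# Console (RBAC) admin password; must satisfy the PE default policy: 12+ chars, 1 lower, 1 upper, 1 digit, 1 special` above it, and note on `default_password` that it remains the value for the other (presumably database) answers. An example that checks the default against those rules would catch a later edit that falls below the policy. The enclosing shared context starts and ends outside the visible lines.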
