
Missing password length validation for users in Jenkins' own database (in FIPS mode)

    • Bug
    • Resolution: Fixed
    • Minor
    • core
    • None

      1. Go to Manage Jenkins > Users

      2. Configure an existing user

      3. Update the password with a short value (less than 14 characters)

      4. You don’t get a validation message → You should get the validation

      5. Click on the Save button → The password is updated

      NOTE: Another way of updating the password with a non-compliant value:

      1. Log in

      2. Go to User > Configure through the top menu

      3. Update the password with a short value (less than 14 characters)

      4. You don’t get a validation message → You should get the validation

      5. Click on the Save button → The password is updated

      Acceptance criteria
      Fix the error
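
The gap described in the steps above, as an added Java example that is not Jenkins code and not the fix from the linked PR: a toy user store where only the create path checks the FIPS minimum length, beside a variant that checks at the write path shared by all three flows. All class and method names are hypothetical; the 14-character minimum comes from the issue text.

```java
import java.util.HashMap;
import java.util.Map;

// Added illustration: every name here is hypothetical, none is a Jenkins class.
public class PasswordPolicyDemo {
    // From the issue: in FIPS mode a password shorter than 14 characters is non-compliant.
    static final int FIPS_MIN_LENGTH = 14;

    static void checkLength(String password, boolean fipsMode) {
        if (fipsMode && (password == null || password.length() < FIPS_MIN_LENGTH)) {
            throw new IllegalArgumentException(
                "Password must be at least " + FIPS_MIN_LENGTH + " characters in FIPS mode");
        }
    }

    // Toy store: tracks how many times each user's password was accepted and written.
    static class UserStore {
        private final boolean fipsMode;
        private final boolean checkEveryWrite; // false reproduces the reported gap
        private final Map<String, Integer> passwordVersion = new HashMap<>();

        UserStore(boolean fipsMode, boolean checkEveryWrite) {
            this.fipsMode = fipsMode;
            this.checkEveryWrite = checkEveryWrite;
        }

        // Single write path shared by create and by both update flows.
        private void store(String user, String password) {
            if (checkEveryWrite) checkLength(password, fipsMode);
            passwordVersion.merge(user, 1, Integer::sum);
        }

        void createUser(String user, String password) {
            checkLength(password, fipsMode); // the create flow validates on submit
            store(user, password);
        }
        void adminConfigureUser(String user, String password) { store(user, password); }
        void selfConfigure(String user, String password) { store(user, password); }
    }

    static boolean accepted(Runnable write) {
        try { write.run(); return true; }
        catch (IllegalArgumentException e) { return false; }
    }

    public static void main(String[] args) {
        for (boolean checkEveryWrite : new boolean[] {false, true}) {
            UserStore store = new UserStore(true, checkEveryWrite);
            store.createUser("alice", "a-compliant-passphrase"); // constructed sample value
            System.out.println("checkEveryWrite=" + checkEveryWrite
                + " create(short)=" + accepted(() -> store.createUser("bob", "short"))
                + " adminUpdate(short)=" + accepted(() -> store.adminConfigureUser("alice", "short"))
                + " selfUpdate(short)=" + accepted(() -> store.selfConfigure("alice", "short")));
        }
    }
}
```

Placing the check in the shared write path means any future password-setting flow inherits it without a separate form-level validation.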

          [JENKINS-74858] Missing password length validation for users in Jenkins' own database (in FIPS mode)

          Tejas created issue -
          Tejas made changes -
          Issue Type Original: Task [ 3 ] New: Bug [ 1 ]
          Tejas made changes -
          Description Original: 1. Go to Manage Jenkins > Security and make sure the Security Realm is “Jenkins' own user database”

          2. Go to Manage Jenkins > Users

          3. Click on Create User

          4. Add a new user with a short password (less than 14 characters)

          5. You don’t get the validation until you click the button → Validations should happen when losing the focus.

          Once it is created it is possible to update to a non-compliant password

          1. Go to Manage Jenkins > Users

          2. Configure an existing user

          3. Update the password with a short value (less than 14 characters)

          4. You don’t get a validation message → You should get the validation

          5. Click on the Save button → The password is updated

          NOTE: Another way of updating the password with a non-compliant value:

          1. Log in

          2. Go to User > Configure through the top menu

          3. Update the password with a short value (less than 14 characters)

          4. You don’t get a validation message → You should get the validation

          5. Click on the Save button → The password is updated

          Acceptance criteria
          Fix the error

          Make sure beescloud documentation is updated

          Note: ticket created as bug but it could be a task if we don’t want to add any release notes
          New: 1. Go to Manage Jenkins > Users

          2. Configure an existing user

          3. Update the password with a short value (less than 14 characters)

          4. You don’t get a validation message → You should get the validation

          5. Click on the Save button → The password is updated

          NOTE: Another way of updating the password with a non-compliant value:

          1. Log in

          2. Go to User > Configure through the top menu

          3. Update the password with a short value (less than 14 characters)

          4. You don’t get a validation message → You should get the validation

          5. Click on the Save button → The password is updated

          Acceptance criteria
          Fix the error

          Make sure beescloud documentation is updated

          Note: ticket created as bug but it could be a task if we don’t want to add any release notes

          Tejas added a comment -

          Updated the description (Removed "adding validations when user loses focus" which was initially part of ticket description)

          To provide more context:

          1. Adding the validation when the focus is lost implies rewriting the HudsonPrivateSecurityRealm class, an effort that is not worth it only to gain the validation on the onblur event
          2. The rest of the validations don’t display an error/warning message when losing the focus, so adding it for FIPS would cause a loss of coherence

          Tejas made changes -
          Status Original: Open [ 1 ] New: In Progress [ 3 ]
          Tejas made changes -
          Assignee New: Tejas [ tejas_drolia ]

          Tejas added a comment -

          PR --> https://github.com/jenkinsci/jenkins/pull/9995
          Tejas made changes -
          Status Original: In Progress [ 3 ] New: In Review [ 10005 ]
          Tejas made changes -
          Link New: This issue is related to JENKINS-74918 [ JENKINS-74918 ]
          Tejas made changes -
          Remote Link New: This issue links to "OSS PR (Web Link)" [ 30254 ]
