snowdrop / release-manager

Jira Java Client Tool

Document the restrictions on password characters #106

Open jacobdotcosta opened 3 years ago

jacobdotcosta commented 3 years ago

Document the restrictions that prevent logging in with passwords containing certain characters, and the instructions to change the password.

cmoulliard commented 3 years ago

If you experience an issue with your Red Hat SSO account linked to issues.redhat.com when your pwd includes special chars

java -jar ./target/issues-manager-1.0.0-SNAPSHOT-runner.jar get SB-123 -u <JIRA_ACCOUNT_LINKED> -p <PWD>
...
<p>Basic Authentication Failure - Reason : AUTHENTICATED_FAILED</p>

then perform the following steps to fix it

- Log on and access: https://www.redhat.com/wapps/ugc/protected/personalInfo.html
- Change the pwd to use a >= 8 char pwd without symbols
- Do a curl request to check if it works also

curl -vL -u <JIRA_ACCOUNT_LINKED>:<PWD> https://issues.redhat.com/rest/api/2/issue/ENTSBT-424
java -jar ./target/issues-manager-1.0.0-SNAPSHOT-runner.jar get SB-123 -u <JIRA_ACCOUNT_LINKED> -p <PWD>
Mar 30, 2021 1:26:28 PM org.jboss.threads.Version <clinit>
INFO: JBoss Threads version 3.1.1.Final
Mar 30, 2021 1:26:28 PM io.quarkus.bootstrap.runner.Timing printStartupTime
INFO: issues-manager 1.0.0-SNAPSHOT on JVM (powered by Quarkus 1.8.1.Final) started in 0.566s.
Mar 30, 2021 1:26:28 PM io.quarkus.bootstrap.runner.Timing printStartupTime
INFO: Profile prod activated.
Mar 30, 2021 1:26:28 PM io.quarkus.bootstrap.runner.Timing printStartupTime
INFO: Installed features: [cdi, picocli]
Issue{self=https://issues.redhat.com/rest/api/latest/issue/12706309, key=SB-123, ...

metacosm commented 3 years ago

Ideally, there shouldn't be restrictions on the password. The proper fix is to provide an alternative way to provide the password because passing it as plain text on the CLI is a security issue anyway.

cmoulliard commented 3 years ago

> The proper fix is to provide an alternative way to provide the password because passing it as plain text on the CLI is a security issue anyway.

Does picocli support that?

cmoulliard commented 3 years ago

Can one of you test a picocli pwd with special chars when you change the parameters like this?

    @CommandLine.Option(
            names = { "-p", "--password" },
            description = "JIRA password",
            interactive = true,
            scope = CommandLine.ScopeType.INHERIT)
    private String password;

metacosm commented 3 years ago

We don't want it to be interactive if the tool is supposed to be used for automation purposes… Some more information: https://www.netmeister.org/blog/passing-passwords.html

cmoulliard commented 3 years ago

> We don't want it to be interactive if the tool is supposed to be used for automation purposes…

In this case we will retrieve the password using the pass tool, where a gpg key has been used to encrypt it

metacosm commented 3 years ago

Whatever we do, the passwords/token should not appear on the command line.
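The points raised in the comments above (picocli's `interactive = true`, keeping the tool usable from automation, and feeding the secret from `pass`) can be combined in one picocli command. The following is an added example written for this thread; it is not code from the release-manager project. The command name `get`, the `JIRA_PASSWORD` variable, the `--password-file` option and the `https://issues.redhat.com` base URL are assumptions chosen for illustration. It never reads the password from a bare argument value, so nothing sensitive lands in `ps` output or shell history:

```java
import java.io.IOException;
import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.Arrays;
import java.util.Base64;
import java.util.concurrent.Callable;

import picocli.CommandLine;
import picocli.CommandLine.Command;
import picocli.CommandLine.Option;
import picocli.CommandLine.Parameters;

// Hypothetical command (added example, not the project's own code). The secret
// is resolved from three sources, in this order of precedence:
//   1. -p / --password given without a value -> picocli prompts, echo disabled
//   2. --password-file <path>                 -> e.g. a secret mounted by CI
//   3. JIRA_PASSWORD environment variable     -> for automation, e.g. from `pass show`
@Command(name = "get", mixinStandardHelpOptions = true, description = "Fetch a JIRA issue")
public class GetIssue implements Callable<Integer> {

    static final String JIRA = "https://issues.redhat.com"; // assumed base URL

    @Parameters(index = "0", description = "Issue key, e.g. SB-123")
    String key;

    @Option(names = {"-u", "--user"}, required = true, description = "JIRA account")
    String user;

    // arity 0..1 + interactive: "-p" alone prompts; "-p secret" still parses but
    // leaks into `ps` and shell history, so the prompt is the intended use.
    @Option(names = {"-p", "--password"}, interactive = true, arity = "0..1",
            description = "JIRA password (prompts if no value is given)")
    char[] password;

    @Option(names = "--password-file", description = "Read the password from this file")
    Path passwordFile;

    /** Resolve the credential from the configured sources; never from a bare argument. */
    char[] resolvePassword() throws IOException {
        if (password != null) return password;
        if (passwordFile != null) {
            // drop the trailing newline that editors and `pass` leave behind
            return Files.readString(passwordFile, StandardCharsets.UTF_8).stripTrailing().toCharArray();
        }
        String env = System.getenv("JIRA_PASSWORD");
        if (env != null && !env.isEmpty()) return env.toCharArray();
        throw new IllegalStateException("no password given: use -p, --password-file or JIRA_PASSWORD");
    }

    /** RFC 7617 Basic credentials: base64(user ":" password), UTF-8, so symbols are encoded safely. */
    static String basicAuth(String user, char[] pwd) {
        byte[] raw = (user + ":" + new String(pwd)).getBytes(StandardCharsets.UTF_8);
        return "Basic " + Base64.getEncoder().encodeToString(raw);
    }

    @Override
    public Integer call() throws Exception {
        char[] pwd = resolvePassword();
        try {
            HttpRequest req = HttpRequest.newBuilder(URI.create(JIRA + "/rest/api/2/issue/" + key))
                    .header("Authorization", basicAuth(user, pwd))
                    .header("Accept", "application/json")
                    .GET().build();
            HttpResponse<String> resp = HttpClient.newBuilder()
                    .followRedirects(HttpClient.Redirect.NORMAL) // same as curl -L
                    .build()
                    .send(req, HttpResponse.BodyHandlers.ofString());
            System.out.println(resp.statusCode() + " " + resp.body());
            return resp.statusCode() == 200 ? 0 : 1;
        } finally {
            Arrays.fill(pwd, '\0'); // wipe the char[] once the header has been built
        }
    }

    public static void main(String[] args) {
        System.exit(new CommandLine(new GetIssue()).execute(args));
    }
}
```

For the automation case the secret comes from the environment rather than the argument list, e.g. `JIRA_PASSWORD="$(pass show redhat/jira)" java -jar issues-manager.jar get SB-123 -u <JIRA_ACCOUNT_LINKED>`; for interactive use, `-u <JIRA_ACCOUNT_LINKED> -p` with no value makes picocli prompt without echo. The `String` copy inside `basicAuth` cannot be wiped, which is the usual trade-off when a `String`-based HTTP API is used.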

cmoulliard commented 3 years ago

Since the Akamai migration, the following scenario doesn't work anymore for me

- Log on and access: https://www.redhat.com/wapps/ugc/protected/personalInfo.html
- Change the pwd to use a >= 8 char pwd without symbols
- Do a curl request to check if it works also

curl -vL -u <JIRA_ACCOUNT_LINKED>:<PWD> https://issues.redhat.com/rest/api/2/issue/ENTSBT-424

as I got now

...
                            <p>Encountered a <code>&quot;403 - Forbidden&quot;</code> error while loading this page.</p>
                            <p>Basic Authentication Failure - Reason : AUTHENTICATION_DENIED</p>
                            <p><a href="/secure/MyJiraHome.jspa">Go to Jira home</a></p>
...

Can you test this scenario please? @jacobdotcosta

jacobdotcosta commented 3 years ago

I still have the same problem, the compressed response.