Error using a custom ESXi password complexity policy with drift

[dgr-en]

Code of Conduct

• [X] I have read and agree to the project's Code of Conduct.
• [X] Vote on this issue by adding a 👍 reaction to the original issue initial description to help the maintainers prioritize.
• [X] Do not leave "+1" or other comments that do not add relevant information or questions.
• [X] If you are interested in working on this issue or have submitted a pull request, please leave a comment.

Description

If I give the Invoke-PasswordPolicyManager a drift JSON that does not explicitly contain the ESXi policy "retry=3 min=disabled,disabled,disabled,7,7," then the cmdlet fails.

I suspect there is an ESXi policy check.

I would like to check against my specifications and not be bound by the default specifications of the module.

Use Case(s)

I would like to be free in my decision whether I use a password with 15 characters from 4 character classes or a password with 20 characters from 3 character classes. (lenth beats complexity).

I don't want to be restricted by the module.

A check against your own PasswordPolicyConfig JSON should be possible with all values.

Potential Configuration

Removed the hard ESXi policy check which causes the cmdlet to fail if the drift JSON does not contain specific ESXi policy values.

References

If I check against a JSON which contains the ESXi Policy "retry=3 min=disabled,disabled,disabled,20,20" then the cmdlet failed with the following messages:

Test-PasswordPolicyConfig : The recommended policy configuration should be retry=3 min=disabled,disabled,disabled,disbled,15
At C:\Program Files\WindowsPowerShell\Modules\VMware.CloudFoundation.PasswordManagement\1.2.0.1005\VMware.CloudFoundation.PasswordManagement.psm1:861 char:27
+ ...   $result = Test-PasswordPolicyConfig -customConfig $customConfig -ve ...
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Write-Error], WriteErrorException
    + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,Test-PasswordPolicyConfig

Test-PasswordPolicyConfig : Password Policy Configuration File Defined as (retry=3 min=disabled,disabled,disabled,20,20)
At C:\Program Files\WindowsPowerShell\Modules\VMware.CloudFoundation.PasswordManagement\1.2.0.1005\VMware.CloudFoundation.PasswordManagement.psm1:861 char:27
+ ...   $result = Test-PasswordPolicyConfig -customConfig $customConfig -ve ...
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Write-Error], WriteErrorException
    + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,Test-PasswordPolicyConfig

Test-PasswordPolicyConfig : Validate Errors Found in the Password Policy Configuration File
At C:\Program Files\WindowsPowerShell\Modules\VMware.CloudFoundation.PasswordManagement\1.2.0.1005\VMware.CloudFoundation.PasswordManagement.psm1:861 char:27
+ ...   $result = Test-PasswordPolicyConfig -customConfig $customConfig -ve ...
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Write-Error], WriteErrorException
    + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,Test-PasswordPolicyConfig

Get-PasswordPolicyConfig : Validation of Password Policy Configuration File: FAILED
At line:1 char:2
+ (Get-PasswordPolicyConfig  -version $version -reportPath $reportPath  ...
+  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Write-Error], WriteErrorException
    + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,Get-PasswordPolicyConfig

[tenthirtyam]

After further investigation, this appears to be a bug and not an enhancement and a fix is underway.

[tenthirtyam]

Upon further review, we've noticed that there need to be some modifications to Test-PasswordPolicyConfig.

While it won't make the v1.3.0 release, it has been set to the v1.4.0 milestone.

[github-actions[bot]]

I'm going to lock this issue because it has been closed for 30 days. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.