25124 enforcing password requirements

[Serp1co]

What does this PR change?

Enforce password requirement for server users, comes with a new admin panel to manage local users password policy.

GUI diff

Before:

After:

• DONE

Documentation

• Documentation issue was created: Link for SUSE Manager contributors, Link for community contributors.

• API documentation added: please review the Wiki page Writing Documentation for the API if you have any changes to API documentation.

• (OPTIONAL) Documentation PR

• DONE

Test coverage

• Unit tests were added

• DONE

Links

Issue(s): #
Port(s): # add downstream PR(s), if any

• DONE

Changelogs

Make sure the changelogs entries you are adding are compliant with https://github.com/uyuni-project/uyuni/wiki/Contributing#changelogs and https://github.com/uyuni-project/uyuni/wiki/Contributing#uyuni-projectuyuni-repository

If you don't need a changelog check, please mark this checkbox:

• No changelog needed

If you uncheck the checkbox after the PR is created, you will need to re-run changelog_test (see below)

Re-run a test

If you need to re-run a test, please mark the related checkbox, it will be unchecked automatically once it has re-run:

• Re-run test "changelog_test"
• Re-run test "backend_unittests_pgsql"
• Re-run test "java_pgsql_tests"
• Re-run test "schema_migration_test_pgsql"
• Re-run test "susemanager_unittests"
• Re-run test "javascript_lint"
• Re-run test "spacecmd_unittests"

Before you merge

Check How to branch and merge properly!

[github-actions]

👋 Hello! Thanks for contributing to our project.
Acceptance tests will take some time (aprox. 1h), please be patient ☕
You can see the progress at the end of this page and at https://github.com/uyuni-project/uyuni/pull/9423/checks
Once tests finish, if they fail, you can check 👀 the cucumber report. See the link at the output of the action.
You can also check the artifacts section, which contains the logs at https://github.com/uyuni-project/uyuni/pull/9423/checks.

If you are unsure the failing tests are related to your code, you can check the "reference jobs". These are jobs that run on a scheduled time with code from master. If they fail for the same reason as your build, it means the tests or the infrastructure are broken. If they do not fail, but yours do, it means it is related to your code.

Reference tests:

• https://github.com/uyuni-project/uyuni/actions/workflows/acceptance_tests_secondary_parallel.yml?query=event%3Aschedule

• https://github.com/uyuni-project/uyuni/actions/workflows/acceptance_tests_secondary.yml?query=event%3Aschedule

KNOWN ISSUES

Sometimes the build can fail when pulling new jar files from download.opensuse.org . This is a known limitation. Given this happens rarely, when it does, all you need to do is rerun the test. Sorry for the inconvenience.

For more tips on troubleshooting, see the troubleshooting guide.

Happy hacking!
⚠️ You should not merge if acceptance tests fail to pass. ⚠️

[github-actions]

Suggested tests to cover this Pull Request

• min_timezone
• srv_first_settings
• srv_docker_advanced_content_management
• srv_users
• srv_change_password
• srv_maintenance_windows
• srv_osimage
• srv_docker
• srv_user_api
• proxy_traditional
• proxy_container
• proxy_traditional_branch_network
• proxy_container_branch_network
• sle_minion
• sle_ssh_minion
• min_rhlike_salt
• min_deblike_salt
• min_virthost
• srv_menu
• srv_monitoring
• srv_virtual_host_manager
• srv_power_management
• srv_power_management_api
• srv_power_management_redfish
• srv_delete_channel_from_ui
• srv_delete_channel_with_tool
• srv_user_configuration_salt_states
• srv_handle_software_channels_with_ISS_v2
• srv_handle_config_channels_with_ISS_v2
• buildhost_osimage_build_image
• allcli_reboot
• min_rhlike_openscap_audit
• min_rhlike_remote_command
• min_rhlike_ssh
• min_deblike_openscap_audit
• min_deblike_remote_command
• min_deblike_ssh
• minssh_bootstrap_api
• min_bootstrap_ssh_key
• min_bootstrap_script
• minssh_tunnel
• min_activationkey
• min_salt_minions_page
• min_salt_mgrcompat_state
• min_salt_lock_packages
• min_empty_system_profiles
• min_action_chain
• minssh_action_chain
• allcli_action_chain
• buildhost_docker_build_image
• buildhost_docker_auth_registry
• min_docker_api
• min_recurring_action
• min_change_software_channel
• min_retracted_patches
• proxy_traditional_cobbler_pxeboot
• proxy_container_cobbler_pxeboot
• srv_restart
• min_move_from_and_to_proxy
• minssh_move_from_and_to_proxy
• srv_logfile
• srv_cobbler_sync
• srv_cobbler_distro
• srv_cobbler_buildiso
• srv_check_sync_source_packages
• srv_clone_channel_npn
• srv_manage_activationkey
• srv_activationkey_api
• srv_mainpage
• srv_salt_download_endpoint
• srv_docker_cve_audit
• srv_datepicker
• srv_group_union_intersection
• srv_custom_system_info
• srv_salt
• srv_check_channels_page
• srv_manage_channels_page
• srv_menu_filter
• srv_channel_api
• srv_patches_page
• srv_content_lifecycle
• srv_change_task_schedule
• srv_notifications
• srv_payg_ssh_connection
• srv_push_package
• srv_reportdb
• srv_dist_channel_mapping
• srv_task_status_engine
• srv_errata_api
• proxy_traditional_retail_pxeboot
• proxy_container_retail_pxeboot
• proxy_traditional_retail_mass_import
• proxy_container_retail_mass_import
• allcli_overview_systems_details
• allcli_system_group
• allcli_config_channel
• allcli_software_channels
• allcli_software_channels_dependencies
• min_rhlike_salt_install_package_and_patch
• min_rhlike_monitoring
• minssh_salt_install_package
• minssh_ansible_control_node
• min_deblike_monitoring
• min_deblike_salt_install_with_staging
• min_deblike_salt_install_package
• min_bootstrap_api
• min_bootstrap_negative
• min_bootstrap_reactivation
• min_salt_software_states
• min_salt_install_with_staging
• min_salt_formulas
• min_salt_formulas_advanced
• min_salt_install_package
• min_salt_openscap_audit
• min_salt_user_states
• min_salt_minion_details
• min_config_state_channel
• min_config_state_channel_subscriptions
• min_config_state_channel_api
• min_salt_pkgset_beacon
• min_custom_pkg_download_endpoint
• min_monitoring
• min_ansible_control_node
• srv_scc_user_credentials
• min_cve_audit
• min_cve_id_new_syntax
• min_check_patches_install
• min_project_lotus
• srv_sync_fake_channels
• srv_rename_hostname
• srv_create_repository
• srv_advanced_search
• srv_enable_sync_products
• srv_user_preferences
• srv_disable_scheduled_reposync
• allcli_update_activationkeys
• srv_cobbler_profile
• proxy_retail_pxeboot_and_mass_import
• srv_sync_products
• minkvm_guests
• proxy_register_as_minion_with_script
• srv_sync_channels
• srv_distro_cobbler
• srv_wait_for_reposync
• min_salt_migration
• proxy_branch_network
• buildhost_bootstrap
• min_ssh_tunnel
• proxy_as_pod_basic_tests
• srv_security
• srv_add_rocky8_repositories
• proxy_cobbler_pxeboot
• srv_check_reposync
• allcli_sanity
• srv_disable_local_repos_off
• srv_create_fake_channels
• srv_create_activationkey
• srv_organization_credentials
• srv_create_fake_repositories
• srv_channels_add

[Etheryte]

The frontend parts that are currently there look good. 👍

I assume there will be followup work to fix the build etc.

[rjmateus]

Some small notes

[rjmateus]

Should we validate if the user enters something crazy in here? Like a negative max length? Or a min length bigger then max length?

[Serp1co]

yeah we should, i didn't think about that. Also for better ux we should enforce this rules in the frontend.

[rjmateus]

We can check that in the front-end, but all validations must also be done in the backend also.

[mcalmer]

We need to think about the defaults. What policy do we want to configure as default?
Maybe something what NIST, BSI & Co suggest?

[Serp1co]

I think we should keep the old defaults, as agreed with @admd, so that we don't break the old tests and the automations already in place

[mcalmer]

@Serp1co You need to implement DB schema migration and also think about how to migrate from current configuration file values to DB. We have at least min and max password length. If they are changed, we should set it the DB configuration

[cbbayburt]

Once the default values are decided, we need a button in the UI to reset everything to default. If you want to go one step further for convenience, we can decide on a few sensible presets with varying levels of restriction, and add buttons for each, which set all the fields accordingly.

Ideally, all those individual fields must be filled only if the user has some specific rules in mind. Otherwise, we should offer shortcuts like I mentioned above.

[mcalmer]

We also need an API for the user (XMLRCP/JSON over HTTP) to get and modify the policy

[rjmateus]

@cbbayburt what about showing the default value in front, maybe in gray, so customers know what was the default value, and if they want come back to that value for a few fields?

[cbbayburt]

@cbbayburt what about showing the default value in front, maybe in gray, so customers know what was the default value, and if they want come back to that value for a few fields?

I'm not sure. Especially the "special chars" field is not so convenient to type in manually. Maybe @bisht-richa or @Etheryte has some ideas?

[bisht-richa]

@cbbayburt what about showing the default value in front, maybe in gray, so customers know what was the default value, and if they want come back to that value for a few fields?

I'm not sure. Especially the "special chars" field is not so convenient to type in manually. Maybe @bisht-richa or @Etheryte has some ideas?

Some rough idea