create_user: Receive password input from a file instead of shell arg.

This is to be used for the case of container orchestration instead of
shell arg to prevent snooping by any user account on the server via `ps
-ef` or any superuser with read access to the user\'s bash history.
This commit is contained in:
rht 2017-07-18 05:50:54 +02:00 committed by Tim Abbott
parent b8b0cd41d0
commit ca960da58f
1 changed files with 15 additions and 3 deletions

View File

@ -41,9 +41,16 @@ Omit both <email> and <full name> for interactive user creation.
dest='password', dest='password',
type=str, type=str,
default='', default='',
help='password of new user. Note that we recommend against setting ' help='password of new user. For development only.'
'Note that we recommend against setting '
'passwords this way, since they can be snooped by any user account ' 'passwords this way, since they can be snooped by any user account '
'on the server via `ps -ef`.') 'on the server via `ps -ef` or by any superuser with'
'read access to the user\'s bash history.')
parser.add_argument('--password-file',
dest='password_file',
type=str,
default='',
help='The file containing the password of the new user.')
parser.add_argument('email', metavar='<email>', type=str, nargs='?', default=argparse.SUPPRESS, parser.add_argument('email', metavar='<email>', type=str, nargs='?', default=argparse.SUPPRESS,
help='email address of new user') help='email address of new user')
parser.add_argument('full_name', metavar='<full name>', type=str, nargs='?', default=argparse.SUPPRESS, parser.add_argument('full_name', metavar='<full name>', type=str, nargs='?', default=argparse.SUPPRESS,
@ -85,7 +92,12 @@ parameters, or specify no parameters for interactive user creation.""")
full_name = input("Full name: ") full_name = input("Full name: ")
try: try:
pw = options.get('password', initial_password(email)) if 'password' in options:
pw = options['password']
if 'password_file' in options:
pw = open(options['password_file'], 'r').read()
else:
pw = initial_password(email).encode()
notify_new_user(do_create_user(email, pw, notify_new_user(do_create_user(email, pw,
realm, full_name, email_to_username(email)), realm, full_name, email_to_username(email)),
internal=True) internal=True)