Skip password verification for PAM users

This commit changes how PAM users password verification works.
Instead of relying on additional variable, which was not correctly
set, always rely on user PAM settings.
Also use PAM settings only in the actual password set routine in
order not to hide some potentional future errors.

Author: aaannz

java/code/src/com/redhat/rhn/frontend/action/user/CreateUserAction.java

@@ -1,5 +1,6 @@
 /*
  * Copyright (c) 2009--2014 Red Hat, Inc.
+ * Copyright (c) 2025 SUSE LLC
  *
  * This software is licensed to you under the GNU General Public License,
  * version 2 (GPLv2). There is NO WARRANTY for this software, express or
@@ -46,7 +47,7 @@ public class CreateUserAction extends RhnAction {
     public static final String FAILURE = "failure";
     public static final String SUCCESS_INTO_ORG = "existorgsuccess";
 
-    private ActionErrors populateCommand(DynaActionForm form, CreateUserCommand command, boolean validatePassword) {
+    private ActionErrors populateCommand(DynaActionForm form, CreateUserCommand command) {
         ActionErrors errors = new ActionErrors();
 
         command.setEmail(form.getString("email"));
@@ -67,7 +68,7 @@ private ActionErrors populateCommand(DynaActionForm form, CreateUserCommand comm
         String passwd = (String)form.get(UserActionHelper.DESIRED_PASS);
         String passwdConfirm = (String)form.get(UserActionHelper.DESIRED_PASS_CONFIRM);
         if (passwd.equals(passwdConfirm)) {
-            command.setPassword(passwd, validatePassword);
+            command.setPassword(passwd);
         }
         else {
             errors.add(ActionMessages.GLOBAL_MESSAGE,
@@ -122,7 +123,6 @@ public ActionForward execute(ActionMapping mapping,
          * in the db (even though it won't be used), we'll just validate it like a regular
          * password and allow it.
          */
-        boolean validatePassword = true;
         if (form.get("usepam") != null && (Boolean) form.get("usepam")) {
             String fakePassword = CryptHelper.getRandomPasswordForPamAuth();
             if (form.get(UserActionHelper.DESIRED_PASS) == null ||
@@ -144,7 +144,7 @@ public ActionForward execute(ActionMapping mapping,
 
         // Create the user and do some more validation
         CreateUserCommand command = getCommand();
-        ActionErrors errors = populateCommand(form, command, validatePassword);
+        ActionErrors errors = populateCommand(form, command);
         if (!errors.isEmpty()) {
             return returnError(mapping, request, errors);
         }

java/code/src/com/redhat/rhn/frontend/action/user/test/CreateUserActionTest.java

@@ -1,5 +1,6 @@
 /*
  * Copyright (c) 2009--2014 Red Hat, Inc.
+ * Copyright (c) 2025 SUSE LLC
  *
  * This software is licensed to you under the GNU General Public License,
  * version 2 (GPLv2). There is NO WARRANTY for this software, express or
@@ -18,6 +19,8 @@
 import static org.junit.jupiter.api.Assertions.assertTrue;
 
 import com.redhat.rhn.common.messaging.MessageQueue;
+import com.redhat.rhn.domain.common.RhnConfiguration;
+import com.redhat.rhn.domain.common.RhnConfigurationFactory;
 import com.redhat.rhn.frontend.action.user.UserActionHelper;
 import com.redhat.rhn.testing.RhnMockDynaActionForm;
 import com.redhat.rhn.testing.RhnPostMockStrutsTestCase;
@@ -54,10 +57,23 @@ public void testMessageQueueRegistration() {
 
     @Test
     public void testNewUserIntoOrgSatellite() {
+        setRequestPathInfo("/newlogin/CreateUserSubmit");
+        RhnMockDynaActionForm form = fillOutForm("userCreateForm", false);
+        setActionForm(form);
+        actionPerform();
+        String forwardPath = getActualForward();
+        assertNotNull(forwardPath);
+        assertTrue(forwardPath.startsWith("/users/ActiveList.do?uid="));
+    }
 
+    @Test
+    public void testPasswordNotValidatedOnPAM() {
+        // setup strict password policy requiring special character
+        RhnConfigurationFactory factory = RhnConfigurationFactory.getSingleton();
+        factory.updateConfigurationValue(RhnConfiguration.KEYS.PSW_CHECK_SPECIAL_CHAR_FLAG, true);
 
         setRequestPathInfo("/newlogin/CreateUserSubmit");
-        RhnMockDynaActionForm form = fillOutForm("userCreateForm");
+        RhnMockDynaActionForm form = fillOutForm("userCreateForm", true);
         setActionForm(form);
         actionPerform();
         String forwardPath = getActualForward();
@@ -68,7 +84,7 @@ public void testNewUserIntoOrgSatellite() {
     /**
      * @return Properly filled out user creation form.
      */
-    private RhnMockDynaActionForm fillOutForm(String formName) {
+    private RhnMockDynaActionForm fillOutForm(String formName, boolean usePAM) {
         RhnMockDynaActionForm f = new RhnMockDynaActionForm(formName);
         f.set("login", "testUser" + TestUtils.randomString());
         f.set("address1", "123 somewhere ln");
@@ -83,15 +99,20 @@ private RhnMockDynaActionForm fillOutForm(String formName) {
         f.set("fax", "");
         f.set("firstNames", "CreateUserActionTest fname");
         f.set("lastName", "CreateUserActionTest lname");
-        f.set(UserActionHelper.DESIRED_PASS, "password");
-        f.set(UserActionHelper.DESIRED_PASS_CONFIRM, "password");
         f.set("phone", "123-123-1234");
         f.set("prefix", "Mr.");
         f.set("state", "OH");
         f.set("title", "Heavyweight");
         f.set("zip", "45241");
         f.set("timezone", 7010);
         f.set("preferredLocale", "en_US");
+        if (usePAM) {
+            f.set("usepam", Boolean.TRUE);
+        }
+        else {
+            f.set(UserActionHelper.DESIRED_PASS, "password");
+            f.set(UserActionHelper.DESIRED_PASS_CONFIRM, "password");
+        }
         return f;
     }
 }

java/code/src/com/redhat/rhn/manager/user/CreateUserCommand.java

@@ -1,5 +1,6 @@
 /*
  * Copyright (c) 2009--2015 Red Hat, Inc.
+ * Copyright (c) 2025 SUSE LLC
  *
  * This software is licensed to you under the GNU General Public License,
  * version 2 (GPLv2). There is NO WARRANTY for this software, express or
@@ -85,7 +86,7 @@ public CreateUserCommand() {
     public ValidatorError[] validate() {
         errors = new ArrayList<>(); //clear validation errors
 
-        if (passwordErrors != null && !user.getUsePamAuthentication()) {
+        if (passwordErrors != null) {
             errors.addAll(passwordErrors); //add any password validation errors
         }
         validateEmail();
@@ -305,11 +306,13 @@ public void setRawPassword(String passwordIn) {
     }
 
     /**
+     * Set password to the user if passed validation.
+     *
+     * PAM enabled users will skip verification of the password
      * @param passwordIn The password to set
-     * @param validate if password requirements should be validated
      */
-    public void setPassword(String passwordIn, boolean validate) {
-        if (!validate) {
+    public void setPassword(String passwordIn) {
+        if (user.getUsePamAuthentication()) {
             user.setPassword(passwordIn);
         }
         else {
@@ -322,13 +325,6 @@ public void setPassword(String passwordIn, boolean validate) {
         }
     }
 
-    /**
-     * @param passwordIn The password to set
-     */
-    public void setPassword(String passwordIn) {
-        setPassword(passwordIn, true);
-    }
-
     /**
      * @param prefixIn The prefix to set
      */
@@ -365,6 +361,8 @@ public void setFax(String faxIn) {
     }
 
     /**
+     * PAM enabled user
+     * Setting this to true will skip password policy verification
      * @param val Should this user use pam authentication?
      */
     public void setUsePamAuthentication(boolean val) {

java/spacewalk-java.changes.oholecek.no-password-validation-on-pam

@@ -0,0 +1,2 @@
+- Do not validate random password when using PAM
+  (bsc#1245398)