server: skip password policies check on empty password (#8370)

JoaoJandre · web-flow · commit 08749d8354f2 · 2023-12-22T15:43:39.000+05:30
This PR changes the password.policy.regex default value to empty. With an empty value for the configuration, it is skipped during the password policy check, only when the configuration is set to something different than a blank string, the regex will get checked.
This way, when creating a user on org.apache.cloudstack.ldap.LdapAuthenticator#authenticate() we won't get an error by default, as an empty value for the password is passed.
diff --git a/server/src/main/java/com/cloud/user/PasswordPolicyImpl.java b/server/src/main/java/com/cloud/user/PasswordPolicyImpl.java
@@ -27,6 +27,12 @@ public class PasswordPolicyImpl implements PasswordPolicy, Configurable {
     private Logger logger = Logger.getLogger(PasswordPolicyImpl.class);
 
     public void verifyIfPasswordCompliesWithPasswordPolicies(String password, String username, Long domainId) {
+        if (StringUtils.isEmpty(password)) {
+            logger.warn(String.format("User [%s] has an empty password, skipping password policy checks. " +
+                    "If this is not a LDAP user, there is something wrong.", username));
+            return;
+        }
+
         int numberOfSpecialCharactersInPassword = 0;
         int numberOfUppercaseLettersInPassword = 0;
         int numberOfLowercaseLettersInPassword = 0;
@@ -188,12 +194,12 @@ protected void validateIfPasswordMatchesRegex(String password, String username,
         logger.trace(String.format("Validating if the new password for user [%s] matches regex [%s] defined in the configuration [%s].",
                 username, passwordPolicyRegex, PasswordPolicyRegex.key()));
 
-        if (passwordPolicyRegex == null){
-            logger.trace(String.format("Regex is null; therefore, we will not validate if the new password matches with regex for user [%s].", username));
+        if (StringUtils.isEmpty(passwordPolicyRegex)) {
+            logger.trace(String.format("Regex is empty; therefore, we will not validate if the new password matches with regex for user [%s].", username));
             return;
         }
 
-        if (!password.matches(passwordPolicyRegex)){
+        if (!password.matches(passwordPolicyRegex)) {
             logger.error(String.format("User [%s] informed a new password that does not match with regex [%s]. Refusing the user's new password.", username, passwordPolicyRegex));
             throw new InvalidParameterValueException("User password does not match with password policy regex.");
         }
