blueprint: Don't allow empty password

If the password is set to "" it will get hashed, allowing access to the account in some circumstances. Console and ssh login don't appear to work in practice, but su to the account from another user account is possible. This sets the empty password to nil which makes sure that it ends up as a locked account.
2022-07-15 09:27:20 -07:00 · 2022-07-15 09:27:20 -07:00 · 6adf3f5b7b
commit 6adf3f5b7b
parent 20bf0c4836
2 changed files with 9 additions and 2 deletions
--- a/internal/blueprint/blueprint.go
+++ b/internal/blueprint/blueprint.go
@ -144,9 +144,16 @@ func (b *Blueprint) CryptPasswords() error {
 	// Any passwords for users?
 	for i := range b.Customizations.User {
 		// Missing or empty password
-		if b.Customizations.User[i].Password == nil || len(*b.Customizations.User[i].Password) == 0 {
+		if b.Customizations.User[i].Password == nil {
 			continue
 		}
+
+		// Prevent empty password from being hashed
+		if len(*b.Customizations.User[i].Password) == 0 {
+			b.Customizations.User[i].Password = nil
+			continue
+		}
+
 		if !crypt.PasswordIsCrypted(*b.Customizations.User[i].Password) {
 			pw, err := crypt.CryptSHA512(*b.Customizations.User[i].Password)
 			if err != nil {
--- a/internal/blueprint/blueprint_test.go
+++ b/internal/blueprint/blueprint_test.go
@ -247,5 +247,5 @@ password = ""
 	assert.Equal(t, "lisa", users[1].Name)
 	assert.Equal(t, "$6$RWdHzrPfoM6BMuIP$gKYlBXQuJgP.G2j2twbOyxYjFDPUQw8Jp.gWe1WD/obX0RMyfgw5vt.Mn/tLLX4mQjaklSiIzoAW3HrVQRg4Q.", *users[1].Password)
 	assert.Equal(t, "maggie", users[2].Name)
-	assert.Equal(t, "", *users[2].Password)
+	assert.Nil(t, users[2].Password)
 }