authorTed Trask <ttrask01@yahoo.com>2014-09-17 22:00:41 +0000
committerTed Trask <ttrask01@yahoo.com>2014-09-17 22:00:41 +0000
commit6bf932da3d45a1c176eba5bbfb0af2784bc67686 (patch)
treeacb764b891edda42076cb81e8b051e1c4be7a74b
parent2ecbaa496a6f4545d9a883b714f426b53339f1ee (diff)
Changes to prevent blank passwords
-rw-r--r--freeradius3-model.lua27
1 files changed, 12 insertions, 15 deletions
diff --git a/freeradius3-model.lua b/freeradius3-model.lua
index 078268b..9f87224 100644
--- a/freeradius3-model.lua
+++ b/freeradius3-model.lua
@@ -235,8 +235,7 @@ local get_passwd_entry_private = function(self, clientdata, create)
if label == "Crypt-Password" then
hash = entryline[i]
-- We do not return the encrypted password, but will leave unchanged if blank
- retval.value.fields.value[tostring(i)] = cfe({ type="password", label=label, seq=i })
- -- FIXME - this leads to inconsistent handling of blank password since this function is reused
+ retval.value.fields.value[tostring(i)] = cfe({ type="password", label=label, descr="Must not be blank", seq=i })
if not create then retval.value.fields.value[tostring(i)].descr="Leave blank to leave unchanged" end
retval.value.fields.value["algorithm"..i] = cfe({ type="select", value="$6$", label="Algorithm", option={{value="", label="DES"}, {value="$1$", label="MD5"}, {value="$2a$07$", label="Blowfish"}, {value="$5$", label="SHA-256"}, {value="$6$", label="SHA-512"}}, seq=i })
-- Hide the algorithm so user does not use insecure algorithms unless they REALLY want to
@@ -250,15 +249,19 @@ local get_passwd_entry_private = function(self, clientdata, create)
end
local update_passwd_entry_private = function(self, entry, create)
- -- The password/index fields have already been validated
+ -- The filename/entry fields have already been validated
if not entry.value.fields then
entry.errtxt = "Invalid passwd entry"
else
-- The only fields we can validate are the password algorithms
-- Don't search for 'select' cfe's because they have been changed to hidden
+ -- And check for blank password
for n,v in pairs(entry.value.fields.value) do
if v.option and not modelfunctions.validateselect(v) then
- entry.errtxt = "Invalid passwd entry"
+ entry.errtxt = "Invalid passwd entry"
+ elseif v.type == "password" and v.value == "" and create then
+ v.errtxt = "Cannot be blank"
+ entry.errtxt = "Invalid passwd entry"
end
end
if not entry.errtxt then
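Review bot: The new blank check on the `elseif` line compares `v.value` only against the empty string, so a password field that arrives without a value (`v.value == nil`, e.g. a form post that omits it) is not rejected on create and falls through to the hashing code further down, where the later `v.value==""` keep-unchanged guard will not match it either. Tightening the test to `elseif v.type == "password" and create and (v.value == nil or v.value == "") then` closes that gap without touching the update path, where a blank value is intentionally read as "leave unchanged". Whether a whitespace-only value should also count as blank is a policy point the commit leaves open; if it should, `v.value:match("^%s*$")` would cover both cases. update_passwd_entry_private continues past the end of this hunk.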
@@ -266,7 +269,6 @@ local update_passwd_entry_private = function(self, entry, create)
local content = fs.read_file_as_array(entry.value.filename.value) or {}
local values = {}
for n,v in pairs(entry.value.fields.value) do
- -- FIXME - this leads to inconsistent handling of blank password since this function is reused
if v.type=="password" and v.value=="" then
-- Keep the same password
local line = {}
@@ -576,14 +578,11 @@ function mymodule.get_passwd(self, clientdata)
end
function mymodule.update_passwd(self, passwd)
- if not passwd.value.entry then
- passwd.errtxt = "Failed to set password"
- return passwd
- end
- -- The password/index fields have already been validated
- if not passwd.value.password then
- passwd.errtxt = "Invalid passwd entry"
- else
+ -- The filename/entry fields have already been validated
+ passwd.errtxt = "Failed to set password"
+ if passwd.value.password and passwd.value.password.value == "" then
+ passwd.value.password.errtxt = "Cannot be blank"
+ elseif passwd.value.entry and passwd.value.password then
-- Get the entry form and current password hash
local form,pwhash = get_passwd_entry_private(self, {filename=passwd.value.filename.value, entry=passwd.value.entry.value}, false)
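Review bot: The blank test `passwd.value.password.value == ""` does not catch a nil value, and since `passwd.value.password` itself is present the `elseif` branch is then taken, so a submission with the value missing reaches get_passwd_entry_private and the hashing that follows instead of the "Cannot be blank" error. Writing the guard as `if passwd.value.password and (passwd.value.password.value or "") == "" then` keeps this path consistent with the per-field check in update_passwd_entry_private. When `passwd.value.password` is absent entirely, neither branch runs and the caller now gets only the generic `Failed to set password` with no field-level message, where the removed code returned "Invalid passwd entry"; that is presumably fine given the comment that the fields were validated upstream, but worth confirming. The body of update_passwd continues past the end of this hunk.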
@@ -613,8 +612,6 @@ function mymodule.update_passwd(self, passwd)
end
form = update_passwd_entry_private(self, form, false)
passwd.errtxt = form.errtxt
- else
- passwd.errtxt = "Failed to set password"
end
end
return passwd