Document the restrictions on password characters #106

Open
jacobdotcosta opened this issue Mar 30, 2021 · 9 comments
@jacobdotcosta
Member

Document the restrictions that prevent logging in with passwords having certain characters and the instructions to change the pw.

@jacobdotcosta jacobdotcosta added the 3 - Team work Meeting, demo, infra support, .... label Mar 30, 2021
@jacobdotcosta jacobdotcosta self-assigned this Mar 30, 2021
@cmoulliard
Member

If you experience an issue with your Red Hat SSO account linked to issues.redhat.com when your pwd includes special chars

    java -jar ./target/issues-manager-1.0.0-SNAPSHOT-runner.jar get SB-123 -u <JIRA_ACCOUNT_LINKED> -p <PWD>
    ...
    <p>Basic Authentication Failure - Reason : AUTHENTICATED_FAILED</p>

then perform the following steps to fix it

- Log on and access: https://www.redhat.com/wapps/ugc/protected/personalInfo.html
- Change the pwd to use a >= 8 char pwd without symbols
- Do a curl request to check if it works also

    curl -vL -u <JIRA_ACCOUNT_LINKED>:<PWD> https://issues.redhat.com/rest/api/2/issue/ENTSBT-424
    java -jar ./target/issues-manager-1.0.0-SNAPSHOT-runner.jar get SB-123 -u <JIRA_ACCOUNT_LINKED> -p <PWD>
    Mar 30, 2021 1:26:28 PM org.jboss.threads.Version <clinit>
    INFO: JBoss Threads version 3.1.1.Final
    Mar 30, 2021 1:26:28 PM io.quarkus.bootstrap.runner.Timing printStartupTime
    INFO: issues-manager 1.0.0-SNAPSHOT on JVM (powered by Quarkus 1.8.1.Final) started in 0.566s.
    Mar 30, 2021 1:26:28 PM io.quarkus.bootstrap.runner.Timing printStartupTime
    INFO: Profile prod activated.
    Mar 30, 2021 1:26:28 PM io.quarkus.bootstrap.runner.Timing printStartupTime
    INFO: Installed features: [cdi, picocli]
    Issue{self=https://issues.redhat.com/rest/api/latest/issue/12706309, key=SB-123, ...

@metacosm
Member

Ideally, there shouldn't be restrictions on the password. The proper fix is to provide an alternative way to provide the password because passing it as plain text on the CLI is a security issue anyway.

@cmoulliard
Member

> The proper fix is to provide an alternative way to provide the password because passing it as plain text on the CLI is a security issue anyway.

Does picocli support that?

@cmoulliard
Member

Can one of you test picocli pwd with special char when you change the parameters like this?

    @CommandLine.Option(
            names = { "-p", "--password" },
            description = "JIRA password",
            interactive = true,
            scope = CommandLine.ScopeType.INHERIT)
    private String password;

@metacosm
Member

We don't want it to be interactive if the tool is supposed to be used for automation purposes… Some more information: https://www.netmeister.org/blog/passing-passwords.html

@cmoulliard
Member

> We don't want it to be interactive if the tool is supposed to be used for automation purposes…

In this case we will retrieve the password using pass tool where gpg key has been used to encrypt it

@metacosm
Member

Whatever we do, the passwords/token should not appear on the command line.
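
Added example (not part of the thread and not the project's code): one way to do what the comments above ask for when checking the account with curl, taking the password from `pass` and handing it to curl as a config on stdin (`curl -K -`) so it never appears on a command line, with symbols escaped for curl's config syntax instead of banned. The `JIRA_USER` and `PASS_ENTRY` variables and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not the project's code.
# Assumed names (not from the thread): JIRA_USER, PASS_ENTRY, the functions.

# Escape a value for a double-quoted parameter in a curl config file.
# Inside the quotes curl treats only backslash sequences and '"' specially,
# so those two characters are escaped and every other symbol is left as is.
curl_quote() {
  printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}

# Print a config for `curl -K -` carrying the credentials and the URL.
# printf is a shell builtin, so the password is never an exec() argument
# and does not show up in `ps` output or /proc/<pid>/cmdline.
curl_auth_config() {
  local user="$1" password="$2" url="$3"
  local nl='
'
  case $user in
    *:*) echo "user name must not contain ':'" >&2; return 1 ;;
  esac
  case $password in
    ''|*"$nl"*) echo "password must be one non-empty line" >&2; return 1 ;;
  esac
  printf 'user = "%s:%s"\nurl = "%s"\n' \
    "$(curl_quote "$user")" "$(curl_quote "$password")" "$(curl_quote "$url")"
}

# Fetch one issue. The password is the first line of a pass(1) entry; if
# pass fails, the empty value is rejected above and curl gets no config.
jira_get() {
  local password
  password=$(pass show "${PASS_ENTRY:?set PASS_ENTRY}" | head -n 1)
  curl_auth_config "${JIRA_USER:?set JIRA_USER}" "$password" \
    "https://issues.redhat.com/rest/api/2/issue/$1" | curl -sSL -K -
}

# Usage: JIRA_USER=<JIRA_ACCOUNT_LINKED> PASS_ENTRY=<entry> jira_get ENTSBT-424
```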

@cmoulliard
Member

Since the Akamai migration, the following scenario doesn't work anymore for me

- Log on and access: https://www.redhat.com/wapps/ugc/protected/personalInfo.html
- Change the pwd to use a >= 8 char pwd without symbols
- Do a curl request to check if it works also

    curl -vL -u <JIRA_ACCOUNT_LINKED>:<PWD> https://issues.redhat.com/rest/api/2/issue/ENTSBT-424

as I now get

    ...
    <p>Encountered a <code>&quot;403 - Forbidden&quot;</code> error while loading this page.</p>
    <p>Basic Authentication Failure - Reason : AUTHENTICATION_DENIED</p>
    <p><a href="/secure/MyJiraHome.jspa">Go to Jira home</a></p>
    ...

Can you test this scenario please? @jacobdotcosta

@jacobdotcosta
Member Author

I still have the same problem, the compressed response.
