From e435e96b23baa53d59dac786dd8c782e1acb5bbf Mon Sep 17 00:00:00 2001
From: William Brown <william@blackhats.net.au>
Date: Jan 30 2018 05:46:33 +0000
Subject: Ticket 49544 - Double check pw prompts


Bug Description:  We did not prompt for password change twice.

Fix Description:  Prompt twice when requested to ensure we don't
mess up inputs.

https://pagure.io/389-ds-base/issue/49544

Author: wibrown

Review by: spicugi (Thanks!)

---

diff --git a/src/lib389/cli/dsidm b/src/lib389/cli/dsidm
index d6a43ab..9bb21e1 100755
--- a/src/lib389/cli/dsidm
+++ b/src/lib389/cli/dsidm
@@ -12,6 +12,7 @@ import ldap
 import argparse
 # import argcomplete
 import logging
+import sys
 
 # This has to happen before we import  DirSrv else it tramples our config ... :(
 logging.basicConfig(format='%(message)s')
diff --git a/src/lib389/lib389/cli_base/__init__.py b/src/lib389/lib389/cli_base/__init__.py
index 2736305..24e8741 100644
--- a/src/lib389/lib389/cli_base/__init__.py
+++ b/src/lib389/lib389/cli_base/__init__.py
@@ -11,6 +11,7 @@ import sys
 
 from getpass import getpass
 from lib389 import DirSrv
+from lib389.utils import assert_c
 from lib389.properties import SER_LDAP_URL, SER_ROOT_DN, SER_ROOT_PW
 
 MAJOR, MINOR, _, _, _ = sys.version_info
@@ -23,7 +24,7 @@ def _input(msg):
         return raw_input(msg)
 
 
-def _get_arg(args, msg=None, hidden=False):
+def _get_arg(args, msg=None, hidden=False, confirm=False):
     if args is not None and len(args) > 0:
         if type(args) is list:
             return args[0]
@@ -31,7 +32,13 @@ def _get_arg(args, msg=None, hidden=False):
             return args
     else:
         if hidden:
-            return getpass("%s : " % msg)
+            if confirm:
+                x = getpass("%s : " % msg)
+                y = getpass("CONFIRM - %s : " % msg)
+                assert_c(x == y, "inputs do not match, aborting.")
+                return y
+            else:
+                return getpass("%s : " % msg)
         else:
             return _input("%s : " % msg)
 
diff --git a/src/lib389/lib389/cli_conf/directory_manager.py b/src/lib389/lib389/cli_conf/directory_manager.py
index 56c3e73..c3015d9 100644
--- a/src/lib389/lib389/cli_conf/directory_manager.py
+++ b/src/lib389/lib389/cli_conf/directory_manager.py
@@ -16,7 +16,7 @@ def password_change(inst, basedn, log, args):
     # Due to an issue, we can't use extended op, so we have to
     # submit the password directly to the field.
 
-    password = _get_arg(args.password, msg="Enter new directory manager password", hidden=True)
+    password = _get_arg(args.password, msg="Enter new directory manager password", hidden=True, confirm=True)
     dm = DirectoryManager(inst)
     dm.change_password(password)