From ae19eb551eb6733ea7a4cf7a4e526371971f1663 Mon Sep 17 00:00:00 2001
From: Vratislav Podzimek <vpodzime@redhat.com>
Date: Wed, 16 Sep 2015 14:36:23 +0200
Subject: [PATCH] Do not remove the root password behind user's back (#1263254)

If the chosen profile requires a longer password than what was set in kickstart,
consider it a misconfiguration like any other such issue instead of silently
removing the password and going on. Removing password brings two problems:

1) in text mode it causes a system with no (empty) root password to be installed

2) in graphical mode it causes the installation with a complete kickstart to
hang waiting for a new root password

Signed-off-by: Vratislav Podzimek <vpodzime@redhat.com>
---
 org_fedora_oscap/rule_handling.py | 29 ++++++-----------------------
 1 file changed, 6 insertions(+), 23 deletions(-)

diff --git a/org_fedora_oscap/rule_handling.py b/org_fedora_oscap/rule_handling.py
index a969b16..6a67e8a 100644
--- a/org_fedora_oscap/rule_handling.py
+++ b/org_fedora_oscap/rule_handling.py
@@ -392,7 +392,6 @@ class PasswdRules(RuleHandler):
         """Constructor initializing attributes."""
 
         self._minlen = 0
-        self._removed_password = None
 
     def __str__(self):
         """Standard method useful for debugging and testing."""
@@ -415,7 +414,7 @@ class PasswdRules(RuleHandler):
             # no password restrictions, nothing to be done here
             return []
 
-        if not ksdata.rootpw.password and self._removed_password is None:
+        if not ksdata.rootpw.password:
             # root password was not set
 
             # password length enforcement is not suported in the Anaconda yet
@@ -427,30 +426,14 @@ class PasswdRules(RuleHandler):
             if ksdata.rootpw.isCrypted:
                 msg = _("cannot check root password length (password is crypted)")
                 return [RuleMessage(common.MESSAGE_TYPE_WARNING, msg)]
-            elif len(ksdata.rootpw.password) < self._minlen or \
-                    self._removed_password is not None:
-                # too short or already removed
-                msg = _("root password was too short, a longer one with at "
-                        "least %d characters will be required" % self._minlen)
-                if not report_only and self._removed_password is None:
-                    # remove the password and reset the seen flag no to confuse Anaconda
-                    self._removed_password = ksdata.rootpw.password
-                    ksdata.rootpw.password = ""
-                    ksdata.rootpw.seen = False
-                return [RuleMessage(common.MESSAGE_TYPE_WARNING, msg)]
+            elif len(ksdata.rootpw.password) < self._minlen:
+                # too short
+                msg = _("root password is too short, a longer one with at "
+                        "least %d characters is required" % self._minlen)
+                return [RuleMessage(common.MESSAGE_TYPE_FATAL, msg)]
             else:
                 return []
 
-    def revert_changes(self, ksdata, storage):
-        """:see: RuleHandler.revert_changes"""
-
-        # set the old password back
-        if self._removed_password is not None:
-            ksdata.rootpw.password = self._removed_password
-            ksdata.rootpw.seen = True
-
-            self._removed_password = None
-
 class PackageRules(RuleHandler):
     """Simple class holding data from the rules affecting installed packages."""
 
-- 
2.1.0