Skip to content

KC-1304: Enforce enterprise password and restrict record-type policies on nsf-record commands#2132

Merged
sshrushanth-ks merged 1 commit into
nsf-password-complexity-enforcementfrom
nsf-password-complexity-enforcement-int
Jun 15, 2026
Merged

KC-1304: Enforce enterprise password and restrict record-type policies on nsf-record commands#2132
sshrushanth-ks merged 1 commit into
nsf-password-complexity-enforcementfrom
nsf-password-complexity-enforcement-int

Conversation

@sshrushanth-ks

Copy link
Copy Markdown
Contributor

Summary

The nsf-record-add and nsf-record-update now enforce GENERATED_PASSWORD_COMPLEXITY and RESTRICT_RECORD_TYPES, matching Vault UI. Weak passwords warn and block unless --force; restricted record types always block. $GEN uses the role password policy.

Changes

  • Added RecordTypeEnforcer.enforce() to nsf-record-add and nsf-record-update to reject restricted record types before the API call
  • Added PasswordComplexityEnforcer.get_policy() and validate_record() to nsf-record-add and nsf-record-update to validate passwords against the role complexity policy
  • Wired $GEN in NSF commands to pass policy=self._password_policy so generated passwords follow enterprise rules
  • Added merged-record validation in nsf-record-update so password checks apply to the full updated record, not just changed fields
  • Fixed RecordTypeEnforcer.get_restricted_record_types() to resolve record-type IDs using scoped record_type_cache keys from sync_down (recordTypeId + scope * 1_000_000)
  • Fixed legacy/general $GEN in record_edit.py to pass the password policy into generate_password()
  • Added unit tests for restricted record types, weak-password blocking, --force bypass, and policy-driven $GEN on NSF record add/update

@sshrushanth-ks sshrushanth-ks self-assigned this Jun 8, 2026
@sshrushanth-ks
sshrushanth-ks marked this pull request as ready for review June 8, 2026 11:13
@sshrushanth-ks
sshrushanth-ks merged commit 1fe6bac into nsf-password-complexity-enforcement Jun 15, 2026
4 checks passed
sshrushanth-ks added a commit that referenced this pull request Jun 15, 2026
sk-keeper pushed a commit that referenced this pull request Jun 15, 2026
@sshrushanth-ks
sshrushanth-ks deleted the nsf-password-complexity-enforcement-int branch June 16, 2026 10:01
sk-keeper pushed a commit that referenced this pull request Jun 23, 2026
jpkeepersecurity pushed a commit that referenced this pull request Jul 3, 2026
pvagare-ks pushed a commit that referenced this pull request Jul 16, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants