From e67bab4f12eb448b10b0a9939924ec42a7d7a58f Mon Sep 17 00:00:00 2001
From: Jarrod Johnson
Date: Tue, 8 Mar 2022 09:15:13 -0500
Subject: [PATCH] Place cap on api password length

No more than 48 characters should ever be in an api token. Cap it to avoid outrageous crypt behavior at large password length.
---
 confluent_server/confluent/selfservice.py | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/confluent_server/confluent/selfservice.py b/confluent_server/confluent/selfservice.py
index 9fef4c70..81316c44 100644
--- a/confluent_server/confluent/selfservice.py
+++ b/confluent_server/confluent/selfservice.py
@@ -66,6 +66,10 @@ def handle_request(env, start_response):
 start_response('401 Unauthorized', [])
 yield 'Unauthorized'
 return
+ if len(apikey) > 48:
+ start_response('401', [])
+ yield 'Unauthorized'
+ return
 cfg = configmanager.ConfigManager(None)
 ea = cfg.get_node_attributes(nodename, ['crypted.selfapikey', 'deployment.apiarmed'])
 eak = ea.get(
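Review bot: The new rejection branch calls `start_response('401', [])` while the existing branch three lines above uses `'401 Unauthorized'`; PEP 3333 requires the status string to be a status code followed by a reason phrase, so the bare code is both inconsistent and something a strict WSGI server may refuse. Change it to `start_response('401 Unauthorized', [])` to match the earlier branch. The literal 48 would read better as a named module constant, e.g. `MAX_APIKEY_LEN = 48`, carrying the commit's rationale as a comment such as `# bound crypt() work: a real token is never longer than this`. Rejecting over-long keys before any hashing happens is the right place for this check, since it keeps an unauthenticated client from driving expensive crypt calls. handle_request begins before and continues after this hunk.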