diff --git a/keystone/common/password_hashers/sha512_crypt.py b/keystone/common/password_hashers/sha512_crypt.py new file mode 100644 index 0000000000..36cf602ad8 --- /dev/null +++ b/keystone/common/password_hashers/sha512_crypt.py @@ -0,0 +1,39 @@ +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +import crypt + +from keystone.common import password_hashers + + +class Sha512_crypt(password_hashers.PasswordHasher): + """passlib transition class for sha512_crypt password hashing""" + + name: str = "sha512_crypt" + ident: str = "$6$" + + @staticmethod + def verify(password: bytes, hashed: str) -> bool: + """Verify hashing password would be equal to the `hashed` value + + :param bytes password: Password to verify + :param string hashed: Hashed password. Used to extract hashing + parameters + + :returns: boolean whether hashing password with the same parameters + would match hashed value + """ + + return ( + crypt.crypt(password.decode("utf8"), hashed[0 : hashed.rfind("$")]) + == hashed + ) diff --git a/keystone/common/password_hashing.py b/keystone/common/password_hashing.py index 0531f83259..b21a01ec7f 100644 --- a/keystone/common/password_hashing.py +++ b/keystone/common/password_hashing.py @@ -20,6 +20,7 @@ import passlib.hash from keystone.common.password_hashers import bcrypt from keystone.common.password_hashers import scrypt +from keystone.common.password_hashers import sha512_crypt import keystone.conf from keystone import exception from keystone.i18n import _ @@ -30,10 +31,10 @@ LOG = log.getLogger(__name__) SUPPORTED_HASHERS = frozenset( [ passlib.hash.pbkdf2_sha512, - passlib.hash.sha512_crypt, scrypt.Scrypt, bcrypt.Bcrypt, bcrypt.Bcrypt_sha256, + sha512_crypt.Sha512_crypt, ] ) diff --git a/keystone/tests/unit/common/test_password_hashing.py b/keystone/tests/unit/common/test_password_hashing.py index 137162ae60..677a495590 100644 --- a/keystone/tests/unit/common/test_password_hashing.py +++ b/keystone/tests/unit/common/test_password_hashing.py @@ -134,3 +134,23 @@ class TestPasswordHashing(unit.BaseTestCase): self.assertTrue( password_hashing.check_password(password, hashed_passlib) ) + + def test_sha512_crypt_passlib_compat(self): + self.config_fixture.config(strict_password_check=True) + # sha512_crypt is deprecated and is not supported to be set. + # We want to ensure that user is still able to login, thus + # set algo to whatever and go verify pwd + self.config_fixture.config( + group="identity", password_hash_algorithm="bcrypt" + ) + self.config_fixture.config(group="identity", max_password_length="72") + # few iterations to test multiple random values + for _ in range(self.ITERATIONS): + password: str = "".join( # type: ignore + secrets.choice(string.printable) + for i in range(random.randint(1, 72)) + ) + hashed_passlib = passlib.hash.sha512_crypt.hash(password) + self.assertTrue( + password_hashing.check_password(password, hashed_passlib) + ) diff --git a/releasenotes/notes/sha512_crypt_deprecation-91a19080f1e884e4.yaml b/releasenotes/notes/sha512_crypt_deprecation-91a19080f1e884e4.yaml new file mode 100644 index 0000000000..f4bd314a48 --- /dev/null +++ b/releasenotes/notes/sha512_crypt_deprecation-91a19080f1e884e4.yaml @@ -0,0 +1,7 @@ +--- +deprecations: + - | + This is the last release where passwords hashed using sha512_crypt + algorithm are supported. Since even support of that is being dropped in + python 3.13 it would be physically dropped from Keystone in the next + release (`Epoxy`).