Merge "Remove password history validation from admin password resets"

2016-10-06 20:41:36 +00:00
parent 4888a11c4d 432fa4acd6
commit 0285b40f9d
3 changed files with 69 additions and 54 deletions
--- a/keystone/identity/backends/sql.py
+++ b/keystone/identity/backends/sql.py
@@ -157,8 +157,6 @@ class Identity(base.IdentityDriverBase):
    def update_user(self, user_id, user):
        with sql.session_for_write() as session:
            user_ref = self._get_user(session, user_id)
-            if 'password' in user:
-                self._validate_password_history(user['password'], user_ref)
            old_user_dict = user_ref.to_dict()
            user = utils.hash_user_password(user)
            for k in user:
--- a/keystone/identity/backends/sql_model.py
+++ b/keystone/identity/backends/sql_model.py
@@ -109,6 +109,10 @@ class User(sql.ModelBase, sql.DictBase):
        now = datetime.datetime.utcnow()
        if not self.local_user:
            self.local_user = LocalUser()
+        # truncate extra passwords
+        if self.local_user.passwords:
+            unique_cnt = CONF.security_compliance.unique_last_password_count
+            self.local_user.passwords = self.local_user.passwords[-unique_cnt:]
        # set all previous passwords to be expired
        for ref in self.local_user.passwords:
            if not ref.expires_at or ref.expires_at > now: