Change unique_last_password_count default to 0
Change the default value of unique_last_password_count from 1 to 0, so that the option can also express the case (when set to 1) in which the password history check compares the new password against only one previous password. Change-Id: Id368c99ca4926c995ea47959a6c3a438fffe1823 Closes-Bug: #1787874
parent
c896f911ef
commit
34609d557e
@ -66,14 +66,14 @@ the `[identity] driver`.
|
||||
|
||||
unique_last_password_count = cfg.IntOpt(
|
||||
'unique_last_password_count',
|
||||
default=1,
|
||||
min=1,
|
||||
default=0,
|
||||
min=0,
|
||||
help=utils.fmt("""
|
||||
This controls the number of previous user password iterations to keep in
|
||||
history, in order to enforce that newly created passwords are unique. The total
|
||||
number which includes the new password should not be greater or equal to this
|
||||
value. Setting the value to one (the default) disables this feature. Thus, to
|
||||
enable this feature, values must be greater than 1. This feature depends on
|
||||
value. Setting the value to zero (the default) disables this feature. Thus, to
|
||||
enable this feature, values must be greater than 0. This feature depends on
|
||||
the `sql` backend for the `[identity] driver`.
|
||||
"""))
|
||||
|
||||
|
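Review bot: The help text still says "The total number which includes the new password should not be greater or equal to this value", which no longer describes the option once `0` disables the feature and `1` (per the release note) means the new password only has to differ from the current one; the new lines only rewrite the "disables this feature" sentence. Suggest replacing that sentence with a direct statement of what a value N means, e.g. `The new password must differ from the last N passwords kept in history; 1 means it must differ from the current password only.` The `min=0` change is consistent with the new default, and the surrounding `cfg.IntOpt(...)` call is fully inside the hunk.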
@ -233,12 +233,9 @@ class Identity(base.IdentityDriverBase):
|
||||
|
||||
def _validate_password_history(self, password, user_ref):
|
||||
unique_cnt = CONF.security_compliance.unique_last_password_count
|
||||
# Slice off all of the extra passwords.
|
||||
user_ref.local_user.passwords = (
|
||||
user_ref.local_user.passwords[-unique_cnt:])
|
||||
# Validate the new password against the remaining passwords.
|
||||
if unique_cnt > 1:
|
||||
for password_ref in user_ref.local_user.passwords:
|
||||
if unique_cnt > 0:
|
||||
for password_ref in user_ref.local_user.passwords[-unique_cnt:]:
|
||||
if password_hashing.check_password(
|
||||
password,
|
||||
password_ref.password_hash or password_ref.password):
|
||||
|
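Review bot: The added `if unique_cnt > 0:` guard is load-bearing rather than a shortcut: with `unique_cnt == 0` the slice `passwords[-unique_cnt:]` is `passwords[0:]`, so without the guard a "disabled" setting would compare the new password against the entire stored history. That deserves a comment on the guard, e.g. `# 0 disables the check; the guard is required because [-0:] is the whole list.` The loop also assumes `local_user.passwords` is ordered oldest to newest so that the negative slice selects the most recent entries — that ordering is not visible here and is worth stating next to the slice. The remainder of `_validate_password_history` (what happens when `check_password` matches) lies outside the hunk.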
@ -140,6 +140,7 @@ class User(sql.ModelBase, sql.ModelDictMixinWithExtras):
|
||||
# truncate extra passwords
|
||||
if self.local_user.passwords:
|
||||
unique_cnt = CONF.security_compliance.unique_last_password_count
|
||||
unique_cnt = unique_cnt + 1 if unique_cnt == 0 else unique_cnt
|
||||
self.local_user.passwords = self.local_user.passwords[-unique_cnt:]
|
||||
# set all previous passwords to be expired
|
||||
for ref in self.local_user.passwords:
|
||||
|
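Review bot: `unique_cnt = unique_cnt + 1 if unique_cnt == 0 else unique_cnt` reads as arithmetic on a count and hides its purpose; `unique_cnt = max(unique_cnt, 1)` states the intent directly and should carry a comment such as `# keep at least the current password even when history is disabled (0); [-0:] would keep everything`. Retaining exactly one entry when the feature is off presumably matches the old behavior of default `1`, but that is inferred from the truncation, not shown here. The enclosing method of the `User` model starts and ends outside the hunk.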
@ -421,6 +421,14 @@ class PasswordHistoryValidationTests(test_backend_sql.SqlTests):
|
||||
# 1, 2, 3
|
||||
self.assertValidChangePassword(user['id'], passwords[3], passwords[0])
|
||||
|
||||
def test_validate_password_history_with_valid_password_only_once(self):
|
||||
self.config_fixture.config(group='security_compliance',
|
||||
unique_last_password_count=1)
|
||||
passwords = [uuid.uuid4().hex, uuid.uuid4().hex]
|
||||
user = self._create_user(passwords[0])
|
||||
self.assertValidChangePassword(user['id'], passwords[0], passwords[1])
|
||||
self.assertValidChangePassword(user['id'], passwords[1], passwords[0])
|
||||
|
||||
def test_validate_password_history_but_start_with_password_none(self):
|
||||
passwords = [uuid.uuid4().hex, uuid.uuid4().hex]
|
||||
# Create user and confirm password is None
|
||||
@ -442,7 +450,7 @@ class PasswordHistoryValidationTests(test_backend_sql.SqlTests):
|
||||
|
||||
def test_disable_password_history_and_repeat_same_password(self):
|
||||
self.config_fixture.config(group='security_compliance',
|
||||
unique_last_password_count=1)
|
||||
unique_last_password_count=0)
|
||||
password = uuid.uuid4().hex
|
||||
user = self._create_user(password)
|
||||
# Repeatedly change password with the same password
|
||||
|
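Review bot: `test_validate_password_history_with_valid_password_only_once` exercises only the accepted path for `unique_last_password_count=1` — it never asserts that re-using the current password is rejected, which is the behavior the release note attributes to the value `1`, so a regression that made `1` behave like `0` would still pass. Add a rejected-change assertion right after the first `assertValidChangePassword` call, attempting to change `passwords[1]` to `passwords[1]`, using whichever helper the class uses for an invalid change (not visible in this hunk). The `1` to `0` change in `test_disable_password_history_and_repeat_same_password` correctly tracks the new "disabled" value.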
16
releasenotes/notes/bug-1787874-13499ec227b8e26c.yaml
Normal file
@ -0,0 +1,16 @@
|
||||
---
|
||||
fixes:
|
||||
- |
|
||||
[`bug 1787874 <https://bugs.launchpad.net/keystone/+bug/1787874>`_]
|
||||
The default value of the config option `unique_last_password_count` is
|
||||
changed from 1 to 0. Now `unique_last_password_count = 0` means password
|
||||
history check is disabled. `unique_last_password_count = 1` means
|
||||
when changing password, the new one should be different than the current
|
||||
one.
|
||||
|
||||
upgrade:
|
||||
- |
|
||||
[`bug 1787874 <https://bugs.launchpad.net/keystone/+bug/1787874>`_]
|
||||
Please not that the deployment which set `unique_last_password_count = 1`
|
||||
in the config file should update the value to 0 to keep the same behavior
|
||||
as before.
|