Change unique_last_password_count default to 0

Changing the default value of unique_last_password_count from 1 to 0, so that it can handle a case(when set to 1) that the password history check only check one previous password. Change-Id: Id368c99ca4926c995ea47959a6c3a438fffe1823 Closes-Bug: #1787874
2018-08-20 11:02:52 +08:00 · 2018-08-20 11:02:52 +08:00 · 34609d557e
parent c896f911ef
commit 34609d557e
5 changed files with 32 additions and 10 deletions
--- a/keystone/conf/security_compliance.py
+++ b/keystone/conf/security_compliance.py
@ -66,14 +66,14 @@ the `[identity] driver`.

 unique_last_password_count = cfg.IntOpt(
    'unique_last_password_count',
-    default=1,
-    min=1,
+    default=0,
+    min=0,
    help=utils.fmt("""
 This controls the number of previous user password iterations to keep in
 history, in order to enforce that newly created passwords are unique. The total
 number which includes the new password should not be greater or equal to this
-value. Setting the value to one (the default) disables this feature. Thus, to
-enable this feature, values must be greater than 1. This feature depends on
+value. Setting the value to zero (the default) disables this feature. Thus, to
+enable this feature, values must be greater than 0. This feature depends on
 the `sql` backend for the `[identity] driver`.
 """))

--- a/keystone/identity/backends/sql.py
+++ b/keystone/identity/backends/sql.py
@ -233,12 +233,9 @@ class Identity(base.IdentityDriverBase):

    def _validate_password_history(self, password, user_ref):
        unique_cnt = CONF.security_compliance.unique_last_password_count
-        # Slice off all of the extra passwords.
-        user_ref.local_user.passwords = (
-            user_ref.local_user.passwords[-unique_cnt:])
        # Validate the new password against the remaining passwords.
-        if unique_cnt > 1:
-            for password_ref in user_ref.local_user.passwords:
+        if unique_cnt > 0:
+            for password_ref in user_ref.local_user.passwords[-unique_cnt:]:
                if password_hashing.check_password(
                        password,
                        password_ref.password_hash or password_ref.password):
--- a/keystone/identity/backends/sql_model.py
+++ b/keystone/identity/backends/sql_model.py
@ -140,6 +140,7 @@ class User(sql.ModelBase, sql.ModelDictMixinWithExtras):
        # truncate extra passwords
        if self.local_user.passwords:
            unique_cnt = CONF.security_compliance.unique_last_password_count
+            unique_cnt = unique_cnt + 1 if unique_cnt == 0 else unique_cnt
            self.local_user.passwords = self.local_user.passwords[-unique_cnt:]
        # set all previous passwords to be expired
        for ref in self.local_user.passwords:
--- a/keystone/tests/unit/identity/test_backend_sql.py
+++ b/keystone/tests/unit/identity/test_backend_sql.py
@ -421,6 +421,14 @@ class PasswordHistoryValidationTests(test_backend_sql.SqlTests):
        # 1, 2, 3
        self.assertValidChangePassword(user['id'], passwords[3], passwords[0])

+    def test_validate_password_history_with_valid_password_only_once(self):
+        self.config_fixture.config(group='security_compliance',
+                                   unique_last_password_count=1)
+        passwords = [uuid.uuid4().hex, uuid.uuid4().hex]
+        user = self._create_user(passwords[0])
+        self.assertValidChangePassword(user['id'], passwords[0], passwords[1])
+        self.assertValidChangePassword(user['id'], passwords[1], passwords[0])
+
    def test_validate_password_history_but_start_with_password_none(self):
        passwords = [uuid.uuid4().hex, uuid.uuid4().hex]
        # Create user and confirm password is None
@ -442,7 +450,7 @@ class PasswordHistoryValidationTests(test_backend_sql.SqlTests):

    def test_disable_password_history_and_repeat_same_password(self):
        self.config_fixture.config(group='security_compliance',
-                                   unique_last_password_count=1)
+                                   unique_last_password_count=0)
        password = uuid.uuid4().hex
        user = self._create_user(password)
        # Repeatedly change password with the same password
--- a/releasenotes/notes/bug-1787874-13499ec227b8e26c.yaml
+++ b/releasenotes/notes/bug-1787874-13499ec227b8e26c.yaml
@ -0,0 +1,16 @@
+---
+fixes:
+  - |
+    [`bug 1787874 <https://bugs.launchpad.net/keystone/+bug/1787874>`_]
+    The default value of the config option `unique_last_password_count` is
+    changed from 1 to 0. Now `unique_last_password_count = 0` means password
+    history check is disabled. `unique_last_password_count = 1` means
+    when changing password, the new one should be different than the current
+    one.
+
+upgrade:
+  - |
+    [`bug 1787874 <https://bugs.launchpad.net/keystone/+bug/1787874>`_]
+    Please not that the deployment which set `unique_last_password_count = 1`
+    in the config file should update the value to 0 to keep the same behavior
+    as before.