Change unique_last_password_count default to 0

Change the default value of unique_last_password_count from
1 to 0, so that the value 1 can be used for the case where the
password history check only checks the one previous password.

Change-Id: Id368c99ca4926c995ea47959a6c3a438fffe1823
Closes-Bug: #1787874
wangxiyuan 2018-08-20 11:02:52 +08:00
parent c896f911ef
commit 34609d557e
5 changed files with 32 additions and 10 deletions


@ -66,14 +66,14 @@ the `[identity] driver`.
unique_last_password_count = cfg.IntOpt(
'unique_last_password_count',
default=1,
min=1,
default=0,
min=0,
help=utils.fmt("""
This controls the number of previous user password iterations to keep in
history, in order to enforce that newly created passwords are unique. The total
number which includes the new password should not be greater or equal to this
value. Setting the value to one (the default) disables this feature. Thus, to
enable this feature, values must be greater than 1. This feature depends on
value. Setting the value to zero (the default) disables this feature. Thus, to
enable this feature, values must be greater than 0. This feature depends on
the `sql` backend for the `[identity] driver`.
"""))


@ -233,12 +233,9 @@ class Identity(base.IdentityDriverBase):
def _validate_password_history(self, password, user_ref):
unique_cnt = CONF.security_compliance.unique_last_password_count
# Slice off all of the extra passwords.
user_ref.local_user.passwords = (
user_ref.local_user.passwords[-unique_cnt:])
# Validate the new password against the remaining passwords.
if unique_cnt > 1:
for password_ref in user_ref.local_user.passwords:
if unique_cnt > 0:
for password_ref in user_ref.local_user.passwords[-unique_cnt:]:
if password_hashing.check_password(
password,
password_ref.password_hash or password_ref.password):
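Review bot: The comment `# Validate the new password against the remaining passwords.` above the new `if unique_cnt > 0:` refers to a slice that this function no longer performs; with the truncation lines removed, the bound is applied inline by `passwords[-unique_cnt:]`. Suggest `# Compare against the unique_cnt most recent stored passwords; 0 disables the check.` That comment should also record that the `-unique_cnt` slice is only safe under the `> 0` guard, because `passwords[-0:]` is the whole list, not an empty one. Persistent trimming of the history now appears to live only in the model, so the number of passwords this check can see is bounded by what was kept at write time — worth a sentence in the docstring. `_validate_password_history` continues past the end of the hunk.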


@ -140,6 +140,7 @@ class User(sql.ModelBase, sql.ModelDictMixinWithExtras):
# truncate extra passwords
if self.local_user.passwords:
unique_cnt = CONF.security_compliance.unique_last_password_count
unique_cnt = unique_cnt + 1 if unique_cnt == 0 else unique_cnt
self.local_user.passwords = self.local_user.passwords[-unique_cnt:]
# set all previous passwords to be expired
for ref in self.local_user.passwords:
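Review bot: The new line `unique_cnt = unique_cnt + 1 if unique_cnt == 0 else unique_cnt` hides its reason: with the check disabled (0), `passwords[-0:]` would retain the entire history instead of just the current password, so the count has to be raised to 1 before slicing. The same intent reads more directly as `unique_cnt = max(unique_cnt, 1)  # -0 would slice nothing off; always keep the current password`. Whether the retained entries include the password being set depends on where this truncation sits relative to the append, which is outside the hunk.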


@ -421,6 +421,14 @@ class PasswordHistoryValidationTests(test_backend_sql.SqlTests):
# 1, 2, 3
self.assertValidChangePassword(user['id'], passwords[3], passwords[0])
def test_validate_password_history_with_valid_password_only_once(self):
self.config_fixture.config(group='security_compliance',
unique_last_password_count=1)
passwords = [uuid.uuid4().hex, uuid.uuid4().hex]
user = self._create_user(passwords[0])
self.assertValidChangePassword(user['id'], passwords[0], passwords[1])
self.assertValidChangePassword(user['id'], passwords[1], passwords[0])
def test_validate_password_history_but_start_with_password_none(self):
passwords = [uuid.uuid4().hex, uuid.uuid4().hex]
# Create user and confirm password is None
@ -442,7 +450,7 @@ class PasswordHistoryValidationTests(test_backend_sql.SqlTests):
def test_disable_password_history_and_repeat_same_password(self):
self.config_fixture.config(group='security_compliance',
unique_last_password_count=1)
unique_last_password_count=0)
password = uuid.uuid4().hex
user = self._create_user(password)
# Repeatedly change password with the same password
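Review bot: In the first hunk, `test_validate_password_history_with_valid_password_only_once` only checks that two distinct passwords can be swapped back and forth with `unique_last_password_count=1`; it never asserts the one behaviour that distinguishes 1 from 0, namely that changing to the password currently in use is rejected. Without a negative assertion, e.g. a change from `passwords[1]` back to `passwords[1]` after the first change, the test would also pass if the check were disabled. If the class has a negative counterpart to `assertValidChangePassword`, it belongs here.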


@ -0,0 +1,16 @@
---
fixes:
- |
[`bug 1787874 <https://bugs.launchpad.net/keystone/+bug/1787874>`_]
The default value of the config option `unique_last_password_count` is
changed from 1 to 0. Now `unique_last_password_count = 0` means password
history check is disabled. `unique_last_password_count = 1` means
when changing password, the new one should be different than the current
one.
upgrade:
- |
[`bug 1787874 <https://bugs.launchpad.net/keystone/+bug/1787874>`_]
Please not that the deployment which set `unique_last_password_count = 1`
in the config file should update the value to 0 to keep the same behavior
as before.