Configurable max password length (bug 1175906)
DocImpact Change-Id: I1b1de8f7e07afe8af8a5cbb83de7f935cea04670
parent
a4243e14b8
commit
55ca347e25
@ -100,6 +100,9 @@
|
||||
# exist to order to maintain support for your v2 clients.
|
||||
# default_domain_id = default
|
||||
|
||||
# Maximum supported length for user passwords; decrease to improve performance.
|
||||
# max_password_length = 4096
|
||||
|
||||
[credential]
|
||||
# driver = keystone.credential.backends.sql.Credential
|
||||
|
||||
|
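Review bot: The new comment above `# max_password_length = 4096` presents the option only as a performance knob and does not tell the operator what happens to a password longer than the limit. The code in this commit truncates such a password with a warning in trunc_password and rejects it with `ValidationSizeError` in the v2 authenticate path. I would extend the comment with a second line such as `# Longer passwords are truncated (with a warning) or rejected at authentication.` so that the effect is visible where the value is chosen.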
@ -210,6 +210,7 @@ def configure():
|
||||
|
||||
# identity
|
||||
register_str('default_domain_id', group='identity', default='default')
|
||||
register_int('max_password_length', group='identity', default=4096)
|
||||
|
||||
# trust
|
||||
register_bool('enabled', group='trust', default=True)
|
||||
|
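Review bot: `register_int('max_password_length', group='identity', default=4096)` accepts any integer, so 0 or a negative value passes configuration loading unchecked. In trunc_password from this commit, 0 turns `password[:max_length]` into the empty string for every input and a negative value slices characters off the end, so any caller that hashes the result would treat distinct passwords alike. Reject values below 1 when the configuration is loaded, or guard in trunc_password with something like `if max_length < 1: raise ValueError('max_password_length must be at least 1')`. configure() starts and ends outside this hunk.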
@ -36,8 +36,6 @@ config.register_int('crypt_strength', default=40000)
|
||||
|
||||
LOG = logging.getLogger(__name__)
|
||||
|
||||
MAX_PASSWORD_LENGTH = 4096
|
||||
|
||||
|
||||
def read_cached_file(filename, cache_info, reload_func=None):
|
||||
"""Read from a file if it has been modified.
|
||||
@ -68,12 +66,13 @@ class SmarterEncoder(json.JSONEncoder):
|
||||
|
||||
|
||||
def trunc_password(password):
|
||||
"""Truncate passwords to the MAX_PASSWORD_LENGTH."""
|
||||
"""Truncate passwords to the max_length."""
|
||||
max_length = CONF.identity.max_password_length
|
||||
try:
|
||||
if len(password) > MAX_PASSWORD_LENGTH:
|
||||
return password[:MAX_PASSWORD_LENGTH]
|
||||
else:
|
||||
return password
|
||||
if len(password) > max_length:
|
||||
LOG.warning(
|
||||
_('Truncating user password to %s characters.') % max_length)
|
||||
return password[:max_length]
|
||||
except TypeError:
|
||||
raise exception.ValidationError(attribute='string', target='password')
|
||||
|
||||
|
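Review bot: trunc_password silently shortens an over-long password, with the new `LOG.warning` as the only signal, while the v2 `Auth` path in this commit rejects the same input with `ValidationSizeError`, so one setting produces two different behaviours. Now that the length is an operator setting, lowering it after passwords were stored changes the prefix that gets hashed; if this helper is also applied when a password is checked (its callers are not visible here), affected users could no longer authenticate. Consider rejecting at set time instead of truncating, or at least stating the constraint in the docstring, e.g. `"""Truncate password to CONF.identity.max_password_length; changing that limit affects existing longer passwords."""`. The rendered hunk also does not show clearly whether `else: return password` is kept on the new side; without it the function would return None for passwords within the limit.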
@ -4,7 +4,6 @@ from keystone.common import cms
|
||||
from keystone.common import controller
|
||||
from keystone.common import dependency
|
||||
from keystone.common import logging
|
||||
from keystone.common import utils
|
||||
from keystone.common import wsgi
|
||||
from keystone import config
|
||||
from keystone import exception
|
||||
@ -215,10 +214,9 @@ class Auth(controller.V2Controller):
|
||||
attribute='password', target='passwordCredentials')
|
||||
|
||||
password = auth['passwordCredentials']['password']
|
||||
max_pw_size = utils.MAX_PASSWORD_LENGTH
|
||||
if password and len(password) > max_pw_size:
|
||||
raise exception.ValidationSizeError(attribute='password',
|
||||
size=max_pw_size)
|
||||
if password and len(password) > CONF.identity.max_password_length:
|
||||
raise exception.ValidationSizeError(
|
||||
attribute='password', size=CONF.identity.max_password_length)
|
||||
|
||||
if ("userId" not in auth['passwordCredentials'] and
|
||||
"username" not in auth['passwordCredentials']):
|
||||
|
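Review bot: `len(password)` in the new size check raises TypeError when the JSON body supplies a truthy non-string password such as a number, and nothing in the visible lines turns that into a validation error. trunc_password in this commit already maps that case to `exception.ValidationError(attribute='string', target='password')`; the same handling here would keep the response a client error (whether a caller further up catches the TypeError is not visible). `CONF.identity.max_password_length` is also read twice; binding it once, `max_length = CONF.identity.max_password_length`, keeps the comparison and the reported `size` in step. The enclosing method starts and ends outside the hunk.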
@ -179,7 +179,8 @@ class AuthBadRequests(AuthTest):
|
||||
|
||||
def test_authenticate_password_too_large(self):
|
||||
"""Verify sending large 'password' raises the right exception."""
|
||||
body_dict = _build_user_auth(username='FOO', password='0' * 8193)
|
||||
length = CONF.identity.max_password_length + 1
|
||||
body_dict = _build_user_auth(username='FOO', password='0' * length)
|
||||
self.assertRaises(exception.ValidationSizeError,
|
||||
self.controller.authenticate,
|
||||
{}, body_dict)
|
||||
|
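Review bot: test_authenticate_password_too_large still runs only against the default limit, so the new configurability is not exercised; `length = CONF.identity.max_password_length + 1` would pass equally if the controller ignored an operator override. Add a case that sets `max_password_length` to a small value before building the request, and a boundary case asserting that a password of exactly the limit does not raise `ValidationSizeError`. A direct test of trunc_password at the limit and at limit + 1 would also cover the truncation path, which this commit changes but no visible test touches.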