Merge "Switch to direct usage of bcrypt"
This commit is contained in:
commit
bcd020f481
156
keystone/common/password_hashers/bcrypt.py
Normal file
156
keystone/common/password_hashers/bcrypt.py
Normal file
@ -0,0 +1,156 @@
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
import base64
|
||||
import hmac
|
||||
|
||||
import bcrypt
|
||||
|
||||
from keystone import exception
|
||||
|
||||
|
||||
class Bcrypt:
|
||||
"""passlib transition class for implementing bcrypt password hashing"""
|
||||
|
||||
name: str = "bcrypt"
|
||||
ident_values: set[str] = {"$2$", "$2a$", "$2b$", "$2x$", "$2y$"}
|
||||
|
||||
@staticmethod
|
||||
def hash(
|
||||
password: bytes,
|
||||
rounds: int = 12,
|
||||
**kwargs,
|
||||
) -> str:
|
||||
"""Generate password hash string with ident and params
|
||||
|
||||
https://pypi.org/project/bcrypt/
|
||||
|
||||
:param bytes password: Password to be hashed.
|
||||
:param int round: Count of rounds.
|
||||
|
||||
:returns: String in format `$2b${rounds}${salt}{digest}`
|
||||
"""
|
||||
salt: bytes = bcrypt.gensalt(rounds)
|
||||
digest: bytes = bcrypt.hashpw(password, salt)
|
||||
return digest.decode("ascii")
|
||||
|
||||
@staticmethod
|
||||
def verify(password: bytes, hashed: str) -> bool:
|
||||
"""Verify hashing password would be equal to the `hashed` value
|
||||
|
||||
:param bytes password: Password to verify
|
||||
:param string hashed: Hashed password. Used to extract hashing
|
||||
parameters
|
||||
|
||||
:returns: boolean whether hashing password with the same parameters
|
||||
would match hashed value
|
||||
"""
|
||||
return bcrypt.checkpw(password, hashed.encode("ascii"))
|
||||
|
||||
|
||||
class Bcrypt_sha256:
|
||||
"""passlib transition class for bcrypt_sha256 password hashing"""
|
||||
|
||||
name: str = "bcrypt_sha256"
|
||||
ident_values: set[str] = {"$2a$", "$2b$"}
|
||||
prefix: str = "$bcrypt-sha256$"
|
||||
|
||||
@staticmethod
|
||||
def hash(
|
||||
password: bytes,
|
||||
rounds: int = 12,
|
||||
**kwargs,
|
||||
) -> str:
|
||||
"""Generate password hash string with ident and params
|
||||
|
||||
https://pypi.org/project/bcrypt/
|
||||
|
||||
:param bytes password: Password to be hashed.
|
||||
:param int round: Count of rounds.
|
||||
|
||||
:returns: String in format
|
||||
`$bcrypt-sha256$r={rounds},t={ident},v={version}${salt}${digest}`
|
||||
"""
|
||||
# generate salt with ident and options
|
||||
salt_with_opts: bytes = bcrypt.gensalt(rounds)
|
||||
# get the pure salt
|
||||
salt: bytes = salt_with_opts[-22:]
|
||||
# make a `str` salt
|
||||
salt_str: str = salt.decode("ascii")
|
||||
|
||||
# NOTE(gtema): passlib calculates sha256 hmac digest of the password
|
||||
# with the key set to salt
|
||||
# Calculate password hmac digest with salt as key
|
||||
hmac_digest: bytes = base64.b64encode(
|
||||
hmac.digest(salt, password, "sha256")
|
||||
)
|
||||
|
||||
# calculate bcrypt hash
|
||||
hashed: str = bcrypt.hashpw(hmac_digest, salt_with_opts).decode(
|
||||
"ascii"
|
||||
)
|
||||
# get the digest part of the hash
|
||||
digest: str = hashed[-31:]
|
||||
|
||||
# Construct `passlib` compatible format of the bcrypt-sha256 hash
|
||||
return f"{Bcrypt_sha256.prefix}v=2,t=2b,r={rounds}${salt_str}${digest}"
|
||||
|
||||
@staticmethod
|
||||
def verify(password: bytes, hashed: str) -> bool:
|
||||
"""Verify hashing password would be equal to the `hashed` value
|
||||
|
||||
:param bytes password: Password to verify
|
||||
:param string hashed: Hashed password. Used to extract hashing
|
||||
parameters
|
||||
|
||||
:returns: boolean whether hashing password with the same parameters
|
||||
would match hashed value
|
||||
"""
|
||||
opts: dict = {}
|
||||
data: str = hashed
|
||||
# Strip the ident from the hashed value
|
||||
if hashed.startswith(Bcrypt_sha256.prefix):
|
||||
data = hashed[len(Bcrypt_sha256.prefix) :]
|
||||
# split hashed string to extract parameters
|
||||
parts: list[str] = data.split("$")
|
||||
salt: str
|
||||
digest: str
|
||||
|
||||
if len(parts) == 3:
|
||||
params, salt, digest = parts
|
||||
else:
|
||||
raise exception.PasswordValidationError("malformed password hash")
|
||||
|
||||
for param in params.split(","):
|
||||
if param.startswith("r="):
|
||||
# Extract rounds passlib applied
|
||||
opts["r"] = int(param[2:])
|
||||
if param.startswith("t="):
|
||||
# indent applied during hashing
|
||||
opts["t"] = param[2:]
|
||||
|
||||
# Calculate password hmac digest with salt as key
|
||||
hmac_digest: bytes = base64.b64encode(
|
||||
hmac.digest(salt.encode("ascii"), password, "sha256")
|
||||
)
|
||||
|
||||
# Normalize salt to whatever bcrypt expects it to be
|
||||
new_salt: str = f"${opts['t']}${opts['r']}${salt}"
|
||||
|
||||
# verify_digest: str = bcrypt.hashpw(
|
||||
# hmac_digest.encode("ascii"), new_salt.encode("ascii")
|
||||
# )[-31:].decode("ascii")
|
||||
|
||||
# Invoke bcrypt checkpw with the re-calculated salt
|
||||
return bcrypt.checkpw(
|
||||
hmac_digest, f"{new_salt}{digest}".encode("ascii")
|
||||
)
|
@ -18,6 +18,7 @@ import itertools
|
||||
from oslo_log import log
|
||||
import passlib.hash
|
||||
|
||||
from keystone.common.password_hashers import bcrypt
|
||||
from keystone.common.password_hashers import scrypt
|
||||
import keystone.conf
|
||||
from keystone import exception
|
||||
@ -28,11 +29,11 @@ LOG = log.getLogger(__name__)
|
||||
|
||||
SUPPORTED_HASHERS = frozenset(
|
||||
[
|
||||
passlib.hash.bcrypt,
|
||||
passlib.hash.bcrypt_sha256,
|
||||
passlib.hash.pbkdf2_sha512,
|
||||
passlib.hash.sha512_crypt,
|
||||
scrypt.Scrypt,
|
||||
bcrypt.Bcrypt,
|
||||
bcrypt.Bcrypt_sha256,
|
||||
]
|
||||
)
|
||||
|
||||
@ -170,5 +171,9 @@ def hash_password(password: str) -> str:
|
||||
if CONF.identity.salt_bytesize:
|
||||
params["salt_size"] = CONF.identity.salt_bytesize
|
||||
return scrypt.Scrypt.hash(password_utf8, **params)
|
||||
elif hasher is bcrypt.Bcrypt:
|
||||
return bcrypt.Bcrypt.hash(password_utf8, **params)
|
||||
elif hasher is bcrypt.Bcrypt_sha256:
|
||||
return bcrypt.Bcrypt_sha256.hash(password_utf8, **params)
|
||||
|
||||
return hasher.using(**params).hash(password_utf8)
|
||||
|
@ -26,6 +26,7 @@ CONF = keystone.conf.CONF
|
||||
|
||||
class TestPasswordHashing(unit.BaseTestCase):
|
||||
OPTIONAL = object()
|
||||
ITERATIONS: int = 10
|
||||
|
||||
def setUp(self):
|
||||
super().setUp()
|
||||
@ -38,10 +39,10 @@ class TestPasswordHashing(unit.BaseTestCase):
|
||||
)
|
||||
self.config_fixture.config(group="identity", max_password_length="96")
|
||||
# Few iterations to test different inputs
|
||||
for _ in range(10):
|
||||
for _ in range(self.ITERATIONS):
|
||||
password: str = "".join( # type: ignore
|
||||
secrets.choice(string.printable)
|
||||
for i in range(random.randint(1, 96))
|
||||
for i in range(random.randint(1, 72))
|
||||
)
|
||||
hashed = password_hashing.hash_password(password)
|
||||
self.assertTrue(password_hashing.check_password(password, hashed))
|
||||
@ -57,7 +58,7 @@ class TestPasswordHashing(unit.BaseTestCase):
|
||||
)
|
||||
self.config_fixture.config(group="identity", max_password_length="96")
|
||||
# Few iterations to test different inputs
|
||||
for _ in range(10):
|
||||
for _ in range(self.ITERATIONS):
|
||||
# Would be nice to check all pass lengths from 1 till max, but it
|
||||
# takes too much time, thus using rand to pick up the password
|
||||
# length
|
||||
@ -69,3 +70,67 @@ class TestPasswordHashing(unit.BaseTestCase):
|
||||
self.assertTrue(
|
||||
password_hashing.check_password(password, hashed_passlib)
|
||||
)
|
||||
|
||||
def test_bcrypt(self):
|
||||
self.config_fixture.config(strict_password_check=True)
|
||||
self.config_fixture.config(
|
||||
group="identity", password_hash_algorithm="bcrypt"
|
||||
)
|
||||
self.config_fixture.config(group="identity", max_password_length="72")
|
||||
# Few iterations to test different inputs
|
||||
for _ in range(self.ITERATIONS):
|
||||
password: str = "".join( # type: ignore
|
||||
secrets.choice(string.printable)
|
||||
for i in range(random.randint(1, 72))
|
||||
)
|
||||
hashed = password_hashing.hash_password(password)
|
||||
self.assertTrue(password_hashing.check_password(password, hashed))
|
||||
|
||||
def test_bcrypt_passlib_compat(self):
|
||||
self.config_fixture.config(strict_password_check=True)
|
||||
self.config_fixture.config(
|
||||
group="identity", password_hash_algorithm="bcrypt"
|
||||
)
|
||||
self.config_fixture.config(group="identity", max_password_length="72")
|
||||
# Few iterations to test different inputs
|
||||
for _ in range(self.ITERATIONS):
|
||||
password: str = "".join( # type: ignore
|
||||
secrets.choice(string.printable)
|
||||
for i in range(random.randint(1, 72))
|
||||
)
|
||||
hashed_passlib = passlib.hash.bcrypt.hash(password)
|
||||
self.assertTrue(
|
||||
password_hashing.check_password(password, hashed_passlib)
|
||||
)
|
||||
|
||||
def test_bcrypt_sha256(self):
|
||||
self.config_fixture.config(strict_password_check=True)
|
||||
self.config_fixture.config(
|
||||
group="identity", password_hash_algorithm="bcrypt_sha256"
|
||||
)
|
||||
self.config_fixture.config(group="identity", max_password_length="96")
|
||||
# Few iterations to test different inputs
|
||||
for _ in range(self.ITERATIONS):
|
||||
password: str = "".join( # type: ignore
|
||||
secrets.choice(string.printable)
|
||||
for i in range(random.randint(1, 96))
|
||||
)
|
||||
hashed = password_hashing.hash_password(password)
|
||||
self.assertTrue(password_hashing.check_password(password, hashed))
|
||||
|
||||
def test_bcrypt_sha256_passlib_compat(self):
|
||||
self.config_fixture.config(strict_password_check=True)
|
||||
self.config_fixture.config(
|
||||
group="identity", password_hash_algorithm="bcrypt_sha256"
|
||||
)
|
||||
self.config_fixture.config(group="identity", max_password_length="96")
|
||||
# Few iterations to test different inputs
|
||||
for _ in range(self.ITERATIONS):
|
||||
password: str = "".join( # type: ignore
|
||||
secrets.choice(string.printable)
|
||||
for i in range(random.randint(1, 96))
|
||||
)
|
||||
hashed_passlib = passlib.hash.bcrypt_sha256.hash(password)
|
||||
self.assertTrue(
|
||||
password_hashing.check_password(password, hashed_passlib)
|
||||
)
|
||||
|
Loading…
Reference in New Issue
Block a user