Always hash passwords on their way into the DB

Way back in ed793ad5 a feature was added to detect if a password was already hashed. If it looked like it was already hashed the password was put into the database as is. It appears that this was added to support a migration that was using the identity API to store users instead of direct database inserts. Change-Id: I37b575e4db2fa7090c5171b8bc32cf2c57ad6e03 Fixes-bug: #1279849
2014-02-19 18:26:58 +00:00 · 2014-02-19 18:26:58 +00:00 · e492bbc68e
parent e8f8c17749
commit e492bbc68e
4 changed files with 46 additions and 5 deletions
--- a/keystone/common/utils.py
+++ b/keystone/common/utils.py
@ -106,11 +106,8 @@ def hash_ldap_user_password(user):
 def hash_password(password):
    """Hash a password. Hard."""
    password_utf8 = trunc_password(password).encode('utf-8')
-    if passlib.hash.sha512_crypt.identify(password_utf8):
-        return password_utf8
-    h = passlib.hash.sha512_crypt.encrypt(password_utf8,
-                                          rounds=CONF.crypt_strength)
-    return h
+    return passlib.hash.sha512_crypt.encrypt(
+        password_utf8, rounds=CONF.crypt_strength)


 def ldap_hash_password(password):
--- a/keystone/tests/unit/init.py
+++ b/keystone/tests/unit/init.py
--- a/keystone/tests/unit/common/init.py
+++ b/keystone/tests/unit/common/init.py
--- a/keystone/tests/unit/common/test_utils.py
+++ b/keystone/tests/unit/common/test_utils.py
@ -0,0 +1,44 @@
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+import uuid
+
+import testtools
+
+from keystone.common import utils
+
+
+class TestPasswordHashing(testtools.TestCase):
+
+    def setUp(self):
+        super(TestPasswordHashing, self).setUp()
+        self.password = uuid.uuid4().hex
+        self.hashed_password = utils.hash_password(self.password)
+
+    def test_that_we_can_verify_a_password_against_a_hash(self):
+        self.assertTrue(utils.check_password(self.password,
+                                             self.hashed_password))
+
+    def test_that_an_incorrect_password_fails_to_validate(self):
+        bad_password = uuid.uuid4().hex
+        self.assertFalse(utils.check_password(bad_password,
+                                              self.hashed_password))
+
+    def test_that_a_hash_can_not_be_validated_against_a_hash(self):
+        # NOTE(dstanek): Bug 1279849 reported a problem where passwords
+        # were not being hashed if they already looked like a hash. This
+        # would allow someone to hash their password ahead of time
+        # (potentially getting around password requirements, like
+        # length) and then they could auth with their original password.
+        new_hashed_password = utils.hash_password(self.hashed_password)
+        self.assertFalse(utils.check_password(self.password,
+                                              new_hashed_password))