Always hash passwords on their way into the DB
Way back in ed793ad5
a feature was added to detect if a password was
already hashed. If it looked like it was already hashed the password
was put into the database as is. It appears that this was added to
support a migration that was using the identity API to store users
instead of direct database inserts.
Change-Id: I37b575e4db2fa7090c5171b8bc32cf2c57ad6e03
Fixes-bug: #1279849
This commit is contained in:
parent
e8f8c17749
commit
e492bbc68e
|
@ -106,11 +106,8 @@ def hash_ldap_user_password(user):
|
|||
def hash_password(password):
|
||||
"""Hash a password. Hard."""
|
||||
password_utf8 = trunc_password(password).encode('utf-8')
|
||||
if passlib.hash.sha512_crypt.identify(password_utf8):
|
||||
return password_utf8
|
||||
h = passlib.hash.sha512_crypt.encrypt(password_utf8,
|
||||
rounds=CONF.crypt_strength)
|
||||
return h
|
||||
return passlib.hash.sha512_crypt.encrypt(
|
||||
password_utf8, rounds=CONF.crypt_strength)
|
||||
|
||||
|
||||
def ldap_hash_password(password):
|
||||
|
|
|
@ -0,0 +1,44 @@
|
|||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
import uuid
|
||||
|
||||
import testtools
|
||||
|
||||
from keystone.common import utils
|
||||
|
||||
|
||||
class TestPasswordHashing(testtools.TestCase):
|
||||
|
||||
def setUp(self):
|
||||
super(TestPasswordHashing, self).setUp()
|
||||
self.password = uuid.uuid4().hex
|
||||
self.hashed_password = utils.hash_password(self.password)
|
||||
|
||||
def test_that_we_can_verify_a_password_against_a_hash(self):
|
||||
self.assertTrue(utils.check_password(self.password,
|
||||
self.hashed_password))
|
||||
|
||||
def test_that_an_incorrect_password_fails_to_validate(self):
|
||||
bad_password = uuid.uuid4().hex
|
||||
self.assertFalse(utils.check_password(bad_password,
|
||||
self.hashed_password))
|
||||
|
||||
def test_that_a_hash_can_not_be_validated_against_a_hash(self):
|
||||
# NOTE(dstanek): Bug 1279849 reported a problem where passwords
|
||||
# were not being hashed if they already looked like a hash. This
|
||||
# would allow someone to hash their password ahead of time
|
||||
# (potentially getting around password requirements, like
|
||||
# length) and then they could auth with their original password.
|
||||
new_hashed_password = utils.hash_password(self.hashed_password)
|
||||
self.assertFalse(utils.check_password(self.password,
|
||||
new_hashed_password))
|
Loading…
Reference in New Issue