This is the squash of 2 patches related to bcrypt hashing settings.
1.
Force algo specific maximum length
The bcrypt algorithm that we use for password hashing silently
length limits the size of the password that is hashed giving the
user a false sense of security [0]. This patch adds a check
in the verify_length_and_trunc_password function for the hash in
use and updates the max_length accordingly, this will override
the configured value and log a warning if the password is truncated.
Conflicts:
* tox.ini
[0]: https://passlib.readthedocs.io/en/stable/lib/passlib.hash.bcrypt.html#security-issues
2.
Properly trimm bcrypt hashed passwords
bcrypt hashing algorythm has a limitation on length of passwords it
can hash on 72 bytes. In [1] a password trimm to 54 symbols has been
implemented, which resulted in password being invalidated after the
keystone upgrade, since passwords are trimmed differently by bcrypt
itself, as well as len(str()) is not always equal to
len(str().encode()) as trimming should be done based on bytes and not
string itself.
With the change we return a byte object from
`verify_length_and_trunc_password`, so it does not need to
be encoded afterwards, since we need to strip based on bytes
rather then on length of the string.
[1] https://review.opendev.org/c/openstack/keystone/+/828595
Closes-Bug: #2028809
Related-Bug: #1901891
original change id: Iea95a3c2df041a0046647b3d3dadead1a6d054d1
(cherry picked from commit 6730c761d1)
(cherry picked from commit 65f1fb6b4a)
Closes-bug: #1901891
Change-Id: I8d0bb2438b23227b5a66b94af6f8e198084fcd8d
(cherry picked from commit 3288af579d)
(cherry picked from commit 1b3536a7a4)