openstack/keystone
Code Issues Proposed changes
Files
victoria-eol
keystone/tox.ini
Dave Wilde (d34dh0r53) 0d5186cb49 Force algo specific maximum length & Properly trimm bcrypt hashed passwords 
This is the squash of 2 patches related to bcrypt hashing settings.

1.
Force algo specific maximum length

The bcrypt algorithm that we use for password hashing silently
length limits the size of the password that is hashed giving the
user a false sense of security [0].  This patch adds a check
in the verify_length_and_trunc_password function for the hash in
use and updates the max_length accordingly, this will override
the configured value and log a warning if the password is truncated.

Conflicts:
* tox.ini

[0]: https://passlib.readthedocs.io/en/stable/lib/passlib.hash.bcrypt.html#security-issues

2.
Properly trimm bcrypt hashed passwords

bcrypt  hashing algorythm has a limitation on length of passwords it
can hash on 72 bytes. In [1] a password trimm to 54 symbols has been
implemented, which resulted in password being invalidated after the
keystone upgrade, since passwords are trimmed differently by bcrypt
itself, as well as len(str()) is not always equal to
len(str().encode()) as trimming should be done based on bytes and not
string itself.

With the change we return a byte object from
`verify_length_and_trunc_password`, so it does not need to
be encoded afterwards, since we need to strip based on bytes
rather then on length of the string.

[1] https://review.opendev.org/c/openstack/keystone/+/828595

Closes-Bug: #2028809
Related-Bug: #1901891
original change id: Iea95a3c2df041a0046647b3d3dadead1a6d054d1
(cherry picked from commit 6730c761d1)
(cherry picked from commit 65f1fb6b4a)

Closes-bug: #1901891
Change-Id: I8d0bb2438b23227b5a66b94af6f8e198084fcd8d
(cherry picked from commit 3288af579d)
(cherry picked from commit 1b3536a7a4)
(cherry picked from commit 7852ca24a4)
(cherry picked from commit a38ba2a70c)
(cherry picked from commit 11e1258ccd)
2023-09-06 17:01:26 +00:00

206 lines
6.0 KiB
INI
Raw Permalink Blame History

[tox]
minversion = 3.2.0
skipsdist = True
envlist = py37,pep8,api-ref,docs,genconfig,genpolicy,releasenotes,protection
# Cap setuptools via virtualenv to prevent compatibility issue with victoria
# branch's upper constraint of pbr package (5.5.0). Tox is also needed to be
# constrained for the 'inner' tox to be installed with the constrained venv.
requires =
virtualenv<20.24.0
tox<4
[testenv]
usedevelop = True
basepython = python3
setenv = VIRTUAL_ENV={envdir}
deps = -c{env:TOX_CONSTRAINTS_FILE:https://releases.openstack.org/constraints/upper/victoria}
-r{toxinidir}/test-requirements.txt
-r{toxinidir}/requirements.txt
.[ldap,memcache,mongodb]
commands =
find keystone -type f -name "*.pyc" -delete
stestr run {posargs}
whitelist_externals =
bash
find
passenv = http_proxy HTTP_PROXY https_proxy HTTPS_PROXY no_proxy NO_PROXY PBR_VERSION
[testenv:api-ref]
deps = -r{toxinidir}/doc/requirements.txt
commands =
bash -c "rm -rf api-ref/build"
sphinx-build -W -b html -d api-ref/build/doctrees api-ref/source api-ref/build/html
[testenv:pep8]
deps =
.[bandit]
{[testenv]deps}
commands =
flake8 --ignore=D100,D101,D102,D103,D104,E305,E402,W503,W504,W605
# Run bash8 during pep8 runs to ensure violations are caught by
# the check and gate queues
bashate devstack/plugin.sh
# Run security linter
bandit -r keystone -x 'keystone/tests/*'
[testenv:fast8]
envdir = {toxworkdir}/pep8
commands =
{toxinidir}/tools/fast8.sh
passenv = FAST8_NUM_COMMITS
[testenv:bandit]
# NOTE(browne): This is required for the integration test job of the bandit
# project. Please do not remove.
deps = -c{env:TOX_CONSTRAINTS_FILE:https://releases.openstack.org/constraints/upper/victoria}
-r{toxinidir}/requirements.txt
.[bandit]
commands = bandit -r keystone -x 'keystone/tests/*'
[testenv:cover]
# Also do not run test_coverage_ext tests while gathering coverage as those
# tests conflict with coverage.
setenv =
{[testenv]setenv}
PYTHON=coverage run --source keystone --parallel-mode
commands =
find keystone -type f -name "*.pyc" -delete
stestr run {posargs}
coverage combine
coverage html -d cover
coverage xml -o cover/coverage.xml
[testenv:patch_cover]
commands =
bash tools/cover.sh
[testenv:venv]
commands = {posargs}
[testenv:debug]
commands =
find keystone -type f -name "*.pyc" -delete
oslo_debug_helper {posargs}
passenv =
KSTEST_ADMIN_URL
KSTEST_ADMIN_USERNAME
KSTEST_ADMIN_PASSWORD
KSTEST_ADMIN_DOMAIN_ID
KSTEST_PUBLIC_URL
KSTEST_USER_USERNAME
KSTEST_USER_PASSWORD
KSTEST_USER_DOMAIN_ID
KSTEST_PROJECT_ID
[testenv:functional]
deps = -r{toxinidir}/test-requirements.txt
setenv = OS_TEST_PATH=./keystone/tests/functional
commands =
find keystone -type f -name "*.pyc" -delete
stestr run {posargs}
stestr slowest
passenv =
KSTEST_ADMIN_URL
KSTEST_ADMIN_USERNAME
KSTEST_ADMIN_PASSWORD
KSTEST_ADMIN_DOMAIN_ID
KSTEST_PUBLIC_URL
KSTEST_USER_USERNAME
KSTEST_USER_PASSWORD
KSTEST_USER_DOMAIN_ID
KSTEST_PROJECT_ID
[flake8]
filename= *.py,keystone-manage
show-source = true
enable-extensions = H203,H904
# D100: Missing docstring in public module
# D101: Missing docstring in public class
# D102: Missing docstring in public method
# D103: Missing docstring in public function
# D104: Missing docstring in public package
# D203: 1 blank line required before class docstring (deprecated in pep257)
# TODO(wxy): Fix the pep8 issue.
# E402: module level import not at top of file
# W503: line break before binary operator
# W504 line break after binary operator
ignore = D100,D101,D102,D103,D104,D203,E402,W503,W504
exclude=.venv,.git,.tox,build,dist,*lib/python*,*egg,tools,vendor,.update-venv,*.ini,*.po,*.pot
max-complexity=24
per-file-ignores =
# URL lines too long
keystone/common/password_hashing.py: E501
[testenv:docs]
deps =
-c{env:TOX_CONSTRAINTS_FILE:https://releases.openstack.org/constraints/upper/victoria}
-r{toxinidir}/doc/requirements.txt
.[ldap,memcache,mongodb]
commands=
bash -c "rm -rf doc/build"
bash -c "rm -rf doc/source/api"
sphinx-build -W -b html -d doc/build/doctrees doc/source doc/build/html
# FIXME(gyee): we need to pre-create the doc/build/pdf/_static directory as a
# workaround because sphinx_feature_classification.support_matrix extension
# is operating under the assumption that the _static directory already exist
# and trying to copy support-matrix.css into it. We need to remove
# the workaround after this patch has merged:
# https://review.opendev.org/#/c/679860
[testenv:pdf-docs]
envdir = {toxworkdir}/docs
deps = {[testenv:docs]deps}
whitelist_externals =
make
mkdir
rm
commands =
rm -rf doc/build/pdf
mkdir -p doc/build/pdf/_static
sphinx-build -W -b latex doc/source doc/build/pdf
make -C doc/build/pdf
[testenv:releasenotes]
deps = -r{toxinidir}/doc/requirements.txt
commands = sphinx-build -a -E -W -d releasenotes/build/doctrees -b html releasenotes/source releasenotes/build/html
[testenv:genconfig]
commands = oslo-config-generator --config-file=config-generator/keystone.conf
[testenv:genpolicy]
commands = oslopolicy-sample-generator --config-file config-generator/keystone-policy-generator.conf
[hacking]
import_exceptions =
keystone.i18n
six.moves
[flake8:local-plugins]
extension =
K001 = checks:CheckForMutableDefaultArgs
K002 = checks:block_comments_begin_with_a_space
K005 = checks:CheckForTranslationIssues
K008 = checks:dict_constructor_with_sequence_copy
paths = ./keystone/tests/hacking
[testenv:bindep]
# Do not install any requirements. We want this to be fast and work even if
# system dependencies are missing, since it's used to tell you what system
# dependencies are missing! This also means that bindep must be installed
# separately, outside of the requirements files.
deps = bindep
commands = bindep test
[testenv:lower-constraints]
deps =
-c{toxinidir}/lower-constraints.txt
-r{toxinidir}/test-requirements.txt
.[ldap,memcache,mongodb]
[testenv:protection]
commands =
find keystone -type f -name "*.pyc" -delete
stestr run --test-path=./keystone/tests/protection {posargs}
View Git Blame Copy Permalink