Remove LDAP password hashing code
Keystone should not be hashing passwords for LDAP users itself. Password hashing should be performed by the LDAP server, as password policies may not allow pre-hashed passwords to be set (they may enforce a scheme that is stronger than salted SHA-1). This removes the LDAP password hashing code. When using fakeldap for running unit tests, passwords will not be hashed. For this reason, the hashing tests are skipped for LDAP backends. Closes-bug: 1308793 Change-Id: Ia0998b7fd8fb5d01b86a947d18b7e79fcffd1228
parent
0473e5ab75
commit
c94d19b486
|
@ -113,15 +113,6 @@ def hash_user_password(user):
|
|||
return dict(user, password=hash_password(password))
|
||||
|
||||
|
||||
def hash_ldap_user_password(user):
|
||||
"""Hash a user dict's password without modifying the passed-in dict."""
|
||||
password = user.get('password')
|
||||
if password is None:
|
||||
return user
|
||||
|
||||
return dict(user, password=ldap_hash_password(password))
|
||||
|
||||
|
||||
def hash_password(password):
|
||||
"""Hash a password. Hard."""
|
||||
password_utf8 = trunc_password(password).encode('utf-8')
|
||||
|
@ -129,20 +120,6 @@ def hash_password(password):
|
|||
password_utf8, rounds=CONF.crypt_strength)
|
||||
|
||||
|
||||
def ldap_hash_password(password):
|
||||
"""Hash a password. Hard."""
|
||||
password_utf8 = trunc_password(password).encode('utf-8')
|
||||
h = passlib.hash.ldap_salted_sha1.encrypt(password_utf8)
|
||||
return h
|
||||
|
||||
|
||||
def ldap_check_password(password, hashed):
|
||||
if password is None:
|
||||
return False
|
||||
password_utf8 = trunc_password(password).encode('utf-8')
|
||||
return passlib.hash.ldap_salted_sha1.verify(password_utf8, hashed)
|
||||
|
||||
|
||||
def check_password(password, hashed):
|
||||
"""Check that a plaintext password matches hashed.
|
||||
|
||||
|
|
|
@ -99,7 +99,6 @@ class Identity(identity.Driver):
|
|||
if 'name' in user and old_obj.get('name') != user['name']:
|
||||
raise exception.Conflict(_('Cannot change user name'))
|
||||
|
||||
user = utils.hash_ldap_user_password(user)
|
||||
if self.user.enabled_mask:
|
||||
self.user.mask_enabled_attribute(user)
|
||||
self.user.update(user_id, user, old_obj)
|
||||
|
@ -224,7 +223,6 @@ class UserApi(common_ldap.EnabledEmuMixIn, common_ldap.BaseLdap):
|
|||
del values['enabled_nomask']
|
||||
|
||||
def create(self, values):
|
||||
values = utils.hash_ldap_user_password(values)
|
||||
if self.enabled_mask:
|
||||
orig_enabled = values['enabled']
|
||||
self.mask_enabled_attribute(values)
|
||||
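Review bot: With `utils.hash_ldap_user_password` dropped from both the `update` path (first hunk) and `UserApi.create` (second hunk), the `password` value now reaches `self.user.update` and the directory exactly as the caller supplied it, so the cleartext crosses the LDAP connection; unless that connection is TLS-protected the password is exposed on the wire, and the directory must itself hash on write or it will store cleartext. A comment at each call site would make the new contract explicit, e.g. `# Password is passed through as given: hashing is delegated to the LDAP server (bug 1308793), so the connection must be TLS-protected.` Note also that `trunc_password`, which the removed LDAP helpers applied before hashing, no longer runs on this path, so whatever length handling it performed is now skipped for LDAP users — presumably intended, but the commit message does not say so. Both enclosing methods extend outside their hunks (`update` starts before the first, `create` continues past the second).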
|
|
|
@ -30,7 +30,6 @@ import six
|
|||
from six import moves
|
||||
|
||||
from keystone.common.ldap import core
|
||||
from keystone.common import utils
|
||||
from keystone import exception
|
||||
from keystone.openstack.common.gettextutils import _
|
||||
from keystone.openstack.common import log
|
||||
|
@ -251,7 +250,7 @@ class FakeLdap(core.LDAPHandler):
|
|||
core.utf8_decode(who))
|
||||
raise ldap.INAPPROPRIATE_AUTH
|
||||
|
||||
if not utils.ldap_check_password(cred, db_password):
|
||||
if cred != db_password:
|
||||
LOG.debug('bind fail: password for who=%s does not match',
|
||||
core.utf8_decode(who))
|
||||
raise ldap.INVALID_CREDENTIALS
|
||||
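Review bot: The replacement bind check `if cred != db_password:` compares the supplied credential and the stored value directly, whereas the removed `utils.ldap_check_password` first UTF-8 encoded the supplied password; if `cred` arrives as bytes while the stored `db_password` is text (the code just above decodes `who` with `core.utf8_decode`, suggesting mixed types are in play), the comparison can never match on Python 3 and every bind would fail. Consider normalising both sides before comparing, e.g. `if core.utf8_decode(cred) != core.utf8_decode(db_password):`, provided `utf8_decode` tolerates already-decoded input — its definition is not visible here. A one-line comment would also document the weakened fake: `# FakeLdap stores and compares passwords in cleartext; a real directory hashes server-side.` The enclosing bind method starts before this hunk.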
|
|
|
@ -253,6 +253,9 @@ class BaseLDAPIdentity(test_backend.IdentityTests):
|
|||
def test_delete_group_with_user_project_domain_links(self):
|
||||
self.skipTest('N/A: LDAP does not support multiple domains')
|
||||
|
||||
def test_password_hashed(self):
|
||||
self.skipTest('N/A: hashing is left up to the LDAP server')
|
||||
|
||||
def test_list_projects_for_user(self):
|
||||
domain = self._get_domain_fixture()
|
||||
user1 = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex,
|
||||
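Review bot: Skipping `test_password_hashed` removes the only coverage of what the LDAP driver does with the password attribute, and the new behaviour — pass the password through untouched so the server hashes it — is left unasserted. A positive test on the fake backend would pin it: create a user through the driver and assert the value FakeLdap stored equals the supplied plaintext, so any reintroduced client-side hashing or accidental truncation is caught. The skip message `'N/A: hashing is left up to the LDAP server'` is clear; a comment naming the replacement test would complete it. `BaseLDAPIdentity` starts before this hunk.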
|
|
|
@ -99,23 +99,6 @@ class UtilsTestCase(tests.TestCase):
|
|||
password_hashed = user_hashed['password']
|
||||
self.assertTrue(utils.check_password(password, password_hashed))
|
||||
|
||||
def test_hash_ldap_user_password_without_password(self):
|
||||
user = self._create_test_user()
|
||||
hashed = utils.hash_ldap_user_password(user)
|
||||
self.assertEqual(user, hashed)
|
||||
|
||||
def test_hash_ldap_user_password_with_null_password(self):
|
||||
user = self._create_test_user(password=None)
|
||||
hashed = utils.hash_ldap_user_password(user)
|
||||
self.assertEqual(user, hashed)
|
||||
|
||||
def test_hash_ldap_user_password_with_empty_password(self):
|
||||
password = ''
|
||||
user = self._create_test_user(password=password)
|
||||
user_hashed = utils.hash_ldap_user_password(user)
|
||||
password_hashed = user_hashed['password']
|
||||
self.assertTrue(utils.ldap_check_password(password, password_hashed))
|
||||
|
||||
def test_hash_edge_cases(self):
|
||||
hashed = utils.hash_password('secret')
|
||||
self.assertFalse(utils.check_password('', hashed))
|
||||
|
|