Remove LDAP password hashing code

Keystone should not be hashing passwords for LDAP users
itself.  Password hashing should be performed by the LDAP
server, as password policies may not allow pre-hashed
passwords to be set (they may enforce a scheme that is
stronger than salted SHA-1).

This removes the LDAP password hashing code.  When using
fakeldap for running unit tests, passwords will not be
hashed.  For this reason, the hashing tests are skipped
for LDAP backends.

Closes-bug: 1308793
Change-Id: Ia0998b7fd8fb5d01b86a947d18b7e79fcffd1228
Nathan Kinder 2014-04-16 16:21:25 -07:00
parent 0473e5ab75
commit c94d19b486
5 changed files with 4 additions and 44 deletions


@ -113,15 +113,6 @@ def hash_user_password(user):
return dict(user, password=hash_password(password))
def hash_ldap_user_password(user):
"""Hash a user dict's password without modifying the passed-in dict."""
password = user.get('password')
if password is None:
return user
return dict(user, password=ldap_hash_password(password))
def hash_password(password):
"""Hash a password. Hard."""
password_utf8 = trunc_password(password).encode('utf-8')
@ -129,20 +120,6 @@ def hash_password(password):
password_utf8, rounds=CONF.crypt_strength)
def ldap_hash_password(password):
"""Hash a password. Hard."""
password_utf8 = trunc_password(password).encode('utf-8')
h = passlib.hash.ldap_salted_sha1.encrypt(password_utf8)
return h
def ldap_check_password(password, hashed):
if password is None:
return False
password_utf8 = trunc_password(password).encode('utf-8')
return passlib.hash.ldap_salted_sha1.verify(password_utf8, hashed)
def check_password(password, hashed):
"""Check that a plaintext password matches hashed.


@ -99,7 +99,6 @@ class Identity(identity.Driver):
if 'name' in user and old_obj.get('name') != user['name']:
raise exception.Conflict(_('Cannot change user name'))
user = utils.hash_ldap_user_password(user)
if self.user.enabled_mask:
self.user.mask_enabled_attribute(user)
self.user.update(user_id, user, old_obj)
@ -224,7 +223,6 @@ class UserApi(common_ldap.EnabledEmuMixIn, common_ldap.BaseLdap):
del values['enabled_nomask']
def create(self, values):
values = utils.hash_ldap_user_password(values)
if self.enabled_mask:
orig_enabled = values['enabled']
self.mask_enabled_attribute(values)
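Review bot: With the hashing call removed, `self.user.update(user_id, user, old_obj)` and the `create` path below now hand the cleartext password to the LDAP server, so its confidentiality depends entirely on the transport and on the server's own hashing configuration, and nothing in this hunk records that new requirement. A short comment above the `self.user.update(...)` call such as `# Password is sent in the clear; the LDAP server is expected to hash it, so this connection must use TLS/ldaps.` would make it visible to operators and future maintainers. It may also be worth stating in the LDAP driver documentation that a server which stores userPassword verbatim (no password-policy hashing) will now hold cleartext; I cannot see from this hunk whether such documentation exists. Both `update` and `UserApi.create` start and end outside the hunk.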


@ -30,7 +30,6 @@ import six
from six import moves
from keystone.common.ldap import core
from keystone.common import utils
from keystone import exception
from keystone.openstack.common.gettextutils import _
from keystone.openstack.common import log
@ -251,7 +250,7 @@ class FakeLdap(core.LDAPHandler):
core.utf8_decode(who))
raise ldap.INAPPROPRIATE_AUTH
if not utils.ldap_check_password(cred, db_password):
if cred != db_password:
LOG.debug('bind fail: password for who=%s does not match',
core.utf8_decode(who))
raise ldap.INVALID_CREDENTIALS
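Review bot: The replacement `if cred != db_password:` compares the bind credential against the stored value with plain `!=`, whereas the removed `ldap_check_password` first UTF-8 encoded the candidate before verifying; if `cred` and `db_password` can arrive with different types (bytes on one side, unicode on the other — the surrounding `core.utf8_decode(who)` calls suggest mixed encodings do occur here), the comparison may fail where the old one succeeded. Normalising both sides, e.g. `if core.utf8_decode(cred) != core.utf8_decode(db_password):`, would keep the fake independent of how the caller encodes the password, assuming `utf8_decode` accepts already-decoded input. A non-constant-time comparison is acceptable here since FakeLdap is test-only. The enclosing bind method starts outside the hunk.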


@ -253,6 +253,9 @@ class BaseLDAPIdentity(test_backend.IdentityTests):
def test_delete_group_with_user_project_domain_links(self):
self.skipTest('N/A: LDAP does not support multiple domains')
def test_password_hashed(self):
self.skipTest('N/A: hashing is left up to the LDAP server')
def test_list_projects_for_user(self):
domain = self._get_domain_fixture()
user1 = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex,
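Review bot: Skipping `test_password_hashed` with the message on the new line removes the only assertion about how the password leaves Keystone for LDAP backends, so a later change that reintroduces client-side hashing (or double-hashes) would go unnoticed. Since FakeLdap now stores the value it receives verbatim, a replacement test could create a user and assert that the value recorded in the fake equals the plaintext, or at least that authenticating with the original password succeeds and with a pre-hashed form fails. If an existing authenticate test already covers that round trip, the skip message could name it so the coverage is traceable; I cannot see the rest of the test class from this hunk.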


@ -99,23 +99,6 @@ class UtilsTestCase(tests.TestCase):
password_hashed = user_hashed['password']
self.assertTrue(utils.check_password(password, password_hashed))
def test_hash_ldap_user_password_without_password(self):
user = self._create_test_user()
hashed = utils.hash_ldap_user_password(user)
self.assertEqual(user, hashed)
def test_hash_ldap_user_password_with_null_password(self):
user = self._create_test_user(password=None)
hashed = utils.hash_ldap_user_password(user)
self.assertEqual(user, hashed)
def test_hash_ldap_user_password_with_empty_password(self):
password = ''
user = self._create_test_user(password=password)
user_hashed = utils.hash_ldap_user_password(user)
password_hashed = user_hashed['password']
self.assertTrue(utils.ldap_check_password(password, password_hashed))
def test_hash_edge_cases(self):
hashed = utils.hash_password('secret')
self.assertFalse(utils.check_password('', hashed))