Password reveal feature should be configurable

Horizon has a password reveal eye button which allows the password field to be viewed in plain text. This is a security risk because a malicious user can check the OpenStack password at an unattended computer. Add new DISABLE_PASSWORD_REVEAL setting which is by default, False. DocImpact Change-Id: I21a2eaedbff4c1ee73d97c5674eca43c0258ca1a Closes-Bug: #1400872
2015-01-08 11:39:43 -08:00 · 2015-01-08 11:39:43 -08:00 · afbca3d431
parent a88bdb6643
commit afbca3d431
4 changed files with 20 additions and 3 deletions
--- a/doc/source/topics/settings.rst
+++ b/doc/source/topics/settings.rst
@ -182,6 +182,16 @@ element, do not close the modal after clicking outside of it) and ``"static"``
 (show backdrop element outside the modal, do not close the modal after
 clicking on backdrop).

+``disable_password_reveal``
+---------------------------
+
+.. versionadded:: 2015.1(Kilo)
+
+Default: ``False``
+
+Setting this to True will disable the reveal button for password fields,
+including on the login form.
+
 ``password_validator``
 ----------------------

--- a/horizon/static/horizon/js/horizon.forms.js
+++ b/horizon/static/horizon/js/horizon.forms.js
@ -197,9 +197,11 @@ horizon.addInitFunction(horizon.forms.init = function () {
  horizon.forms.handle_object_upload_source();
  horizon.forms.datepicker();

-  horizon.forms.add_password_fields_reveal_buttons($("body"));
-  horizon.modals.addModalInitFunction(
-    horizon.forms.add_password_fields_reveal_buttons);
+  if (!horizon.conf.disable_password_reveal) {
+    horizon.forms.add_password_fields_reveal_buttons($("body"));
+    horizon.modals.addModalInitFunction(
+      horizon.forms.add_password_fields_reveal_buttons);
+  }

  // Bind event handlers to confirm dangerous actions.
  $("body").on("click", "form button.btn-danger", function (evt) {
--- a/horizon/templates/horizon/_conf.html
+++ b/horizon/templates/horizon/_conf.html
@ -42,6 +42,7 @@ angular.module('hz')
      fade_duration: {{ HORIZON_CONFIG.auto_fade_alerts.fade_duration|default:"1500" }},
      types: {{ HORIZON_CONFIG.auto_fade_alerts.types|default:"[]"|safe }}
    };
+    hzConfig.disable_password_reveal = {{ HORIZON_CONFIG.disable_password_reveal|yesno:"true,false" }};
 }]);

 </script>
--- a/openstack_dashboard/local/local_settings.py.example
+++ b/openstack_dashboard/local/local_settings.py.example
@ -82,6 +82,10 @@ HORIZON_CONFIG = {
 # the database creation workflow if so desired.
 # HORIZON_CONFIG["password_autocomplete"] = "off"

+# Setting this to True will disable the reveal button for password fields,
+# including on the login form.
+# HORIZON_CONFIG["disable_password_reveal"] = False
+
 LOCAL_PATH = os.path.dirname(os.path.abspath(__file__))

 # Set custom secret key: