7852ca24a4
This is the squash of 2 patches related to bcrypt hashing settings. 1. Force algo specific maximum length The bcrypt algorithm that we use for password hashing silently length limits the size of the password that is hashed giving the user a false sense of security [0]. This patch adds a check in the verify_length_and_trunc_password function for the hash in use and updates the max_length accordingly, this will override the configured value and log a warning if the password is truncated. Conflicts: * tox.ini [0]: https://passlib.readthedocs.io/en/stable/lib/passlib.hash.bcrypt.html#security-issues 2. Properly trimm bcrypt hashed passwords bcrypt hashing algorythm has a limitation on length of passwords it can hash on 72 bytes. In [1] a password trimm to 54 symbols has been implemented, which resulted in password being invalidated after the keystone upgrade, since passwords are trimmed differently by bcrypt itself, as well as len(str()) is not always equal to len(str().encode()) as trimming should be done based on bytes and not string itself. With the change we return a byte object from `verify_length_and_trunc_password`, so it does not need to be encoded afterwards, since we need to strip based on bytes rather then on length of the string. [1] https://review.opendev.org/c/openstack/keystone/+/828595 Closes-Bug: #2028809 Related-Bug: #1901891 original change id: Iea95a3c2df041a0046647b3d3dadead1a6d054d1 (cherry picked from commit |
||
---|---|---|
api-ref/source | ||
config-generator | ||
devstack | ||
doc | ||
etc | ||
examples/pki | ||
httpd | ||
keystone | ||
keystone_tempest_plugin | ||
playbooks | ||
rally-jobs | ||
releasenotes | ||
tools | ||
.coveragerc | ||
.gitignore | ||
.gitreview | ||
.mailmap | ||
.stestr.conf | ||
.zuul.yaml | ||
CONTRIBUTING.rst | ||
HACKING.rst | ||
LICENSE | ||
README.rst | ||
babel.cfg | ||
bindep.txt | ||
lower-constraints.txt | ||
reno.yaml | ||
requirements.txt | ||
setup.cfg | ||
setup.py | ||
test-requirements.txt | ||
tox.ini |
README.rst
OpenStack Keystone
OpenStack Keystone provides authentication, authorization and service discovery mechanisms via HTTP primarily for use by projects in the OpenStack family. It is most commonly deployed as an HTTP interface to existing identity systems, such as LDAP.
Developer documentation, the source of which is in
doc/source/
, is published at:
The API reference and documentation are available at:
The canonical client library is available at:
Documentation for cloud administrators is available at:
The source of documentation for cloud administrators is available at:
Information about our team meeting is available at:
Release notes is available at:
Bugs and feature requests are tracked on Launchpad at:
Future design work is tracked at:
Contributors are encouraged to join IRC
(#openstack-keystone
on OFTC):
Source for the project:
For information on contributing to Keystone, see
CONTRIBUTING.rst
.