OpenStack Identity (Keystone)

Go to file

Dave Wilde (d34dh0r53) 7852ca24a4 Force algo specific maximum length & Properly trimm bcrypt hashed passwords This is the squash of 2 patches related to bcrypt hashing settings. 1. Force algo specific maximum length The bcrypt algorithm that we use for password hashing silently length limits the size of the password that is hashed giving the user a false sense of security [0]. This patch adds a check in the verify_length_and_trunc_password function for the hash in use and updates the max_length accordingly, this will override the configured value and log a warning if the password is truncated. Conflicts: * tox.ini [0]: https://passlib.readthedocs.io/en/stable/lib/passlib.hash.bcrypt.html#security-issues 2. Properly trimm bcrypt hashed passwords bcrypt hashing algorythm has a limitation on length of passwords it can hash on 72 bytes. In [1] a password trimm to 54 symbols has been implemented, which resulted in password being invalidated after the keystone upgrade, since passwords are trimmed differently by bcrypt itself, as well as len(str()) is not always equal to len(str().encode()) as trimming should be done based on bytes and not string itself. With the change we return a byte object from `verify_length_and_trunc_password`, so it does not need to be encoded afterwards, since we need to strip based on bytes rather then on length of the string. [1] https://review.opendev.org/c/openstack/keystone/+/828595 Closes-Bug: #2028809 Related-Bug: #1901891 original change id: Iea95a3c2df041a0046647b3d3dadead1a6d054d1 (cherry picked from commit `6730c761d1`) (cherry picked from commit `65f1fb6b4a`) Closes-bug: #1901891 Change-Id: I8d0bb2438b23227b5a66b94af6f8e198084fcd8d (cherry picked from commit `3288af579d`) (cherry picked from commit `1b3536a7a4`)		2023-08-22 15:07:05 +02:00
api-ref/source	Fix response code of 'Revoke Token' in api-ref	2021-11-29 15:02:53 -05:00
config-generator	Move policy generator config to config-generator/	2017-04-21 21:47:32 +00:00
devstack	Merge "Use enforce_new_defaults when setting up keystone protection tests"	2021-02-05 06:45:20 +00:00
doc	Remove the note of training-labs	2022-04-22 15:18:17 +08:00
etc	Remove policy.v3cloudsample.json	2019-10-02 20:26:05 +00:00
examples/pki	Remove support for PKI and PKIz tokens	2016-11-01 22:05:01 +00:00
httpd	Remove admin interface in sample Apache file	2018-03-24 12:56:02 +01:00
keystone	Force algo specific maximum length & Properly trimm bcrypt hashed passwords	2023-08-22 15:07:05 +02:00
keystone_tempest_plugin	Replace git.openstack.org URLs with opendev.org URLs	2019-04-24 11:51:00 +08:00
playbooks	Add FIPS check job	2021-08-04 14:25:06 -04:00
rally-jobs	fix rally docs url	2018-05-21 16:24:51 +08:00
releasenotes	Force algo specific maximum length & Properly trimm bcrypt hashed passwords	2023-08-22 15:07:05 +02:00
tools	sql: Move migrations to 'legacy_migrations'	2022-01-21 13:39:30 +00:00
.coveragerc	Change ignore-errors to ignore_errors	2015-09-21 14:27:58 +00:00
.gitignore	Tell reno to ignore the kilo branch	2020-02-21 13:51:02 -05:00
.gitreview	Update .gitreview for stable/yoga	2022-03-11 11:29:40 +00:00
.mailmap	update mailmap with gyee's new email	2015-11-03 16:12:01 -08:00
.stestr.conf	Migrate to stestr	2017-09-22 11:07:09 -05:00
.zuul.yaml	Move fips job to centos-9	2022-08-09 11:01:36 +00:00
CONTRIBUTING.rst	Use https for docs.openstack.org references	2017-01-30 16:05:08 -08:00
HACKING.rst	Merge "Update links in keystone"	2017-10-06 16:10:56 +00:00
LICENSE	Added Apache 2.0 License information.	2012-02-15 17:48:33 -08:00
README.rst	Moving IRC network reference to OFTC	2021-07-16 13:58:33 +00:00
babel.cfg	setting up babel for i18n work	2012-06-21 18:03:09 -07:00
bindep.txt	Fix bindep.txt for current RPM based distributions	2022-02-21 15:53:33 +01:00
lower-constraints.txt	Explicitly check policy name in policy warning tests	2021-12-16 18:26:00 -06:00
reno.yaml	Tell reno to ignore the kilo branch	2020-02-21 13:51:02 -05:00
requirements.txt	Explicitly check policy name in policy warning tests	2021-12-16 18:26:00 -06:00
setup.cfg	setup.cfg: Replace dashes with underscores	2021-04-26 15:53:22 +08:00
setup.py	Cleanup py27 support	2020-04-08 08:37:30 +02:00
test-requirements.txt	[goal] Migrate testing to ubuntu focal	2020-09-16 15:33:44 -05:00
tox.ini	Force algo specific maximum length & Properly trimm bcrypt hashed passwords	2023-08-22 15:07:05 +02:00

README.rst

OpenStack Keystone

OpenStack Keystone provides authentication, authorization and service discovery mechanisms via HTTP primarily for use by projects in the OpenStack family. It is most commonly deployed as an HTTP interface to existing identity systems, such as LDAP.

Developer documentation, the source of which is in doc/source/, is published at:

https://docs.openstack.org/keystone/latest

The API reference and documentation are available at:

https://docs.openstack.org/api-ref/identity

The canonical client library is available at:

https://opendev.org/openstack/python-keystoneclient

Documentation for cloud administrators is available at:

https://docs.openstack.org/

The source of documentation for cloud administrators is available at:

https://opendev.org/openstack/openstack-manuals

Information about our team meeting is available at:

https://wiki.openstack.org/wiki/Meetings/KeystoneMeeting

Release notes is available at:

https://docs.openstack.org/releasenotes/keystone

Bugs and feature requests are tracked on Launchpad at:

https://bugs.launchpad.net/keystone

Future design work is tracked at:

https://specs.openstack.org/openstack/keystone-specs

Contributors are encouraged to join IRC (#openstack-keystone on OFTC):

https://wiki.openstack.org/wiki/IRC

Source for the project:

https://opendev.org/openstack/keystone

For information on contributing to Keystone, see CONTRIBUTING.rst.