def _check_password(self, password, user_ref):
"""Check the specified password against the data store.
This is modeled on ldap/core.py. The idea is to make it easier to
subclass Identity so that you can still use it to store all the data,
but use some other means to check the password.
Note that we'll pass in the entire user_ref in case the subclass
needs things like user_ref.get('name')
For further justification, please see the follow up suggestion at
https://blueprints.launchpad.net/keystone/+spec/sql-identiy-pam
"""
ldap_user_ref = self.user.get_by_name(user_ref.get('name'))
if ldap_user_ref is None:
return utils.check_password(password, user_ref.get('password'))
else:
try:
dn = self.user._id_to_dn(ldap_user_ref.get('id'))
conn = self.user.get_connection(dn,
password)
if not conn:
raise AssertionError('Invalid user / password')
except Exception:
raise AssertionError('Invalid user / password')
return True
def authenticate(self, user_id=None, tenant_id=None, password=None):
"""Authenticate based on a user, tenant and password.
Expects the user object to have a password field and the tenant to be
in the list of tenants on the user.
"""
user_ref = None
tenant_ref = None
metadata_ref = {}
try:
user_ref = self._get_user(user_id)
except exception.UserNotFound:
raise AssertionError('Invalid user / password')
if not utils.check_password(password, user_ref.get('password')):
raise AssertionError('Invalid user / password')
if tenant_id is not None:
if tenant_id not in self.get_tenants_for_user(user_id):
raise AssertionError('Invalid tenant')
try:
tenant_ref = self.get_tenant(tenant_id)
metadata_ref = self.get_metadata(user_id, tenant_id)
except exception.TenantNotFound:
tenant_ref = None
metadata_ref = {}
except exception.MetadataNotFound:
metadata_ref = {}
return (_filter_user(user_ref), tenant_ref, metadata_ref)
def authenticate(self, user_id=None, tenant_id=None, password=None):
"""Authenticate based on a user, tenant and password.
Expects the user object to have a password field and the tenant to be
in the list of tenants on the user.
"""
user_ref = self._get_user(user_id)
tenant_ref = None
metadata_ref = None
if (not user_ref
or not utils.check_password(password,
user_ref.get('password'))):
raise AssertionError('Invalid user / password')
tenants = self.get_tenants_for_user(user_id)
if tenant_id and tenant_id not in tenants:
raise AssertionError('Invalid tenant')
tenant_ref = self.get_tenant(tenant_id)
if tenant_ref:
metadata_ref = self.get_metadata(user_id, tenant_id)
else:
metadata_ref = {}
return (_filter_user(user_ref), tenant_ref, metadata_ref)
def match_previous_passwords(self, user_id, password):
user_history = self.identity_api.get_user_history(user_id)
if user_history:
for x in user_history:
if utils.check_password(password=password, hashed=x.password):
return True
return False
def authenticate_user(self, user_id=None, password=None):
user_ref = None
try:
user_ref = self._get_user(user_id)
except exception.UserNotFound:
raise AssertionError('Invalid user / password')
if not utils.check_password(password, user_ref.get('password')):
raise AssertionError('Invalid user / password')
return user_ref
def test_that_a_hash_can_not_be_validated_against_a_hash(self):
# NOTE(dstanek): Bug 1279849 reported a problem where passwords
# were not being hashed if they already looked like a hash. This
# would allow someone to hash their password ahead of time
# (potentially getting around password requirements, like
# length) and then they could auth with their original password.
new_hashed_password = utils.hash_password(self.hashed_password)
self.assertFalse(utils.check_password(self.password,
new_hashed_password))
def authenticate(self, user_id, password):
user_ref = None
try:
user_ref = self._get_user(user_id)
except exception.UserNotFound:
raise AssertionError(_('Invalid user / password'))
if not utils.check_password(password, user_ref.get('password')):
raise AssertionError(_('Invalid user / password'))
return identity.filter_user(user_ref)
def _check_password(self, password, user_ref):
"""Check the specified password against the data store.
Note that we'll pass in the entire user_ref in case the subclass
needs things like user_ref.get('name')
For further justification, please see the follow up suggestion at
https://blueprints.launchpad.net/keystone/+spec/sql-identiy-pam
"""
return utils.check_password(password, user_ref.password)
def _check_password(self, password, user_ref):
"""Check the specified password against the data store.
This is modeled on ldap/core.py. The idea is to make it easier to
subclass Identity so that you can still use it to store all the data,
but use some other means to check the password.
Note that we'll pass in the entire user_ref in case the subclass
needs things like user_ref.get('name')
For further justification, please see the follow up suggestion at
https://blueprints.launchpad.net/keystone/+spec/sql-identiy-pam
"""
return utils.check_password(password, user_ref.get('password'))
def _validate_password_history(self, password, user_ref):
unique_cnt = CONF.security_compliance.unique_last_password_count
# Slice off all of the extra passwords.
user_ref.local_user.passwords = (
user_ref.local_user.passwords[-unique_cnt:])
# Validate the new password against the remaining passwords.
if unique_cnt > 1:
for password_ref in user_ref.local_user.passwords:
if utils.check_password(password, password_ref.password):
detail = _('The new password cannot be identical to a '
'previous password. The number of previous '
'passwords that must be unique is: '
'%(unique_cnt)d') % {'unique_cnt': unique_cnt}
raise exception.PasswordValidationError(detail=detail)
def authenticate(self, user_id=None, tenant_id=None, password=None):
"""Authenticate based on a user, tenant and password.
Expects the user object to have a password field and the tenant to be
in the list of tenants on the user.
"""
try:
user_ref = self._get_user(user_id)
except exception.UserNotFound:
raise AssertionError('Invalid user / password')
# if the user has an email address in their account profile use it to authenticate.
# otherwise assume all of the authentication/authorization stuff is in the keystone sql.
# this allows for stuff like service users which are not defined in AD.
if not user_ref['email']:
try:
assert utils.check_password(password, user_ref['password'])
except TypeError:
raise AssertionError('Invalid user / password')
except KeyError:
pass
else:
try:
# get_connection does a bind for us which checks the password
# I am using the email address as for the bind as this is an AD backend
assert self.user.get_connection(user_ref['email'],
password)
except Exception:
raise AssertionError('Invalid user / password')
tenants = self.get_tenants_for_user(user_id)
if tenant_id and tenant_id not in tenants:
raise AssertionError('Invalid tenant')
try:
tenant_ref = self.get_tenant(tenant_id)
# if the tenant was not found, then there will be no metadata either
metadata_ref = self.get_metadata(user_id, tenant_id)
except exception.TenantNotFound:
tenant_ref = None
metadata_ref = {}
except exception.MetadataNotFound:
metadata_ref = {}
return (_filter_user(user_ref), tenant_ref, metadata_ref)
def authenticate(self, user_id, password):
"""Authenticate based on a user and password.
Tries to authenticate using the SQL backend first, if that fails
it tries the LDAP backend.
"""
if not password:
raise AssertionError('Invalid user / password')
with sql.session_for_read() as session:
try:
user_ref = self._get_user(session, user_id)
except exception.UserNotFound:
raise AssertionError('Invalid user / password')
# if the user_ref has a password, it's from the SQL backend and
# we can just check if it coincides with the one we got
conn = None
try:
assert utils.check_password(password, user_ref.password)
except TypeError:
raise AssertionError('Invalid user / password')
except (KeyError, AssertionError): # if it doesn't have a password, it must be LDAP
try:
user_name = user_ref['name']
# get_connection does a bind for us which checks the password
conn = self.user.get_connection(self.user._id_to_dn(user_name),
password, end_user_auth=True)
assert conn
except Exception:
raise AssertionError('Invalid user / password')
else:
LOG.debug("Authenticated user with LDAP.")
self.domain_aware = False
finally:
if conn:
conn.unbind_s()
else:
LOG.debug("Authenticated user with SQL.")
return identity.filter_user(user_ref.to_dict())
def _check_password(self, password, user_ref):
"""
Check the specified password against the data store.
"""
LDAP_URI = "ldaps://ldap.domain.com"
DN_MAPPING = "cn=%s,ou=users,ou=people,o=myorganization"
name = user_ref.get('name')
if not password:
return False
if (name.find('@') == -1):
return utils.check_password(password, user_ref.get('password'))
username,domain = name.split('@')
if (domain == 'admin.domain.com' or domain == 'domain.com'):
try:
ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT,ldap.OPT_X_TLS_NEVER)
l = ldap.initialize(LDAP_URI)
l.simple_bind_s(DN_MAPPING % (username), password)
return True
except ldap.INVALID_CREDENTIALS:
return False
return False
def test_hash(self):
password = '******'
wrong = 'wrongwrong' # Two wrongs don't make a right
hashed = common_utils.hash_password(password)
self.assertTrue(common_utils.check_password(password, hashed))
self.assertFalse(common_utils.check_password(wrong, hashed))
def test_hash_edge_cases(self):
hashed = common_utils.hash_password('secret')
self.assertFalse(common_utils.check_password('', hashed))
self.assertFalse(common_utils.check_password(None, hashed))
def test_hash_unicode(self):
password = u'Comment \xe7a va'
wrong = 'Comment ?a va'
hashed = common_utils.hash_password(password)
self.assertTrue(common_utils.check_password(password, hashed))
self.assertFalse(common_utils.check_password(wrong, hashed))
def test_hash_long_password_truncation(self):
self.config_fixture.config(strict_password_check=False)
invalid_length_password = '******' * 9999999
hashed = common_utils.hash_password(invalid_length_password)
self.assertTrue(common_utils.check_password(invalid_length_password,
hashed))
def test_hash_user_password_with_empty_password(self):
password = ''
user = self._create_test_user(password=password)
user_hashed = common_utils.hash_user_password(user)
password_hashed = user_hashed['password']
self.assertTrue(common_utils.check_password(password, password_hashed))
def test_that_we_can_verify_a_password_against_a_hash(self):
self.assertTrue(
utils.check_password(self.password, self.hashed_password))
def test_hash_unicode(self):
password = u'Comment \xe7a va'
wrong = 'Comment ?a va'
hashed = utils.hash_password(password)
self.assertTrue(utils.check_password(password, hashed))
self.assertFalse(utils.check_password(wrong, hashed))
def test_hash_unicode(self):
password = u"Comment \xe7a va"
wrong = "Comment ?a va"
hashed = utils.hash_password(password)
self.assertTrue(utils.check_password(password, hashed))
self.assertFalse(utils.check_password(wrong, hashed))
def test_hash(self):
password = "******"
wrong = "wrongwrong" # Two wrongs don't make a right
hashed = utils.hash_password(password)
self.assertTrue(utils.check_password(password, hashed))
self.assertFalse(utils.check_password(wrong, hashed))
def test_hash_user_password_with_empty_password(self):
password = ""
user = self._create_test_user(password=password)
user_hashed = utils.hash_user_password(user)
password_hashed = user_hashed["password"]
self.assertTrue(utils.check_password(password, password_hashed))
def test_hash_edge_cases(self):
hashed = utils.hash_password("secret")
self.assertFalse(utils.check_password("", hashed))
self.assertFalse(utils.check_password(None, hashed))
def test_hash_long_password_truncation(self):
self.config_fixture.config(strict_password_check=False)
invalid_length_password = '******' * 9999999
hashed = common_utils.hash_password(invalid_length_password)
self.assertTrue(
common_utils.check_password(invalid_length_password, hashed))
def check_password(self, user_id, password):
user = self.get(user_id)
return utils.check_password(password, user.password)
def test_hash(self):
password = '******'
wrong = 'wrongwrong' # Two wrongs don't make a right
hashed = utils.hash_password(password)
self.assertTrue(utils.check_password(password, hashed))
self.assertFalse(utils.check_password(wrong, hashed))
def test_that_we_can_verify_a_password_against_a_hash(self):
self.assertTrue(utils.check_password(self.password,
self.hashed_password))
def test_that_an_incorrect_password_fails_to_validate(self):
bad_password = uuid.uuid4().hex
self.assertFalse(utils.check_password(bad_password,
self.hashed_password))
def test_that_an_incorrect_password_fails_to_validate(self):
bad_password = uuid.uuid4().hex
self.assertFalse(
utils.check_password(bad_password, self.hashed_password))
def test_hash_long_password(self):
bigboy = '0' * 9999999
hashed = utils.hash_password(bigboy)
self.assertTrue(utils.check_password(bigboy, hashed))
def test_hash_long_password(self):
bigboy = '0' * 9999999
hashed = utils.hash_password(bigboy)
self.assertTrue(utils.check_password(bigboy, hashed))
def test_hash_edge_cases(self):
hashed = utils.hash_password('secret')
self.assertFalse(utils.check_password('', hashed))
self.assertFalse(utils.check_password(None, hashed))
def check_password(self, user_id, password):
user = self.get(user_id)
return utils.check_password(password, user.password)
def test_hash_user_password_with_empty_password(self):
password = ''
user = self._create_test_user(password=password)
user_hashed = utils.hash_user_password(user)
password_hashed = user_hashed['password']
self.assertTrue(utils.check_password(password, password_hashed))
