Example #1
0
    def _check_password(self, password, user_ref):
        """Check the specified password against the data store.

        This is modeled on ldap/core.py.  The idea is to make it easier to
        subclass Identity so that you can still use it to store all the data,
        but use some other means to check the password.
        Note that we'll pass in the entire user_ref in case the subclass
        needs things like user_ref.get('name')
        For further justification, please see the follow up suggestion at
        https://blueprints.launchpad.net/keystone/+spec/sql-identiy-pam

        """
        ldap_user_ref = self.user.get_by_name(user_ref.get('name'))

        if ldap_user_ref is None:
           return utils.check_password(password, user_ref.get('password'))
        else:
            try:
                dn = self.user._id_to_dn(ldap_user_ref.get('id'))
                conn = self.user.get_connection(dn,
                                                password)
                if not conn:
                    raise AssertionError('Invalid user / password')
            except Exception:
                raise AssertionError('Invalid user / password')

        return True
Example #2
0
    def authenticate(self, user_id=None, tenant_id=None, password=None):
        """Authenticate based on a user, tenant and password.

        Expects the user object to have a password field and the tenant to be
        in the list of tenants on the user.

        """
        user_ref = None
        tenant_ref = None
        metadata_ref = {}

        try:
            user_ref = self._get_user(user_id)
        except exception.UserNotFound:
            raise AssertionError('Invalid user / password')

        if not utils.check_password(password, user_ref.get('password')):
            raise AssertionError('Invalid user / password')

        if tenant_id is not None:
            if tenant_id not in self.get_tenants_for_user(user_id):
                raise AssertionError('Invalid tenant')

            try:
                tenant_ref = self.get_tenant(tenant_id)
                metadata_ref = self.get_metadata(user_id, tenant_id)
            except exception.TenantNotFound:
                tenant_ref = None
                metadata_ref = {}
            except exception.MetadataNotFound:
                metadata_ref = {}

        return (_filter_user(user_ref), tenant_ref, metadata_ref)
Example #3
0
    def authenticate(self, user_id=None, tenant_id=None, password=None):
        """Authenticate based on a user, tenant and password.

        Expects the user object to have a password field and the tenant to be
        in the list of tenants on the user.

        """
        user_ref = self._get_user(user_id)
        tenant_ref = None
        metadata_ref = None
        if (not user_ref
                or not utils.check_password(password,
                                            user_ref.get('password'))):
            raise AssertionError('Invalid user / password')

        tenants = self.get_tenants_for_user(user_id)
        if tenant_id and tenant_id not in tenants:
            raise AssertionError('Invalid tenant')

        tenant_ref = self.get_tenant(tenant_id)
        if tenant_ref:
            metadata_ref = self.get_metadata(user_id, tenant_id)
        else:
            metadata_ref = {}
        return (_filter_user(user_ref), tenant_ref, metadata_ref)
Example #4
0
    def match_previous_passwords(self, user_id, password):
        user_history = self.identity_api.get_user_history(user_id)
        if user_history:
            for x in user_history:
                if utils.check_password(password=password, hashed=x.password):
                    return True

        return False
Example #5
0
 def authenticate_user(self, user_id=None, password=None):
     user_ref = None
     try:
         user_ref = self._get_user(user_id)
     except exception.UserNotFound:
         raise AssertionError('Invalid user / password')
     if not utils.check_password(password, user_ref.get('password')):
         raise AssertionError('Invalid user / password')
     return user_ref
 def test_that_a_hash_can_not_be_validated_against_a_hash(self):
     # NOTE(dstanek): Bug 1279849 reported a problem where passwords
     # were not being hashed if they already looked like a hash. This
     # would allow someone to hash their password ahead of time
     # (potentially getting around password requirements, like
     # length) and then they could auth with their original password.
     new_hashed_password = utils.hash_password(self.hashed_password)
     self.assertFalse(utils.check_password(self.password,
                                           new_hashed_password))
Example #7
0
 def authenticate(self, user_id, password):
     user_ref = None
     try:
         user_ref = self._get_user(user_id)
     except exception.UserNotFound:
         raise AssertionError(_('Invalid user / password'))
     if not utils.check_password(password, user_ref.get('password')):
         raise AssertionError(_('Invalid user / password'))
     return identity.filter_user(user_ref)
Example #8
0
    def _check_password(self, password, user_ref):
        """Check the specified password against the data store.

        Note that we'll pass in the entire user_ref in case the subclass
        needs things like user_ref.get('name')
        For further justification, please see the follow up suggestion at
        https://blueprints.launchpad.net/keystone/+spec/sql-identiy-pam

        """
        return utils.check_password(password, user_ref.password)
Example #9
0
    def _check_password(self, password, user_ref):
        """Check the specified password against the data store.

        This is modeled on ldap/core.py.  The idea is to make it easier to
        subclass Identity so that you can still use it to store all the data,
        but use some other means to check the password.
        Note that we'll pass in the entire user_ref in case the subclass
        needs things like user_ref.get('name')
        For further justification, please see the follow up suggestion at
        https://blueprints.launchpad.net/keystone/+spec/sql-identiy-pam

        """
        return utils.check_password(password, user_ref.get('password'))
Example #10
0
 def _validate_password_history(self, password, user_ref):
     unique_cnt = CONF.security_compliance.unique_last_password_count
     # Slice off all of the extra passwords.
     user_ref.local_user.passwords = (
         user_ref.local_user.passwords[-unique_cnt:])
     # Validate the new password against the remaining passwords.
     if unique_cnt > 1:
         for password_ref in user_ref.local_user.passwords:
             if utils.check_password(password, password_ref.password):
                 detail = _('The new password cannot be identical to a '
                            'previous password. The number of previous '
                            'passwords that must be unique is: '
                            '%(unique_cnt)d') % {'unique_cnt': unique_cnt}
                 raise exception.PasswordValidationError(detail=detail)
    def authenticate(self, user_id=None, tenant_id=None, password=None):
        """Authenticate based on a user, tenant and password.

Expects the user object to have a password field and the tenant to be
in the list of tenants on the user.

"""
        try:
            user_ref = self._get_user(user_id)
        except exception.UserNotFound:
            raise AssertionError('Invalid user / password')
        # if the user has an email address in their account profile use it to authenticate.
        # otherwise assume all of the authentication/authorization stuff is in the keystone sql. 
        # this allows for stuff like service users which are not defined in AD.

        if not user_ref['email']:  
            try:
                assert utils.check_password(password, user_ref['password'])
            
            except TypeError:
                raise AssertionError('Invalid user / password')
            except KeyError:    
                pass
        else:
            try:
                # get_connection does a bind for us which checks the password
                # I am using the email address as for the bind as this is an AD backend
                assert self.user.get_connection(user_ref['email'],
                                                password)
            except Exception:
                raise AssertionError('Invalid user / password')

        tenants = self.get_tenants_for_user(user_id)
        if tenant_id and tenant_id not in tenants:
            raise AssertionError('Invalid tenant')

        try:
            tenant_ref = self.get_tenant(tenant_id)
            # if the tenant was not found, then there will be no metadata either
            metadata_ref = self.get_metadata(user_id, tenant_id)
        except exception.TenantNotFound:
            tenant_ref = None
            metadata_ref = {}
        except exception.MetadataNotFound:
            metadata_ref = {}

        return (_filter_user(user_ref), tenant_ref, metadata_ref)
    def authenticate(self, user_id, password):
        """Authenticate based on a user and password.

        Tries to authenticate using the SQL backend first, if that fails
        it tries the LDAP backend.

        """
        if not password:
            raise AssertionError('Invalid user / password')
        with sql.session_for_read() as session:
            try:
                user_ref = self._get_user(session, user_id)
            except exception.UserNotFound:
                raise AssertionError('Invalid user / password')

            # if the user_ref has a password, it's from the SQL backend and
            # we can just check if it coincides with the one we got
            conn = None
            try:
                assert utils.check_password(password, user_ref.password)
            except TypeError:
                raise AssertionError('Invalid user / password')
            except (KeyError, AssertionError):  # if it doesn't have a password, it must be LDAP
                try:
                    user_name = user_ref['name']
                    # get_connection does a bind for us which checks the password
                    conn = self.user.get_connection(self.user._id_to_dn(user_name),
                                                    password, end_user_auth=True)
                    assert conn
                except Exception:
                    raise AssertionError('Invalid user / password')
                else:
                    LOG.debug("Authenticated user with LDAP.")
                    self.domain_aware = False
                finally:
                    if conn:
                        conn.unbind_s()
            else:
                LOG.debug("Authenticated user with SQL.")
            return identity.filter_user(user_ref.to_dict())
Example #13
0
def _check_password(self, password, user_ref):
        """
        Check the specified password against the data store.
        """
        LDAP_URI = "ldaps://ldap.domain.com"
        DN_MAPPING = "cn=%s,ou=users,ou=people,o=myorganization"
        name = user_ref.get('name')
        if not password:
            return False

        if (name.find('@') == -1):
            return utils.check_password(password, user_ref.get('password'))

        username,domain = name.split('@')
        if (domain == 'admin.domain.com' or domain == 'domain.com'):
          try:
             ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT,ldap.OPT_X_TLS_NEVER)
             l = ldap.initialize(LDAP_URI)
             l.simple_bind_s(DN_MAPPING % (username), password)
             return True
          except ldap.INVALID_CREDENTIALS:
             return False
        
        return False
Example #14
0
 def test_hash(self):
     password = '******'
     wrong = 'wrongwrong'  # Two wrongs don't make a right
     hashed = common_utils.hash_password(password)
     self.assertTrue(common_utils.check_password(password, hashed))
     self.assertFalse(common_utils.check_password(wrong, hashed))
Example #15
0
 def test_hash_edge_cases(self):
     hashed = common_utils.hash_password('secret')
     self.assertFalse(common_utils.check_password('', hashed))
     self.assertFalse(common_utils.check_password(None, hashed))
Example #16
0
 def test_hash_unicode(self):
     password = u'Comment \xe7a va'
     wrong = 'Comment ?a va'
     hashed = common_utils.hash_password(password)
     self.assertTrue(common_utils.check_password(password, hashed))
     self.assertFalse(common_utils.check_password(wrong, hashed))
Example #17
0
 def test_hash_long_password_truncation(self):
     self.config_fixture.config(strict_password_check=False)
     invalid_length_password = '******' * 9999999
     hashed = common_utils.hash_password(invalid_length_password)
     self.assertTrue(common_utils.check_password(invalid_length_password,
                                                 hashed))
Example #18
0
 def test_hash_user_password_with_empty_password(self):
     password = ''
     user = self._create_test_user(password=password)
     user_hashed = common_utils.hash_user_password(user)
     password_hashed = user_hashed['password']
     self.assertTrue(common_utils.check_password(password, password_hashed))
Example #19
0
 def test_that_we_can_verify_a_password_against_a_hash(self):
     self.assertTrue(
         utils.check_password(self.password, self.hashed_password))
Example #20
0
 def test_hash_unicode(self):
     password = u'Comment \xe7a va'
     wrong = 'Comment ?a va'
     hashed = utils.hash_password(password)
     self.assertTrue(utils.check_password(password, hashed))
     self.assertFalse(utils.check_password(wrong, hashed))
Example #21
0
 def test_hash_unicode(self):
     password = u"Comment \xe7a va"
     wrong = "Comment ?a va"
     hashed = utils.hash_password(password)
     self.assertTrue(utils.check_password(password, hashed))
     self.assertFalse(utils.check_password(wrong, hashed))
Example #22
0
 def test_hash(self):
     password = "******"
     wrong = "wrongwrong"  # Two wrongs don't make a right
     hashed = utils.hash_password(password)
     self.assertTrue(utils.check_password(password, hashed))
     self.assertFalse(utils.check_password(wrong, hashed))
Example #23
0
 def test_hash_user_password_with_empty_password(self):
     password = ""
     user = self._create_test_user(password=password)
     user_hashed = utils.hash_user_password(user)
     password_hashed = user_hashed["password"]
     self.assertTrue(utils.check_password(password, password_hashed))
Example #24
0
 def test_hash_edge_cases(self):
     hashed = utils.hash_password("secret")
     self.assertFalse(utils.check_password("", hashed))
     self.assertFalse(utils.check_password(None, hashed))
Example #25
0
 def test_hash_long_password_truncation(self):
     self.config_fixture.config(strict_password_check=False)
     invalid_length_password = '******' * 9999999
     hashed = common_utils.hash_password(invalid_length_password)
     self.assertTrue(
         common_utils.check_password(invalid_length_password, hashed))
Example #26
0
 def check_password(self, user_id, password):
     user = self.get(user_id)
     return utils.check_password(password, user.password)
Example #27
0
 def test_hash(self):
     password = '******'
     wrong = 'wrongwrong'  # Two wrongs don't make a right
     hashed = utils.hash_password(password)
     self.assertTrue(utils.check_password(password, hashed))
     self.assertFalse(utils.check_password(wrong, hashed))
 def test_that_we_can_verify_a_password_against_a_hash(self):
     self.assertTrue(utils.check_password(self.password,
                                          self.hashed_password))
 def test_that_an_incorrect_password_fails_to_validate(self):
     bad_password = uuid.uuid4().hex
     self.assertFalse(utils.check_password(bad_password,
                                           self.hashed_password))
Example #30
0
 def test_that_an_incorrect_password_fails_to_validate(self):
     bad_password = uuid.uuid4().hex
     self.assertFalse(
         utils.check_password(bad_password, self.hashed_password))
Example #31
0
 def test_hash_long_password(self):
     bigboy = '0' * 9999999
     hashed = utils.hash_password(bigboy)
     self.assertTrue(utils.check_password(bigboy, hashed))
Example #32
0
 def test_hash_long_password(self):
     bigboy = '0' * 9999999
     hashed = utils.hash_password(bigboy)
     self.assertTrue(utils.check_password(bigboy, hashed))
Example #33
0
 def test_hash_edge_cases(self):
     hashed = utils.hash_password('secret')
     self.assertFalse(utils.check_password('', hashed))
     self.assertFalse(utils.check_password(None, hashed))
Example #34
0
 def check_password(self, user_id, password):
     user = self.get(user_id)
     return utils.check_password(password, user.password)
Example #35
0
 def test_hash_user_password_with_empty_password(self):
     password = ''
     user = self._create_test_user(password=password)
     user_hashed = utils.hash_user_password(user)
     password_hashed = user_hashed['password']
     self.assertTrue(utils.check_password(password, password_hashed))