

[Bug 1484366] [NEW] No way to specify password strength in keystone.

 

Public bug reported:

There is a way to configure a regular expression for passwords in Horizon,
but there is no way to do this in Keystone.

We need a configuration parameter in keystone for the regular expression
and another one for the message to be shown when the password is not
valid.

#regular expression that user passwords must match
password_regex=((?=(.*(\d|[~!@#$%^&*_=+])){2,})(?=.*[a-z])(?=.*[A-Z]).{8,20})
password_regex_message=Password is not strong enough


These then need to be validated in the respective controllers (both v2 and v3);
an example for ./keystone/identity/controllers.py follows:


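@staticmethod
def check_syntax(password):
    """Reject *password* unless it matches the configured policy regex.

    ``CONF.password_regex`` is the policy pattern; when the password does
    not satisfy it, ``exception.ValidationError`` is raised carrying
    ``CONF.password_regex_message``. An empty or unset pattern disables
    the check, so a deployment that configures no policy keeps working
    instead of failing with a TypeError inside ``re``.

    :param password: candidate password (request-supplied string)
    :raises exception.ValidationError: if the password fails the policy
    """
    pattern = CONF.password_regex
    if not pattern:
        return
    # re.match() only anchors at the start of the string: with a pattern
    # such as ``.{8,20}`` a 100-character password would be accepted by
    # matching its first 20 characters.  Wrap the operator's pattern so
    # the whole password has to match (works on Python 2 and 3, unlike
    # re.fullmatch).
    anchored = r'(?:%s)\Z' % pattern
    # NOTE(review): the pattern is operator configuration but is applied to
    # request-supplied input; keep it free of nested quantifiers (which can
    # backtrack catastrophically) or bound the password length before this
    # point.
    if re.match(anchored, password) is None:
        raise exception.ValidationError(CONF.password_regex_message)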
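@staticmethod
def check_pwd_policies(password, name):
    """Apply the password policy to *password* for the user called *name*.

    A ``None`` password is accepted unchanged (no password is being set).
    Otherwise the password is rejected when the user name occurs in it or
    it occurs in the user name, compared case-insensitively so that
    ``Alice`` / ``alice123`` is caught too; the remaining rules are
    delegated to ``check_syntax``.

    :param password: candidate password, or ``None`` when none is being set
    :param name: user name the password will belong to
    :raises exception.ValidationError: if a policy rule is violated
    """
    # None is allowed: nothing is being set (the original author's note
    # was that such an account cannot log in with it).
    if password is None:
        return
    # The empty string is deliberately not short-circuited here: it falls
    # through to check_syntax, where the configured regex decides. An
    # unguarded ``password in name`` would reject "" with the misleading
    # "user name cannot be part of the password" message.
    if password and name:
        pw_lower = password.lower()
        name_lower = name.lower()
        if name_lower in pw_lower or pw_lower in name_lower:
            raise exception.ValidationError("Password not strong enough: user name cannot be part of the password")
    User.check_syntax(password)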


@controller.protected()
def create_user(self, context, user):
    """Create a user (v3), enforcing the password policy if a password is given.

    The user name is mandatory. When the request carries a non-None
    password it is checked against the policy together with that name
    before the record is normalized and handed to the identity manager,
    which assigns the user ID.
    """
    self._require_attribute(user, 'name')

    password = user.get('password')
    if password is not None:
        User.check_pwd_policies(password, user['name'])

    # Normalize the request body; the manager layer generates the ID.
    ref = self._normalize_domain_id(context, self._normalize_dict(user))
    created = self.identity_api.create_user(ref)
    return UserV3.wrap_member(context, created)

def _update_user(self, context, user_id, user):
    """Update a user (v3), applying the password policy when the password changes.

    If ``password`` is part of the update, the name it is checked against
    is the one in the request when present (the name being set), otherwise
    the name currently stored in the backend.
    NOTE(review): on a rename the new password is compared only with the
    new name, not the previous one.
    """
    if 'password' in user:
        if 'name' in user:
            name = user['name']
        else:
            # Name is not being changed: take the persisted one.
            name = self.identity_api.get_user(user_id)['name']
        User.check_pwd_policies(user['password'], name)

    self._require_matching_id(user_id, user)
    self._require_matching_domain_id(
        user_id, user, self.identity_api.get_user)
    updated = self.identity_api.update_user(user_id, user)
    return UserV3.wrap_member(context, updated)


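@controller.protected()
def change_password(self, context, user_id, user):
    """Change a user's password (v3).

    ``original_password`` and ``password`` are both required. The new
    password is checked against the policy using the user name stored in
    the backend, never a ``name`` taken from the request body: this call
    does not persist a name, so a body-supplied value is unverified and
    would let the caller choose what the "user name cannot be part of the
    password" rule compares against. An AssertionError raised by the
    manager's ``change_password`` is translated to ``Unauthorized``
    (presumably the wrong-original-password case).

    :raises exception.ValidationError: a required field is missing or the
        new password violates the policy
    :raises exception.Unauthorized: the manager rejected the change
    """
    original_password = user.get('original_password')
    if original_password is None:
        raise exception.ValidationError(target='user',
                                        attribute='original_password')

    password = user.get('password')
    if password is None:
        raise exception.ValidationError(target='user',
                                        attribute='password')

    # Always resolve the name from the backend; the request body is not a
    # trusted source for an attribute this endpoint does not update.
    name = self.identity_api.get_user(user_id)['name']
    User.check_pwd_policies(password, name)

    try:
        self.identity_api.change_password(
            context, user_id, original_password, password)
    except AssertionError:
        raise exception.Unauthorized()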

** Affects: keystone
     Importance: Undecided
         Status: New

** Project changed: bagpipe-l2 => keystone

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1484366

Title:
  No way to specify password strength in keystone.

Status in Keystone:
  New

Bug description:
  There is a way to configure a regular expression for passwords in Horizon,
  but there is no way to do this in Keystone.

  We need a configuration parameter in keystone for the regular
  expression and another one for the message to be shown when the
  password is not valid.

  #regular expression that user passwords must match
  password_regex=((?=(.*(\d|[~!@#$%^&*_=+])){2,})(?=.*[a-z])(?=.*[A-Z]).{8,20})
  password_regex_message=Password is not strong enough

  
  These then need to be validated in the respective controllers (both v2 and v3);
  an example for ./keystone/identity/controllers.py follows:

  
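  @staticmethod
  def check_syntax(password):
      """Reject *password* unless it matches the configured policy regex.

      ``CONF.password_regex`` is the policy pattern; when the password does
      not satisfy it, ``exception.ValidationError`` is raised carrying
      ``CONF.password_regex_message``. An empty or unset pattern disables
      the check, so a deployment that configures no policy keeps working
      instead of failing with a TypeError inside ``re``.

      :param password: candidate password (request-supplied string)
      :raises exception.ValidationError: if the password fails the policy
      """
      pattern = CONF.password_regex
      if not pattern:
          return
      # re.match() only anchors at the start of the string: with a pattern
      # such as ``.{8,20}`` a 100-character password would be accepted by
      # matching its first 20 characters.  Wrap the operator's pattern so
      # the whole password has to match (works on Python 2 and 3, unlike
      # re.fullmatch).
      anchored = r'(?:%s)\Z' % pattern
      # NOTE(review): the pattern is operator configuration but is applied to
      # request-supplied input; keep it free of nested quantifiers (which can
      # backtrack catastrophically) or bound the password length before this
      # point.
      if re.match(anchored, password) is None:
          raise exception.ValidationError(CONF.password_regex_message)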
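  @staticmethod
  def check_pwd_policies(password, name):
      """Apply the password policy to *password* for the user called *name*.

      A ``None`` password is accepted unchanged (no password is being set).
      Otherwise the password is rejected when the user name occurs in it or
      it occurs in the user name, compared case-insensitively so that
      ``Alice`` / ``alice123`` is caught too; the remaining rules are
      delegated to ``check_syntax``.

      :param password: candidate password, or ``None`` when none is being set
      :param name: user name the password will belong to
      :raises exception.ValidationError: if a policy rule is violated
      """
      # None is allowed: nothing is being set (the original author's note
      # was that such an account cannot log in with it).
      if password is None:
          return
      # The empty string is deliberately not short-circuited here: it falls
      # through to check_syntax, where the configured regex decides. An
      # unguarded ``password in name`` would reject "" with the misleading
      # "user name cannot be part of the password" message.
      if password and name:
          pw_lower = password.lower()
          name_lower = name.lower()
          if name_lower in pw_lower or pw_lower in name_lower:
              raise exception.ValidationError("Password not strong enough: user name cannot be part of the password")
      User.check_syntax(password)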


  
  @controller.protected()
  def create_user(self, context, user):
      """Create a user (v3), enforcing the password policy if a password is given.

      The user name is mandatory. When the request carries a non-None
      password it is checked against the policy together with that name
      before the record is normalized and handed to the identity manager,
      which assigns the user ID.
      """
      self._require_attribute(user, 'name')

      password = user.get('password')
      if password is not None:
          User.check_pwd_policies(password, user['name'])

      # Normalize the request body; the manager layer generates the ID.
      ref = self._normalize_domain_id(context, self._normalize_dict(user))
      created = self.identity_api.create_user(ref)
      return UserV3.wrap_member(context, created)

  def _update_user(self, context, user_id, user):
      """Update a user (v3), applying the password policy when the password changes.

      If ``password`` is part of the update, the name it is checked against
      is the one in the request when present (the name being set), otherwise
      the name currently stored in the backend.
      NOTE(review): on a rename the new password is compared only with the
      new name, not the previous one.
      """
      if 'password' in user:
          if 'name' in user:
              name = user['name']
          else:
              # Name is not being changed: take the persisted one.
              name = self.identity_api.get_user(user_id)['name']
          User.check_pwd_policies(user['password'], name)

      self._require_matching_id(user_id, user)
      self._require_matching_domain_id(
          user_id, user, self.identity_api.get_user)
      updated = self.identity_api.update_user(user_id, user)
      return UserV3.wrap_member(context, updated)

  
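  @controller.protected()
  def change_password(self, context, user_id, user):
      """Change a user's password (v3).

      ``original_password`` and ``password`` are both required. The new
      password is checked against the policy using the user name stored in
      the backend, never a ``name`` taken from the request body: this call
      does not persist a name, so a body-supplied value is unverified and
      would let the caller choose what the "user name cannot be part of the
      password" rule compares against. An AssertionError raised by the
      manager's ``change_password`` is translated to ``Unauthorized``
      (presumably the wrong-original-password case).

      :raises exception.ValidationError: a required field is missing or the
          new password violates the policy
      :raises exception.Unauthorized: the manager rejected the change
      """
      original_password = user.get('original_password')
      if original_password is None:
          raise exception.ValidationError(target='user',
                                          attribute='original_password')

      password = user.get('password')
      if password is None:
          raise exception.ValidationError(target='user',
                                          attribute='password')

      # Always resolve the name from the backend; the request body is not a
      # trusted source for an attribute this endpoint does not update.
      name = self.identity_api.get_user(user_id)['name']
      User.check_pwd_policies(password, name)

      try:
          self.identity_api.change_password(
              context, user_id, original_password, password)
      except AssertionError:
          raise exception.Unauthorized()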

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1484366/+subscriptions

