yahoo-eng-team team mailing list archive
-
yahoo-eng-team team
-
Mailing list archive
-
Message #36826
[Bug 1484366] [NEW] No way to specify password strength in keystone.
Public bug reported:
There is a way to set the regular expression for horizon for a
password, but there is no way to do this in keystone.
We need a configuration parameter in keystone for the regular expression
and another one for the message to be shown when the password is not
valid.
#password regularexpression for user password
password_regex=((?=(.*(\d|[~!@#$%^&*_=+])){2,})(?=.*[a-z])(?=.*[A-Z]).{8,20})
password_regex_message=Password is not strong enough
These then need to be validated in the respective controllers (both v2 and v3)
example in ./keystone/identity/controllers.py
209 @staticmethod
210 def check_syntax(password):
211 a = re.match(CONF.password_regex, password)
212 if not a:
213 raise exception.ValidationError(CONF.password_regex_message)
214
215 @staticmethod
216 def check_pwd_policies(password, name):
217
218 #if passsword is empty allow it,
219 #since empty password wont allow user to login
220 if password is None:
221 return
222 if name in password or password in name:
223 raise exception.ValidationError("Password not strong enough: user name cannot be part of the password")
224 User.check_syntax(password)
225
243 @controller.protected()
244 def create_user(self, context, user):
245 self._require_attribute(user, 'name')
246
247 if user.get('password') is not None:
248 User.check_pwd_policies(user['password'], user['name'])
249 # The manager layer will generate the unique ID for users
250 ref = self._normalize_dict(user)
251 ref = self._normalize_domain_id(context, ref)
252 ref = self.identity_api.create_user(ref)
253 return UserV3.wrap_member(context, ref)
254
276 def _update_user(self, context, user_id, user):
277
278 #if password is being changed
279 #then check if name is not part of password
280 if 'password' in user:
281 #if name is not present then get it from the backend
282 if 'name' not in user:
283 old_user_ref = self.identity_api.get_user(user_id)
284 name = old_user_ref['name']
285 else:
286 name = user['name']
287 User.check_pwd_policies(user['password'], name)
288
289 self._require_matching_id(user_id, user)
290 self._require_matching_domain_id(
291 user_id, user, self.identity_api.get_user)
292 ref = self.identity_api.update_user(user_id, user)
293 return UserV3.wrap_member(context, ref)
315 @controller.protected()
316 def change_password(self, context, user_id, user):
317 original_password = user.get('original_password')
318 if original_password is None:
319 raise exception.ValidationError(target='user',
320 attribute='original_password')
321
322 password = user.get('password')
323 if password is None:
324 raise exception.ValidationError(target='user',
325 attribute='password')
326 #if name is not present then get it from the backend
327 if 'name' not in user:
328 old_user_ref = self.identity_api.get_user(user_id)
329 name = old_user_ref['name']
330 else:
331 name = user['name']
332
333 User.check_pwd_policies(password, name)
334
335 try:
336 self.identity_api.change_password(
337 context, user_id, original_password, password)
338 except AssertionError:
339 raise exception.Unauthorized()
340
** Affects: keystone
Importance: Undecided
Status: New
** Project changed: bagpipe-l2 => keystone
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1484366
Title:
No way to specify password strength in keystone.
Status in Keystone:
New
Bug description:
There is a way to set the regular expression for horizon for a
password, but there is no way to do this in keystone.
We need a configuration parameter in keystone for the regular
expression and another one for the message to be shown when the
password is not valid.
#password regularexpression for user password
password_regex=((?=(.*(\d|[~!@#$%^&*_=+])){2,})(?=.*[a-z])(?=.*[A-Z]).{8,20})
password_regex_message=Password is not strong enough
These then need to be validated in the respective controllers (both v2 and v3)
example in ./keystone/identity/controllers.py
209 @staticmethod
210 def check_syntax(password):
211 a = re.match(CONF.password_regex, password)
212 if not a:
213 raise exception.ValidationError(CONF.password_regex_message)
214
215 @staticmethod
216 def check_pwd_policies(password, name):
217
218 #if passsword is empty allow it,
219 #since empty password wont allow user to login
220 if password is None:
221 return
222 if name in password or password in name:
223 raise exception.ValidationError("Password not strong enough: user name cannot be part of the password")
224 User.check_syntax(password)
225
243 @controller.protected()
244 def create_user(self, context, user):
245 self._require_attribute(user, 'name')
246
247 if user.get('password') is not None:
248 User.check_pwd_policies(user['password'], user['name'])
249 # The manager layer will generate the unique ID for users
250 ref = self._normalize_dict(user)
251 ref = self._normalize_domain_id(context, ref)
252 ref = self.identity_api.create_user(ref)
253 return UserV3.wrap_member(context, ref)
254
276 def _update_user(self, context, user_id, user):
277
278 #if password is being changed
279 #then check if name is not part of password
280 if 'password' in user:
281 #if name is not present then get it from the backend
282 if 'name' not in user:
283 old_user_ref = self.identity_api.get_user(user_id)
284 name = old_user_ref['name']
285 else:
286 name = user['name']
287 User.check_pwd_policies(user['password'], name)
288
289 self._require_matching_id(user_id, user)
290 self._require_matching_domain_id(
291 user_id, user, self.identity_api.get_user)
292 ref = self.identity_api.update_user(user_id, user)
293 return UserV3.wrap_member(context, ref)
315 @controller.protected()
316 def change_password(self, context, user_id, user):
317 original_password = user.get('original_password')
318 if original_password is None:
319 raise exception.ValidationError(target='user',
320 attribute='original_password')
321
322 password = user.get('password')
323 if password is None:
324 raise exception.ValidationError(target='user',
325 attribute='password')
326 #if name is not present then get it from the backend
327 if 'name' not in user:
328 old_user_ref = self.identity_api.get_user(user_id)
329 name = old_user_ref['name']
330 else:
331 name = user['name']
332
333 User.check_pwd_policies(password, name)
334
335 try:
336 self.identity_api.change_password(
337 context, user_id, original_password, password)
338 except AssertionError:
339 raise exception.Unauthorized()
340
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1484366/+subscriptions
Follow ups
