authorDolph Mathews <dolph.mathews@gmail.com>2013-05-17 08:39:10 -0500
committerMorgan Fainberg <m@metacloud.com>2013-08-08 11:06:33 -0700
commit55ca347e2527249aab82a3e98afed06f95490b7c (patch)
treee45cbbdb5dd053d403947d681d09cae615aad8bb
parenta4243e14b8d4c2006a2854a7dcfccc2229577f5d (diff)
Configurable max password length (bug 1175906)
DocImpact Change-Id: I1b1de8f7e07afe8af8a5cbb83de7f935cea04670
-rw-r--r--etc/keystone.conf.sample3
-rw-r--r--keystone/common/config.py1
-rw-r--r--keystone/common/utils.py13
-rw-r--r--keystone/token/controllers.py8
-rw-r--r--tests/test_auth.py3
5 files changed, 15 insertions, 13 deletions
diff --git a/etc/keystone.conf.sample b/etc/keystone.conf.sample
index a49a9a5e..90efe5f6 100644
--- a/etc/keystone.conf.sample
+++ b/etc/keystone.conf.sample
@@ -100,6 +100,9 @@
# exist to order to maintain support for your v2 clients.
# default_domain_id = default
+# Maximum supported length for user passwords; decrease to improve performance.
+# max_password_length = 4096
+
[credential]
# driver = keystone.credential.backends.sql.Credential
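Review bot: The new sample comment presents lowering `max_password_length` as a pure performance knob, but the keystone/token/controllers.py hunk in this commit makes v2 authenticate raise ValidationSizeError for any password longer than the configured value. Users who already hold a longer password would therefore be rejected after a decrease. I would add a second comment line such as `# Passwords longer than this are rejected or truncated; lowering it can lock out users with longer existing passwords.` How truncation affects stored hashes depends on where trunc_password is called, which is not visible on this page.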
diff --git a/keystone/common/config.py b/keystone/common/config.py
index 10c47a35..cd525369 100644
--- a/keystone/common/config.py
+++ b/keystone/common/config.py
@@ -210,6 +210,7 @@ def configure():
# identity
register_str('default_domain_id', group='identity', default='default')
+ register_int('max_password_length', group='identity', default=4096)
# trust
register_bool('enabled', group='trust', default=True)
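Review bot: `max_password_length` is registered without any lower bound, and trunc_password in keystone/common/utils.py uses it directly as a slice bound (`password[:max_length]`). A value of 0 would reduce every password to the empty string, and a negative value would drop trailing characters rather than cap the length, so a typo in keystone.conf silently weakens password handling. I would reject values below 1 when the option is loaded, or at the top of trunc_password, with an error that names the option. A comment such as `# must be >= 1: used as a slice bound in utils.trunc_password` next to the registration would document the constraint. configure() starts and ends outside this hunk.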
diff --git a/keystone/common/utils.py b/keystone/common/utils.py
index fd2d7567..9966ee67 100644
--- a/keystone/common/utils.py
+++ b/keystone/common/utils.py
@@ -36,8 +36,6 @@ config.register_int('crypt_strength', default=40000)
LOG = logging.getLogger(__name__)
-MAX_PASSWORD_LENGTH = 4096
-
def read_cached_file(filename, cache_info, reload_func=None):
"""Read from a file if it has been modified.
@@ -68,12 +66,13 @@ class SmarterEncoder(json.JSONEncoder):
def trunc_password(password):
- """Truncate passwords to the MAX_PASSWORD_LENGTH."""
+ """Truncate passwords to the max_length."""
+ max_length = CONF.identity.max_password_length
try:
- if len(password) > MAX_PASSWORD_LENGTH:
- return password[:MAX_PASSWORD_LENGTH]
- else:
- return password
+ if len(password) > max_length:
+ LOG.warning(
+ _('Truncating user password to %s characters.') % max_length)
+ return password[:max_length]
except TypeError:
raise exception.ValidationError(attribute='string', target='password')
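Review bot: trunc_password accepts an over-long password and only logs a warning, while Auth.authenticate in keystone/token/controllers.py rejects the same input with ValidationSizeError, so the two paths disagree on what the limit means. With truncation, every character past `max_password_length` is ignored, and the docstring should say so and name the source of the limit, e.g. `"""Truncate password to CONF.identity.max_password_length; extra characters are discarded and a warning is logged."""`. The warning could also pass the length as a logging argument, `LOG.warning(_('Truncating user password to %s characters.'), max_length)`, instead of formatting eagerly. Indentation is lost on this page, so I am assuming the `return` sits at the `try` level and not inside the `if`.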
diff --git a/keystone/token/controllers.py b/keystone/token/controllers.py
index 9ebc29fe..91514493 100644
--- a/keystone/token/controllers.py
+++ b/keystone/token/controllers.py
@@ -4,7 +4,6 @@ from keystone.common import cms
from keystone.common import controller
from keystone.common import dependency
from keystone.common import logging
-from keystone.common import utils
from keystone.common import wsgi
from keystone import config
from keystone import exception
@@ -215,10 +214,9 @@ class Auth(controller.V2Controller):
attribute='password', target='passwordCredentials')
password = auth['passwordCredentials']['password']
- max_pw_size = utils.MAX_PASSWORD_LENGTH
- if password and len(password) > max_pw_size:
- raise exception.ValidationSizeError(attribute='password',
- size=max_pw_size)
+ if password and len(password) > CONF.identity.max_password_length:
+ raise exception.ValidationSizeError(
+ attribute='password', size=CONF.identity.max_password_length)
if ("userId" not in auth['passwordCredentials'] and
"username" not in auth['passwordCredentials']):
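Review bot: The size check calls `len(password)` on whatever the request body supplied, so a truthy non-string value such as a JSON number would raise TypeError here instead of a validation error. That holds unless the type is checked earlier in authenticate, which this hunk does not show. trunc_password in keystone/common/utils.py already maps that TypeError to `exception.ValidationError(attribute='string', target='password')`; doing the same around this comparison would report malformed credentials as a validation failure. Reading `CONF.identity.max_password_length` once into a local would also avoid looking it up separately for the condition and the error. The method starts before and continues after the hunk.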
diff --git a/tests/test_auth.py b/tests/test_auth.py
index db5314be..e8e6c7a9 100644
--- a/tests/test_auth.py
+++ b/tests/test_auth.py
@@ -179,7 +179,8 @@ class AuthBadRequests(AuthTest):
def test_authenticate_password_too_large(self):
"""Verify sending large 'password' raises the right exception."""
- body_dict = _build_user_auth(username='FOO', password='0' * 8193)
+ length = CONF.identity.max_password_length + 1
+ body_dict = _build_user_auth(username='FOO', password='0' * length)
self.assertRaises(exception.ValidationSizeError,
self.controller.authenticate,
{}, body_dict)
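Review bot: The test still only exercises the default limit plus one, so nothing verifies that a configured value is honoured, which is the point of this change. I would add a case that overrides `max_password_length` to a small value and asserts ValidationSizeError at that length plus one. A boundary case should also show that a password of exactly the limit is not rejected for size. `CONF` is used on the new lines but its binding is not visible in the hunk; confirm the test module already defines it.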