From 55ca347e2527249aab82a3e98afed06f95490b7c Mon Sep 17 00:00:00 2001
From: Dolph Mathews
Date: Fri, 17 May 2013 08:39:10 -0500
Subject: Configurable max password length (bug 1175906)
DocImpact
Change-Id: I1b1de8f7e07afe8af8a5cbb83de7f935cea04670
---
 etc/keystone.conf.sample | 3 +++
 keystone/common/config.py | 1 +
 keystone/common/utils.py | 13 ++++++-------
 keystone/token/controllers.py | 8 +++-----
 tests/test_auth.py | 3 ++-
 5 files changed, 15 insertions(+), 13 deletions(-)
diff --git a/etc/keystone.conf.sample b/etc/keystone.conf.sample
index a49a9a5e..90efe5f6 100644
--- a/etc/keystone.conf.sample
+++ b/etc/keystone.conf.sample
@@ -100,6 +100,9 @@
 # exist to order to maintain support for your v2 clients.
 # default_domain_id = default
+# Maximum supported length for user passwords; decrease to improve performance.
+# max_password_length = 4096
+
 [credential]
 # driver = keystone.credential.backends.sql.Credential
diff --git a/keystone/common/config.py b/keystone/common/config.py
index 10c47a35..cd525369 100644
--- a/keystone/common/config.py
+++ b/keystone/common/config.py
@@ -210,6 +210,7 @@ def configure():
 # identity
 register_str('default_domain_id', group='identity', default='default')
+ register_int('max_password_length', group='identity', default=4096)
 # trust
 register_bool('enabled', group='trust', default=True)
diff --git a/keystone/common/utils.py b/keystone/common/utils.py
index fd2d7567..9966ee67 100644
--- a/keystone/common/utils.py
+++ b/keystone/common/utils.py
@@ -36,8 +36,6 @@ config.register_int('crypt_strength', default=40000)
 LOG = logging.getLogger(__name__)
-MAX_PASSWORD_LENGTH = 4096
-
 def read_cached_file(filename, cache_info, reload_func=None):
 """Read from a file if it has been modified.
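Review bot: The `max_password_length` option added in keystone/common/config.py is registered as a plain integer with no lower bound, so 0 or a negative value is accepted from the config file. `trunc_password` slices with it (`password[:max_length]`), so 0 would reduce every password to the empty string and a negative value would drop trailing characters instead of capping the length. A startup check that refuses values below 1 would close this; whether `register_int` can forward a minimum to the option type is not visible here. configure() starts and ends outside the hunk.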
@@ -68,12 +66,13 @@ class SmarterEncoder(json.JSONEncoder):
 def trunc_password(password):
- """Truncate passwords to the MAX_PASSWORD_LENGTH."""
+ """Truncate passwords to the max_length."""
+ max_length = CONF.identity.max_password_length
 try:
- if len(password) > MAX_PASSWORD_LENGTH:
- return password[:MAX_PASSWORD_LENGTH]
- else:
- return password
+ if len(password) > max_length:
+ LOG.warning(
+ _('Truncating user password to %s characters.') % max_length)
+ return password[:max_length]
 except TypeError:
 raise exception.ValidationError(attribute='string', target='password')
diff --git a/keystone/token/controllers.py b/keystone/token/controllers.py
index 9ebc29fe..91514493 100644
--- a/keystone/token/controllers.py
+++ b/keystone/token/controllers.py
@@ -4,7 +4,6 @@ from keystone.common import cms
 from keystone.common import controller
 from keystone.common import dependency
 from keystone.common import logging
-from keystone.common import utils
 from keystone.common import wsgi
 from keystone import config
 from keystone import exception
@@ -215,10 +214,9 @@ class Auth(controller.V2Controller):
 attribute='password', target='passwordCredentials')
 password = auth['passwordCredentials']['password']
- max_pw_size = utils.MAX_PASSWORD_LENGTH
- if password and len(password) > max_pw_size:
- raise exception.ValidationSizeError(attribute='password',
- size=max_pw_size)
+ if password and len(password) > CONF.identity.max_password_length:
+ raise exception.ValidationSizeError(
+ attribute='password', size=CONF.identity.max_password_length)
 if ("userId" not in auth['passwordCredentials'] and "username" not in auth['passwordCredentials']):
diff --git a/tests/test_auth.py b/tests/test_auth.py
index db5314be..e8e6c7a9 100644
--- a/tests/test_auth.py
+++ b/tests/test_auth.py
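Review bot: `trunc_password` now truncates to whatever `CONF.identity.max_password_length` holds at call time, so lowering the option changes the effective password of existing users. If this helper runs both when a password is hashed and when it is checked (its callers are outside this diff), a password longer than the new limit was hashed at the old length and will stop verifying after the change, and the sample config's "decrease to improve performance" invites that. The docstring should state it, e.g. `"""Truncate password to CONF.identity.max_password_length; lowering the option invalidates stored hashes of longer passwords."""`, and the same caveat belongs beside the option in keystone.conf.sample. The warning also formats eagerly with `%`; passing `max_length` as a logging argument is the usual form.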
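Review bot: The v2 authenticate check in keystone/token/controllers.py rejects a password longer than the limit with `ValidationSizeError`, while `trunc_password` in keystone/common/utils.py silently shortens the same input, so the two paths disagree about over-long passwords. If passwords are truncated when they are stored (not visible here), a user who set one longer than the limit cannot log in with it through this controller, because the full value is refused before any comparison. Applying one policy, rejecting at set time as well, would remove the mismatch. The option is also read twice in the new lines; binding it once, `max_pw_size = CONF.identity.max_password_length`, as the removed code did, keeps the comparison and the reported size in step. The enclosing method starts and ends outside the hunk.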
@@ -179,7 +179,8 @@ class AuthBadRequests(AuthTest):
 def test_authenticate_password_too_large(self):
 """Verify sending large 'password' raises the right exception."""
- body_dict = _build_user_auth(username='FOO', password='0' * 8193)
+ length = CONF.identity.max_password_length + 1
+ body_dict = _build_user_auth(username='FOO', password='0' * length)
 self.assertRaises(exception.ValidationSizeError, self.controller.authenticate, {}, body_dict)
-- cgit
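Review bot: `test_authenticate_password_too_large` still runs only against the default limit, so nothing here shows that a non-default `max_password_length` is honoured, which is the purpose of the commit. A companion test that overrides the option to a small value and asserts that `'0' * (limit + 1)` raises `ValidationSizeError`, while a password of exactly `limit` characters does not, would pin the boundary. The new line relies on `CONF` being in scope in tests/test_auth.py, which is not visible in this hunk, and the enclosing class continues outside it.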