Source code for keystone.common.password_hashing

# Copyright 2017 Red Hat
# All Rights Reserved.
#    Licensed under the Apache License, Version 2.0 (the "License"); you may
#    not use this file except in compliance with the License. You may obtain
#    a copy of the License at
#    Unless required by applicable law or agreed to in writing, software
#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
#    License for the specific language governing permissions and limitations
#    under the License.

import itertools

from oslo_log import log
import passlib.hash

import keystone.conf
from keystone import exception
from keystone.i18n import _

CONF = keystone.conf.CONF
LOG = log.getLogger(__name__)

SUPPORTED_HASHERS = frozenset([passlib.hash.bcrypt,

_HASHER_NAME_MAP = { hasher for hasher in SUPPORTED_HASHERS}

# NOTE(notmorgan): Build the list of prefixes. This comprehension builds
# a dictionary where the keys are the prefix (all hashedpasswords are
# '$<ident>$<metadata>$<hash>') so we can do a fast-lookup on the hasher to
# use. If has hasher has multiple ident options it is encoded in the
# .ident_values attribute whereas hashers that have a single option
# ( ) only has the .ident attribute.
# NOTE(noonedeadpunk): Though bcrypt_sha256 does define <ident> as part of
# the metadata, actual indent is represented with a <prefix> instead.
def _get_hash_ident(hashers):
    for hasher in hashers:
        if hasattr(hasher, 'prefix'):
            ident = (getattr(hasher, 'prefix'),)
        elif hasattr(hasher, 'ident_values'):
            ident = getattr(hasher, 'ident_values')
            ident = (getattr(hasher, 'ident'),)
        yield (hasher, ident)

    prefix: module for module, prefix in itertools.chain(
        *[zip([mod] * len(ident), ident)
            for mod, ident in _get_hash_ident(SUPPORTED_HASHERS)]

def _get_hasher_from_ident(hashed):
        return _HASHER_IDENT_MAP[hashed[0:hashed.index('$', 1) + 1]]
    except KeyError:
        raise ValueError(
            _('Unsupported password hashing algorithm ident: %s') %
            hashed[0:hashed.index('$', 1) + 1])

[docs] def verify_length_and_trunc_password(password): """Verify and truncate the provided password to the max_password_length. We also need to check that the configured password hashing algorithm does not silently truncate the password. For example, passlib.hash.bcrypt does this: """ # When using bcrypt, we limit the password length to 54 to ensure all # bytes are fully mixed. See: # BCRYPT_MAX_LENGTH = 72 if (CONF.identity.password_hash_algorithm == 'bcrypt' and # nosec: B105 CONF.identity.max_password_length > BCRYPT_MAX_LENGTH): msg = "Truncating password to algorithm specific maximum length %d characters." LOG.warning(msg, BCRYPT_MAX_LENGTH) max_length = BCRYPT_MAX_LENGTH else: max_length = CONF.identity.max_password_length try: password_utf8 = password.encode('utf-8') if len(password_utf8) > max_length: if CONF.strict_password_check: raise exception.PasswordVerificationError(size=max_length) else: msg = "Truncating user password to %d characters." LOG.warning(msg, max_length) return password_utf8[:max_length] else: return password_utf8 except AttributeError: raise exception.ValidationError(attribute='string', target='password')
[docs] def check_password(password, hashed): """Check that a plaintext password matches hashed. hashpw returns the salt value concatenated with the actual hash value. It extracts the actual salt if this value is then passed as the salt. """ if password is None or hashed is None: return False password_utf8 = verify_length_and_trunc_password(password) hasher = _get_hasher_from_ident(hashed) return hasher.verify(password_utf8, hashed)
[docs] def hash_user_password(user): """Hash a user dict's password without modifying the passed-in dict.""" password = user.get('password') if password is None: return user return dict(user, password=hash_password(password))
[docs] def hash_password(password): """Hash a password. Harder.""" params = {} password_utf8 = verify_length_and_trunc_password(password) conf_hasher = CONF.identity.password_hash_algorithm hasher = _HASHER_NAME_MAP.get(conf_hasher) if hasher is None: raise RuntimeError( _('Password Hash Algorithm %s not found') % CONF.identity.password_hash_algorithm) if CONF.identity.password_hash_rounds: params['rounds'] = CONF.identity.password_hash_rounds if hasher is passlib.hash.scrypt: if CONF.identity.scrypt_block_size: params['block_size'] = CONF.identity.scrypt_block_size if CONF.identity.scrypt_parallelism: params['parallelism'] = CONF.identity.scrypt_parallelism if CONF.identity.salt_bytesize: params['salt_size'] = CONF.identity.salt_bytesize if hasher is passlib.hash.pbkdf2_sha512: if CONF.identity.salt_bytesize: params['salt_size'] = CONF.identity.salt_bytesize return hasher.using(**params).hash(password_utf8)