Password history constraints not enforced via /v3/users/<user_id>/password path

Bug #1628692 reported by Rodrigo Duarte
This bug affects 1 person
Affects: OpenStack Identity (keystone)
Status: Fix Released
Importance: Medium
Assigned to: Ron De Rose

Bug Description

Unlike the /v3/user/<user_id> route [1], the /v3/user/<user_id>/password is not enforcing the password history [2].

At [3] we are able to change a password that breaks the password history constraints.

[1] https://github.com/openstack/keystone/blob/master/keystone/identity/backends/sql.py#L161
[2] https://github.com/openstack/keystone/blob/master/keystone/identity/backends/sql.py#L189
[3] http://paste.openstack.org/show/583366/

summary: - Password constraints not enforced via /v3/users/<user_id>/password path
+ Password history constraints not enforced via
+ /v3/users/<user_id>/password path
Changed in keystone:
assignee: nobody → Ron De Rose (ronald-de-rose)
Changed in keystone:
importance: Undecided → Medium
status: New → Confirmed
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/379018

Changed in keystone:
status: Confirmed → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.openstack.org/379018
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=4be9164e53403b863f8c717b58227c9fcbd13f7c
Submitter: Jenkins
Branch: master

commit 4be9164e53403b863f8c717b58227c9fcbd13f7c
Author: Ronald De Rose <email address hidden>
Date: Wed Sep 28 21:57:23 2016 +0000

    Validate password history for self-service password changes

    This patch adds password history validation to the change_password
    (self-service) backend method.

    backport: newton
    Closes-Bug: #1628692
    Change-Id: I6a21eb355a60b96da0615e64f57fa64289c0221e
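
The gap this fix closes, as an added sketch that is not keystone's code and not part of the bug report: two password-setting paths share one history store, but only one of them runs the history check until the flag is turned on. `ToyIdentityBackend`, `reuse_accepted`, the PBKDF2 hashing, the history depth of 3 and the sample passwords are assumptions made for illustration.

```python
import hashlib, hmac, os

UNIQUE_LAST_PASSWORD_COUNT = 3  # assumed policy: no reuse of the last 3 passwords

class PasswordHistoryViolation(Exception):
    """New password matches one of the user's recent passwords."""

def _hash(password, salt=None):
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)

def _matches(password, entry):
    return hmac.compare_digest(_hash(password, entry[0])[1], entry[1])

class ToyIdentityBackend:
    """Hypothetical stand-in for an identity backend with two password paths."""
    def __init__(self, enforce_on_self_service):
        self.enforce_on_self_service = enforce_on_self_service
        self.history = {}  # user_id -> [(salt, digest), ...], oldest first

    def _validate_history(self, user_id, new_password):
        recent = self.history.get(user_id, [])[-UNIQUE_LAST_PASSWORD_COUNT:]
        if any(_matches(new_password, entry) for entry in recent):
            raise PasswordHistoryViolation(user_id)

    def update_user(self, user_id, new_password):
        # Update route (/v3/users/<user_id>): history is always checked.
        self._validate_history(user_id, new_password)
        self.history.setdefault(user_id, []).append(_hash(new_password))

    def change_password(self, user_id, old_password, new_password):
        # Self-service route (/v3/users/<user_id>/password).
        if not _matches(old_password, self.history[user_id][-1]):
            raise PermissionError("current password is incorrect")
        if self.enforce_on_self_service:  # False reproduces the reported gap
            self._validate_history(user_id, new_password)
        self.history[user_id].append(_hash(new_password))

def reuse_accepted(backend, via_self_service):
    """True if the chosen path lets user 'u1' go back to an earlier password."""
    for password in ("first-Passw0rd", "second-Passw0rd"):  # constructed values
        backend.update_user("u1", password)
    try:
        if via_self_service:
            backend.change_password("u1", "second-Passw0rd", "first-Passw0rd")
        else:
            backend.update_user("u1", "first-Passw0rd")
    except PasswordHistoryViolation:
        return False
    return True
```

A regression test for this class of bug should exercise every route that can set a password, not only the one where the policy check was first written.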

Changed in keystone:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (stable/newton)

Fix proposed to branch: stable/newton
Review: https://review.openstack.org/379607

OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (stable/newton)

Reviewed: https://review.openstack.org/379607
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=4a604529a82db04d9ab2225005dbaf836f4a079a
Submitter: Jenkins
Branch: stable/newton

commit 4a604529a82db04d9ab2225005dbaf836f4a079a
Author: Ronald De Rose <email address hidden>
Date: Wed Sep 28 21:57:23 2016 +0000

    Validate password history for self-service password changes

    This patch adds password history validation to the change_password
    (self-service) backend method.

    backport: newton
    Closes-Bug: #1628692
    Change-Id: I6a21eb355a60b96da0615e64f57fa64289c0221e
    (cherry picked from commit 4be9164e53403b863f8c717b58227c9fcbd13f7c)

tags: added: in-stable-newton
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/keystone 10.0.0.0rc3

This issue was fixed in the openstack/keystone 10.0.0.0rc3 release candidate.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/keystone 10.0.0

This issue was fixed in the openstack/keystone 10.0.0 release.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/keystone 11.0.0.0b1

This issue was fixed in the openstack/keystone 11.0.0.0b1 development milestone.

Changed in keystone:
milestone: none → newton-rc1