Password is not strong enough failures

Hmm, interesting. How are these password enforcement rules set? Is it something that someone is adding ontop of keystone, or a backend specific thing.

I'm trying to figure out how this enforcement is enabled and what it entails. For example, if they're static rules like enforcing the first character is a capital letter, I'm not sure how we would handle that in a generic way. Because rules like that will definitely be deployment specific

But, if it's just a generic password strength checker we can probably handle that by just having a better algorithm used to improve the password strength. A first thought at a fix would be to add a random_password option to tempest-lib's data utils module and have it used for tenant isolation's passwords.

Also, sorry I can't help but put this on the bug. It was the first thing that came to my mind:

https://xkcd.com/936/

Keystone allows the use of an LDAP backend for storing user credentials. Complex password policies can be setup on the LDAP. I agree that it would be very difficult to setup a password that can map to any of these password policies users could setup in LDAP, but a good place to start would be a random password generator that adds a UpperCase letter, a lowercase letter, a special character, a number and is at least 8 characters in length.

Just want to mention that the failures were collected with the test runs which had allow_tenant_isolation set to "false" in the tempest.conf file

@Matthew Treinish, Nikhil Gupta (guptani) ,
Here is my propose for the password policy to fix this issue, if you have any concern let me know.

1: use of both upper- and lower-case letters (case sensitivity)
2: inclusion of one or more numerical digits
3: inclusion of special characters, e.g. @, #, $ etc.
4: at least 15 characters in length

Here is an example
self.test_password = data_utils.rand_name('Sm4rtcl0ud!Pass_')

@yuxingw

I think it would be better to make a separate data_utils function to just generate a random password which meets all of these criteria you outlined instead of just passing a garbage input into random name.

@Catherine

Sure, but the internal tempest mechanism is the same IsolatedCreds code path for the quotas tests (or any other test which requires a new clean tenant) this is just for code reuse purposes since it was easier to just always use isolated creds there rather than duplicating the tenant creation code in each test that needs it.

The only way I can really see this being addressed is by telling users to use an accounts.yaml file with pre-created users with valid passwords and just skip the quotas tests. (which are admin only anyway)

Hi Matthew Treinish ,
Thanks.
According to your advice, below is my plan and i tested it on my local environment.
1: Add a new method in tempest\common\utils\data_utils.py
    def rand_password():
    """
    Generate a random password representing:
      use of both upper- and lower-case letters (string.ascii_letters)
      inclusion of one or more numerical digits(string.digits)
      inclusion of special characters, e.g. @, #, $ etc.(string.punctuation)
      at least 15 characters in length (range(15))
    """
    password = choice(string.ascii_uppercase)+ ''.join(choice(string.ascii_letters + string.digits + '!@#$%^&*()') for x in range(15))
    return password

2: Call this new method in other test cases like tempest\api\identity\admin\test_users.py
     def resource_setup(cls):
        super(UsersTestJSON, cls).resource_setup()
        cls.alt_user = data_utils.rand_name('test_user_')
        cls.alt_password = data_utils.rand_name('pass_') --------> modify it as cls.alt_password = data_utils.rand_password()
        cls.alt_email = cls.alt_user + '@testmail.tm'

Test result
2015-04-28 06:19:33.586 7937 DEBUG tempest.common.rest_client [-] Request (UsersV3TestJSON:test_user_update): 201 POST https://172.20.48.10:35357/v3/users 0.080s
    Request - Headers: {'Content-Type': 'application/json', 'Accept': 'application/json', 'X-Auth-Token': '<omitted>'}
        Body: {"user": {"name": "user--597373330", "enabled": false, "email": "<email address hidden>", "default_project_id": null, "password": "PLzqD^$)o9toS6V5", "domain_id": "default", "description": "user--597373330description"}}

    Response - Headers: {'status': '201', 'content-length': '326', 'vary': 'X-Auth-Token', 'connection': 'close', 'date': 'Tue, 28 Apr 2015 06:19:33 GMT', 'content-type': 'application/json'}
        Body: {"user": {"email": "<email address hidden>", "name": "user--597373330", "links": {"self": "https://192.168.101.10:5000/v3/users/dd64398ac6f74288ba160367e37d0a4a"}, "domain_id": "default", "default_project_id": null, "enabled": false, "id": "dd64398ac6f74288ba160367e37d0a4a", "description": "user--597373330description"}}

Tempest patches:
https://review.openstack.org/#/c/178546/
https://review.openstack.org/#/c/178561/

Reviewed: https://review.openstack.org/178546
Committed: https://git.openstack.org/cgit/openstack/tempest-lib/commit/?id=0e0d39d40be762a26319d65e3458cf8640aa49ce
Submitter: Jenkins
Branch: master

commit 0e0d39d40be762a26319d65e3458cf8640aa49ce
Author: Yuxing wang <email address hidden>
Date: Wed Apr 29 00:44:07 2015 -0700

    Password is not strong enough failures

    Add a method to generate password with
    1: use of both upper- and lower-case letters (case sensitivity)
    2: inclusion of one or more numerical digits
    3: inclusion of special characters, e.g. @, #, $ etc.
    4: at least 15 characters in length

    Closes-Bug: 1448217

    Change-Id: I86bf157f1bdb44f5fc579dc5317784fe31df8521

Reviewed: https://review.openstack.org/178561
Committed: https://git.openstack.org/cgit/openstack/tempest/commit/?id=d8c5f7afb319075667659e70dc0360a37ae5420b
Submitter: Jenkins
Branch: master

commit d8c5f7afb319075667659e70dc0360a37ae5420b
Author: Zack Feldstein <email address hidden>
Date: Mon Dec 14 10:44:07 2015 -0600

    Fix password not strong enough failures

    Use rand_password method to create users with more complex
    passwords.

    Closes-Bug: 1448217
    Depends-On: I86bf157f1bdb44f5fc579dc5317784fe31df8521
    Change-Id: I57649f5aac9b1abe1a9961d4b35479372ebee519

Related fix proposed to branch: master
Review: https://review.openstack.org/258843

Reviewed: https://review.openstack.org/258843
Committed: https://git.openstack.org/cgit/openstack/tempest/commit/?id=808e8ec1c718730d67150dd9d995e6dbd40f0b4f
Submitter: Jenkins
Branch: master

commit 808e8ec1c718730d67150dd9d995e6dbd40f0b4f
Author: Marc Koderer <email address hidden>
Date: Wed Dec 16 15:38:46 2015 +0100

    Fix password not strong enough for cmd

    Also uses strong passwords for cmd/accout_generator.py.

    Change-Id: I44486414e075a8abaebf8371c4c94c908f156ea0
    Related-Bug: 1448217

Related fix proposed to branch: master
Review: https://review.openstack.org/259424

Reviewed: https://review.openstack.org/259424
Committed: https://git.openstack.org/cgit/openstack/tempest/commit/?id=6f6f53226daca8af241244d23f33975a1d2ed7c2
Submitter: Jenkins
Branch: master

commit 6f6f53226daca8af241244d23f33975a1d2ed7c2
Author: Alexander Gubanov <email address hidden>
Date: Fri Dec 18 14:47:34 2015 +0200

    Fix password not strong enough for identity test_groups

    Use rand_password method to create users with more complex passwords.
    This part was missed in commit I57649f5aac9b1abe1a9961d4b35479372ebee519

    Change-Id: I9b06e4f1f026ab6795263969aa10e4ddfc5bae92
    Related-Bug: 1448217