kallithea Changeset - 023d9202481e

Changeset - 023d9202481e

Parent rev.

Child rev.

[Not reviewed]

default

0 2 0

Andrew Shadura - 9 years ago 2016-07-03 12:21:00
andrew@shadura.me

setup: use modern bcrypt implementation instead of unsupported old one

py-bcrypt has been deprecated by bcrypt, and is no longer developed
or supported.

bcrypt requires bytestrings instead of strings, use safe_str to ensure
they're encoded before they're passed to bcrypt. Also, use check_pw
to minimise the number of manual conversions and comparisons.

Installation of bcrypt will probably compile a C extension and require
libffi-dev.

2 files changed with 4 insertions and 4 deletions:

kallithea/lib/auth.py

setup.py

0 comments (0 inline, 0 general)

kallithea/lib/auth.py

➞

Show inline comments

@@ @@ -31,49 +31,49 @@ import traceback @@
 import hashlib
 import itertools
 import collections
 from decorator import decorator
 from pylons import url, request, session
 from pylons.i18n.translation import _
 from webhelpers.pylonslib import secure_form
 from sqlalchemy import or_
 from sqlalchemy.orm.exc import ObjectDeletedError
 from sqlalchemy.orm import joinedload
 from webob.exc import HTTPFound, HTTPBadRequest, HTTPForbidden, HTTPMethodNotAllowed
 from kallithea import __platform__, is_windows, is_unix
 from kallithea.lib.vcs.utils.lazy import LazyProperty
 from kallithea.model import meta
 from kallithea.model.meta import Session
 from kallithea.model.user import UserModel
 from kallithea.model.db import User, Repository, Permission, \
     UserToPerm, UserGroupRepoToPerm, UserGroupToPerm, UserGroupMember, \
     RepoGroup, UserGroupRepoGroupToPerm, UserIpMap, UserGroupUserGroupToPerm, \
     UserGroup, UserApiKeys
 from kallithea.lib.utils2 import safe_unicode, aslist
+from kallithea.lib.utils2 import safe_str, safe_unicode, aslist
 from kallithea.lib.utils import get_repo_slug, get_repo_group_slug, \
     get_user_group_slug, conditional_cache
 from kallithea.lib.caching_query import FromCache
 log = logging.getLogger(__name__)
 class PasswordGenerator(object):
     """
     This is a simple class for generating password from different sets of
     characters
     usage::
         passwd_gen = PasswordGenerator()
         #print 8-letter password containing only big and small letters
             of alphabet
         passwd_gen.gen_password(8, passwd_gen.ALPHABETS_BIG_SMALL)
     """
     ALPHABETS_NUM = r'''1234567890'''
     ALPHABETS_SMALL = r'''qwertyuiopasdfghjklzxcvbnm'''
     ALPHABETS_BIG = r'''QWERTYUIOPASDFGHJKLZXCVBNM'''
     ALPHABETS_SPECIAL = r'''`-=[]\;',./~!@#$%^&*()_+{}|:"<>?'''
     ALPHABETS_FULL = ALPHABETS_BIG + ALPHABETS_SMALL \
@@ @@ -86,68 +86,68 @@ class PasswordGenerator(object): @@
     def gen_password(self, length, alphabet=ALPHABETS_FULL):
         assert len(alphabet) <= 256, alphabet
         l = []
         while len(l) < length:
             i = ord(os.urandom(1))
             if i < len(alphabet):
                 l.append(alphabet[i])
         return ''.join(l)
 class KallitheaCrypto(object):
     @classmethod
     def hash_string(cls, str_):
         """
         Cryptographic function used for password hashing based on pybcrypt
         or Python's own OpenSSL wrapper on windows
         :param password: password to hash
         """
         if is_windows:
             return hashlib.sha256(str_).hexdigest()
         elif is_unix:
             import bcrypt
             return bcrypt.hashpw(str_, bcrypt.gensalt(10))
+            return bcrypt.hashpw(safe_str(str_), bcrypt.gensalt(10))
         else:
             raise Exception('Unknown or unsupported platform %s' \
                             % __platform__)
     @classmethod
     def hash_check(cls, password, hashed):
         """
         Checks matching password with it's hashed value, runs different
         implementation based on platform it runs on
         :param password: password
         :param hashed: password in hashed form
         """
         if is_windows:
             return hashlib.sha256(password).hexdigest() == hashed
         elif is_unix:
             import bcrypt
-            return bcrypt.hashpw(password, hashed) == hashed
+            return bcrypt.checkpw(safe_str(password), safe_str(hashed))
         else:
             raise Exception('Unknown or unsupported platform %s' \
                             % __platform__)
 def get_crypt_password(password):
     return KallitheaCrypto.hash_string(password)
 def check_password(password, hashed):
     return KallitheaCrypto.hash_check(password, hashed)
 def _cached_perms_data(user_id, user_is_admin, user_inherit_default_permissions,
                        explicit, algo):
     RK = 'repositories'
     GK = 'repositories_groups'
     UK = 'user_groups'
     GLOBAL = 'global'
     PERM_WEIGHTS = Permission.PERM_WEIGHTS
     permissions = {RK: {}, GK: {}, UK: {}, GLOBAL: set()}
     def _choose_perm(new_perm, cur_perm):

setup.py

➞

Show inline comments

@@ @@ -45,49 +45,49 @@ requirements = [ @@
     "SQLAlchemy>=0.7.10,<1.1",
     "Mako>=0.9.0,<=1.0.0",
     "pygments>=1.5",
     "whoosh>=2.4.0,<=2.5.7",
     "celery>=2.2.5,<2.3",
     "babel>=0.9.6,<=1.3",
     "python-dateutil>=1.5.0,<2.0.0",
     "markdown==2.2.1",
     "docutils>=0.8.1,<=0.11",
     "mock",
     "URLObject==2.3.4",
     "Routes==1.13",
     "pytest>=2.7.0,<3.0",
     "pytest-sugar>=0.7.0,<1.0.0",
     "dulwich>=0.9.9,<=0.9.9",
     "mercurial>=2.9,<3.9",
+]
 if sys.version_info < (2, 7):
     requirements.append("importlib==1.0.1")
     requirements.append("unittest2")
     requirements.append("argparse")
 if not is_windows:
-    requirements.append("py-bcrypt>=0.3.0,<=0.4")
+    requirements.append("bcrypt>=2.0.0")
 dependency_links = [
+]
 classifiers = [
     'Development Status :: 4 - Beta',
     'Environment :: Web Environment',
     'Framework :: Pylons',
     'Intended Audience :: Developers',
     'License :: OSI Approved :: GNU General Public License (GPL)',
     'Operating System :: OS Independent',
     'Programming Language :: Python',
     'Programming Language :: Python :: 2.6',
     'Programming Language :: Python :: 2.7',
     'Topic :: Software Development :: Version Control',
+]
 # additional files from project that goes somewhere in the filesystem
 # relative to sys.prefix
 data_files = []
 description = ('Kallithea is a fast and powerful management tool '

0 comments (0 inline, 0 general)