path: root/passlib/ifc.py
Commit message  [Author, Age, Files, Lines]
* python compat cleanup -- use abc.ABC directly  [Eli Collins, 2020-10-06, 1 file, -18/+5]
|
* py39 compat - fixed some unneeded escape sequences  [Eli Collins, 2020-10-03, 1 file, -2/+2]
|
* PasswordHash: hammered out more of password truncation policy.  [Eli Collins, 2017-01-30, 1 file, -2/+26]
|
|   PasswordHash
|   -------------
|   * .truncate_size now used to indicate general "max password size";
|   * .truncate_error now defined for all hashers, indicates .hash() policy
|   * added .truncate_verify_reject as companion, indicates corresponding .verify() policy.
|
|   HandlerTestCase
|   ---------------
|   * expanded test functions to check all combinations of truncation policy flags
|   * fixed fuzzer so it doesn't generate passwords which would throw PasswordSizeError.
|
* added r"" prefix to some strings, to fix some python 3.6 deprecation warnings  [Eli Collins, 2017-01-22, 1 file, -1/+1]
|
|   about invalid escape sequences (e.g. "\s")
|
* passlib.utils: relocated a bunch of properties & decorators to .utils.decor  [Eli Collins, 2016-11-22, 1 file, -2/+1]
|
* passlib.context: formalized how CryptContext stores deprecation info.  [Eli Collins, 2016-11-22, 1 file, -0/+9]
|
|   now stored in public Hash.deprecated attr of returned hashers,
|   instead of monkeypatching Hash.needs_update().
|   this removes some cruft from a bunch of places.
|
* passlib.ext.django: large refactor to make things more isolated & testable.  [Eli Collins, 2016-11-22, 1 file, -0/+10]
|
|   passlib.ext.django
|   ------------------
|   * everything in .models relocated to the DjangoContextAdapter() class in .utils.
|     all that's left in models is a couple of hooks.
|     This consolidates all the model state into a single object,
|     making it a lot easier to inspect and optimize.
|   * consolidated a bunch of (undocumented) helper functions into DjangoTranslator() class,
|     which now acts as base for DjangoContextAdapter.
|     Translator instances handle converted passlib <-> django hashers,
|     including caching speed-critical bits.
|   * wrapper class now has guards against wrong type of hasher being passed in
|   * wrapper class uses .using() instead of deprecated .hash(**kwds) format.
|   * updated and confirmed passing tests w/ django 1.10.3
|
|   passlib.ext.django tests
|   ------------------------
|   * split test wrapper for django's internal tests (HashersTest) into separate file,
|     test_ext_django_source.py, to make it easier to run independently.
|     reworked to use patchAttr(wraps=True) rather than less flexible ContextHook() hack
|   * tries to clean up HashersTest - adapts to django settings,
|     fixed code syncing .iteration settings back to passlib hashers,
|   * blocked out some django tests that we can't / won't pass, documented reasons why.
|
|   other
|   -----
|   * CryptContext: added temporary hack to access unpatched Hasher.needs_update() method.
|   * PrefixWrapper: now proxies attr writes if it owns the wrapped hasher.
|   * test utils: added wrap=True support to patchAttr(), for wrapping arbitrary functions.
|
* docs: cleaned up language & links  [Eli Collins, 2016-06-30, 1 file, -4/+4]
|
* passlib.hash: Improved handling of hashes which truncate passwords  [Eli Collins, 2016-06-29, 1 file, -0/+4]
|
|   * Added PasswordHash.truncate_size info attribute, to detect hashes
|     which truncate the password.
|   * All such hashes (bcrypt, des_crypt, some others) now accept a "truncate_error" option,
|     allowing them to be switched from silent truncation to throwing an error instead.
|     This option is also supported by CryptContext.
|   * tests/HandlerCase:
|     - removed .secret_size config flag, can now just read handler.truncate_size instead.
|     - reworked truncation tests to use new API, and test 'truncate_error' policy support.
|
* Enhanced disabled hash management  [Eli Collins, 2016-06-26, 1 file, -0/+34]
|
|   * PasswordHash.is_disabled flag now present, to programmatically detect
|     disabled hashers (unix_disabled, etc)
|   * CryptContext now offers methods for disabling, enabling, and testing hashes
|     to see if they're tied to a real hash or not.
|   * disabled hashers now offer .disable() and .enable() helpers,
|     as backend for CryptContext methods.
|   * django_disabled now appends random alphanumeric string, per Django.
|   * adjusted HandlerCase:
|     - checks handler.is_disabled,
|     - handle django_disabled via disabled_contains_salt flag
|     - tests .disable() and .enable() api if present
|
* ifc.PasswordHash: changed default genconfig() to stop passing settings to .hash()  [Eli Collins, 2016-06-17, 1 file, -1/+1]
|
* renamed PasswordHandler.replace() back to PasswordHandler.using()  [Eli Collins, 2016-06-15, 1 file, -2/+2]
|
|   this basically reversed rev 5c41b0153d4f; after using it a bit more,
|   decided the name didn't indicate as well what the method was doing.
|
* PasswordHash.hash() api shift: deprecating passing settings kwds into hash() --  [Eli Collins, 2016-06-15, 1 file, -1/+21]
|
|   callers should use handler.replace(**settings).hash() instead.
|
|   this is being done because it greatly streamlines the internals of the .hash()
|   implementation, and allows some redundant configuration parsing to be extracted
|   from the .hash() methods and merged in with existing code in .replace().
|   this also opens things up for alternate code architectures for implementing
|   new hashers, making it easier to wrap existing libraries (e.g. argon2).
|
|   internals
|   ---------
|   * replaced a bunch of internal .hash(**settings) calls
|   * GenericHandler
|     - stripped out 'relaxed' keyword from constructor, since it's no longer passed by hash() etc.
|     - _norm_checksum() now only invoked if checksum is specified (simplifies logic).
|       keeping support for 'relaxed' mode, but only as explicit keyword.
|     - removed some unused comments about .from_string() & .to_string()
|   * HasSalt mixin:
|     - .replace() now supports 'salt' keyword, creates variant which has a fixed salt string.
|     - 'salt size' keyword removed from ctor, now handled by .replace() call
|     - _norm_salt() converted to class method so it can be used by .replace() 'salt' keyword code.
|     - per-instance bits of _norm_salt() relocated to HasSalt.__init__ proper
|     - _generate_salt() converted to class method, since no longer depends on instance config.
|   * HasRounds mixin:
|     - similar to HasSalt, relocates per-instance bits of _norm_rounds() into HasRounds.__init__() proper.
|     - remainder of _norm_rounds() turned into class method, merged with ._clip_to_valid_rounds() helper
|       to reduce duplication.
|     - _generate_rounds() converted to class method, since no longer depends on instance config.
|
|   hashers
|   -------
|   * fshp: added support for 'variant' keyword to replace()
|   * unix_disabled: added support for 'marker' keyword to replace(), added UTs.
|   * cisco_type7: to match HasSalt, added support for 'salt' keyword to replace(), added UTs.
|   * sha256/512_crypt: now uses custom salt & rounds parsing, rather than relaxed kwd,
|     to handle correctable-but-invalid config strings.
|
|   unittests
|   ---------
|   * removed checks for PasslibConfigWarning when setting hash(rounds=) out of policy bounds,
|     since that now *is* setting the policy.
|   * adapted some handler ctor to deal w/ lack of 'relaxed' kwd
|
|   docs
|   ----
|   * updated docstrings listing hash() keywords for each scheme to list them as .replace() keywords.
|   * updated example code to use .replace()
|   * fleshed out api docs about the change
|
* PasswordHandler.replace(): added support for 'relaxed' keyword;  [Eli Collins, 2016-06-15, 1 file, -1/+1]
|
|   made behavior of various bits (rounds etc) default to relaxed=False,
|   updated UTs accordingly.
|
* renamed handler.using() method to handler.replace(),  [Eli Collins, 2016-06-13, 1 file, -1/+1]
|
|   to match stdlib's convention (for things like str, namedtuple, etc)
|
* handler.genconfig() / .genhash() deprecated entirely  [Eli Collins, 2016-06-13, 1 file, -12/+13]
|
|   after further consideration (while implementing a handler for argon2),
|   decided that rolling .genconfig() and .genhash() into the .hash() method
|   (as was done in rev 1f7421b35b75) put too much complexity into the .hash() method.
|   this commit walks back those portions of rev 1f7421b35b75 --
|   .genconfig() and .genhash() are now implemented for each handler directly.
|
|   however, going a little further and completely deprecating .genconfig()
|   and .genhash() support entirely -- decided there's no need for them in the
|   public api whatsoever. apps shouldn't need/use them, and the unittests
|   can use their own workarounds.
|
|   * removed "config" keyword from handler.hash() ifc
|   * removed support for config=None from handler.genhash() --
|     nothing should use it now that handler.genconfig() always returns a string.
|   * marked .genhash() and .genconfig() as completely deprecated, w/ no alternative
|   * uts: factored out calls which need config only into a .do_stub_encrypt() helper,
|     as replacement for internal uses of .genconfig()
|
* removed the deprecated hash.parse_rounds() helper added in 1.6.x  [Eli Collins, 2016-06-13, 1 file, -10/+0]
|
* passlib.context: now that Handler.using() is fully implemented,  [Eli Collins, 2016-06-10, 1 file, -0/+1]
|
|   removed _CryptRecord proxy object completely.
|   CryptContext now just works with custom handler instances directly.
|
* .encrypt() method renamed to .hash(), other api cleanups  [Eli Collins, 2016-06-10, 1 file, -9/+54]
|
|   .encrypt()
|   ----------
|   hash.encrypt() & context.encrypt() have been renamed to .hash().
|   this should take care of the long-standing issue 21 (the poor naming of .encrypt).
|   per docs, legacy aliases will remain in place until passlib 2.0.
|
|   .genhash() / .genconfig()
|   -------------------------
|   taking advantage of this reorganization to also deprecate .genconfig()
|   and .genhash() -- they're not really useful in a modern system,
|   nor as needed for historical support as initially thought:
|   .genconfig() will be retired completely in passlib 2.0;
|   .genhash() is rolled into the new .hash() method along with .encrypt().
|
* Merge with stable  [Eli Collins, 2016-02-09, 1 file, -0/+10]
|\
| * PasswordHash ifc: added temporary helper .parse_rounds(),  [Eli Collins, 2016-02-08, 1 file, -0/+10]
| |
| |   which abstracts out job of parsing rounds value from hash.
| |
* | passlib.ifc.PasswordHash.needs_update() -- now provides default implementation  [Eli Collins, 2015-07-23, 1 file, -2/+2]
| |
| |   that always returns False.
| |
* | _CryptRecord: removed _bind_needs_update() framework  [Eli Collins, 2015-01-27, 1 file, -29/+0]
| |
| |   * relocated all hash._bind_needs_update() into the new hash.needs_update() interface.
| |   * des_crypt._generate_rounds() now makes default_rounds odd, even if vary_round
| |     is unset (to prevent cyclic issue w/ needs_update).
| |   * CryptRecord.needs_update() is now direct proxy for hash.needs_update().
| |
* | _CryptRecord refactoring -- moved rounds management code to hashes  [Eli Collins, 2015-01-27, 1 file, -0/+53]
| |
| |   This is first part of relocation seeking to move most of the functionality
| |   from inside the _CryptRecord class, into a public interface of the PasswordHash class.
| |   This would give a number of benefits, including reducing the amount of
| |   hash-specific hacks contained within CryptContext's internals.
| |
| |   * added PasswordHash.using(), which creates a subclass configured with
| |     CryptContext options. Mixins can then provide helpers to customize
| |     based on various parameters.
| |   * added PasswordHash.needs_update(), a frontend for checking if a hash
| |     needs updating per configuration provided via using().
| |   * moved all the rounds generation code from _CryptRecord to
| |     HasRounds.using()'s wrapper, and HasRounds._generate_rounds().
| |   * moved all the rounds needs_update() code to HasRounds._calc_needs_update().
| |   * _CryptRecord now calls hash.using() to configure rounds behavior,
| |     and uses the methods of that custom handler, instead of the original,
| |     so that rounds are taken into account.
| |
* | removed a LOT of compatibility shims -- dropped python 2.5, 3.0, and 3.1 support; as well as PyPy 1.x and Jython 2.5.  [Eli Collins, 2015-01-10, 1 file, -16/+5]
|/
|   shims removed
|   -------------
|   * b() shim replaced with b'' (py25)
|   * 'bytes' alias no longer needed (py25)
|   * callable() shim no longer needed (py30,31)
|   * PY_MIN_32 flag replaced with PY3 flag (py30,31)
|   * removed 'abc' module stub used by passlib.ifc (py25)
|   * removed chain_from_iterable() backport (py25)
|   * tests: removed catch_warnings() backport, replaced refs with real warnings.catch_warnings() (py25)
|   * tests: removed unittest2 backports (py25, py30, py31) -- now throw hard error if unittest2 not present
|     under py26 (the only release remaining which lacks the unittest2 features)
|   * removed SUPPORTS_DIR_METHOD conditional (py25, pypy 1.x)
|   * some other minor workarounds
|
|   other
|   -----
|   * added check in passlib.compat which now throws error telling user
|     version isn't supported (to prevent spurious errors later)
|
* style cleanups (transplant of rc94c6072a652 in default)  [Eli Collins, 2013-12-27, 1 file, -6/+6]
|
* project-wide whitespace & comment cleanup (it's been a couple of years)  [Eli Collins, 2012-08-01, 1 file, -28/+28]
|
* excluded some branches from coverage  [Eli Collins, 2012-04-30, 1 file, -7/+7]
|
* added some missing tests; fixed a bunch of bugs  [Eli Collins, 2012-04-28, 1 file, -3/+3]
|
* near complete rewrite of django plugin, now making public  [Eli Collins, 2012-04-27, 1 file, -0/+5]
|
|   - monkeypatching now formalized w/ a patch manager, and should be *much* more resilient.
|   - patch states reduced greatly, simplified code and tests
|   - now handles django 1.4 correctly
|   - patches hashers module as well (had to write some new wrappers)
|   - added experimental methods GenericHandler.parsehash() to back
|     our wrapper of Hasher.safe_summary()
|   - XXX: doesn't currently import current HASHER state,
|   - XXX: can't import hashers into passlib either -- though left initial notes on this
|
* finally added abstract base class for the password hash interface -- passlib.ifc.PasswordHash (also had to make some tweaks to fix class repr due to ABCMeta)  [Eli Collins, 2012-04-27, 1 file, -0/+188]