# HG changeset patch # User John Rouillard # Date 1774575979 14400 # Node ID 98011edc6c600d0449277ae75f0fc57433714301 # Parent 05e21949657a03060fd3a0dbc5c46679538c39f2 refactor: remove duplicate code block Had the same code inside two different if statements. Replaced with 'if X in [ a, b ] ' and only one copy of the code. diff -r 05e21949657a -r 98011edc6c60 roundup/password.py --- a/roundup/password.py Wed Mar 25 18:00:19 2026 -0400 +++ b/roundup/password.py Thu Mar 26 21:46:19 2026 -0400 @@ -430,21 +430,10 @@ if rounds < 1000: return True - - if (self.scheme == "PBKDF2"): + if self.scheme in ["PBKDF2S5", "PBKDF2"]: new_rounds = config.PASSWORD_PBKDF2_DEFAULT_ROUNDS - if ("pytest" in sys.modules and - "PYTEST_CURRENT_TEST" in os.environ): - if ("PYTEST_USE_CONFIG" in os.environ): - new_rounds = config.PASSWORD_PBKDF2_DEFAULT_ROUNDS - else: - # for testing - new_rounds = 1000 - if rounds < int(new_rounds): - return True - - if (self.scheme == "PBKDF2S5"): - new_rounds = config.PASSWORD_PBKDF2_DEFAULT_ROUNDS + # PYTEST_CURRENT_TEST is set when pytest is running + # a test case. if ("pytest" in sys.modules and "PYTEST_CURRENT_TEST" in os.environ): if ("PYTEST_USE_CONFIG" in os.environ): diff -r 05e21949657a -r 98011edc6c60 test/test_security.py --- a/test/test_security.py Wed Mar 25 18:00:19 2026 -0400 +++ b/test/test_security.py Thu Mar 26 21:46:19 2026 -0400 
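Review bot: The merged branch in `roundup/password.py` still lets process state decide a security threshold: when `pytest` is in `sys.modules` and `PYTEST_CURRENT_TEST` is set without `PYTEST_USE_CONFIG`, the floor compared against `rounds` appears to drop from `config.PASSWORD_PBKDF2_DEFAULT_ROUNDS` to 1000. The tail of the block lies outside this hunk, so that reading comes from the removed duplicate, which the commit message describes as identical. With only one copy left, it would be cleaner for the test suite to set the rounds through its own config and to drop the `sys.modules`/`os.environ` probe from production code. If the probe must stay, extend the new comment, e.g. `# Test-only override: a deployed tracker must never run with PYTEST_CURRENT_TEST set, or weak hashes stop being flagged.` The inner `new_rounds = config.PASSWORD_PBKDF2_DEFAULT_ROUNDS` under `PYTEST_USE_CONFIG` repeats the assignment just above it, so the nested `if`/`else` could shrink to `if "PYTEST_USE_CONFIG" not in os.environ: new_rounds = 1000`.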
@@ -473,22 +473,64 @@ p.setPassword("sekret", config=self.db.config) self.assertEqual(p.scheme, default_scheme) - def test_pbkdf2_migrate_rounds(self): - '''Check that migration happens when number of rounds in - config is larger than number of rounds in current password. - ''' + def test_migrate_deprecated(self): + + # migrate: deprecated encryption + + # force test to use config file settings + # rather than the testing default of 1000 + os.environ["PYTEST_USE_CONFIG"] = "True" + self.db.config.PASSWORD_PBKDF2_DEFAULT_ROUNDS = 2000 + + p = roundup.password.Password('sekrit', 'SSHA', + config=self.db.config) + self.assertEqual(p.needs_migration(config=self.db.config), True) p = roundup.password.Password('sekrit', 'PBKDF2', config=self.db.config) - self.db.config.PASSWORD_PBKDF2_DEFAULT_ROUNDS = 2000000 + self.assertEqual(p.needs_migration(config=self.db.config), True) + + # no need to migrate + self.db.config.PASSWORD_PBKDF2_DEFAULT_ROUNDS = 200000 + + p = roundup.password.Password('sekrit', 'PBKDF2S5', + config=self.db.config) + + self.assertEqual(p.needs_migration(config=self.db.config), False) + + self.assertEqual(p.password.find('200000$'), 0) + del(os.environ["PYTEST_USE_CONFIG"]) + def test_pbkdf2_migrate_rounds(self): + '''Check that migration happens when number of rounds in + config is larger than number of rounds in current password. + ''' + default_scheme = roundup.password.Password.default_scheme + # will only have 1000 rounds since it's running under + # pytest but without PYTEST_USE_CONFIG set in environment. + p = roundup.password.Password('sekrit', default_scheme, + config=self.db.config) + + self.assertEqual(p.password.find('1000$'), 0) + + # reduce it a bit to save runtime + self.db.config.PASSWORD_PBKDF2_DEFAULT_ROUNDS = 200000 + + # now set PYTEST_USE_CONFIG so we test rounds against + # config setting. 
os.environ["PYTEST_USE_CONFIG"] = "True" self.assertEqual(p.needs_migration(config=self.db.config), True) del(os.environ["PYTEST_USE_CONFIG"]) - # set up p with rounds under 1000. This is usually prevented, + + # Set up p with rounds under 1000. This is usually prevented, # but older software could generate smaller rounds. + p = roundup.password.Password('sekrit', default_scheme, + config=self.db.config) + + # Can't actaully generate a password with fewer than 1000 rounds. + # so edit p.password to fake 900 rounds. p.password = p.password.replace('1000$', '900$') self.assertEqual(p.needs_migration(config=self.db.config), True)
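Review bot: `PYTEST_USE_CONFIG` is set with `os.environ["PYTEST_USE_CONFIG"] = "True"` and only removed by a `del` after the assertions, in both `test_migrate_deprecated` and `test_pbkdf2_migrate_rounds`. A failing assertion in between therefore leaves the variable set for every later test in the process, which, per the comments here, switches them from the 1000-round test default to the configured rounds. Registering the cleanup right after setting the variable, `self.addCleanup(os.environ.pop, "PYTEST_USE_CONFIG", None)` (assuming these are `unittest.TestCase` methods, as the `self.assertEqual` calls suggest), keeps the password tests independent of each other. `test_migrate_deprecated` has only a comment where its sibling has a docstring; `'''Check that SSHA and PBKDF2 passwords need migration and a PBKDF2S5 password at the configured rounds does not.'''` would match the file's style. The new comment also has a typo: `actaully` should be `actually`.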