changeset 7163:0b52ee664580

Tests are breaking with the last commit. Restore a hopefully working tree while I figure out what is going on.
author John Rouillard <rouilj@ieee.org>
date Fri, 24 Feb 2023 00:37:37 -0500
parents cfdcaf8b5936
children 5487882ff17a
files CHANGES.txt roundup/cgi/actions.py roundup/password.py test/test_security.py
diffstat 4 files changed, 3 insertions(+), 21 deletions(-) [+]
--- a/CHANGES.txt	Thu Feb 23 19:34:39 2023 -0500
+++ b/CHANGES.txt	Fri Feb 24 00:37:37 2023 -0500
@@ -74,9 +74,6 @@
   make sure that an 'X-Content-Type-Options: nosniff' header is sent.
 - issue2551252 - default number of rounds for PKDF2 password increased
   to 2,000,000.
-- issue2551251 - migrate/re-encrypt PBKDF2 password if stored
-  password used a smaller number of rounds than set in
-  password_pbkdf2_default_rounds.
 
 Features:
 
--- a/roundup/cgi/actions.py	Thu Feb 23 19:34:39 2023 -0500
+++ b/roundup/cgi/actions.py	Fri Feb 24 00:37:37 2023 -0500
@@ -1399,8 +1399,7 @@
         db = self.db
         stored = db.user.get(userid, 'password')
         if givenpw == stored:
-            if (db.config.WEB_MIGRATE_PASSWORDS and
-                stored.needs_migration(config=db.config)):
+            if db.config.WEB_MIGRATE_PASSWORDS and stored.needs_migration():
                 newpw = password.Password(givenpw, config=db.config)
                 db.user.set(userid, password=newpw)
                 db.commit()
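Review bot: The re-hash on login at the new line `if db.config.WEB_MIGRATE_PASSWORDS and stored.needs_migration():` no longer passes the config, so a stored PBKDF2 hash is only re-encrypted when needs_migration() flags it on its own (in the password.py hunks of this changeset that appears to mean rounds below 1000 or a non-PBKDF2 scheme); raising PASSWORD_PBKDF2_DEFAULT_ROUNDS will not upgrade existing hashes on login. Since that is easy to misread as a config-driven upgrade, a one-line comment above the `if` would help: `# Re-hash on successful login only when the stored hash is flagged weak by Password.needs_migration(); the configured round count is not consulted here.` The enclosing method starts before this hunk, so the origin of givenpw and userid is not visible.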
--- a/roundup/password.py	Thu Feb 23 19:34:39 2023 -0500
+++ b/roundup/password.py	Fri Feb 24 00:37:37 2023 -0500
@@ -190,7 +190,7 @@
             if config:
                 rounds = config.PASSWORD_PBKDF2_DEFAULT_ROUNDS
             else:
-                rounds = 2000000
+                rounds = 10000
         if rounds < 1000:
             raise PasswordValueError("invalid PBKDF2 hash (rounds too low)")
         raw_digest = pbkdf2(plaintext, raw_salt, rounds, 20)
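Review bot: The no-config fallback at `rounds = 10000` now differs by two orders of magnitude from the 2,000,000 rounds the retained CHANGES.txt entry (lines 16-17 of this page) advertises as the PBKDF2 default, so a Password built without a config silently gets a much cheaper hash than one built with the shipped config; if that is intentional for the revert, it should be stated at the line, e.g. `rounds = 10000  # fallback only when no config is supplied; the configured default is expected to be higher`. The floor `if rounds < 1000:` also appears as a bare literal here and again in the needs_migration hunk below, so a single named module constant would keep the two checks from drifting apart. The enclosing function starts before this hunk, so the branch that sets rounds when config is given is only partly visible.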
@@ -325,7 +325,7 @@
     def __repr__(self):
         return self.__str__()
 
-    def needs_migration(self, config):
+    def needs_migration(self):
         """ Password has insecure scheme or other insecure parameters
             and needs migration to new password scheme
         """
@@ -334,10 +334,6 @@
         rounds, salt, raw_salt, digest = pbkdf2_unpack(self.password)
         if rounds < 1000:
             return True
-        if (self.scheme == "PBKDF2"):
-            new_rounds = config.PASSWORD_PBKDF2_DEFAULT_ROUNDS
-            if rounds < int(new_rounds):
-                return True
         return False
 
     def unpack(self, encrypted, scheme=None, strict=False, config=None):
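Review bot: After removing the config-based comparison, needs_migration() reports True only for `rounds < 1000` (line 58-59 of this page) plus whatever the lines between the docstring and `pbkdf2_unpack` check, yet its docstring in the previous hunk still says "insecure scheme or other insecure parameters", which overstates what is now examined. Suggest tightening the docstring to something like `"""Return True if the stored hash must be re-encrypted: a non-PBKDF2 scheme or a PBKDF2 round count below 1000. The configured default round count is not considered."""`, adjusting the scheme clause to match the lines not shown here. The function's signature and the first lines of its body sit in the previous hunk and between the two hunks, so this note covers both.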
--- a/test/test_security.py	Thu Feb 23 19:34:39 2023 -0500
+++ b/test/test_security.py	Fri Feb 24 00:37:37 2023 -0500
@@ -422,14 +422,4 @@
             roundup.password.test_missing_crypt()
         roundup.password.crypt = orig_crypt
 
-    def test_pbkdf2_migrate_rounds(self):
-        self.db.config.PASSWORD_PBKDF2_DEFAULT_ROUNDS = 10000
-
-        p = roundup.password.Password('sekrit', 'PBKDF2',
-                                      config=self.db.config)
-
-        self.db.config.PASSWORD_PBKDF2_DEFAULT_ROUNDS = 2000000
-
-        self.assertEqual(p.needs_migration(config=self.db.config), True)
-
 # vim: set filetype=python sts=4 sw=4 et si :
