# HG changeset patch
# User Marcin Kuzminski
# Date 2010-08-20 08:59:18
# Node ID 04e8b31fb2454ae6decca4e8770578f006ac5258
# Parent 27f801e03489428fecad773de680e1ec492dfb43
Changed password crypting scheme to bcrypt, added dependency for setup

diff --git a/pylons_app/lib/auth.py b/pylons_app/lib/auth.py
--- a/pylons_app/lib/auth.py
+++ b/pylons_app/lib/auth.py
@@ -30,7 +30,7 @@ from pylons_app.model import meta
 from pylons_app.model.db import User, RepoToPerm, Repository, Permission
 from sqlalchemy.exc import OperationalError
 from sqlalchemy.orm.exc import NoResultFound, MultipleResultsFound
-import hashlib
+import bcrypt
 from decorator import decorator
 import logging
 
@@ -39,9 +39,11 @@ log = logging.getLogger(__name__)
 def get_crypt_password(password):
     """Cryptographic function used for password hashing based on sha1
     @param password: password to hash
-    """
-    hashed = hashlib.sha1(password).hexdigest()
-    return hashed[3:] + hashed[:3]
+    """
+    return bcrypt.hashpw(password, bcrypt.gensalt(10))
+
+def check_password(password, hashed):
+    return bcrypt.hashpw(password, hashed) == hashed
 
 @cache_region('super_short_term', 'cached_user')
 def get_user_cached(username):
@@ -53,7 +55,6 @@ def get_user_cached(username):
     return user
 
 def authfunc(environ, username, password):
-    password_crypt = get_crypt_password(password)
     try:
         user = get_user_cached(username)
     except (NoResultFound, MultipleResultsFound, OperationalError) as e:
@@ -62,7 +63,7 @@ def authfunc(environ, username, password
 
     if user:
         if user.active:
-            if user.username == username and user.password == password_crypt:
+            if user.username == username and check_password(password, user.password):
                 log.info('user %s authenticated correctly', username)
                 return True
             else:
diff --git a/pylons_app/model/forms.py b/pylons_app/model/forms.py
--- a/pylons_app/model/forms.py
+++ b/pylons_app/model/forms.py
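Review bot: check_password in the second hunk of auth.py has no path for the values already stored by the old get_crypt_password (a rotated sha1 hexdigest, removed in the same hunk), and the commit adds no migration for them; for such a row `bcrypt.hashpw(password, hashed)` is handed a string that is not a bcrypt salt, which in py-bcrypt raises ValueError as far as I know, so an existing user's login would error out instead of being rejected. Either catch that and fail closed — `try: return bcrypt.hashpw(password, hashed) == hashed` / `except ValueError: return False` — or add a one-time re-hash step at login, and record the decision on check_password, e.g. `"""Return True if *password* matches the bcrypt string *hashed*; values from the old sha1 scheme never match."""`. The docstring of get_crypt_password still says "based on sha1"; it should now read `"""Hash *password* with bcrypt using gensalt(10); the returned string embeds the salt, so verify it with check_password."""`.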
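Review bot: In the last hunk of auth.py the bcrypt check runs only when a row for username exists and is active, so a request for an unknown username returns after the cached lookup while a known one pays the full hashpw cost, and the response time distinguishes the two cases. The same shape appears in the ValidAuth.validate_python hunk of forms.py. A usual mitigation is to call check_password against a fixed dummy bcrypt string whenever no user is found, so both paths do comparable work; the diff does not show where such a constant would live, so take this as a suggestion rather than a concrete line. authfunc begins and ends outside this hunk.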
@@ -24,7 +24,7 @@ from formencode.validators import Unicod
     Email, Bool, StringBoolean
 from pylons import session
 from pylons.i18n.translation import _
-from pylons_app.lib.auth import get_crypt_password
+from pylons_app.lib.auth import check_password
 from pylons_app.model import meta
 from pylons_app.model.db import User, Repository
 from sqlalchemy.exc import OperationalError
@@ -94,7 +94,7 @@ class ValidAuth(formencode.validators.Fa
 
     def validate_python(self, value, state):
         sa = meta.Session
-        crypted_passwd = get_crypt_password(value['password'])
+        password = value['password']
         username = value['username']
         try:
             user = sa.query(User).filter(User.username == username).one()
@@ -106,7 +106,7 @@ class ValidAuth(formencode.validators.Fa
                                 error_dict=self.e_dict)
         if user:
             if user.active:
-                if user.username == username and user.password == crypted_passwd:
+                if user.username == username and check_password(password, user.password):
                     from pylons_app.lib.auth import AuthUser
                     auth_user = AuthUser()
                     auth_user.username = username
diff --git a/setup.py b/setup.py
--- a/setup.py
+++ b/setup.py
@@ -24,6 +24,7 @@ setup(
         "mercurial>=1.6",
         "pysqlite",
         "whoosh>=1.0.0b5",
+        "py-bcrypt",
     ],
     setup_requires=["PasteScript>=1.6.3"],
     packages=find_packages(exclude=['ez_setup']),
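Review bot: The new `"py-bcrypt"` entry in the setup.py hunk carries no version constraint, unlike `"mercurial>=1.6"` and `"whoosh>=1.0.0b5"` beside it, so the hashpw/gensalt behaviour that auth.py now depends on for every login is not tied to a known release. A minimum version in the same style, `"py-bcrypt>=<MIN_VERSION>",` with the value taken from the release the change was tested against, keeps the requirement consistent with its neighbours and makes the security-relevant dependency reproducible.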