#8566 support newer pwd hashs, remove deprecated 'crypt' AUTH PLUGIN CHANGES

unreleased
in-progress
None
General
nobody
5 days ago
2024-07-02
No

our LDAP plugin's password handling uses crypt which is deprecated since 3.11 and removed in 3.13 https://docs.python.org/3/library/crypt.html

crypt only supports a few algorithms anyway, it'd be good to support argon2, scrypt, bcrypt, pbkdf2_sha512

local password storage does sha256 and definitely should be updated. Similar/same config options for local & ldap hashing?

https://passlib.readthedocs.io/en/stable/ seems pretty good and supports a lot of algorithms, but it isn't maintained the best :(

If an admin configures a new password hashing algorithm, we should make it be a seamless transition, including when someone logs in to re-hash the password, when needed.

Discussion

  • Dave Brondsema

    Dave Brondsema - 5 days ago
    • summary: support newer pwd hashs, remove deprecated 'crypt' --> support newer pwd hashs, remove deprecated 'crypt' AUTH PLUGIN CHANGES
     
  • Dave Brondsema

    Dave Brondsema - 5 days ago

    allura:db/8566

    QA: After switching to this branch, you should be able to log in as a user, and then see that the password automatically got re-hashed with the new preferred algorithm.

    There are breaking AuthenticationProvider plugin changes, for any custom Auth implementations:

    • set_password takes a set_timestamp=True which should be checked before setting user.last_password_updated
    • rename def validate_password to def _validate_password since the base class implements a high-level validate_password now
    • when creating a User record, should set password_algorithm field
    • if code does password validation directly (e.g. ldap's _login) it now should call self.rehash_password_if_needed too
     

Log in to post a comment.