authorDonald Stufft <donald@stufft.io>2013-02-12 03:36:06 -0500
committerDonald Stufft <donald@stufft.io>2013-02-12 03:36:06 -0500
commit41362f694af6851b1f3428ba38ebc495e60cad73 (patch)
treec10119bd7343ff498df9996420c009ade99464de /tools
parent622d5b0defc2c08e58a5544c0423cc7d98538cf3 (diff)
downloaddecorator-41362f694af6851b1f3428ba38ebc495e60cad73.tar.gz
Include a migration path for moving legacy users to a stronger hash
* Includes a method for hashing the sha1 passwords with bcrypt to increase their security
* bcrypt_sha1 will upgrade to standard bcrypt as per usual with passlib
* Provides a script that migrates 20 users at a time to bcrypt_sha1

Migration script was modified from one written by Giovanni Bajo
Diffstat (limited to 'tools')
-rw-r--r--tools/upgradepw.py49
1 files changed, 49 insertions, 0 deletions
diff --git a/tools/upgradepw.py b/tools/upgradepw.py
new file mode 100644
index 0000000..cbdf4fd
--- /dev/null
+++ b/tools/upgradepw.py
@@ -0,0 +1,49 @@
+#!/usr/bin/python
+import base64
+import os
+import sys
+
+# Workaround current bug in docutils:
+# http://permalink.gmane.org/gmane.text.docutils.devel/6324
+import docutils.utils
+
+
+root = os.path.dirname(os.path.dirname(os.path.abspath(__file__)))
+sys.path.append(root)
+
+import config
+import store
+import passlib.registry
+
+bcrypt = passlib.registry.get_crypt_handler("bcrypt")
+bcrypt_sha1 = passlib.registry.get_crypt_handler("bcrypt_sha1")
+
+cfg = config.Config(os.path.join(root, "config.ini"))
+st = store.Store(cfg)
+
+print "Migrating passwords to bcrypt_sha1 from unsalted sha1....",
+
+st.open()
+for i, u in enumerate(st.get_users()):
+ user = st.get_user(u['name'])
+ # basic sanity check to allow it to run concurrent with users accessing
+ if len(user['password']) == 40 and "$" not in user["password"]:
+ # Hash the existing sha1 password with bcrypt
+ bcrypted = bcrypt.encrypt(user["password"])
+
+ # Base64 encode the bcrypted password so that it's just a blob of data
+ encoded = base64.b64encode(bcrypted)
+
+ st.setpasswd(user['name'], bcrypt_sha1._hash_prefix + encoded,
+ hashed=True,
+ )
+
+ # Commit every 20 users
+ if not i % 20:
+ st.commit()
+ st.open()
+
+st.commit()
+st.close()
+
+print "[ok]"
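Review bot: The length/`$` check and the `st.setpasswd(...)` call in the loop form a read-check-write that is not atomic, so the "run concurrent with users accessing" claim in the comment holds only if `store` serialises it, which is not visible in this file. If a user logs in and is upgraded to plain bcrypt, or changes their password, between `st.get_user` and `st.setpasswd`, the script would write back a bcrypt_sha1 wrapper of the old SHA-1 value and silently undo that change. I would make the write conditional on the stored value still being the one that was read, or at least record the limitation with `# NOTE: not atomic; a password changed between get_user() and setpasswd() is overwritten with the old hash`. Separately, `if not i % 20` counts every user rather than migrated ones and also fires at `i == 0`, so the batches are not really 20 migrations; a separate counter incremented inside the `if` would match the "Commit every 20 users" comment.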