author | Donald Stufft <donald@stufft.io> | 2013-02-12 03:36:06 -0500 |
---|---|---|
committer | Donald Stufft <donald@stufft.io> | 2013-02-12 03:36:06 -0500 |
commit | 41362f694af6851b1f3428ba38ebc495e60cad73 (patch) | |
tree | c10119bd7343ff498df9996420c009ade99464de /tools | |
parent | 622d5b0defc2c08e58a5544c0423cc7d98538cf3 (diff) | |
download | decorator-41362f694af6851b1f3428ba38ebc495e60cad73.tar.gz |
Include a migration path for moving legacy users to a stronger hash
* Includes a method for hashing the sha1 passwords with bcrypt to
increase their security
* bcrypt_sha1 will upgrade to standard bcrypt as per usual with
passlib
* Provides a script that migrates 20 users at a time to bcrypt_sha1
Migration script was modified from one written by Giovanni Bajo
Diffstat (limited to 'tools')
-rw-r--r-- | tools/upgradepw.py | 49 |
1 files changed, 49 insertions, 0 deletions
diff --git a/tools/upgradepw.py b/tools/upgradepw.py
new file mode 100644
index 0000000..cbdf4fd
--- /dev/null
+++ b/tools/upgradepw.py
@@ -0,0 +1,49 @@
+#!/usr/bin/python
+import base64
+import os
+import sys
+
+# Workaround current bug in docutils:
+# http://permalink.gmane.org/gmane.text.docutils.devel/6324
+import docutils.utils
+
+
+root = os.path.dirname(os.path.dirname(os.path.abspath(__file__)))
+sys.path.append(root)
+
+import config
+import store
+import passlib.registry
+
+bcrypt = passlib.registry.get_crypt_handler("bcrypt")
+bcrypt_sha1 = passlib.registry.get_crypt_handler("bcrypt_sha1")
+
+cfg = config.Config(os.path.join(root, "config.ini"))
+st = store.Store(cfg)
+
+print "Migrating passwords to bcrypt_sha1 from unsalted sha1....",
+
+st.open()
+for i, u in enumerate(st.get_users()):
+ user = st.get_user(u['name'])
+ # basic sanity check to allow it to run concurrent with users accessing
+ if len(user['password']) == 40 and "$" not in user["password"]:
+ # Hash the existing sha1 password with bcrypt
+ bcrypted = bcrypt.encrypt(user["password"])
+
+ # Base64 encode the bcrypted password so that it's just a blob of data
+ encoded = base64.b64encode(bcrypted)
+
+ st.setpasswd(user['name'], bcrypt_sha1._hash_prefix + encoded,
+ hashed=True,
+ )
+
+ # Commit every 20 users
+ if not i % 20:
+ st.commit()
+ st.open()
+
+st.commit()
+st.close()
+
+print "[ok]" |
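Review bot: The sanity check in the loop tests a value read by `st.get_user(...)`, but the write happens later through `st.setpasswd(...)`. If a user changes their password in between, the new credential could be overwritten with the wrapped old SHA-1 digest, unless the store's transaction isolation prevents it, which these lines do not show. Making the update conditional on the stored value still equalling the digest that was read would close that window, or a comment should state which guarantee of `st.open()`/`st.commit()` the script relies on. The check also accepts any 40-character string without `$`; adding `and all(c in string.hexdigits for c in user['password'])` (with `import string`) would keep non-digest values from being wrapped. `bcrypt_sha1._hash_prefix` is a private attribute of the handler, so a comment such as `# relies on the private prefix of the bcrypt_sha1 handler; keep in sync with its definition` would help the next maintainer.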