author | Eli Collins <elic@assurancetechnologies.com> | 2015-07-20 16:06:22 -0400 |
---|---|---|
committer | Eli Collins <elic@assurancetechnologies.com> | 2015-07-20 16:06:22 -0400 |
commit | 379cdaec5a3853485ea203b4c318c8308a28bfd7 (patch) | |
tree | 9556299a2a758f00be8a168d720b8de071f74892 /passlib/apache.py | |
parent | 39ac4c212175100e85d996babeff7d36adb60cc3 (diff) | |
download | passlib-379cdaec5a3853485ea203b4c318c8308a28bfd7.tar.gz |
HtpasswdFile's default context now recognizes bcrypt, sha256_crypt (fixes issue 55);
also added default_scheme="portable" to ease transition to passlib 1.7's new default behavior.
Diffstat (limited to 'passlib/apache.py')
-rw-r--r-- | passlib/apache.py | 54 |
1 files changed, 43 insertions, 11 deletions
diff --git a/passlib/apache.py b/passlib/apache.py
index ad39704..516deeb 100644
--- a/passlib/apache.py
+++ b/passlib/apache.py
@@ -370,19 +370,39 @@ class _CommonFile(object): # htpasswd editing #============================================================================= -# FIXME: apr_md5_crypt technically the default only for windows, netware and tpf. -# TODO: find out if htpasswd's "crypt" mode is a crypt() *call* or just des_crypt implementation. -# if the former, we can support anything supported by passlib.hosts.host_context, -# allowing more secure hashes than apr_md5_crypt to be used. -# could perhaps add this behavior as an option to the constructor. +#: default CryptContext used by HtpasswdFile +# TODO: update this to support everything in host_context (where available), +# and note in the documentation that the default is no longer guaranteed to be portable +# across platforms. # c.f. http://httpd.apache.org/docs/2.2/programs/htpasswd.html htpasswd_context = CryptContext([ - "apr_md5_crypt", # man page notes supported everywhere, default on Windows, Netware, TPF - "des_crypt", # man page notes server does NOT support this on Windows, Netware, TPF - "ldap_sha1", # man page notes only for transitioning <-> ldap - "plaintext" # man page notes server ONLY supports this on Windows, Netware, TPF + # man page notes supported everywhere; is default on Windows, Netware, TPF + "apr_md5_crypt", + + # [added in passlib 1.6.3] + # apache requires host crypt() support; but can generate natively + # (as of https://bz.apache.org/bugzilla/show_bug.cgi?id=49288) + "bcrypt", + + # [added in passlib 1.6.3] + # apache requires host crypt() support; and can't generate natively + "sha256_crypt", + "sha512_crypt", + + # man page notes apache does NOT support this on Windows, Netware, TPF + "des_crypt", + + # man page notes intended only for transitioning htpasswd <-> ldap + "ldap_sha1", + + # man page notes apache ONLY supports this on Windows, Netware, TPF + "plaintext" ]) +#: scheme that will be used when 'portable' is requested. 
+portable_scheme = "apr_md5_crypt" + + class HtpasswdFile(_CommonFile): """class for reading & writing Htpasswd files. @@ -444,13 +464,23 @@ class HtpasswdFile(_CommonFile): :type default_scheme: str :param default_scheme: Optionally specify default scheme to use when encoding new passwords. - Must be one of ``"apr_md5_crypt"``, ``"des_crypt"``, ``"ldap_sha1"``, - ``"plaintext"``. It defaults to ``"apr_md5_crypt"``. + May be any of ``"bcrypt"``, ``"sha256_crypt"``, ``"apr_md5_crypt"``, ``"des_crypt"``, + ``"ldap_sha1"``, ``"plaintext"``. It defaults to ``"apr_md5_crypt"``. + + .. note:: + + Some hashes are only supported by apache / htpasswd on certain operating systems + (e.g. bcrypt on BSD, sha256_crypt on linux). To get the strongest + hash that's still portable, applications can specify ``default_scheme="portable"``. .. versionadded:: 1.6 This keyword was previously named ``default``. That alias has been deprecated, and will be removed in Passlib 1.8. + .. versionchanged:: 1.6.3 + + Added support for ``"bcrypt"``, ``"sha256_crypt"``, and ``"portable"``. + :type context: :class:`~passlib.context.CryptContext` :param context: :class:`!CryptContext` instance used to encrypt @@ -546,6 +576,8 @@ class HtpasswdFile(_CommonFile): DeprecationWarning, stacklevel=2) default_scheme = kwds.pop("default") if default_scheme: + if default_scheme == "portable": + default_scheme = portable_scheme context = context.copy(default=default_scheme) self.context = context super(HtpasswdFile, self).__init__(path, **kwds) |
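Review bot: In the `htpasswd_context` hunk the order of the scheme list matters, but no comment says so. `"plaintext"` is listed last, and as far as I know passlib's plaintext handler identifies any string, so a handler placed after it would never be chosen and a stored value in an unlisted format would be compared as a literal password. I would add a comment above that entry, e.g. `# NOTE: keep last -- plaintext matches any string and would shadow real hash formats`. It is also worth a sentence in the module docs that deployments which never store plaintext can pass their own `context` without it.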
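Review bot: The `default_scheme` docstring hunk leaves out `sha512_crypt`, which the context hunk adds next to `sha256_crypt`; both the "May be any of" list and the `versionchanged:: 1.6.3` line should name it. The added note promises "the strongest hash that's still portable" without saying which scheme that is. Since `portable_scheme` is `apr_md5_crypt`, I would say so in the note, e.g. `"portable" currently selects apr_md5_crypt (MD5-based); choose bcrypt or a SHA-2 scheme explicitly where the host supports it`, so readers do not assume `"portable"` gives them one of the newly added hashes. The docstring continues outside this hunk.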
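Review bot: In the constructor hunk, `"portable"` is replaced by `portable_scheme` before `context.copy(default=default_scheme)`, and this also happens when the caller supplied their own `context`. If that context does not include `apr_md5_crypt`, the copy will presumably fail with an error naming a scheme the caller never wrote. I would either document that `"portable"` assumes the stock `htpasswd_context`, or add a why-comment at the substitution such as `# "portable" -> apr_md5_crypt; a caller-supplied context must include it`. The enclosing `__init__` starts and ends outside this hunk, so any earlier validation is not visible here.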