author | Eli Collins <elic@assurancetechnologies.com> | 2016-06-10 17:00:05 -0400 |
---|---|---|
committer | Eli Collins <elic@assurancetechnologies.com> | 2016-06-10 17:00:05 -0400 |
commit | cc883a81ab27931a05c319a05eac080d6afd9c2d (patch) | |
tree | 25a05514bdb5465a20960aad201ec9b319a0a229 /passlib/context.py | |
parent | e94db1b7b1d2b531f26cc4295e005daa7638b0f3 (diff) | |
download | passlib-cc883a81ab27931a05c319a05eac080d6afd9c2d.tar.gz |
passlib.context: deprecating the 'all' preset scheme --
only legitimate use was for 'vary_rounds' option, which is being phased out,
and other uses like 'min_rounds' were a security issue.
* fixed CryptContext() tests to stop using "all" kwds
* issue dep warning if "all" scheme is used
* issue config warning if anything but "vary_rounds" is used,
since config needs to be changed (regardless of passlib version)
Diffstat (limited to 'passlib/context.py')
-rw-r--r-- | passlib/context.py | 19 |
1 files changed, 18 insertions, 1 deletions
diff --git a/passlib/context.py b/passlib/context.py
index d71137c..ddfd820 100644
--- a/passlib/context.py
+++ b/passlib/context.py
@@ -9,7 +9,7 @@ import logging; log = logging.getLogger(__name__)
 from warnings import warn
 # site
 # pkg
-from passlib.exc import ExpectedStringError, ExpectedTypeError
+from passlib.exc import ExpectedStringError, ExpectedTypeError, PasslibConfigWarning
 from passlib.registry import get_crypt_handler, _validate_handler_name
 from passlib.utils import handlers as uh, to_bytes, deprecated_method, \
 to_unicode, splitcomma
@@ -67,6 +67,9 @@ def _always_needs_update(hash, secret=None):
 """
 return True
+#: list of keys allowed under wildcard "all" scheme w/o a security warning
+_global_safe_options = ["vary_rounds"]
+
 #=============================================================================
 # crypt policy
 #=============================================================================
@@ -679,6 +682,18 @@ class _CryptConfig(object):
 # normalize scheme option
 key, value = norm_scheme_option(key, value)
+ # this scheme is going away in 2.0;
+ # but most keys deserve an extra warning since it impacts security.
+ if scheme == "all":
+ if key not in _global_safe_options:
+ # e.g. things like "min_rounds" should never be set cross-scheme
+ warn("The '%s' option should be configured per-algorithm, and not set "
+ "globally using the 'all' scheme" % (key,), PasslibConfigWarning)
+
+ warn("The 'all' scheme is deprecated as of Passlib 1.7, "
+ "and will be removed in Passlib 2.0; Please configure "
+ "options on a per-algorithm basis.", DeprecationWarning)
+
 # store in scheme_options
 # map structure: scheme_options[scheme][category][key] = value
 try:
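Review bot: `_global_safe_options` in the second hunk is a module-level list, so the allowlist that decides whether the security warning fires can be mutated at runtime by anything that imports the module. It is only read with `in`, so an immutable container states the intent better: `_global_safe_options = frozenset(["vary_rounds"])`. The `#:` comment could also say that a listed key is exempt only from `PasslibConfigWarning` and still triggers the `DeprecationWarning` issued for every use of the "all" scheme.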
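Review bot: The new `if scheme == "all":` branch in the third hunk only warns; the value still falls through to the `scheme_options` store directly below, so a globally set option such as `min_rounds` keeps taking effect for every scheme. If that is deliberate for backward compatibility until 2.0, say so in place, e.g. `# NOTE: the option is still applied below; the warning is advisory until "all" is removed in 2.0`. Both `warn()` calls also omit `stacklevel`, so the warning is attributed to this line in passlib/context.py rather than to the code that supplied the configuration. The enclosing `_CryptConfig` method starts and ends outside the hunk, so whether a suitable `stacklevel` can be chosen from here cannot be confirmed from the visible lines.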
@@ -746,6 +761,8 @@ class _CryptConfig(object):
 elif not isinstance(value, (list,tuple)):
 raise ExpectedTypeError(value, "str or seq", "deprecated")
 if 'auto' in value:
+ # XXX: have any statements been made about when this is default?
+ # should do it in 1.8 at latest.
 if len(value) > 1:
 raise ValueError("cannot list other schemes if "
 "``deprecated=['auto']`` is used") |