diff options
| author | Eli Collins <elic@assurancetechnologies.com> | 2016-06-26 16:20:04 -0400 |
|---|---|---|
| committer | Eli Collins <elic@assurancetechnologies.com> | 2016-06-26 16:20:04 -0400 |
| commit | 7c8af0a27ca1a8dbfec8aca488ad68608e7f05c5 (patch) | |
| tree | fc35336f44a2a4c9294c7ded2bcc2a62f528e105 /passlib/handlers/misc.py | |
| parent | ce4fabb2fd0b1fdbe2d2a3547d906e8fb0c0c9a4 (diff) | |
| download | passlib-7c8af0a27ca1a8dbfec8aca488ad68608e7f05c5.tar.gz | |
Enhanced disabled hash management
* PasswordHash.is_disabled flag now present, to programmatically detect
disabled hashers (unix_disabled, etc)
* CryptContext now offers methods for disabling, enabling, and testing
hashes to see if they're tied to a real hash or not.
* disabled hashers now offer .disable() and .enable() helpers,
as backend for CryptContext methods.
* django_disabled now appends random alphanumeric string, per Django.
* adjusted HandlerCase:
- checks handler.is_disabled,
- handle django_disabled via disabled_contains_salt flag
- tests .disable() and .enable() api if present
Diffstat (limited to 'passlib/handlers/misc.py')
| -rw-r--r-- | passlib/handlers/misc.py | 33 |
1 files changed, 30 insertions, 3 deletions
diff --git a/passlib/handlers/misc.py b/passlib/handlers/misc.py index 2ff0470..c133651 100644 --- a/passlib/handlers/misc.py +++ b/passlib/handlers/misc.py @@ -22,7 +22,7 @@ __all__ = [ #============================================================================= # handler #============================================================================= -class unix_fallback(uh.StaticHandler): +class unix_fallback(uh.ifc.DisabledHash, uh.StaticHandler): """This class provides the fallback behavior for unix shadow files, and follows the :ref:`password-hash-api`. This class does not implement a hash, but instead provides fallback @@ -79,7 +79,7 @@ class unix_fallback(uh.StaticHandler): _MARKER_CHARS = u("*!") _MARKER_BYTES = b"*!" -class unix_disabled(uh.MinimalHandler): +class unix_disabled(uh.ifc.DisabledHash, uh.MinimalHandler): """This class provides disabled password behavior for unix shadow files, and follows the :ref:`password-hash-api`. @@ -106,6 +106,8 @@ class unix_disabled(uh.MinimalHandler): setting_kwds = ("marker",) context_kwds = () + _disable_prefixes = tuple(str(_MARKER_CHARS)) + # TODO: rename attr to 'marker'... if 'bsd' in sys.platform: # pragma: no cover -- runtime detection default_marker = u("*") @@ -138,7 +140,8 @@ class unix_disabled(uh.MinimalHandler): # * linux uses "!" # * bsd uses "*" # * linux may use "!" + hash to disable but preserve original hash - # * linux counts empty string as "any password" + # * linux counts empty string as "any password"; + # this code recognizes it, but treats it the same as "!" if isinstance(hash, unicode): start = _MARKER_CHARS elif isinstance(hash, bytes): @@ -178,6 +181,30 @@ class unix_disabled(uh.MinimalHandler): cls = cls.using(marker=marker) return cls.hash(secret) + @classmethod + def disable(cls, hash=None): + out = cls.hash("") + if hash is not None: + hash = to_native_str(hash, param="hash") + if cls.identify(hash): + # extract original hash, so that we normalize marker + hash = cls.enable(hash) + if hash: + out += hash + return out + + @classmethod + def enable(cls, hash): + hash = to_native_str(hash, param="hash") + for prefix in cls._disable_prefixes: + if hash.startswith(prefix): + orig = hash[len(prefix):] + if orig: + return orig + else: + raise ValueError("cannot restore original hash") + raise uh.exc.InvalidHashError(cls) + class plaintext(uh.MinimalHandler): """This class stores passwords in plaintext, and follows the :ref:`password-hash-api`. |