odoo/addons/auth_crypt/auth_crypt.py

import logging

from passlib.context import CryptContext

import openerp
from openerp.osv import fields, osv

_logger = logging.getLogger(__name__)

default_crypt_context = CryptContext(
    # kdf which can be verified by the context. The default encryption kdf is
    # the first of the list
    ['pbkdf2_sha512', 'md5_crypt'],
    # deprecated algorithms are still verified as usual, but ``needs_update``
    # will indicate that the stored hash should be replaced by a more recent
    # algorithm. Passlib 1.6 supports an `auto` value which deprecates any
    # algorithm but the default, but Debian only provides 1.5 so...
    deprecated=['md5_crypt'],
)

class res_users(osv.osv):
    _inherit = "res.users"

    def _crypt_context(self, cr, uid, id, context=None):
        """ Passlib CryptContext instance used to encrypt and verify
        passwords. Can be overridden if technical, legal or political matters
        require different kdfs than the provided default.

        Requires a CryptContext as deprecation and upgrade notices are used
        internally
        """
        return default_crypt_context

    def _store_encrypted_password(self, cr, uid, id, encrypted, context=None):
        """
        :param uid: id of the current user
        :param id: id of the user on which the password should be set
        """
        cr.execute(
            "UPDATE res_users SET password='', password_crypt=%s WHERE id=%s",
            (encrypted, id))

    def set_pw(self, cr, uid, id, name, value, args, context):
        if value:
            encrypted = self._crypt_context(cr, uid, id, context=context)\
                .encrypt(value)
            self._store_encrypted_password(
                cr, uid, id, encrypted, context=context)

    def get_pw( self, cr, uid, ids, name, args, context ):
        cr.execute('select id, password from res_users where id in %s', (tuple(map(int, ids)),))
        return dict(cr.fetchall())

    _columns = {
        'password': fields.function(get_pw, fnct_inv=set_pw, type='char', string='Password', invisible=True, store=True),
        'password_crypt': fields.char(string='Encrypted Password', invisible=True),
    }

    def check_credentials(self, cr, uid, password):
        # convert to base_crypt if needed
        cr.execute('SELECT password, password_crypt FROM res_users WHERE id=%s AND active', (uid,))
        stored_password_crypt = None
        if cr.rowcount:
            stored_password, stored_password_crypt = cr.fetchone()
            if stored_password and not stored_password_crypt:
                stored_password_crypt = self._crypt_context(cr, uid, uid).encrypt(stored_password)
                self._store_encrypted_password(cr, uid, uid, stored_password_crypt)
        try:
            return super(res_users, self).check_credentials(cr, uid, password)
        except openerp.exceptions.AccessDenied:
            if stored_password_crypt:
                valid, replacement = self._crypt_context(cr, uid, uid)\
                        .verify_and_update(password, stored_password_crypt)
                if replacement:
                    self._store_encrypted_password(cr, uid, uid, replacement)
                if valid:
                    return
            # Reraise password incorrect
            raise


# vim:expandtab:smartindent:tabstop=4:softtabstop=4:shiftwidth=4:
[IMP] auth_crypt base_crypt cleanup bzr revid: al@openerp.com-20121219112031-mtogxyq1fxsbopz0 2012-12-19 11:20:31 +00:00			`import logging`
[IMP] auth_crypt: port to passlib instead of using embedded/hand-rolled md5crypt 2014-06-19 06:39:22 +00:00
[IMP] auth_crypt: upgrade default kdf to pbkdf2_sha512 Applies to new and yet-to-be-encrypted users, existing already-encrypted will keep logging in as usual, their password storage will be upgraded on next password change. 2014-06-19 06:46:15 +00:00			`from passlib.context import CryptContext`
[IMP] auth_crypt base_crypt cleanup bzr revid: al@openerp.com-20121219112031-mtogxyq1fxsbopz0 2012-12-19 11:20:31 +00:00
			`import openerp`
			`from openerp.osv import fields, osv`

			`_logger = logging.getLogger(__name__)`

[IMP] auth_crypt: upgrade default kdf to pbkdf2_sha512 Applies to new and yet-to-be-encrypted users, existing already-encrypted will keep logging in as usual, their password storage will be upgraded on next password change. 2014-06-19 06:46:15 +00:00			`default_crypt_context = CryptContext(`
			`# kdf which can be verified by the context. The default encryption kdf is`
			`# the first of the list`
			`['pbkdf2_sha512', 'md5_crypt'],`
[IMP] auth_crypt: automatically upgrde deprecated hashes on login 2014-06-19 07:12:17 +00:00			# deprecated algorithms are still verified as usual, but ``needs_update``
			`# will indicate that the stored hash should be replaced by a more recent`
			# algorithm. Passlib 1.6 supports an `auto` value which deprecates any
			`# algorithm but the default, but Debian only provides 1.5 so...`
			`deprecated=['md5_crypt'],`
[IMP] auth_crypt: upgrade default kdf to pbkdf2_sha512 Applies to new and yet-to-be-encrypted users, existing already-encrypted will keep logging in as usual, their password storage will be upgraded on next password change. 2014-06-19 06:46:15 +00:00			`)`
[IMP] auth_crypt add sha256 from enhance_base_crypt_trunk (not enabled by default) bzr revid: al@openerp.com-20121219113339-vhstwyo51jw0znqw 2012-12-19 11:33:39 +00:00
[IMP] auth_crypt base_crypt cleanup bzr revid: al@openerp.com-20121219112031-mtogxyq1fxsbopz0 2012-12-19 11:20:31 +00:00			`class res_users(osv.osv):`
			`_inherit = "res.users"`

[IMP] auth_crypt: upgrade default kdf to pbkdf2_sha512 Applies to new and yet-to-be-encrypted users, existing already-encrypted will keep logging in as usual, their password storage will be upgraded on next password change. 2014-06-19 06:46:15 +00:00			`def _crypt_context(self, cr, uid, id, context=None):`
[IMP] auth_crypt: automatically upgrde deprecated hashes on login 2014-06-19 07:12:17 +00:00			`""" Passlib CryptContext instance used to encrypt and verify`
			`passwords. Can be overridden if technical, legal or political matters`
			`require different kdfs than the provided default.`

			`Requires a CryptContext as deprecation and upgrade notices are used`
			`internally`
[IMP] auth_crypt: upgrade default kdf to pbkdf2_sha512 Applies to new and yet-to-be-encrypted users, existing already-encrypted will keep logging in as usual, their password storage will be upgraded on next password change. 2014-06-19 06:46:15 +00:00			`"""`
			`return default_crypt_context`

[IMP] auth_crypt: automatically upgrde deprecated hashes on login 2014-06-19 07:12:17 +00:00			`def _store_encrypted_password(self, cr, uid, id, encrypted, context=None):`
			`"""`
			`:param uid: id of the current user`
			`:param id: id of the user on which the password should be set`
			`"""`
			`cr.execute(`
			`"UPDATE res_users SET password='', password_crypt=%s WHERE id=%s",`
			`(encrypted, id))`

[IMP] auth_crypt base_crypt cleanup bzr revid: al@openerp.com-20121219112031-mtogxyq1fxsbopz0 2012-12-19 11:20:31 +00:00			`def set_pw(self, cr, uid, id, name, value, args, context):`
			`if value:`
[IMP] auth_crypt: upgrade default kdf to pbkdf2_sha512 Applies to new and yet-to-be-encrypted users, existing already-encrypted will keep logging in as usual, their password storage will be upgraded on next password change. 2014-06-19 06:46:15 +00:00			`encrypted = self._crypt_context(cr, uid, id, context=context)\`
			`.encrypt(value)`
[IMP] auth_crypt: automatically upgrde deprecated hashes on login 2014-06-19 07:12:17 +00:00			`self._store_encrypted_password(`
			`cr, uid, id, encrypted, context=context)`
[IMP] auth_crypt base_crypt cleanup bzr revid: al@openerp.com-20121219112031-mtogxyq1fxsbopz0 2012-12-19 11:20:31 +00:00
			`def get_pw( self, cr, uid, ids, name, args, context ):`
			`cr.execute('select id, password from res_users where id in %s', (tuple(map(int, ids)),))`
[IMP] auth_crypt: simplify get_pw 2014-06-19 07:14:21 +00:00			`return dict(cr.fetchall())`
[IMP] auth_crypt base_crypt cleanup bzr revid: al@openerp.com-20121219112031-mtogxyq1fxsbopz0 2012-12-19 11:20:31 +00:00
			`_columns = {`
			`'password': fields.function(get_pw, fnct_inv=set_pw, type='char', string='Password', invisible=True, store=True),`
			`'password_crypt': fields.char(string='Encrypted Password', invisible=True),`
			`}`

			`def check_credentials(self, cr, uid, password):`
			`# convert to base_crypt if needed`
			`cr.execute('SELECT password, password_crypt FROM res_users WHERE id=%s AND active', (uid,))`
[IMP] auth_crypt: port to passlib instead of using embedded/hand-rolled md5crypt 2014-06-19 06:39:22 +00:00			`stored_password_crypt = None`
[IMP] auth_crypt base_crypt cleanup bzr revid: al@openerp.com-20121219112031-mtogxyq1fxsbopz0 2012-12-19 11:20:31 +00:00			`if cr.rowcount:`
			`stored_password, stored_password_crypt = cr.fetchone()`
[FIX]auth_crypt: check_credentials checking if there is a password stored, if not, not trying to crypt anything and raise bzr revid: dle@openerp.com-20130801151539-z0bes7ylx5qwa8tw 2013-08-01 15:15:39 +00:00			`if stored_password and not stored_password_crypt:`
[IMP] auth_crypt: automatically upgrde deprecated hashes on login 2014-06-19 07:12:17 +00:00			`stored_password_crypt = self._crypt_context(cr, uid, uid).encrypt(stored_password)`
			`self._store_encrypted_password(cr, uid, uid, stored_password_crypt)`
[IMP] auth_crypt base_crypt cleanup bzr revid: al@openerp.com-20121219112031-mtogxyq1fxsbopz0 2012-12-19 11:20:31 +00:00			`try:`
			`return super(res_users, self).check_credentials(cr, uid, password)`
			`except openerp.exceptions.AccessDenied:`
[FIX]auth_crypt: check_credentials checking if there is a password stored, if not, not trying to crypt anything and raise bzr revid: dle@openerp.com-20130801151539-z0bes7ylx5qwa8tw 2013-08-01 15:15:39 +00:00			`if stored_password_crypt:`
[IMP] auth_crypt: automatically upgrde deprecated hashes on login 2014-06-19 07:12:17 +00:00			`valid, replacement = self._crypt_context(cr, uid, uid)\`
			`.verify_and_update(password, stored_password_crypt)`
			`if replacement:`
			`self._store_encrypted_password(cr, uid, uid, replacement)`
			`if valid:`
[IMP] auth_crypt: port to passlib instead of using embedded/hand-rolled md5crypt 2014-06-19 06:39:22 +00:00			`return`
[IMP] auth_crypt base_crypt cleanup bzr revid: al@openerp.com-20121219112031-mtogxyq1fxsbopz0 2012-12-19 11:20:31 +00:00			`# Reraise password incorrect`
			`raise`

[IMP] auth_crypt add sha256 from enhance_base_crypt_trunk (not enabled by default) bzr revid: al@openerp.com-20121219113339-vhstwyo51jw0znqw 2012-12-19 11:33:39 +00:00
[IMP] auth_crypt base_crypt cleanup bzr revid: al@openerp.com-20121219112031-mtogxyq1fxsbopz0 2012-12-19 11:20:31 +00:00			`# vim:expandtab:smartindent:tabstop=4:softtabstop=4:shiftwidth=4:`