[IMP] auth_crypt: upgrade default kdf to pbkdf2_sha512
Applies to new and yet-to-be-encrypted users, existing already-encrypted will keep logging in as usual, their password storage will be upgraded on next password *change*.
This commit is contained in:
parent
cf41752470
commit
d9d8c94412
|
@ -1,19 +1,32 @@
|
|||
import logging
|
||||
|
||||
from passlib.hash import md5_crypt
|
||||
from passlib.context import CryptContext
|
||||
|
||||
import openerp
|
||||
from openerp.osv import fields, osv
|
||||
|
||||
_logger = logging.getLogger(__name__)
|
||||
|
||||
default_crypt_context = CryptContext(
|
||||
# kdf which can be verified by the context. The default encryption kdf is
|
||||
# the first of the list
|
||||
['pbkdf2_sha512', 'md5_crypt'],
|
||||
)
|
||||
|
||||
class res_users(osv.osv):
|
||||
_inherit = "res.users"
|
||||
|
||||
def _crypt_context(self, cr, uid, id, context=None):
|
||||
""" Passlib PasswordHash (or CryptContext) instance used to encrypt
|
||||
and verify passwords. Can be overridden if technical, legal or
|
||||
political matters require different kdfs than the provided default.
|
||||
"""
|
||||
return default_crypt_context
|
||||
|
||||
def set_pw(self, cr, uid, id, name, value, args, context):
|
||||
if value:
|
||||
encrypted = md5_crypt.encrypt(value)
|
||||
encrypted = self._crypt_context(cr, uid, id, context=context)\
|
||||
.encrypt(value)
|
||||
cr.execute("update res_users set password='', password_crypt=%s where id=%s", (encrypted, id))
|
||||
|
||||
def get_pw( self, cr, uid, ids, name, args, context ):
|
||||
|
@ -38,14 +51,14 @@ class res_users(osv.osv):
|
|||
if cr.rowcount:
|
||||
stored_password, stored_password_crypt = cr.fetchone()
|
||||
if stored_password and not stored_password_crypt:
|
||||
stored_password_crypt = md5_crypt.encrypt(stored_password)
|
||||
stored_password_crypt = self._crypt_context(cr, uid, id).encrypt(stored_password)
|
||||
cr.execute("UPDATE res_users SET password='', password_crypt=%s WHERE id=%s", (stored_password_crypt, uid))
|
||||
try:
|
||||
return super(res_users, self).check_credentials(cr, uid, password)
|
||||
except openerp.exceptions.AccessDenied:
|
||||
# check md5crypt
|
||||
if stored_password_crypt:
|
||||
if md5_crypt.verify(password, stored_password_crypt):
|
||||
if self._crypt_context(cr, uid, id).verify(password, stored_password_crypt):
|
||||
return
|
||||
# Reraise password incorrect
|
||||
raise
|
||||
|
|
Loading…
Reference in New Issue