

[Merge] lp:~camptocamp/ocb-addons/improve_auth_crypt-nbi into lp:ocb-addons

 

Nicolas Bessi - Camptocamp has proposed merging lp:~camptocamp/ocb-addons/improve_auth_crypt-nbi into lp:ocb-addons.

Commit message:
[IMP] module auth_crypt use sha256 by default to encrypt password. The modification keeps retro compatibility.

[IMP] Add an init function on res.users to encrypt all passwords when installing module and avoid plain password for deactivated users.

Requested reviews:
  OpenERP Community Backports Team (ocb)

For more details, see:
https://code.launchpad.net/~camptocamp/ocb-addons/improve_auth_crypt-nbi/+merge/206364

Improve module auth_crypt: use sha256 by default to encrypt passwords. The modification keeps backward compatibility.

Add an init function on res.users to encrypt all passwords when installing module and avoid plain password for deactivated users.
-- 
https://code.launchpad.net/~camptocamp/ocb-addons/improve_auth_crypt-nbi/+merge/206364
Your team OpenERP Community Backports Team is requested to review the proposed merge of lp:~camptocamp/ocb-addons/improve_auth_crypt-nbi into lp:ocb-addons.
=== modified file 'auth_crypt/auth_crypt.py'
--- auth_crypt/auth_crypt.py	2013-08-12 10:29:50 +0000
+++ auth_crypt/auth_crypt.py	2014-02-14 09:28:44 +0000
@@ -105,11 +105,11 @@
 
     return magic + salt + '$' + rearranged
 
-def sh256crypt(cls, password, salt, magic=magic_sha256):
+def sha256crypt( password, salt, magic=magic_sha256):
     iterations = 1000
     # see http://en.wikipedia.org/wiki/PBKDF2
     result = password.encode('utf8')
-    for i in xrange(cls.iterations):
+    for i in xrange(iterations):
         result = hmac.HMAC(result, salt, hashlib.sha256).digest() # uses HMAC (RFC 2104) to apply salt
     result = result.encode('base64') # doesnt seem to be crypt(3) compatible
     return '%s%s$%s' % (magic_sha256, salt, result)
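Review bot: The `magic` parameter of the renamed `sha256crypt` is never used — the return on the last line of the hunk formats `magic_sha256` directly, so a caller passing a different magic gets a mislabelled hash; it should read `return '%s%s$%s' % (magic, salt, result)`. The `result.encode('base64')` call on the line above appends a trailing newline to the value that ends up in `password_crypt` (and the str-codec form is Python 2 only); `base64.b64encode(result)` gives a clean digest if the module already imports `base64`, otherwise the newline should at least be stripped. The comment citing PBKDF2 overstates what the loop does: each round re-keys HMAC with the previous output and uses the salt as the message, which is a hash chain rather than PBKDF2 — either correct the comment to say so or switch to `hashlib.pbkdf2_hmac` where the Python version provides it.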
@@ -117,6 +117,18 @@
 class res_users(osv.osv):
     _inherit = "res.users"
 
+    def init(self, cr):
+        """encrypt all password"""
+        cr.execute("SELECT id, password FROM res_users WHERE password != ''",)
+        to_encrypt = cr.fetchall()
+        if to_encrypt:
+            for user in to_encrypt:
+                salt = gen_salt()
+                stored_password_crypt = sha256crypt(user[1], salt)
+                cr.execute("UPDATE res_users SET password='', password_crypt=%s WHERE id=%s",
+                           (stored_password_crypt, user[0]))
+        return True
+
     def set_pw(self, cr, uid, id, name, value, args, context):
         if value:
             encrypted = md5crypt(value, gen_salt())
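Review bot: `set_pw` still hashes new passwords with `md5crypt` (the context line `encrypted = md5crypt(value, gen_salt())` at the bottom of the hunk), so after `init` has converted existing rows to sha256 every subsequent password change silently falls back to md5; the commit message's "sha256 by default" only holds for the migration, and that line should become `encrypted = sha256crypt(value, gen_salt())`. In `init`, the `if to_encrypt:` guard is redundant since iterating an empty list is already a no-op, and the docstring would be clearer as `"""Hash every stored plaintext password into password_crypt and blank the plaintext column."""`. `set_pw` continues outside the hunk.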
@@ -145,7 +157,7 @@
             stored_password, stored_password_crypt = cr.fetchone()
             if stored_password and not stored_password_crypt:
                 salt = gen_salt()
-                stored_password_crypt = md5crypt(stored_password, salt)
+                stored_password_crypt = sha256crypt(stored_password, salt)
                 cr.execute("UPDATE res_users SET password='', password_crypt=%s WHERE id=%s", (stored_password_crypt, uid))
         try:
             return super(res_users, self).check_credentials(cr, uid, password)
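Review bot: The login-time migration at the changed line only covers rows that still hold a plaintext `password`; a user whose `password_crypt` was produced by the old `md5crypt` path keeps that md5 hash indefinitely, because nothing re-hashes it after a successful check. Consider re-hashing with `sha256crypt` and updating the row in the branch where the md5 comparison succeeds (presumably the `return` just above the sha256 case in the next hunk), so the md5 fallback can eventually be retired. `check_credentials` starts and ends outside the hunk.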
@@ -158,7 +170,7 @@
                         return
                 elif stored_password_crypt[:len(magic_md5)] == magic_sha256:
                     salt = stored_password_crypt[len(magic_md5):11]
-                    if stored_password_crypt == md5crypt(password, salt):
+                    if stored_password_crypt == sha256crypt(password, salt):
                         return
             # Reraise password incorrect
             raise
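Review bot: The new sha256 branch still slices with `len(magic_md5)` in both the prefix test and the salt extraction (`stored_password_crypt[:len(magic_md5)] == magic_sha256` and `[len(magic_md5):11]`), which only works while the two magic strings happen to have the same length; use `elif stored_password_crypt.startswith(magic_sha256):` and `salt = stored_password_crypt[len(magic_sha256):len(magic_sha256) + 8]`, where the `8` (currently implied by the hard-coded `11`) is presumably the salt length produced by `gen_salt` — confirm against that helper. The `==` comparison of the two hash strings is not constant-time; `hmac.compare_digest` (Python 2.7.7+) is a drop-in replacement, and `hmac` is already used by this module. `check_credentials` ends outside the hunk.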

