def init_config(self, app):
"""Initialize configuration.
:param app: The Flask application.
"""
try:
pkg_resources.get_distribution("celery")
app.config.setdefault("ACCOUNTS_USE_CELERY",
not (app.debug or app.testing))
except pkg_resources.DistributionNotFound: # pragma: no cover
app.config.setdefault("ACCOUNTS_USE_CELERY", False)
# Register Invenio legacy password hashing
register_crypt_handler(InvenioAesEncryptedEmail)
# Change Flask defaults
app.config.setdefault("SESSION_COOKIE_SECURE", not app.debug)
# Change Flask-Security defaults
app.config.setdefault("SECURITY_PASSWORD_SALT",
app.config["SECRET_KEY"])
# Set JWT secret key
app.config.setdefault(
"ACCOUNTS_JWT_SECRET_KEY",
app.config.get("ACCOUNTS_JWT_SECRET_KEY",
app.config.get("SECRET_KEY")),
)
config_apps = ["ACCOUNTS", "SECURITY_"]
for k in dir(config):
if any([k.startswith(prefix) for prefix in config_apps]):
app.config.setdefault(k, getattr(config, k))
def test_get_crypt_handler(self):
"""test get_crypt_handler()"""
class dummy_1(uh.StaticHandler):
name = "dummy_1"
# without available handler
self.assertRaises(KeyError, get_crypt_handler, "dummy_1")
self.assertIs(get_crypt_handler("dummy_1", None), None)
# already loaded handler
register_crypt_handler(dummy_1)
self.assertIs(get_crypt_handler("dummy_1"), dummy_1)
with warnings.catch_warnings():
warnings.filterwarnings("ignore", "handler names should be lower-case, and use underscores instead of hyphens:.*", UserWarning)
# already loaded handler, using incorrect name
self.assertIs(get_crypt_handler("DUMMY-1"), dummy_1)
# lazy load of unloaded handler, using incorrect name
register_crypt_handler_path('dummy_0', __name__)
self.assertIs(get_crypt_handler("DUMMY-0"), dummy_0)
# check system & private names aren't returned
import passlib.hash # ensure module imported, so py3.3 sets __package__
passlib.hash.__dict__["_fake"] = "dummy" # so behavior seen under py2x also
for name in ["_fake", "__package__"]:
self.assertRaises(KeyError, get_crypt_handler, name)
self.assertIs(get_crypt_handler(name, None), None)
def test_get_crypt_handler(self):
"""test get_crypt_handler()"""
class dummy_1(uh.StaticHandler):
name = "dummy_1"
# without available handler
self.assertRaises(KeyError, get_crypt_handler, "dummy_1")
self.assertIs(get_crypt_handler("dummy_1", None), None)
# already loaded handler
register_crypt_handler(dummy_1)
self.assertIs(get_crypt_handler("dummy_1"), dummy_1)
with warnings.catch_warnings():
warnings.filterwarnings(
"ignore",
"handler names should be lower-case, and use underscores instead of hyphens:.*",
UserWarning)
# already loaded handler, using incorrect name
self.assertIs(get_crypt_handler("DUMMY-1"), dummy_1)
# lazy load of unloaded handler, using incorrect name
register_crypt_handler_path('dummy_0', __name__)
self.assertIs(get_crypt_handler("DUMMY-0"), dummy_0)
# check system & private names aren't returned
from passlib import hash
hash.__dict__["_fake"] = "dummy"
for name in ["_fake", "__package__"]:
self.assertRaises(KeyError, get_crypt_handler, name)
self.assertIs(get_crypt_handler(name, None), None)
def init_config(self, app):
"""Initialize configuration.
:param app: The Flask application.
"""
try:
pkg_resources.get_distribution('celery')
app.config.setdefault("ACCOUNTS_USE_CELERY",
not (app.debug or app.testing))
except pkg_resources.DistributionNotFound: # pragma: no cover
app.config.setdefault("ACCOUNTS_USE_CELERY", False)
app.config.setdefault('ACCOUNTS', True)
# Register Invenio legacy password hashing
register_crypt_handler(InvenioAesEncryptedEmail)
# Change Flask-Security defaults
app.config.setdefault('SECURITY_CHANGEABLE', True)
app.config.setdefault('SECURITY_CONFIRMABLE', True)
app.config.setdefault('SECURITY_PASSWORD_HASH', 'pbkdf2_sha512')
app.config.setdefault('SECURITY_PASSWORD_SCHEMES',
['pbkdf2_sha512', 'invenio_aes_encrypted_email'])
app.config.setdefault('SECURITY_DEPRECATED_PASSWORD_SCHEMES',
['invenio_aes_encrypted_email'])
app.config.setdefault('SECURITY_RECOVERABLE', True)
app.config.setdefault('SECURITY_REGISTERABLE', True)
app.config.setdefault('SECURITY_TRACKABLE', True)
app.config.setdefault('SECURITY_LOGIN_WITHOUT_CONFIRMATION', True)
app.config.setdefault('SECURITY_PASSWORD_SALT',
app.config['SECRET_KEY'])
# Change default templates
app.config.setdefault("SECURITY_FORGOT_PASSWORD_TEMPLATE",
"invenio_accounts/forgot_password.html")
app.config.setdefault("SECURITY_LOGIN_USER_TEMPLATE",
"invenio_accounts/login_user.html")
app.config.setdefault("SECURITY_REGISTER_USER_TEMPLATE",
"invenio_accounts/register_user.html")
app.config.setdefault("SECURITY_RESET_PASSWORD_TEMPLATE",
"invenio_accounts/reset_password.html")
app.config.setdefault("SECURITY_CHANGE_PASSWORD_TEMPLATE",
"invenio_accounts/change_password.html")
app.config.setdefault("SECURITY_SEND_CONFIRMATION_TEMPLATE",
"invenio_accounts/send_confirmation.html")
app.config.setdefault("SECURITY_SEND_LOGIN_TEMPLATE",
"invenio_accounts/send_login.html")
app.config.setdefault("SECURITY_REGISTER_URL", "/signup/")
app.config.setdefault("SECURITY_RESET_URL", "/lost-password/")
app.config.setdefault("SECURITY_LOGIN_URL", "/login/")
app.config.setdefault("SECURITY_LOGOUT_URL", "/logout/")
app.config.setdefault("SECURITY_CHANGE_URL",
"/accounts/settings/password/")
for k in dir(config):
if k.startswith('ACCOUNTS_'):
app.config.setdefault(k, getattr(config, k))
def init_app(self, app):
"""Initialize application."""
# Register Invenio legacy password hashing.
register_crypt_handler(invenio_aes_encrypted_email)
app.config.setdefault('PASSLIB_SCHEMES',
['sha512_crypt', 'invenio_aes_encrypted_email'])
app.config.setdefault('PASSLIB_DEPRECATED_SCHEMES',
['invenio_aes_encrypted_email'])
# Create password context.
app.extensions['passlib'] = CryptContext(
schemes=app.config['PASSLIB_SCHEMES'],
deprecated=app.config['PASSLIB_DEPRECATED_SCHEMES'])
def test_get_crypt_handler(self):
"test get_crypt_handler()"
class dummy_1(uh.StaticHandler):
name = "dummy_1"
self.assertRaises(KeyError, get_crypt_handler, "dummy_1")
register_crypt_handler(dummy_1)
self.assertIs(get_crypt_handler("dummy_1"), dummy_1)
with catch_warnings():
warnings.filterwarnings("ignore", "handler names should be lower-case, and use underscores instead of hyphens:.*", UserWarning)
self.assertIs(get_crypt_handler("DUMMY-1"), dummy_1)
def init_config(self, app):
"""Initialize configuration.
:param app: The Flask application.
"""
try:
pkg_resources.get_distribution('celery')
app.config.setdefault("ACCOUNTS_USE_CELERY",
not (app.debug or app.testing))
except pkg_resources.DistributionNotFound: # pragma: no cover
app.config.setdefault("ACCOUNTS_USE_CELERY", False)
# Register Invenio legacy password hashing
register_crypt_handler(InvenioAesEncryptedEmail)
# Change Flask defaults
app.config.setdefault('SESSION_COOKIE_SECURE', not app.debug)
# Change Flask-Security defaults
app.config.setdefault('SECURITY_PASSWORD_SALT',
app.config['SECRET_KEY'])
# Set JWT secret key
app.config.setdefault(
'ACCOUNTS_JWT_SECRET_KEY',
app.config.get('ACCOUNTS_JWT_SECRET_KEY',
app.config.get('SECRET_KEY')))
config_apps = ['ACCOUNTS', 'SECURITY_']
for k in dir(config):
if any([k.startswith(prefix) for prefix in config_apps]):
app.config.setdefault(k, getattr(config, k))
# Set Session KV store
if app.config.get('ACCOUNTS_SESSION_REDIS_URL'):
import redis
from simplekv.memory.redisstore import RedisStore
session_kvstore = RedisStore(
redis.StrictRedis.from_url(
app.config['ACCOUNTS_SESSION_REDIS_URL']))
else:
from simplekv.memory import DictStore
session_kvstore = DictStore()
self.kvsession_extension = KVSessionExtension(session_kvstore, app)
def init_app(self, app):
"""Initialize application."""
# Register Invenio legacy password hashing.
register_crypt_handler(invenio_aes_encrypted_email)
app.config.setdefault(
'PASSLIB_SCHEMES',
['sha512_crypt', 'invenio_aes_encrypted_email']
)
app.config.setdefault(
'PASSLIB_DEPRECATED_SCHEMES',
['invenio_aes_encrypted_email']
)
# Create password context.
app.extensions['passlib'] = CryptContext(
schemes=app.config['PASSLIB_SCHEMES'],
deprecated=app.config['PASSLIB_DEPRECATED_SCHEMES']
)
def test_register_crypt_handler(self):
"""test register_crypt_handler()"""
self.assertRaises(TypeError, register_crypt_handler, {})
self.assertRaises(ValueError, register_crypt_handler, type('x', (uh.StaticHandler,), dict(name=None)))
self.assertRaises(ValueError, register_crypt_handler, type('x', (uh.StaticHandler,), dict(name="AB_CD")))
self.assertRaises(ValueError, register_crypt_handler, type('x', (uh.StaticHandler,), dict(name="ab-cd")))
self.assertRaises(ValueError, register_crypt_handler, type('x', (uh.StaticHandler,), dict(name="ab__cd")))
self.assertRaises(ValueError, register_crypt_handler, type('x', (uh.StaticHandler,), dict(name="default")))
class dummy_1(uh.StaticHandler):
name = "dummy_1"
class dummy_1b(uh.StaticHandler):
name = "dummy_1"
self.assertTrue('dummy_1' not in list_crypt_handlers())
register_crypt_handler(dummy_1)
register_crypt_handler(dummy_1)
self.assertIs(get_crypt_handler("dummy_1"), dummy_1)
self.assertRaises(KeyError, register_crypt_handler, dummy_1b)
self.assertIs(get_crypt_handler("dummy_1"), dummy_1)
register_crypt_handler(dummy_1b, force=True)
self.assertIs(get_crypt_handler("dummy_1"), dummy_1b)
self.assertTrue('dummy_1' in list_crypt_handlers())
def test_register_crypt_handler(self):
"""test register_crypt_handler()"""
self.assertRaises(TypeError, register_crypt_handler, {})
self.assertRaises(ValueError, register_crypt_handler, type('x', (uh.StaticHandler,), dict(name=None)))
self.assertRaises(ValueError, register_crypt_handler, type('x', (uh.StaticHandler,), dict(name="AB_CD")))
self.assertRaises(ValueError, register_crypt_handler, type('x', (uh.StaticHandler,), dict(name="ab-cd")))
self.assertRaises(ValueError, register_crypt_handler, type('x', (uh.StaticHandler,), dict(name="ab__cd")))
self.assertRaises(ValueError, register_crypt_handler, type('x', (uh.StaticHandler,), dict(name="default")))
class dummy_1(uh.StaticHandler):
name = "dummy_1"
class dummy_1b(uh.StaticHandler):
name = "dummy_1"
self.assertTrue('dummy_1' not in list_crypt_handlers())
register_crypt_handler(dummy_1)
register_crypt_handler(dummy_1)
self.assertIs(get_crypt_handler("dummy_1"), dummy_1)
self.assertRaises(KeyError, register_crypt_handler, dummy_1b)
self.assertIs(get_crypt_handler("dummy_1"), dummy_1)
register_crypt_handler(dummy_1b, force=True)
self.assertIs(get_crypt_handler("dummy_1"), dummy_1b)
self.assertTrue('dummy_1' in list_crypt_handlers())
def init_config(self, app):
"""Initialize configuration.
:param app: The Flask application.
"""
try:
pkg_resources.get_distribution('celery')
app.config.setdefault("ACCOUNTS_USE_CELERY",
not (app.debug or app.testing))
except pkg_resources.DistributionNotFound: # pragma: no cover
app.config.setdefault("ACCOUNTS_USE_CELERY", False)
# Register Invenio legacy password hashing
register_crypt_handler(InvenioAesEncryptedEmail)
# Change Flask-Security defaults
app.config.setdefault('SECURITY_PASSWORD_SALT',
app.config['SECRET_KEY'])
config_apps = ['ACCOUNTS', 'SECURITY_']
for k in dir(config):
if any([k.startswith(prefix) for prefix in config_apps]):
app.config.setdefault(k, getattr(config, k))
def test_get_crypt_handler(self):
"test get_crypt_handler()"
class dummy_1(uh.StaticHandler):
name = "dummy_1"
# without available handler
self.assertRaises(KeyError, get_crypt_handler, "dummy_1")
self.assertIs(get_crypt_handler("dummy_1", None), None)
# already loaded handler
register_crypt_handler(dummy_1)
self.assertIs(get_crypt_handler("dummy_1"), dummy_1)
with catch_warnings():
warnings.filterwarnings("ignore", "handler names should be lower-case, and use underscores instead of hyphens:.*", UserWarning)
# already loaded handler, using incorrect name
self.assertIs(get_crypt_handler("DUMMY-1"), dummy_1)
# lazy load of unloaded handler, using incorrect name
register_crypt_handler_path('dummy_0', __name__)
self.assertIs(get_crypt_handler("DUMMY-0"), dummy_0)
def init_config(self, app):
"""Initialize configuration.
:param app: The Flask application.
"""
try:
pkg_resources.get_distribution('celery')
app.config.setdefault(
"ACCOUNTS_USE_CELERY", not (app.debug or app.testing))
except pkg_resources.DistributionNotFound: # pragma: no cover
app.config.setdefault("ACCOUNTS_USE_CELERY", False)
app.config.setdefault('ACCOUNTS', True)
# Register Invenio legacy password hashing
register_crypt_handler(InvenioAesEncryptedEmail)
# Change Flask-Security defaults
app.config.setdefault('SECURITY_CHANGEABLE', True)
app.config.setdefault('SECURITY_CONFIRMABLE', True)
app.config.setdefault('SECURITY_PASSWORD_HASH', 'pbkdf2_sha512')
app.config.setdefault('SECURITY_PASSWORD_SCHEMES',
['pbkdf2_sha512', 'invenio_aes_encrypted_email'])
app.config.setdefault('SECURITY_DEPRECATED_PASSWORD_SCHEMES',
['invenio_aes_encrypted_email'])
app.config.setdefault('SECURITY_RECOVERABLE', True)
app.config.setdefault('SECURITY_REGISTERABLE', True)
app.config.setdefault('SECURITY_TRACKABLE', True)
app.config.setdefault('SECURITY_LOGIN_WITHOUT_CONFIRMATION', True)
app.config.setdefault('SECURITY_PASSWORD_SALT',
app.config['SECRET_KEY'])
# Change default templates
app.config.setdefault("SECURITY_FORGOT_PASSWORD_TEMPLATE",
"invenio_accounts/forgot_password.html")
app.config.setdefault("SECURITY_LOGIN_USER_TEMPLATE",
"invenio_accounts/login_user.html")
app.config.setdefault("SECURITY_REGISTER_USER_TEMPLATE",
"invenio_accounts/register_user.html")
app.config.setdefault("SECURITY_RESET_PASSWORD_TEMPLATE",
"invenio_accounts/reset_password.html")
app.config.setdefault("SECURITY_CHANGE_PASSWORD_TEMPLATE",
"invenio_accounts/change_password.html")
app.config.setdefault("SECURITY_SEND_CONFIRMATION_TEMPLATE",
"invenio_accounts/send_confirmation.html")
app.config.setdefault("SECURITY_SEND_LOGIN_TEMPLATE",
"invenio_accounts/send_login.html")
app.config.setdefault("SECURITY_REGISTER_URL",
"/signup/")
app.config.setdefault("SECURITY_RESET_URL",
"/lost-password/")
app.config.setdefault("SECURITY_LOGIN_URL",
"/login/")
app.config.setdefault("SECURITY_LOGOUT_URL",
"/logout/")
app.config.setdefault("SECURITY_CHANGE_URL",
"/accounts/settings/password/")
for k in dir(config):
if k.startswith('ACCOUNTS_'):
app.config.setdefault(k, getattr(config, k))
"helper for method in test_registry.py"
from passlib.registry import register_crypt_handler
import passlib.utils.handlers as uh
class dummy_bad(uh.StaticHandler):
name = "dummy_bad"
class alt_dummy_bad(uh.StaticHandler):
name = "dummy_bad"
# NOTE: if passlib.tests is being run from symlink (e.g. via gaeunit),
# this module may be imported a second time as test._test_bad_registry.
# we don't want it to do anything in that case.
if __name__.startswith("passlib.tests"):
register_crypt_handler(alt_dummy_bad)
class LegacyPassword(pbkdf2_sha256):
name = "frappe_legacy"
ident = "$frappel$"
def _calc_checksum(self, secret):
# check if this is a mysql hash
# it is possible that we will generate a false positive if the users password happens to be 40 hex chars proceeded
# by an * char, but this seems highly unlikely
if not (secret[0] == "*" and len(secret) == 41
and all(c in string.hexdigits for c in secret[1:])):
secret = mysql41.hash(secret + self.salt.decode('utf-8'))
return super(LegacyPassword, self)._calc_checksum(secret)
register_crypt_handler(LegacyPassword, force=True)
passlibctx = CryptContext(
schemes=[
"pbkdf2_sha256",
"argon2",
"frappe_legacy",
],
deprecated=[
"frappe_legacy",
],
)
def get_decrypted_password(doctype,
name,
fieldname="password",
def includeme(config):
register_crypt_handler(EDWHash)
checksum_size = 32
max_salt_size = 32
_hash_func = hashlib.sha256
_hash_regex = re.compile(u(r"^\{SSHA256\}(?P<tmp>[+/a-zA-Z0-9]{48,}={0,2})$"))
class ldap_salted_sha512(_SaltedBase64DigestHelper):
name = 'ldap_salted_sha512'
ident = u'{SSHA512}'
checksum_size = 64
max_salt_size = 64
_hash_func = hashlib.sha512
_hash_regex = re.compile(u(r"^\{SSHA512\}(?P<tmp>[+/a-zA-Z0-9]{88,}={0,2})$"))
register_crypt_handler(phpass_drupal)
register_crypt_handler(ldap_salted_sha256)
register_crypt_handler(ldap_salted_sha512)
# The list of supported password hash types for verification (passlib handler)
pw_ctx = CryptContext(schemes=['phpass',
'phpass_drupal',
'ldap_salted_sha1',
'ldap_salted_sha256',
'ldap_salted_sha512',
'ldap_sha1',
'md5_crypt',
'bcrypt',
'sha512_crypt',
'sha256_crypt',
'hex_sha256',
_hash_func = hashlib.sha256
_hash_regex = re.compile(
u(r"^\{SSHA256\}(?P<tmp>[+/a-zA-Z0-9]{48,}={0,2})$"))
class ldap_salted_sha512(_SaltedBase64DigestHelper):
name = 'ldap_salted_sha512'
ident = u'{SSHA512}'
checksum_size = 64
max_salt_size = 64
_hash_func = hashlib.sha512
_hash_regex = re.compile(
u(r"^\{SSHA512\}(?P<tmp>[+/a-zA-Z0-9]{88,}={0,2})$"))
register_crypt_handler(phpass_drupal)
register_crypt_handler(ldap_salted_sha256)
register_crypt_handler(ldap_salted_sha512)
# The list of supported password hash types for verification (passlib handler)
pw_ctx = CryptContext(schemes=[
'phpass',
'phpass_drupal',
'ldap_salted_sha1',
'ldap_salted_sha256',
'ldap_salted_sha512',
'ldap_sha1',
'md5_crypt',
'bcrypt',
'sha512_crypt',
'sha256_crypt',
def __enter__(self):
from passlib import registry
registry._unload_handler_name(self.name, locations=False)
registry.register_crypt_handler(self.dummy)
assert registry.get_crypt_handler(self.name) is self.dummy
return self.dummy
class LegacyPassword(pbkdf2_sha256):
name = "frappe_legacy"
ident = "$frappel$"
def _calc_checksum(self, secret):
# check if this is a mysql hash
# it is possible that we will generate a false positive if the users password happens to be 40 hex chars proceeded
# by an * char, but this seems highly unlikely
if not (secret[0] == "*" and len(secret) == 41 and all(c in string.hexdigits for c in secret[1:])):
secret = mysql41.hash(secret + self.salt.decode('utf-8'))
return super(LegacyPassword, self)._calc_checksum(secret)
register_crypt_handler(LegacyPassword, force=True)
passlibctx = CryptContext(
schemes=[
"pbkdf2_sha256",
"argon2",
"frappe_legacy",
],
deprecated=[
"frappe_legacy",
],
)
def get_decrypted_password(doctype, name, fieldname='password', raise_exception=True):
auth = frappe.db.sql('''select `password` from `__Auth`
where doctype=%(doctype)s and name=%(name)s and fieldname=%(fieldname)s and encrypted=1''',
def __enter__(self):
from passlib import registry
registry._unload_handler_name(self.name, locations=False)
registry.register_crypt_handler(self.dummy)
assert registry.get_crypt_handler(self.name) is self.dummy
return self.dummy
def includeme(config):
register_crypt_handler(SNOWHash)
