fwenzel / django-sha2 Goto Github PK

I have no idea why yet, but:

[TOX] /home/mat/work/django-sha2$ .tox/py27-13/bin/python setup.py test13
running test13
nosetests --verbosity 1
Creating test database for alias 'default'...
......E
======================================================================
ERROR: Test various password hashes.
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/home/mat/work/django-sha2/test/django13/../django13/tests/test_sha2.py", line 45, in test_hexdigest
    eq_(get_hexdigest(algo, self.SALT, pw), hashed)
  File "/home/mat/work/django-sha2/.tox/py27-13/local/lib/python2.7/site-packages/django/contrib/auth/models.py", line 35, in get_hexdigest
    raise ValueError("Got unknown password algorithm type in password.")
ValueError: Got unknown password algorithm type in password.

----------------------------------------------------------------------
Ran 7 tests in 8.983s

FAILED (errors=1)
Destroying test database for alias 'default'...
[TOX] ERROR: InvocationError: '.tox/py27-13/bin/python setup.py test13'

Do you know why I'd be getting this error?

Traceback (most recent call last):
  File "/Users/kumar/dev/jstestnet/jstestnet/system/tests/test_views.py", line 320, in setUp
    a.set_password('test')
  File "/Users/kumar/dev/jstestnet/vendor/lib/python/django/contrib/auth/models.py", line 294, in set_password
    self.password = make_password(raw_password)
  File "/Users/kumar/dev/jstestnet/vendor/lib/python/django/contrib/auth/hashers.py", line 62, in make_password
    hasher = get_hasher(hasher)
  File "/Users/kumar/dev/jstestnet/vendor/lib/python/django/contrib/auth/hashers.py", line 107, in get_hasher
    load_hashers()
  File "/Users/kumar/dev/jstestnet/vendor/lib/python/django/contrib/auth/hashers.py", line 84, in load_hashers
    raise ImproperlyConfigured("hasher not found: %s" % backend)
ImproperlyConfigured: hasher not found: django_sha2.hashers.bcrypt2012_06_01

I'm using the latest Playdoh and have this is my local settings per instructions from django-sha2:

HMAC_KEYS = {
    '2012-06-01': 'Example of shared key',
}

# Use sha 256 by default but support any other algorithm:
BASE_PASSWORD_HASHERS = (
    'django_sha2.hashers.SHA256PasswordHasher',
    'django_sha2.hashers.BcryptHMACCombinedPasswordVerifier',
    'django_sha2.hashers.SHA512PasswordHasher',
    'django.contrib.auth.hashers.SHA1PasswordHasher',
    'django.contrib.auth.hashers.MD5PasswordHasher',
    'django.contrib.auth.hashers.UnsaltedMD5PasswordHasher',
)

from django_sha2 import get_password_hashers
PASSWORD_HASHERS = get_password_hashers(BASE_PASSWORD_HASHERS, HMAC_KEYS)

If I comment out the HMAC keys I no longer get the hasher not found error.

Hi Fred,

I have installed the patch using easy_install and added AUTHENTICATION_BACKENDS and BCRYPT_ROUNDS to my settings.py file as well as HMAC_KEYS to my settings_local.py.

However the code does not seem to be run and patch Django unless I explicitly call it in my application:

from django_sha2.auth import BcBackend

Am I missing something here?

If we leave hex_digest untouched and put the new hashing code into User.check_password instead, django_sha2 can be used with different authentication backends and would stop relying on ModelBackend. Which would be hawt.

Is there a reason this project isn't released on PyPI?

Django removed django.utils.datastructures.SortedDict, we need to use collections.OrderedDict. Is this project accepting pull requests ? Will there ever be new release ?

Traceback (most recent call last):

File "/data/www/affiliates.mozilla.org/affiliates-app/vendor/src/django/django/core/handlers/base.py", line 111, in get_response
response = callback(request, _callback_args, *_callback_kwargs)

File "/data/www/affiliates.mozilla.org/affiliates-app/vendor/src/django-session-csrf/session_csrf/init.py", line 107, in wrapper
response = f(request, _args, *_kw)

File "/data/www/affiliates.mozilla.org/affiliates-app/apps/users/views.py", line 54, in register
form.cleaned_data['password'])

File "/data/www/affiliates.mozilla.org/affiliates-app/apps/users/models.py", line 95, in create_profile
profile.set_password(password)

File "/data/www/affiliates.mozilla.org/affiliates-app/apps/users/models.py", line 172, in set_password
self.password = hash_password(raw_password)

File "/data/www/affiliates.mozilla.org/affiliates-app/apps/users/utils.py", line 7, in hash_password
u.set_password(raw_password)

File "/data/www/affiliates.mozilla.org/affiliates-app/vendor/src/django-sha2/django_sha2/auth.py", line 53, in set_password
hsh = get_hexdigest(algo, salt, raw_password)

File "/data/www/affiliates.mozilla.org/affiliates-app/vendor/src/django-sha2/django_sha2/auth.py", line 87, in get_hexdigest
return getattr(hashlib, algorithm)(salt + raw_password).hexdigest()

UnicodeEncodeError: 'ascii' codec can't encode character u'\xe0' in position 29: ordinal not in range(128)

When logging in with an outdated HMAC key, we should detect it and automatically on login and update the hash to the latest HMAC key.

Having separate auth backends with no actual content might do more harm than good. It would be easier to use a setting for the desired algorithm and default to bcrypt.

Currently we just hand off SHA1 (and such) to the built-in Django PW mechanism, even if bcrypt is enabled. We should have a setting that enables auto-updating of hashes on login.

Creating a new superuser will not work automatically with sha_256 yet. Sadface!