From 6010a1bcf9ac9f81a3a10fb958940b377454a085 Mon Sep 17 00:00:00 2001 From: Mark McCormick Date: Wed, 8 May 2024 00:20:25 +0100 Subject: [PATCH 1/3] change password hash method Signed-off-by: Mark McCormick --- bin/hash_db_password.py | 2 +- flask_appbuilder/security/manager.py | 2 +- flask_appbuilder/security/mongoengine/manager.py | 4 ++-- flask_appbuilder/security/sqla/apis/user/api.py | 4 ++-- flask_appbuilder/security/sqla/manager.py | 4 ++-- flask_appbuilder/security/views.py | 2 +- tests/test_security_api.py | 2 +- 7 files changed, 10 insertions(+), 10 deletions(-) diff --git a/bin/hash_db_password.py b/bin/hash_db_password.py index 2aa399f161..bc3c057e7f 100644 --- a/bin/hash_db_password.py +++ b/bin/hash_db_password.py @@ -38,7 +38,7 @@ for user in users: log.info("Hashing password for {0}".format(user.username)) - user.password = generate_password_hash(user.password) + user.password = generate_password_hash(user.password, method='pbkdf2:sha256') try: db.session.merge(user) db.session.commit() diff --git a/flask_appbuilder/security/manager.py b/flask_appbuilder/security/manager.py index a25b63ae72..70ec550ce2 100644 --- a/flask_appbuilder/security/manager.py +++ b/flask_appbuilder/security/manager.py @@ -915,7 +915,7 @@ def reset_password(self, userid, password): The clear text password to reset and save hashed on the db """ user = self.get_user_by_id(userid) - user.password = generate_password_hash(password) + user.password = generate_password_hash(password, method='pbkdf2:sha256') self.update_user(user) def update_user_auth_stat(self, user, success=True): diff --git a/flask_appbuilder/security/mongoengine/manager.py b/flask_appbuilder/security/mongoengine/manager.py index 6ad4fabcdd..44bf5c12b6 100644 --- a/flask_appbuilder/security/mongoengine/manager.py +++ b/flask_appbuilder/security/mongoengine/manager.py 
@@ -84,7 +84,7 @@ def add_register_user( if hashed_password: register_user.password = hashed_password else: - register_user.password = generate_password_hash(password) + register_user.password = generate_password_hash(password, method='pbkdf2:sha256') register_user.registration_hash = str(uuid.uuid1()) register_user.save() return register_user @@ -131,7 +131,7 @@ def add_user( if hashed_password: user.password = hashed_password else: - user.password = generate_password_hash(password) + user.password = generate_password_hash(password, method='pbkdf2:sha256') user.save() log.info(c.LOGMSG_INF_SEC_ADD_USER, username) return user diff --git a/flask_appbuilder/security/sqla/apis/user/api.py b/flask_appbuilder/security/sqla/apis/user/api.py index 94f250123d..90b0672a01 100644 --- a/flask_appbuilder/security/sqla/apis/user/api.py +++ b/flask_appbuilder/security/sqla/apis/user/api.py @@ -69,10 +69,10 @@ def pre_update(self, item): item.changed_on = datetime.now() item.changed_by_fk = g.user.id if item.password: - item.password = generate_password_hash(item.password) + item.password = generate_password_hash(item.password, method='pbkdf2:sha256') def pre_add(self, item): - item.password = generate_password_hash(item.password) + item.password = generate_password_hash(item.password, method='pbkdf2:sha256') @expose("/", methods=["POST"]) @protect() diff --git a/flask_appbuilder/security/sqla/manager.py b/flask_appbuilder/security/sqla/manager.py index 550cf8a72e..a66ecccaea 100755 --- a/flask_appbuilder/security/sqla/manager.py +++ b/flask_appbuilder/security/sqla/manager.py @@ -137,7 +137,7 @@ def add_register_user( if hashed_password: register_user.password = hashed_password else: - register_user.password = generate_password_hash(password) + register_user.password = generate_password_hash(password, method='pbkdf2:sha256') register_user.registration_hash = str(uuid.uuid1()) try: self.get_session.add(register_user) 
@@ -224,7 +224,7 @@ def add_user( if hashed_password: user.password = hashed_password else: - user.password = generate_password_hash(password) + user.password = generate_password_hash(password, method='pbkdf2:sha256') self.get_session.add(user) self.get_session.commit() log.info(c.LOGMSG_INF_SEC_ADD_USER, username) diff --git a/flask_appbuilder/security/views.py b/flask_appbuilder/security/views.py index 86fa1021fe..5bd122ea59 100644 --- a/flask_appbuilder/security/views.py +++ b/flask_appbuilder/security/views.py @@ -408,7 +408,7 @@ def pre_update(self, item: Any) -> None: item.changed_by_fk = g.user.id def pre_add(self, item: Any) -> None: - item.password = generate_password_hash(item.password) + item.password = generate_password_hash(item.password, method='pbkdf2:sha256') class UserStatsChartView(DirectByChartView): diff --git a/tests/test_security_api.py b/tests/test_security_api.py index 18606e9f60..6693854f91 100644 --- a/tests/test_security_api.py +++ b/tests/test_security_api.py @@ -51,7 +51,7 @@ def _create_test_user( user.username = username user.email = email user.roles = roles - user.password = generate_password_hash(password) + user.password = generate_password_hash(password, method='pbkdf2:sha256') self.session.commit() return user From 5d417cf6708baee438027fc9bccf4fbce56ceaa6 Mon Sep 17 00:00:00 2001 From: Mark McCormick Date: Wed, 8 May 2024 00:30:39 +0100 Subject: [PATCH 2/3] lint Signed-off-by: Mark McCormick --- flask_appbuilder/baseviews.py | 3 +-- flask_appbuilder/console.py | 1 + flask_appbuilder/security/manager.py | 2 +- flask_appbuilder/security/mongoengine/manager.py | 6 ++++-- flask_appbuilder/security/sqla/apis/user/api.py | 6 ++++-- flask_appbuilder/security/sqla/manager.py | 6 ++++-- flask_appbuilder/security/views.py | 2 +- 7 files changed, 16 insertions(+), 10 deletions(-) diff --git a/flask_appbuilder/baseviews.py b/flask_appbuilder/baseviews.py index ad1dc73795..9ca39f0712 100644 --- a/flask_appbuilder/baseviews.py 
+++ b/flask_appbuilder/baseviews.py @@ -82,8 +82,7 @@ def create_blueprint( appbuilder: "AppBuilder", endpoint: Optional[str] = None, static_folder: Optional[str] = None, - ): - ... + ): ... def get_uninit_inner_views(self): """ diff --git a/flask_appbuilder/console.py b/flask_appbuilder/console.py index cd10679778..f3910b9cea 100644 --- a/flask_appbuilder/console.py +++ b/flask_appbuilder/console.py @@ -5,6 +5,7 @@ $ fabmanager --help """ + from io import BytesIO import os import shutil diff --git a/flask_appbuilder/security/manager.py b/flask_appbuilder/security/manager.py index 70ec550ce2..47f88653a1 100644 --- a/flask_appbuilder/security/manager.py +++ b/flask_appbuilder/security/manager.py @@ -915,7 +915,7 @@ def reset_password(self, userid, password): The clear text password to reset and save hashed on the db """ user = self.get_user_by_id(userid) - user.password = generate_password_hash(password, method='pbkdf2:sha256') + user.password = generate_password_hash(password, method="pbkdf2:sha256") self.update_user(user) def update_user_auth_stat(self, user, success=True): diff --git a/flask_appbuilder/security/mongoengine/manager.py b/flask_appbuilder/security/mongoengine/manager.py index 44bf5c12b6..e4d7a11ac6 100644 --- a/flask_appbuilder/security/mongoengine/manager.py +++ b/flask_appbuilder/security/mongoengine/manager.py @@ -84,7 +84,9 @@ def add_register_user( if hashed_password: register_user.password = hashed_password else: - register_user.password = generate_password_hash(password, method='pbkdf2:sha256') + register_user.password = generate_password_hash( + password, method="pbkdf2:sha256" + ) register_user.registration_hash = str(uuid.uuid1()) register_user.save() return register_user 
@@ -131,7 +133,7 @@ def add_user( if hashed_password: user.password = hashed_password else: - user.password = generate_password_hash(password, method='pbkdf2:sha256') + user.password = generate_password_hash(password, method="pbkdf2:sha256") user.save() log.info(c.LOGMSG_INF_SEC_ADD_USER, username) return user diff --git a/flask_appbuilder/security/sqla/apis/user/api.py b/flask_appbuilder/security/sqla/apis/user/api.py index 90b0672a01..c0449122cc 100644 --- a/flask_appbuilder/security/sqla/apis/user/api.py +++ b/flask_appbuilder/security/sqla/apis/user/api.py @@ -69,10 +69,12 @@ def pre_update(self, item): item.changed_on = datetime.now() item.changed_by_fk = g.user.id if item.password: - item.password = generate_password_hash(item.password, method='pbkdf2:sha256') + item.password = generate_password_hash( + item.password, method="pbkdf2:sha256" + ) def pre_add(self, item): - item.password = generate_password_hash(item.password, method='pbkdf2:sha256') + item.password = generate_password_hash(item.password, method="pbkdf2:sha256") @expose("/", methods=["POST"]) @protect() diff --git a/flask_appbuilder/security/sqla/manager.py b/flask_appbuilder/security/sqla/manager.py index a66ecccaea..8a9717fab5 100755 --- a/flask_appbuilder/security/sqla/manager.py +++ b/flask_appbuilder/security/sqla/manager.py @@ -137,7 +137,9 @@ def add_register_user( if hashed_password: register_user.password = hashed_password else: - register_user.password = generate_password_hash(password, method='pbkdf2:sha256') + register_user.password = generate_password_hash( + password, method="pbkdf2:sha256" + ) register_user.registration_hash = str(uuid.uuid1()) try: self.get_session.add(register_user) 
@@ -224,7 +226,7 @@ def add_user( if hashed_password: user.password = hashed_password else: - user.password = generate_password_hash(password, method='pbkdf2:sha256') + user.password = generate_password_hash(password, method="pbkdf2:sha256") self.get_session.add(user) self.get_session.commit() log.info(c.LOGMSG_INF_SEC_ADD_USER, username) diff --git a/flask_appbuilder/security/views.py b/flask_appbuilder/security/views.py index 5bd122ea59..d8bf244a30 100644 --- a/flask_appbuilder/security/views.py +++ b/flask_appbuilder/security/views.py @@ -408,7 +408,7 @@ def pre_update(self, item: Any) -> None: item.changed_by_fk = g.user.id def pre_add(self, item: Any) -> None: - item.password = generate_password_hash(item.password, method='pbkdf2:sha256') + item.password = generate_password_hash(item.password, method="pbkdf2:sha256") class UserStatsChartView(DirectByChartView): From 76bd16ebe9f7fc283227a8f363924d513d73a0ea Mon Sep 17 00:00:00 2001 From: Mark McCormick Date: Wed, 8 May 2024 00:59:03 +0100 Subject: [PATCH 3/3] remove trailing :sha256 as werkzeug jsut expects pbkdf2 Signed-off-by: Mark McCormick --- bin/hash_db_password.py | 2 +- flask_appbuilder/security/manager.py | 4 ++-- flask_appbuilder/security/mongoengine/manager.py | 4 ++-- flask_appbuilder/security/sqla/apis/user/api.py | 6 ++---- flask_appbuilder/security/sqla/manager.py | 6 ++---- flask_appbuilder/security/views.py | 2 +- tests/test_security_api.py | 2 +- 7 files changed, 11 insertions(+), 15 deletions(-) diff --git a/bin/hash_db_password.py b/bin/hash_db_password.py index bc3c057e7f..9705bb56fc 100644 --- a/bin/hash_db_password.py +++ b/bin/hash_db_password.py @@ -38,7 +38,7 @@ for user in users: log.info("Hashing password for {0}".format(user.username)) - user.password = generate_password_hash(user.password, method='pbkdf2:sha256') + user.password = generate_password_hash(user.password, method='pbkdf2') try: db.session.merge(user) db.session.commit() 
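Review bot: The bare `method='pbkdf2'` on the changed line in hash_db_password.py is only accepted by Werkzeug releases whose hash parser treats `pbkdf2` with no digest as shorthand for `pbkdf2:sha256`; older releases fall through to `hashlib.new("pbkdf2")` and raise "unsupported hash type", so the commit message's premise that Werkzeug "just expects pbkdf2" is inverted — `pbkdf2:sha256` (with an optional `:iterations`) is the spelling every release understands, and the first patch in this series already had it. If the bare form is kept, the package's minimum Werkzeug pin needs to be checked against it; that pin is not visible here. Either way the explicit method deserves a why-comment, since it opts out of Werkzeug's current default KDF (scrypt) and the commit does not record the motivation, e.g. `# Pin PBKDF2-SHA256 rather than Werkzeug's default so hashes stay verifiable everywhere this DB is read — see PR`. The `for user in users:` loop continues past this hunk.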
diff --git a/flask_appbuilder/security/manager.py b/flask_appbuilder/security/manager.py index 47f88653a1..755e8bc18e 100644 --- a/flask_appbuilder/security/manager.py +++ b/flask_appbuilder/security/manager.py @@ -915,7 +915,7 @@ def reset_password(self, userid, password): The clear text password to reset and save hashed on the db """ user = self.get_user_by_id(userid) - user.password = generate_password_hash(password, method="pbkdf2:sha256") + user.password = generate_password_hash(password, method="pbkdf2") self.update_user(user) def update_user_auth_stat(self, user, success=True): @@ -965,7 +965,7 @@ def auth_user_db(self, username, password): if user is None or (not user.is_active): # Balance failure and success check_password_hash( - "pbkdf2:sha256:150000$Z3t6fmj2$22da622d94a1f8118" + "pbkdf2:150000$Z3t6fmj2$22da622d94a1f8118" "c0976a03d2f18f680bfff877c9a965db9eedc51bc0be87c", "password", ) diff --git a/flask_appbuilder/security/mongoengine/manager.py b/flask_appbuilder/security/mongoengine/manager.py index e4d7a11ac6..6042930acc 100644 --- a/flask_appbuilder/security/mongoengine/manager.py +++ b/flask_appbuilder/security/mongoengine/manager.py @@ -85,7 +85,7 @@ def add_register_user( register_user.password = hashed_password else: register_user.password = generate_password_hash( - password, method="pbkdf2:sha256" + password, method="pbkdf2" ) register_user.registration_hash = str(uuid.uuid1()) register_user.save() @@ -133,7 +133,7 @@ def add_user( if hashed_password: user.password = hashed_password else: - user.password = generate_password_hash(password, method="pbkdf2:sha256") + user.password = generate_password_hash(password, method="pbkdf2") user.save() log.info(c.LOGMSG_INF_SEC_ADD_USER, username) return user diff --git a/flask_appbuilder/security/sqla/apis/user/api.py b/flask_appbuilder/security/sqla/apis/user/api.py index c0449122cc..1d6c999341 100644 --- a/flask_appbuilder/security/sqla/apis/user/api.py 
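Review bot: The dummy hash handed to `check_password_hash` in `auth_user_db` is now malformed: Werkzeug splits the method segment on `:`, so in `pbkdf2:150000$Z3t6fmj2$...` the `150000` is parsed as the digest *name* rather than an iteration count, and the call raises `ValueError: unsupported hash type` instead of returning False — every login attempt for an unknown or inactive user would error out, and the timing-equalisation the call exists for is lost. Keep the digest in the string, and preferably stop hard-coding a stale cost at all: build it once at module level with `_DUMMY_PWHASH = generate_password_hash("password", method="pbkdf2")` (the import is already in this file) so its algorithm and iteration count always match what `add_user`/`reset_password` produce; the fixed 150000 appears to be below the iteration count current Werkzeug applies by default, so the balance was already approximate. The one-time cost of computing it at import is the same as a single login. `auth_user_db` starts and ends outside this hunk.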
+++ b/flask_appbuilder/security/sqla/apis/user/api.py @@ -69,12 +69,10 @@ def pre_update(self, item): item.changed_on = datetime.now() item.changed_by_fk = g.user.id if item.password: - item.password = generate_password_hash( - item.password, method="pbkdf2:sha256" - ) + item.password = generate_password_hash(item.password, method="pbkdf2") def pre_add(self, item): - item.password = generate_password_hash(item.password, method="pbkdf2:sha256") + item.password = generate_password_hash(item.password, method="pbkdf2") @expose("/", methods=["POST"]) @protect() diff --git a/flask_appbuilder/security/sqla/manager.py b/flask_appbuilder/security/sqla/manager.py index 8a9717fab5..8afcd6890e 100755 --- a/flask_appbuilder/security/sqla/manager.py +++ b/flask_appbuilder/security/sqla/manager.py @@ -137,9 +137,7 @@ def add_register_user( if hashed_password: register_user.password = hashed_password else: - register_user.password = generate_password_hash( - password, method="pbkdf2:sha256" - ) + register_user.password = generate_password_hash(password, method="pbkdf2") register_user.registration_hash = str(uuid.uuid1()) try: self.get_session.add(register_user) @@ -226,7 +224,7 @@ def add_user( if hashed_password: user.password = hashed_password else: - user.password = generate_password_hash(password, method="pbkdf2:sha256") + user.password = generate_password_hash(password, method="pbkdf2") self.get_session.add(user) self.get_session.commit() log.info(c.LOGMSG_INF_SEC_ADD_USER, username) diff --git a/flask_appbuilder/security/views.py b/flask_appbuilder/security/views.py index d8bf244a30..8aecf8cc66 100644 --- a/flask_appbuilder/security/views.py +++ b/flask_appbuilder/security/views.py 
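Review bot: The `method="pbkdf2"` literal in `add_user` here is repeated verbatim at every hashing site in the series (the CLI script, `reset_password`, both `add_register_user`/`add_user` pairs, the API `pre_add`/`pre_update` and the view's `pre_add`), so the KDF choice can drift between call sites and cannot be changed by a deployment without patching all of them. Define it once — a `PASSWORD_HASH_METHOD = "pbkdf2"` module constant, or a `SecurityManager` attribute populated from app config — and have each site call `generate_password_hash(password, method=PASSWORD_HASH_METHOD)`. Since the pinned value is a deliberate step away from Werkzeug's current scrypt default, that single definition is also the right place for the comment explaining why. `add_user` starts and ends outside this hunk.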
@@ -408,7 +408,7 @@ def pre_update(self, item: Any) -> None: item.changed_by_fk = g.user.id def pre_add(self, item: Any) -> None: - item.password = generate_password_hash(item.password, method="pbkdf2:sha256") + item.password = generate_password_hash(item.password, method="pbkdf2") class UserStatsChartView(DirectByChartView): diff --git a/tests/test_security_api.py b/tests/test_security_api.py index 6693854f91..ecf8437fc9 100644 --- a/tests/test_security_api.py +++ b/tests/test_security_api.py @@ -51,7 +51,7 @@ def _create_test_user( user.username = username user.email = email user.roles = roles - user.password = generate_password_hash(password, method='pbkdf2:sha256') + user.password = generate_password_hash(password, method='pbkdf2') self.session.commit() return user