Ticket #14390: patch_ticket14390.diff

django/contrib/auth/models.py

@@ -2 +2 @@
 import urllib
 
 from django.contrib import auth
+from django.contrib.auth.utils import (get_hexdigest, make_password,
+                                    check_password, is_password_usable)
 from django.core.exceptions import ImproperlyConfigured
 from django.db import models
 from django.db.models.manager import EmptyManager
 from django.contrib.contenttypes.models import ContentType
 from django.utils.encoding import smart_str
-from django.utils.hashcompat import md5_constructor, sha_constructor
 from django.utils.translation import ugettext_lazy as _
 
 
-UNUSABLE_PASSWORD = '!' # This will never be a valid hash
-
-def get_hexdigest(algorithm, salt, raw_password):
-    """
-    Returns a string of the hexdigest of the given plaintext password and salt
-    using the given algorithm ('md5', 'sha1' or 'crypt').
-    """
-    raw_password, salt = smart_str(raw_password), smart_str(salt)
-    if algorithm == 'crypt':
-        try:
-            import crypt
-        except ImportError:
-            raise ValueError('"crypt" password algorithm not supported in this environment')
-        return crypt.crypt(raw_password, salt)
-
-    if algorithm == 'md5':
-        return md5_constructor(salt + raw_password).hexdigest()
-    elif algorithm == 'sha1':
-        return sha_constructor(salt + raw_password).hexdigest()
-    raise ValueError("Got unknown password algorithm type in password.")
-
-def check_password(raw_password, enc_password):
-    """
-    Returns a boolean of whether the raw_password was correct. Handles
-    encryption formats behind the scenes.
-    """
-    algo, salt, hsh = enc_password.split('$')
-    return hsh == get_hexdigest(algo, salt, raw_password)
-
 class SiteProfileNotAvailable(Exception):
     pass
 
@@ -234 +206 @@
         return full_name.strip()
 
     def set_password(self, raw_password):
-        if raw_password is None:
-            self.set_unusable_password()
-        else:
-            import random
-            algo = 'sha1'
-            salt = get_hexdigest(algo, str(random.random()), str(random.random()))[:5]
-            hsh = get_hexdigest(algo, salt, raw_password)
-            self.password = '%s$%s$%s' % (algo, salt, hsh)
+        self.password = make_password('sha1', raw_password)
 
     def check_password(self, raw_password):
         """
@@ -261 +226 @@
 
     def set_unusable_password(self):
         # Sets a value that will never be a valid hash
-        self.password = UNUSABLE_PASSWORD
+        self.password = make_password('sha1', None)
 
     def has_usable_password(self):
-        if self.password is None \
-            or self.password == UNUSABLE_PASSWORD:
-            return False
-        else:
-            return True
+        return is_password_usable(self.password)
 
     def get_group_permissions(self, obj=None):
         """

django/contrib/auth/tests/__init__.py

@@ -1 +1 @@
 from django.contrib.auth.tests.auth_backends import BackendTest, RowlevelBackendTest, AnonymousUserBackendTest, NoAnonymousUserBackendTest
-from django.contrib.auth.tests.basic import BasicTestCase
+from django.contrib.auth.tests.basic import BasicTestCase, PasswordUtilsTestCase
 from django.contrib.auth.tests.decorators import LoginRequiredTestCase
 from django.contrib.auth.tests.forms import UserCreationFormTest, AuthenticationFormTest, SetPasswordFormTest, PasswordChangeFormTest, UserChangeFormTest, PasswordResetFormTest
 from django.contrib.auth.tests.remote_user \

django/contrib/auth/tests/basic.py

@@ -1 +1 @@
 from django.test import TestCase
+from django.utils.unittest import skipUnless
 from django.contrib.auth.models import User, AnonymousUser
+from django.contrib.auth import utils
 from django.core.management import call_command
 from StringIO import StringIO
 
+try:
+    import crypt as crypt_module
+except ImportError:
+    crypt_module = None
+
+class PasswordUtilsTestCase(TestCase):
+
+    def _test_make_password(self, algo):
+        password = utils.make_password(algo, "foobar")
+        self.assertTrue(utils.is_password_usable(password))
+        self.assertTrue(utils.check_password("foobar", password))
+
+    def test_make_unusable(self):
+        "Check that you can create an unusable password."
+        password = utils.make_password("any", None)
+        self.assertFalse(utils.is_password_usable(password))
+        self.assertFalse(utils.check_password("foobar", password))
+
+    def test_make_password_sha1(self):
+        "Check creating passwords with SHA1 algorithm."
+        self._test_make_password("sha1")
+
+    def test_make_password_md5(self):
+        "Check creating passwords with MD5 algorithm."
+        self._test_make_password("md5")
+
+    @skipUnless(crypt_module, "no crypt module to generate password.")
+    def test_make_password_crypt(self):
+        "Check creating passwords with CRYPT algorithm."
+        self._test_make_password("crypt")
+
+
 class BasicTestCase(TestCase):
     def test_user(self):
         "Check that users can be created and can set their password"

new file django/contrib/auth/utils.py

@@ +1 @@
+from django.utils.encoding import smart_str
+from django.utils.hashcompat import md5_constructor, sha_constructor
+import random
+
+
+UNUSABLE_PASSWORD = '!' # This will never be a valid hash
+
+
+def get_hexdigest(algorithm, salt, raw_password):
+    """
+    Returns a string of the hexdigest of the given plaintext password and salt
+    using the given algorithm ('md5', 'sha1' or 'crypt').
+    """
+    raw_password, salt = smart_str(raw_password), smart_str(salt)
+    if algorithm == 'crypt':
+        try:
+            import crypt
+        except ImportError:
+            raise ValueError('"crypt" password algorithm not supported in this environment')
+        return crypt.crypt(raw_password, salt)
+    if algorithm == 'md5':
+        return md5_constructor(salt + raw_password).hexdigest()
+    elif algorithm == 'sha1':
+        return sha_constructor(salt + raw_password).hexdigest()
+    raise ValueError("Got unknown password algorithm type in password.")
+
+
+def check_password(raw_password, enc_password):
+    """
+    Returns a boolean of whether the raw_password was correct. Handles
+    encryption formats behind the scenes.
+    """
+    parts = enc_password.split('$')
+    if len(parts) != 3:
+        return False
+    algo, salt, hsh = parts
+    return hsh == get_hexdigest(algo, salt, raw_password)
+
+
+def is_password_usable(enc_password):
+    return enc_password is not None and enc_password != UNUSABLE_PASSWORD
+
+
+def make_password(algo, raw_password):
+    """
+    Produce a new password string in this format: algorithm$salt$hash
+    """
+    if raw_password is None:
+        return UNUSABLE_PASSWORD
+    salt = get_hexdigest(algo, str(random.random()), str(random.random()))[:5]
+    hsh = get_hexdigest(algo, salt, raw_password)
+    return '%s$%s$%s' % (algo, salt, hsh)

docs/topics/auth.txt

@@ -621 +621 @@
 
 .. _backends documentation: #other-authentication-sources
 
-Manually checking a user's password
+Manually managing user's password
 -----------------------------------
 
+.. versionchanged:: 1.3
+
+Function :func:`django.contrib.auth.models.check_password` has been moved to the
+:mod:`django.contrib.auth.utils` module. Importing it from the old location
+will still work, but you should update your imports.
+
+.. versionadded:: 1.3
+
+The :mod:`django.contrib.auth.utils` module provides a set of functions to
+create and validate hashed password. You can use them independently from
+the ``User`` model.
+
 .. function:: check_password()
 
     If you'd like to manually authenticate a user by comparing a plain-text
     password to the hashed password in the database, use the convenience
-    function :func:`django.contrib.auth.models.check_password`. It takes two
+    function :func:`django.contrib.auth.utils.check_password`. It takes two
     arguments: the plain-text password to check, and the full value of a user's
     ``password`` field in the database to check against, and returns ``True``
     if they match, ``False`` otherwise.
 
+.. function:: make_password()
+
+    Creates a hashed password in the format used by this application. It takes
+    two arguments: hashing algorithm to use and the password in plain-text.
+    Currently supported algorithms are: `sha1`, `md5` and `crypt` if you have
+    the `crypt` library installed. If the second argument is ``None``, an
+    unusable password is returned (a one that will be never accepted by
+    :func:`django.contrib.auth.utils.check_password`).
+
+.. function:: is_password_usable()
+
+    Checks if the given string is a hashed password that has a chance
+    of being verified against :func:`django.contrib.auth.utils.check_password`.
+
+
 How to log a user out
 ---------------------