Adds **kwargs parameter to password_hash to support more algorithms. #45692
base: devel
Please do a separate PR if you start to do multiple changes, or at least, multiple commits.
@@ -170,7 +174,10 @@ def _hash(self, secret, salt, salt_size, rounds): | |||
|
|||
# starting with passlib 1.7 'using' and 'hash' should be used instead of 'encrypt' | |||
if hasattr(self.crypt_algo, 'hash'): | |||
result = self.crypt_algo.using(**settings).hash(secret) | |||
if self.algorithm in ('msdcc', 'msdcc2'): | |||
result = self.crypt_algo.hash(secret, **settings) |
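Review bot: in the `msdcc`/`msdcc2` branch, `self.crypt_algo.hash(secret, **settings)` forwards whatever is in `settings` with no check that the value these algorithms need is present, so a missing parameter reaches the user as a raw passlib exception. Suggest checking for it before the call and raising an error that names the algorithm and the missing parameter. The comment above the branch still only talks about 'using' and 'hash' replacing 'encrypt'; a line explaining why these two algorithms bypass `using()` would help the next reader.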
So, this doesn't verify anymore that user is set, unlike the previous PR, I think that should be corrected.
It is done implicitly by passlib.
So if the user is not set an exception would be thrown, similar to what #45392 experienced.
This is the same behaviour as for all other hashing algorithms.
I.e. the checking of what parameters are supported/needed is done by passlib.
Throwing an exception does not seem like great UX for users.
I think from a maintenance point it is easier to let passlib handle the parameters.
Otherwise we would have to take care of each algorithm ourselves and have a list of required and optional parameters for them.
It becomes worse if algorithms retrieve new parameters that we already support.
Now if new algorithms are added to passlib we support them automatically.
Given that they use the 'using' and 'hash' functions.
I would add the parameters. Kwargs don't actually mean we haven't added
the parameters... It just means that we haven't made those parameters easy
to see and easy to error check. If it doesn't make sense to add more
parameters explicitly then it would also not make sense to add them via
kwargs.
On Sun, Sep 16, 2018, 7:19 AM Matthias Fuchs ***@***.***> wrote:
@abadger <https://github.com/abadger> I know you were not a fan of
**kwargs in #21215.
But I am not sure if it is good to add even further parameters to the
functions (i.e. 'user' and 'ident').
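An added example, not code from this PR or from Ansible: one way to get readable errors without a hand-kept per-algorithm parameter list, the trade-off debated above, by reading the `setting_kwds` and `context_kwds` attributes that passlib handlers expose. `HashParameterError`, `split_hash_kwargs`, `hash_secret` and `StandInMsdcc` are hypothetical names; the stand-in class is constructed so the block runs without passlib, and treating every context keyword as required is an assumption.

```python
class HashParameterError(ValueError):
    """Readable error raised before the passlib handler is called."""


def split_hash_kwargs(handler, algorithm, kwargs):
    """Split filter kwargs into (settings, context) for a passlib-style handler.

    Settings are passed to handler.using(); context keywords such as the
    'user' value of msdcc/msdcc2 are passed to handler.hash().
    Assumption: every name in context_kwds is treated as required.
    """
    setting_names = set(getattr(handler, 'setting_kwds', ()))
    context_names = tuple(getattr(handler, 'context_kwds', ()))
    # None means "not supplied by the caller", so drop those entries first.
    supplied = {k: v for k, v in kwargs.items() if v is not None}

    missing = [k for k in context_names if k not in supplied]
    if missing:
        raise HashParameterError(
            "%s requires: %s" % (algorithm, ', '.join(missing)))
    unknown = sorted(set(supplied) - setting_names - set(context_names))
    if unknown:
        raise HashParameterError(
            "%s does not accept: %s" % (algorithm, ', '.join(unknown)))

    context = {k: supplied[k] for k in context_names}
    settings = {k: v for k, v in supplied.items() if k not in context}
    return settings, context


def hash_secret(handler, algorithm, secret, **kwargs):
    """Validate kwargs, then call using() only when there are settings."""
    settings, context = split_hash_kwargs(handler, algorithm, kwargs)
    configured = handler.using(**settings) if settings else handler
    return configured.hash(secret, **context)


class StandInMsdcc(object):
    """Constructed stand-in (NOT passlib, NOT a real hash) with msdcc-like
    attributes, so the example runs without passlib installed."""
    setting_kwds = ()
    context_kwds = ('user',)

    @classmethod
    def hash(cls, secret, user):
        return 'standin:%s:%d' % (user.lower(), len(secret))
```

With passlib installed, a real handler such as `passlib.hash.msdcc` can be passed in place of `StandInMsdcc`.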
Yes, so it is easier to see the meaning of each, and review them.
@mscherer I split the commit into two parts.
@mfuchs Sorry for the delays. Can you rebase and resolve any open review comments on this PR? Thanks!
The ident parameter, as described in the documentation, was not supported.
This is done by adding the 'user' parameters for msdcc/msdcc2. Furthermore msdcc/msdcc2 does not support the 'using' function with passlib 1.7 and newer. Thus there is specific handling if these algorithms are used. Fixes ansible#45392
@samccann rebased and also resolved all comments.
@@ -848,6 +848,13 @@ Some hash types allow providing a rounds parameter:: | |||
|
|||
{{ 'secretpassword' | password_hash('sha256', 'mysecretsalt', rounds=10000) }} | |||
|
|||
When`Passlib <https://passlib.readthedocs.io/en/stable/>`_ is installed | |||
`password_hash` supports more crypt schematas:: |
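Review bot: the added sentence has `When` directly against the opening backtick of the Passlib link, and reStructuredText needs whitespace before inline markup, so the link will not render; insert a space. Also "schematas" should be "schemes", and `password_hash` in single backticks is interpreted text rather than an inline literal, so the double-backtick form is the better fit for a filter name.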
Small typo (not blocking, but since I review)
You should also add a changelog fragment (IIRC the new merging rule, I am a bit out of touch)
Hi @mfuchs, thanks a lot for the nice job! Is there any news on when this can be merged? The
waiting_on_contributor
SUMMARY
Adds **kwargs parameter to password_hash to support more algorithms.
This adds support for the bcrypt algorithm as described in the documentation.
The msdcc and msdcc2 algorithms are also supported now.
Fixes #45392
ISSUE TYPE
COMPONENT NAME
utils/encrypt
ANSIBLE VERSION