59 from cubicweb import transaction as tx, server, neg_role |
59 from cubicweb import transaction as tx, server, neg_role |
60 from cubicweb.utils import QueryCache |
60 from cubicweb.utils import QueryCache |
61 from cubicweb.schema import VIRTUAL_RTYPES |
61 from cubicweb.schema import VIRTUAL_RTYPES |
62 from cubicweb.cwconfig import CubicWebNoAppConfiguration |
62 from cubicweb.cwconfig import CubicWebNoAppConfiguration |
63 from cubicweb.server import hook |
63 from cubicweb.server import hook |
64 from cubicweb.server.utils import crypt_password, eschema_eid |
64 from cubicweb.server.utils import crypt_password, eschema_eid, verify_and_update |
65 from cubicweb.server.sqlutils import SQL_PREFIX, SQLAdapterMixIn |
65 from cubicweb.server.sqlutils import SQL_PREFIX, SQLAdapterMixIn |
66 from cubicweb.server.rqlannotation import set_qdata |
66 from cubicweb.server.rqlannotation import set_qdata |
67 from cubicweb.server.hook import CleanupDeletedEidsCacheOp |
67 from cubicweb.server.hook import CleanupDeletedEidsCacheOp |
68 from cubicweb.server.edition import EditedEntity |
68 from cubicweb.server.edition import EditedEntity |
69 from cubicweb.server.sources import AbstractSource, dbg_st_search, dbg_results |
69 from cubicweb.server.sources import AbstractSource, dbg_st_search, dbg_results |
1627 # passwords are stored using the Bytes type, so we get a StringIO |
1627 # passwords are stored using the Bytes type, so we get a StringIO |
1628 args['pwd'] = Binary(crypt_password(password, pwd.getvalue())) |
1628 args['pwd'] = Binary(crypt_password(password, pwd.getvalue())) |
1629 # get eid from login and (crypted) password |
1629 # get eid from login and (crypted) password |
1630 rset = self.source.syntax_tree_search(session, self._auth_rqlst, args) |
1630 rset = self.source.syntax_tree_search(session, self._auth_rqlst, args) |
1631 try: |
1631 try: |
1632 return rset[0][0] |
1632 user = rset[0][0] |
|
1633 # If the stored hash uses a deprecated scheme (e.g. DES or MD5 used |
|
1634 # before 3.14.7), update with a fresh one |
|
1635 if pwd.getvalue(): |
|
1636 verify, newhash = verify_and_update(password, pwd.getvalue()) |
|
1637 if not verify: # should not happen, but... |
|
1638 raise AuthenticationError('bad password') |
|
1639 if newhash: |
|
1640 session.system_sql("UPDATE %s SET %s=%%(newhash)s WHERE %s=%%(login)s" % ( |
|
1641 SQL_PREFIX + 'CWUser', |
|
1642 SQL_PREFIX + 'upassword', |
|
1643 SQL_PREFIX + 'login'), |
|
1644 {'newhash': self.source._binary(newhash), |
|
1645 'login': login}) |
|
1646 session.commit(free_cnxset=False) |
|
1647 return user |
1633 except IndexError: |
1648 except IndexError: |
1634 raise AuthenticationError('bad password') |
1649 raise AuthenticationError('bad password') |
1635 |
1650 |
1636 |
1651 |
1637 class EmailPasswordAuthentifier(BaseAuthentifier): |
1652 class EmailPasswordAuthentifier(BaseAuthentifier): |
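Review bot: The hash-upgrade branch (new lines 1639-1646) has no error handling, so a failure in `session.system_sql(...)` or `session.commit(free_cnxset=False)` would propagate as something other than `AuthenticationError` and deny login to a user whose password was just verified. The upgrade is opportunistic, so I would wrap the `if newhash:` body in a `try`/`except` that logs the failure and rolls the session back, then still reach `return user`. The `UPDATE` also selects the row by `login`, although the authenticated eid is already in `user`; keying the `WHERE` clause on that eid would tie the write to exactly the row the query matched. A short comment above `session.commit(...)` such as `# authentication may now write to the system database (hash upgrade)` would warn maintainers of the new side effect. The enclosing method starts above this hunk, so how `session` is otherwise used during login is not visible here.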