random: expose hashed passwords in recipe options

Directly expose all passlib.hash supported hashes, using a `passwd-` prefix. For example, to access `sha256_crypt`, use `passwd-sha256-crypt` option name. [secret] recipe = slapos.cookbook:generate.password [config-file] hashed-password = ${secret:passwd-sha256-crypt}

random: expose hashed passwords in recipe options
Directly expose all passlib.hash supported hashes, using a `passwd-` prefix. For example, to access `sha256_crypt`, use `passwd-sha256-crypt` option name. [secret] recipe = slapos.cookbook:generate.password [config-file] hashed-password = ${secret:passwd-sha256-crypt}
5efa1762 · Jérome Perrin · fa27962e · 5efa1762 · 5efa1762 · 5efa1762
Commit 5efa1762 authored Dec 31, 2023 by Jérome Perrin
Hide whitespace changes
Inline Side-by-side

Showing with 102 additions and 0 deletions

setup.py setup.py +1 -0

slapos/recipe/random.py slapos/recipe/random.py +16 -0

slapos/test/recipe/test_random.py slapos/test/recipe/test_random.py +85 -0

No files found.
--- a/setup.py
+++ b/setup.py
@@ -72,6 +72,7 @@ setup(name=name,
        'zc.buildout', # plays with buildout
        'zc.recipe.egg', # for scripts generation
        'pytz', # for timezone database
+        'passlib',
        ],
      zip_safe=True,
      entry_points={

--- a/slapos/recipe/random.py
+++ b/slapos/recipe/random.py
@@ -40,6 +40,9 @@ from .librecipe import GenericBaseRecipe
 from .publish_early import volatileOptions
 from slapos.util import str2bytes

+import passlib.hash
+
+
 class Integer(object):
  """
  Generate a random integer (see standard random.randint documentation).
@@ -154,6 +157,19 @@ class Password(object):
        passwd = self.generatePassword(int(options.get('bytes', '16')))
        self.update = self.install
      options['passwd'] = passwd
+
+    class HashedPasswordDict(dict):
+      def __missing__(self, key):
+        if not key.startswith('passwd-'):
+          raise KeyError(key)
+        handler = getattr(
+          passlib.hash, key[len('passwd-'):].replace('-', '_'), None)
+        if handler is None:
+          raise KeyError(key)
+        return handler.hash(passwd)
+
+    options._data = HashedPasswordDict(options._data)
+
    # Password must not go into .installed file, for 2 reasons:
    # security of course but also to prevent buildout to always reinstall.
    # publish_early already does it, but this recipe may also be used alone.

--- a/slapos/test/recipe/test_random.py
+++ b/slapos/test/recipe/test_random.py
+import os
+import shutil
+import tempfile
+import unittest
+
+import zc.buildout.testing
+import zc.buildout.buildout
+import passlib.hash
+from slapos.recipe import random
+
+
+class TestPassword(unittest.TestCase):
+  def setUp(self):
+    self.buildout = zc.buildout.testing.Buildout()
+    parts_directory = tempfile.mkdtemp()
+    self.buildout['buildout']['parts-directory'] = parts_directory
+    self.addCleanup(shutil.rmtree, parts_directory)
+
+  def _makeRecipe(self, options, section_name="random"):
+    self.buildout[section_name] = options
+    recipe = random.Password(
+      self.buildout, section_name, self.buildout[section_name]
+    )
+    return recipe
+
+  def test_empty_options(self):
+    recipe = self._makeRecipe({})
+    passwd = self.buildout["random"]["passwd"]
+    self.assertEqual(len(passwd), 16)
+    recipe.install()
+    with open(self.buildout["random"]["storage-path"]) as f:
+      self.assertEqual(f.read().strip(), passwd)
+
+  def test_storage_path(self):
+    tf = tempfile.NamedTemporaryFile(delete=False)
+    self.addCleanup(os.unlink, tf.name)
+    self._makeRecipe({'storage-path': tf.name}).install()
+    passwd = self.buildout["random"]["passwd"]
+    self.assertEqual(len(passwd), 16)
+    with open(tf.name) as f:
+      self.assertEqual(f.read().strip(), passwd)
+
+    self._makeRecipe({'storage-path': tf.name}, "another").install()
+    self.assertEqual(self.buildout["another"]["passwd"], passwd)
+
+  def test_bytes(self):
+    self._makeRecipe({'bytes': '32'}).install()
+    passwd = self.buildout["random"]["passwd"]
+    self.assertEqual(len(passwd), 32)
+    with open(self.buildout["random"]["storage-path"]) as f:
+      self.assertEqual(f.read().strip(), passwd)
+
+  def test_volatile(self):
+    self._makeRecipe({})
+    options = self.buildout['random']
+    self.assertIn('passwd', options)
+    options_items = [(k, v) for k, v in options.items() if k != 'passwd']
+    copied_options = options.copy()
+    self.assertEqual(list(copied_options.items()), options_items)
+
+  def test_passlib(self):
+    self._makeRecipe({})
+
+    hashed = self.buildout['random']['passwd-sha256-crypt']
+    self.assertTrue(
+      passlib.hash.sha256_crypt.verify(
+        self.buildout['random']['passwd'], hashed))
+
+    hashed = self.buildout['random']['passwd-md5-crypt']
+    self.assertTrue(
+      passlib.hash.md5_crypt.verify(
+        self.buildout['random']['passwd'], hashed))
+
+    hashed = self.buildout['random']['passwd-ldap-salted-sha1']
+    self.assertTrue(
+      passlib.hash.ldap_salted_sha1.verify(
+        self.buildout['random']['passwd'], hashed))
+
+    with self.assertRaises(zc.buildout.buildout.MissingOption):
+      self.buildout['random']['passwd-unknown']
+    with self.assertRaises(zc.buildout.buildout.MissingOption):
+      self.buildout['random']['unknown']
+
+    copied_options = self.buildout['random'].copy()
+    self.assertEqual(list(copied_options.keys()), ['storage-path'])