issue2551191 - Module deprication PEP 594. crypt

Handle missing crypt module "better" by raising an exception rather
than just silently failing to log in the user when a crypt encoded
password can't be checked.

Update tests and upgrading.txt too.

Author: rouilj

doc/upgrading.txt

@@ -154,6 +154,33 @@ can use the ``_generic.404.html`` template to create a
 the 400 template by appending ``@template=400`` to the url for the
 tracker.
 
+Change passwords using crypt module (optional)
+----------------------------------------------
+
+The crypt module is being removed from the standard library.  Any
+stored password using crypt encoding will fail to verify once the
+crypt module is removed (expected in Python 3.13 see
+pep-0594). Automatic migration of passwords (if enabled in config.ini)
+re-encrypts old passwords using something other than crypt if a user
+logs in using the web interface.
+
+You can find users with passwords still encrypted using crypt by
+running::
+
+    roundup-admin -i <tracker_home> table password,id,username
+
+Look for lines starting with ``{CRYPT}``. You can reset the user's
+password using::
+
+    roundup-admin -i <tracker_home>
+    roundup> set user16 password=somenewpassword
+
+changing ``16`` to the id in the second column of the table output.
+The example uses interactive mode (indicated by the ``roundup>``
+prompt). This prevents the new password from showing up in the output
+of ps or shell history. The new password will be encrypted using the
+default encryption method (usually pbkdf2).
+
 Migrating from 2.0.0 to 2.1.0
 =============================
 

roundup/password.py

@@ -201,7 +201,10 @@ def encodePassword(plaintext, scheme, other=None, config=None):
         s = sha1(s2b(plaintext)).hexdigest()  # nosec
     elif scheme == 'MD5':
         s = md5(s2b(plaintext)).hexdigest()  # nosec
-    elif scheme == 'crypt' and crypt is not None:
+    elif scheme == 'crypt':
+        if crypt is None:
+            raise PasswordValueError(
+                'Unsupported encryption scheme %r' % scheme)
         if other is not None:
             salt = other
         else:
@@ -355,6 +358,8 @@ def __str__(self):
             raise ValueError('Password not set')
         return '{%s}%s' % (self.scheme, self.password)
 
+def test_missing_crypt():
+    p = encodePassword('sekrit', 'crypt')
 
 def test():
     # SHA
@@ -415,5 +420,6 @@ def test():
 
 if __name__ == '__main__':
     test()
+    test_missing_crypt()
 
 # vim: set filetype=python sts=4 sw=4 et si :

test/test_security.py

@@ -411,8 +411,15 @@ def testTransitiveSearchPermissions(self):
         self.assertEqual(has(uimu, 'issue', 'messages.recipients'), 1)
         self.assertEqual(has(uimu, 'issue', 'messages.recipients.username'), 1)
 
-    # roundup.password has its own built-in test, call it.
+    # roundup.password has its own built-in tests, call them.
     def test_password(self):
         roundup.password.test()
 
+        # pretend import of crypt failed
+        orig_crypt = roundup.password.crypt
+        roundup.password.crypt = None
+        with self.assertRaises(roundup.password.PasswordValueError) as ctx:
+            roundup.password.test_missing_crypt()
+        roundup.password.crypt = orig_crypt
+
 # vim: set filetype=python sts=4 sw=4 et si :