use idea from Eli Collins to use a list of deprecated password encoding schemes

Ralf Schlatterbeck · Ralf Schlatterbeck · commit 80ea7989e3e3 · 2011-04-14T18:27:51.000Z
diff --git a/roundup/password.py b/roundup/password.py
@@ -240,7 +240,8 @@ class Password(JournalPassword):
     """
     #TODO: code to migrate from old password schemes.
 
-    known_schemes = [ "PBKDF2", "SHA", "MD5", "crypt", "plaintext" ]
+    deprecated_schemes = ["SHA", "MD5", "crypt", "plaintext"]
+    known_schemes = ["PBKDF2"] + deprecated_schemes
 
     def __init__(self, plaintext=None, scheme=None, encrypted=None, strict=False):
         """Call setPassword if plaintext is not None."""
@@ -259,7 +260,7 @@ def needs_migration(self):
         """ Password has insecure scheme or other insecure parameters
             and needs migration to new password scheme
         """
-        if self.scheme != 'PBKDF2':
+        if self.scheme in self.deprecated_schemes:
             return True
         rounds, salt, raw_salt, digest = pbkdf2_unpack(self.password)
         if rounds < 1000:
diff --git a/test/test_cgi.py b/test/test_cgi.py
@@ -431,7 +431,7 @@ def testPasswordMigration(self):
         cl = self._make_client(form)
         # assume that the "best" algorithm is the first one and doesn't
         # need migration, all others should be migrated.
-        for scheme in password.Password.known_schemes[1:]:
+        for scheme in password.Password.deprecated_schemes:
             pw1 = password.Password('foo', scheme=scheme)
             self.assertEqual(pw1.needs_migration(), True)
             self.db.user.set(chef, password=pw1)
