tests are breaking with last commit. Restore a hopefully working tree while I figure out what's going on

Author: rouilj

CHANGES.txt

@@ -74,9 +74,6 @@ Fixed:
   make sure that an 'X-Content-Type-Options: nosniff' header is sent.
 - issue2551252 - default number of rounds for PKDF2 password increased
   to 2,000,000.
-- issue2551251 - migrate/re-encrypt PBKDF2 password if stored
-  password used a smaller number of rounds than set in
-  password_pbkdf2_default_rounds.
 
 Features:
 

roundup/cgi/actions.py

@@ -1399,8 +1399,7 @@ def verifyPassword(self, userid, givenpw):
         db = self.db
         stored = db.user.get(userid, 'password')
         if givenpw == stored:
-            if (db.config.WEB_MIGRATE_PASSWORDS and
-                stored.needs_migration(config=db.config)):
+            if db.config.WEB_MIGRATE_PASSWORDS and stored.needs_migration():
                 newpw = password.Password(givenpw, config=db.config)
                 db.user.set(userid, password=newpw)
                 db.commit()

roundup/password.py

@@ -190,7 +190,7 @@ def encodePassword(plaintext, scheme, other=None, config=None):
             if config:
                 rounds = config.PASSWORD_PBKDF2_DEFAULT_ROUNDS
             else:
-                rounds = 2000000
+                rounds = 10000
         if rounds < 1000:
             raise PasswordValueError("invalid PBKDF2 hash (rounds too low)")
         raw_digest = pbkdf2(plaintext, raw_salt, rounds, 20)
@@ -325,7 +325,7 @@ def __init__(self, plaintext=None, scheme=None, encrypted=None,
     def __repr__(self):
         return self.__str__()
 
-    def needs_migration(self, config):
+    def needs_migration(self):
         """ Password has insecure scheme or other insecure parameters
             and needs migration to new password scheme
         """
@@ -334,10 +334,6 @@ def needs_migration(self, config):
         rounds, salt, raw_salt, digest = pbkdf2_unpack(self.password)
         if rounds < 1000:
             return True
-        if (self.scheme == "PBKDF2"):
-            new_rounds = config.PASSWORD_PBKDF2_DEFAULT_ROUNDS
-            if rounds < int(new_rounds):
-                return True
         return False
 
     def unpack(self, encrypted, scheme=None, strict=False, config=None):

test/test_security.py

@@ -422,14 +422,4 @@ def test_password(self):
             roundup.password.test_missing_crypt()
         roundup.password.crypt = orig_crypt
 
-    def test_pbkdf2_migrate_rounds(self):
-        self.db.config.PASSWORD_PBKDF2_DEFAULT_ROUNDS = 10000
-
-        p = roundup.password.Password('sekrit', 'PBKDF2',
-                                      config=self.db.config)
-
-        self.db.config.PASSWORD_PBKDF2_DEFAULT_ROUNDS = 2000000
-
-        self.assertEqual(p.needs_migration(config=self.db.config), True)
-
 # vim: set filetype=python sts=4 sw=4 et si :