[elbe-devel] [PATCH v2 6/8] proprocess: migrate root and user passwords

Bastian Germann bage at linutronix.de
Fri Jun 24 13:12:33 CEST 2022


Typo in subject: preprocess

On 16.06.22 at 12:10, Holger Dengler wrote:
> Support legacy XMLs by adding preprocessing for plain-text passwords for
> root and users. The plain-text password elements or attributes will be
> replaced with their hashed variants.
> 
> XMLs with only hashed passwords will not be changed by the
> preprocessing.
> 
> Signed-off-by: Holger Dengler <holger at hdengler.de>
> ---
>   elbepack/xmlpreprocess.py | 28 +++++++++++++++++++++++++---
>   1 file changed, 25 insertions(+), 3 deletions(-)
> 
> diff --git a/elbepack/xmlpreprocess.py b/elbepack/xmlpreprocess.py
> index f3c2f2a7f..947b3cfce 100644
> --- a/elbepack/xmlpreprocess.py
> +++ b/elbepack/xmlpreprocess.py
> @@ -14,6 +14,7 @@ from optparse import OptionGroup
>   from itertools import islice
>   from urllib.error import HTTPError,URLError
>   from urllib.request import urlopen
> +from crypt import crypt, METHOD_SHA512

The crypt module is deprecated in Python 11.
preprocess runs on the host machine so I would like to have broad compatibility.
I am thinking of making the host commands compatible with Windows where this is
not available (part of the rationale for the deprecation). If there is no Python
3.6+ module (hashlib?) that we can use, I would prefer introducing a dependency,
possibly passlib.

The method has to be compatible with the oldest of our supported target systems,
which is jessie. I would prefer Blowfish over SHA512. If we keep SHA512, please
use a greater than default rounds parameter.

>   
>   from lxml import etree
>   from lxml.etree import XMLParser, parse, Element
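
Review bot: The module-level "from crypt import crypt, METHOD_SHA512" makes importing xmlpreprocess depend on the crypt module even for XMLs that contain only hashed passwords, which the commit message says are left unchanged. Consider importing it inside preprocess_passwd, or only once a plain-text password is actually found, so the hashed-only path carries no such dependency.
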
> @@ -251,6 +252,25 @@ def preprocess_mirrors(xml):
>               option.text = opt
>               options.append(option)
>   
> +def preprocess_passwd(xml):
> +    """Preprocess plain-text passwords. Plain-text passwords for root and
> +       adduser will be replaced with their hashed values.
> +    """
> +
> +    # migrate root password
> +    for passwd in xml.iterfind(".//target/passwd"):
> +        passwd_hashed = '%s' % crypt(passwd.text, METHOD_SHA512)
> +        passwd.tag = "passwd_hashed"
> +        passwd.text = passwd_hashed
> +
> +    # migrate user passwords
> +    for adduser in xml.iterfind(".//target/finetuning/adduser[@passwd]"):
> +        passwd = adduser.attrib['passwd']
> +        passwd_hashed = crypt(passwd, METHOD_SHA512)
> +
> +        adduser.attrib['passwd_hashed'] = passwd_hashed
> +        del adduser.attrib['passwd']
> +
>   def xmlpreprocess(fname, output, variants=None, proxy=None):
>   
>       # pylint: disable=too-many-locals
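
Review bot: In preprocess_passwd, passwd.text is handed to crypt() unchecked, so an empty passwd element (text is None) fails with an exception inside crypt() instead of a clear preprocessing error; check for it and report which element is affected. The root branch also wraps the result in '%s' % ... while the adduser branch does not, and the two should be consistent. If an adduser already carries passwd_hashed next to passwd, the assignment to adduser.attrib['passwd_hashed'] silently overwrites it; rejecting that combination would be safer.
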
> @@ -334,6 +354,8 @@ def xmlpreprocess(fname, output, variants=None, proxy=None):
>   
>           preprocess_mirrors(xml)
>   
> +        preprocess_passwd(xml)
> +
>           if schema.validate(xml):
>               # if validation succedes write xml file
>               xml.write(
> @@ -349,9 +371,9 @@ def xmlpreprocess(fname, output, variants=None, proxy=None):
>       except ArchivedirError:
>           raise XMLPreprocessError("<archivedir> handling failed\n" +
>                                    str(sys.exc_info()[1]))
> -    except BaseException:
> -        raise XMLPreprocessError(
> -            "Unknown Exception during validation\n" + str(sys.exc_info()[1]))
> +#     except BaseException:
> +#         raise XMLPreprocessError(
> +#             "Unknown Exception during validation\n" + str(sys.exc_info()[1]))
>   
>       # We have errors, return them in string form...
>       raise XMLPreprocessError("\n".join(error_log_to_strings(schema.error_log)))
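
Review bot: The "except BaseException" handler at the end of xmlpreprocess is commented out rather than removed, which looks like a debugging leftover and is not mentioned in the commit message. Either restore it, or drop it in a separate patch with a rationale. As posted, any exception raised by the new preprocess_passwd call surfaces as a raw traceback instead of an XMLPreprocessError.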

