[4.3.x] Fix #891 - Fix legacy password hashes and handling of disabled hashes (backport #894)

.circleci/config.yml

@@ -99,26 +99,32 @@ commands:
             echo
 
       - run:
-          name: Installing psql client, enchant, netcat, rust
-          command: $SUDO apt -y install postgresql-client netcat python3-enchant rustc
+          name: Installing psql client, enchant, netcat
+          command: $SUDO apt -y install postgresql-client netcat python3-enchant python3-venv python3-dev
+
+      - run:
+          name: Installing rust
+          command: $SUDO curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y
 
       - restore_cache:
           keys:
-            - v23-dependencies-{{ .Environment.CIRCLE_JOB }}-{{ checksum
+            - v24-dependencies-{{ .Environment.CIRCLE_JOB }}-{{ checksum
               "requirements.txt" }}
             # fallback to using the latest cache if no exact match is found
-            - v23-dependencies-{{ .Environment.CIRCLE_JOB }}
+            - v24-dependencies-{{ .Environment.CIRCLE_JOB }}
 
       - run:
           name: install latest pip
           command: |
+            rm -rf venv
             $PYTHON_INTERPRETER -m venv venv
             . venv/bin/activate
             pip install -U pip
 
       - run:
           name: install dependencies
           command: |
+            rm -rf venv
             PATH=$PATH:/root/.cargo/bin/
             $PYTHON_INTERPRETER -m venv venv
             . venv/bin/activate
@@ -127,7 +133,7 @@ commands:
       - save_cache:
           paths:
             - ./venv
-          key: v23-dependencies-{{ .Environment.CIRCLE_JOB }}-{{ checksum
+          key: v24-dependencies-{{ .Environment.CIRCLE_JOB }}-{{ checksum
             "requirements.txt" }}
 
   wait_for_postgres:
@@ -200,6 +206,7 @@ jobs:
           IRRD_REDIS_URL: 'redis://localhost'
           PYTHON_INTERPRETER: python3
           SUDO: sudo
+          PATH: /root/.cargo/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
 
       - image: cimg/postgres:<< parameters.postgres_version >>
         environment:
@@ -236,6 +243,7 @@ jobs:
           IRRD_REDIS_URL: 'redis://localhost'
           PYTHON_INTERPRETER: pypy3
           SUDO: ''
+          PATH: /root/.cargo/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
 
       - image: cimg/postgres:<< parameters.postgres_version >>
         environment:
@@ -274,6 +282,7 @@ jobs:
           IRRD_REDIS_URL_INTEGRATION_2: 'redis://localhost/5'
           PYTHON_INTERPRETER: python3
           SUDO: sudo
+          PATH: /root/.cargo/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
 
       - image: cimg/postgres:<< parameters.postgres_version >>
         environment:
@@ -313,6 +322,7 @@ jobs:
           IRRD_REDIS_URL_INTEGRATION_2: 'redis://localhost/5'
           PYTHON_INTERPRETER: pypy3
           SUDO: ''
+          PATH: /root/.cargo/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
 
       - image: cimg/postgres:<< parameters.postgres_version >>
         environment:

irrd/updates/tests/test_validators.py

@@ -124,6 +124,44 @@ def test_valid_new_person(self, prepare_mocks):
             ["rpsl_pks", ({"TEST-MNT"},), {}],
         ]
 
+    def test_new_person_with_legacy_hash(self, prepare_mocks, config_override):
+        config_override(
+            {
+                "auth": {"password_hashers": {"crypt-pw": "legacy"}},
+            }
+        )
+
+        validator, mock_dq, mock_dh = prepare_mocks
+        person = rpsl_object_from_text(SAMPLE_PERSON)
+        mock_dh.execute_query = lambda q: [
+            {"object_class": "mntner", "object_text": SAMPLE_MNTNER},
+        ]
+
+        validator.passwords = [SAMPLE_MNTNER_CRYPT]
+        result = validator.process_auth(person, None)
+        assert result.is_valid()
+
+    def test_new_person_with_authless_mntner(self, prepare_mocks, config_override):
+        # "authless" meaning: no auth lines that are currently enabled - #891
+        config_override(
+            {
+                "auth": {"password_hashers": {"crypt-pw": "disabled"}},
+            }
+        )
+
+        validator, mock_dq, mock_dh = prepare_mocks
+        person = rpsl_object_from_text(SAMPLE_PERSON)
+        cryptonly_maintainer = "\n".join(
+            line for line in SAMPLE_MNTNER.splitlines() if not line.startswith("auth:") or "CRYPT" in line
+        )
+        mock_dh.execute_query = lambda q: [
+            {"object_class": "mntner", "object_text": cryptonly_maintainer},
+        ]
+
+        validator.passwords = [SAMPLE_MNTNER_CRYPT]
+        result = validator.process_auth(person, None)
+        assert not result.is_valid()
+
     def test_existing_person_mntner_change(self, prepare_mocks):
         validator, mock_dq, mock_dh = prepare_mocks
         # TEST-MNT is in both maintainers

irrd/updates/validators.py

@@ -304,7 +304,7 @@ def _check_mntners(self, mntner_pk_list: List[str], source: str) -> Tuple[bool,
             query = query.object_classes(["mntner"]).rpsl_pks(mntner_pks_to_resolve)
             results = self.database_handler.execute_query(query)
 
-            retrieved_mntner_objs: List[RPSLMntner] = [rpsl_object_from_text(r["object_text"]) for r in results]  # type: ignore
+            retrieved_mntner_objs: List[RPSLMntner] = [rpsl_object_from_text(r["object_text"], strict_validation=False) for r in results]  # type: ignore
             self._mntner_db_cache.update(retrieved_mntner_objs)
             mntner_objs += retrieved_mntner_objs
 

requirements.txt

@@ -48,11 +48,17 @@ pytest-asyncio==0.20.3
 freezegun==1.2.2
 pytest-freezegun==0.4.2
 asyncmock==0.4.2; python_version < '3.8'
+anyio==3.7.1
 
 # Documentation generation
 Sphinx==4.3.2  # pyup: <4.4  # importlib-metadata conflict with flake8
 sphinxcontrib-spelling==7.7.0
 sphinx-material==0.0.35
+sphinxcontrib-applehelp==1.0.2  # https://github.com/googleapis/sphinx-docfx-yaml/issues/344
+sphinxcontrib-devhelp==1.0.2
+sphinxcontrib-htmlhelp==2.0.0
+sphinxcontrib-qthelp==1.0.3
+sphinxcontrib-serializinghtml==1.1.5
 
 # Code style and type checks
 mypy==1.0.0; platform_python_implementation == "CPython"