refactor(token_manager): use pbkdf2 hmac

2026-06-02 23:07:30 +02:00
parent 60b6b0e592
commit c3131acc88
2 changed files with 14 additions and 9 deletions
+9 -5
@@ -15,6 +15,7 @@ class TokenManager:
__slots__ = [
"last_file_change",
"logger",
"pbkdf2_iterations",
"registry",
"token_hashes",
"token_salt",
@@ -23,11 +24,14 @@ class TokenManager:
FILE = ".tokens"
def __init__(self, params: Parameters, registry: Registry) -> None:
def __init__(
self, params: Parameters, registry: Registry, pbkdf2_iterations: int = 500_000
) -> None:
self.logger: logging.Logger = logging.getLogger(self.__class__.__name__)
self.token_salt: str = params.token_salt
self.token_salt: bytes = params.token_salt.encode()
self.tokens_file: pathlib.Path = pathlib.Path(params.data_dir) / self.FILE
self.registry: Registry = registry
self.pbkdf2_iterations: int = pbkdf2_iterations
self.token_hashes: list[str] = []
self.last_file_change: int | float = 0
@@ -71,9 +75,9 @@ class TokenManager:
return False
def __hash_token(self, token: str) -> str:
return hashlib.sha512(
(self.token_salt + token).encode(), usedforsecurity=True
).hexdigest()
return hashlib.pbkdf2_hmac(
"sha256", token.encode(), self.token_salt, self.pbkdf2_iterations
).hex()
def __load_hashes(self) -> list[str]:
if self.tokens_file.is_file():
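Review bot: Hashes already stored in `.tokens` were produced by the old SHA-512 digest, while `__hash_token` now returns PBKDF2-HMAC-SHA256 output, so unless a migration exists outside this diff, every previously issued token stops validating after the upgrade. The stored value records neither the algorithm nor the iteration count, so a later change to the new `pbkdf2_iterations` constructor argument would have the same effect. I would state that on the method, e.g. `# Changing the salt, digest or pbkdf2_iterations invalidates every hash stored in .tokens.`, or store the parameters alongside each hash. If this hash is computed on every authentication attempt, 500_000 iterations is also CPU cost that an unauthenticated caller can trigger, so the verification path (not visible here) likely wants rate limiting or a check that `pbkdf2_iterations >= 1` is the only bound intended. The class body continues outside these hunks.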
+5 -4
@@ -11,9 +11,9 @@ from . import BaseTestCase
class TestTokenManager(BaseTestCase):
EMPTY_SALT_HASH = "a04ca803c9fd73c21b721ece14b8b30cd3d9ca1bff752904a46982b881e152d0cdaa463a32e6bce71408de611953bc304ca8000d40d4b06b3f2a70769f69fecc"
SALT_HASH = "a5f2d8785eb4f064eae60f94e6025f93be32c2c93d2bbd73a982ee5c7ebcc484536487a4f60cfdfcb9ba72da7cebe0ce11afa91f191272e51d8c14be6874824b"
SECRET_HASH = "9901847ff8c76bd5fb473b7bd2e4f4ddd110332a52a888fd69deb276613885ddf382e5cf1210ed0decdb8010ae3994331a9e0639c3ca7e9e8b110dd50978ce76" # noqa: S105
EMPTY_SALT_HASH = "5f88941ac5e26c430d97411ac1103af7a35c753f14aec088fbf34801c099135a"
SALT_HASH = "d71b1f52657c77d00b2a8c59b8d12d13c1c1bb2bcfbb85d2a9b804c36ad57a70"
SECRET_HASH = "38df428b309308e48c3687e7f90bda0e9cf253568c21ec754a0e076ab4ab6423" # noqa: S105
@typing.override
def setUp(self) -> None:
@@ -21,6 +21,7 @@ class TestTokenManager(BaseTestCase):
self.token_manager = TokenManager(
Parameters(data_dir=self.get_tmp_dir(), token_salt="salt"), # noqa: S106
self.registry,
pbkdf2_iterations=1,
)
self.token_manager.logger = unittest.mock.Mock(logging.Logger)
self.tmp_tokens_file = self.tmp_path / TokenManager.FILE
@@ -34,7 +35,7 @@ class TestTokenManager(BaseTestCase):
self.assertListEqual(self.token_manager.token_hashes, [])
def test_init_weak_salt(self) -> None:
self.token_manager.token_salt = ""
self.token_manager.token_salt = b""
self.seal_mocks()
self.token_manager.init()
self.assert_file_content(
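Review bot: The three expected digests only hold for `pbkdf2_iterations=1`, and nothing in this section exercises the production default, so a later reduction of the 500_000 default would still pass the suite. One assertion on a manager built without the argument, e.g. `self.assertGreaterEqual(TokenManager(params, self.registry).pbkdf2_iterations, 500_000)`, would pin it. A comment above the constants, such as `# hashlib.pbkdf2_hmac("sha256", token, salt, 1).hex()`, would also make them reproducible when the KDF parameters change again. The test method at the end of the section continues outside the hunk.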