author: Michael Merickel <mmerickel@users.noreply.github.com> 2016-04-14 22:44:22 -0500
committer: Michael Merickel <mmerickel@users.noreply.github.com> 2016-04-14 22:44:22 -0500
commit: ed4c2a03711277a665b89ed32d56a54bd3857de6 (patch)
tree: 9585f3634d532a5b31932322326a2797291368c2
parent: d964d983e9415160af75bda18feb0a773c111b5b (diff)
parent: 99c1033df773517683fc6ca050c9dfa3248614c2 (diff)
download: pyramid-ed4c2a03711277a665b89ed32d56a54bd3857de6.tar.gz / .tar.bz2 / .zip
Merge pull request #2496 from Pylons/update/hashalg_authtkt
Switch to sha512 in AuthTktAuthenticationPolicy
-rw-r--r-- CHANGES.txt               | 81
-rw-r--r-- TODO.txt                  |  3
-rw-r--r-- pyramid/authentication.py | 49
3 files changed, 56 insertions, 77 deletions
diff --git a/CHANGES.txt b/CHANGES.txt
index 96d8d8236..ead9eb4b9 100644
--- a/CHANGES.txt
+++ b/CHANGES.txt
@@ -1,6 +1,22 @@
unreleased
==========
+Backward Incompatibilities
+--------------------------
+
+- Following the Pyramid deprecation period (1.4 -> 1.6),
+ AuthTktAuthenticationPolicy's default hashing algorithm is changing from md5
+ to sha512. If you are using the authentication policy and need to continue
+ using md5, please explicitly set hashalg to 'md5'.
+
+ This change does mean that any existing auth tickets (and associated cookies)
+ will no longer be valid, and users will no longer be logged in, and have to
+ login to their accounts again. No other backwards incompatible changes have
+ been made.
+
+Features
+--------
+
- Pyramid HTTPExceptions will now take into account the best match for the
clients Accept header, and depending on what is requested will return
text/html, application/json or text/plain. The default for */* is still
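Review bot: the new Backward Incompatibilities entry is the only item in this file without a pointer to the change; every other entry ends with a "See https://github.com/Pylons/pyramid/pull/..." line, so add "See https://github.com/Pylons/pyramid/pull/2496" (the PR named in the commit message). Two wording points in the same paragraph: "have to login to their accounts again" needs the verb form "log in", and the chained clauses "will no longer be valid, and users will no longer be logged in, and have to login" read better as one sentence, e.g. "existing auth tickets (and their cookies) will no longer validate, so all users will be logged out and must log in again."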
@@ -8,16 +24,38 @@ unreleased
receive a valid JSON response. See:
https://github.com/Pylons/pyramid/pull/2489
-- (Deprecation) Support for Python 3.3 will be removed in Pyramid 1.8.
- https://github.com/Pylons/pyramid/issues/2477
-
- A new event and interface (BeforeTraversal) has been introduced that will
notify listeners before traversal starts in the router. See
https://github.com/Pylons/pyramid/pull/2469 and
https://github.com/Pylons/pyramid/pull/1876
-- Python 2.6 is no longer supported by Pyramid. See
- https://github.com/Pylons/pyramid/issues/2368
+- Add a new "view deriver" concept to Pyramid to allow framework authors to
+ inject elements into the standard Pyramid view pipeline and affect all
+ views in an application. This is similar to a decorator except that it
+ has access to options passed to ``config.add_view`` and can affect other
+ stages of the pipeline such as the raw response from a view or prior to
+ security checks. See https://github.com/Pylons/pyramid/pull/2021
+
+
+- Allow a leading ``=`` on the key of the request param predicate.
+ For example, '=abc=1' is equivalent down to
+ ``request.params['=abc'] == '1'``.
+ See https://github.com/Pylons/pyramid/pull/1370
+
+- A new ``request.invoke_exception_view(...)`` method which can be used to
+ invoke an exception view and get back a response. This is useful for
+ rendering an exception view outside of the context of the excview tween
+ where you may need more control over the request.
+ See https://github.com/Pylons/pyramid/pull/2393
+
+- Allow using variable substitutions like ``%(LOGGING_LOGGER_ROOT_LEVEL)s``
+ for logging sections of the .ini file and populate these variables from
+ the ``pserve`` command line -- e.g.:
+ ``pserve development.ini LOGGING_LOGGER_ROOT_LEVEL=DEBUG``
+ See https://github.com/Pylons/pyramid/pull/2399
+
+Documentation Changes
+---------------------
- A complete overhaul of the docs:
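Review bot: two consecutive blank lines are added after the view deriver entry (the one ending "See https://github.com/Pylons/pyramid/pull/2021"); the rest of the file separates entries with a single blank line, so drop one. The remainder of the hunk only moves existing entries under the new Features heading with their text unchanged, which looks right.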
@@ -37,8 +75,8 @@ unreleased
point for new projects.
See https://github.com/Pylons/pyramid/pull/2024
-- Dropped Python 3.2 support.
- See https://github.com/Pylons/pyramid/pull/2256
+Bug Fixes
+---------
- Fix ``pserve --browser`` to use the ``--server-name`` instead of the
app name when selecting a section to use. This was only working for people
@@ -46,29 +84,18 @@ unreleased
``[app:main]`` and ``[server:main]``.
See https://github.com/Pylons/pyramid/pull/2292
-- Allow a leading ``=`` on the key of the request param predicate.
- For example, '=abc=1' is equivalent down to
- ``request.params['=abc'] == '1'``.
- See https://github.com/Pylons/pyramid/pull/1370
+Deprecations
+------------
-- A new ``request.invoke_exception_view(...)`` method which can be used to
- invoke an exception view and get back a response. This is useful for
- rendering an exception view outside of the context of the excview tween
- where you may need more control over the request.
- See https://github.com/Pylons/pyramid/pull/2393
+- (Deprecation) Support for Python 3.3 will be removed in Pyramid 1.8.
+ https://github.com/Pylons/pyramid/issues/2477
-- Allow using variable substitutions like ``%(LOGGING_LOGGER_ROOT_LEVEL)s``
- for logging sections of the .ini file and populate these variables from
- the ``pserve`` command line -- e.g.:
- ``pserve development.ini LOGGING_LOGGER_ROOT_LEVEL=DEBUG``
- See https://github.com/Pylons/pyramid/pull/2399
+- Python 2.6 is no longer supported by Pyramid. See
+ https://github.com/Pylons/pyramid/issues/2368
+
+- Dropped Python 3.2 support.
+ See https://github.com/Pylons/pyramid/pull/2256
-- Add a new "view deriver" concept to Pyramid to allow framework authors to
- inject elements into the standard Pyramid view pipeline and affect all
- views in an application. This is similar to a decorator except that it
- has access to options passed to ``config.add_view`` and can affect other
- stages of the pipeline such as the raw response from a view or prior to
- security checks. See https://github.com/Pylons/pyramid/pull/2021
1.6 (2015-04-14)
================
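Review bot: the "(Deprecation)" prefix on the Python 3.3 entry is redundant now that the entry sits directly under a "Deprecations" heading; make it read "- Support for Python 3.3 will be removed in Pyramid 1.8." The two entries that follow it (Python 2.6 no longer supported, Python 3.2 support dropped) describe removals already made rather than pending deprecations, so consider whether they belong under Backward Incompatibilities instead.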
diff --git a/TODO.txt b/TODO.txt
index ff567bca8..797f8acef 100644
--- a/TODO.txt
+++ b/TODO.txt
@@ -120,9 +120,6 @@ Future
- 1.6: Remove IContextURL and TraversalContextURL.
-- 1.7: Change ``pyramid.authentication.AuthTktAuthenticationPolicy`` default
- ``hashalg`` to ``sha512``.
-
- 1.8: Remove set_request_property.
- 1.8: Drop Python 3.3 support.
diff --git a/pyramid/authentication.py b/pyramid/authentication.py
index 9bf1de62e..e6b888db2 100644
--- a/pyramid/authentication.py
+++ b/pyramid/authentication.py
@@ -5,7 +5,6 @@ import hashlib
import base64
import re
import time as time_mod
-import warnings
from zope.interface import implementer
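Review bot: dropping ``import warnings`` is only safe if the DeprecationWarning removed from the constructor later in this patch was the module's sole use of it; that is the only ``warnings.`` reference the diff shows being deleted, so please confirm with a grep of pyramid/authentication.py that none remain before merging.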
@@ -417,20 +416,11 @@ class RemoteUserAuthenticationPolicy(CallbackAuthenticationPolicy):
be done somewhere else or in a subclass."""
return []
-_marker = object()
-
@implementer(IAuthenticationPolicy)
class AuthTktAuthenticationPolicy(CallbackAuthenticationPolicy):
"""A :app:`Pyramid` :term:`authentication policy` which
obtains data from a Pyramid "auth ticket" cookie.
- .. warning::
-
- The default hash algorithm used in this policy is MD5 and has known
- hash collision vulnerabilities. The risk of an exploit is low.
- However, for improved authentication security, use
- ``hashalg='sha512'``.
-
Constructor Arguments
``secret``
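Review bot: removing the ``_marker`` sentinel is correct once the default is a real string, but deleting the whole ``.. warning::`` block leaves the class docstring saying nothing about md5 while ``hashalg`` still accepts any hashlib algorithm and the CHANGES entry explicitly tells users to set ``hashalg='md5'`` if they need it. Keep one sentence in its place, for example: "``md5`` remains selectable for compatibility with existing cookies but is not recommended; the default is ``sha512``." That preserves the security guidance the old warning carried for anyone who opts back into md5.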
@@ -552,7 +542,7 @@ class AuthTktAuthenticationPolicy(CallbackAuthenticationPolicy):
``hashalg``
- Default: ``md5`` (the literal string).
+ Default: ``sha512`` (the literal string).
Any hash algorithm supported by Python's ``hashlib.new()`` function
can be used as the ``hashalg``.
@@ -562,21 +552,10 @@ class AuthTktAuthenticationPolicy(CallbackAuthenticationPolicy):
``hashalg`` will imply that all existing users with a valid cookie will
be required to re-login.
- A warning is emitted at startup if an explicit ``hashalg`` is not
- passed. This is for backwards compatibility reasons.
-
This option is available as of :app:`Pyramid` 1.4.
Optional.
- .. note::
-
- ``md5`` is the default for backwards compatibility reasons. However,
- if you don't specify ``md5`` as the hashalg explicitly, a warning is
- issued at application startup time. An explicit value of ``sha512``
- is recommended for improved security, and ``sha512`` will become the
- default in a future Pyramid version.
-
``debug``
Default: ``False``. If ``debug`` is ``True``, log messages to the
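Review bot: with the note deleted, the only version information left on ``hashalg`` is "available as of :app:`Pyramid` 1.4"; add a line recording that the default changed from ``md5`` to ``sha512`` in this release (the TODO.txt item removed in this patch scheduled it for 1.7), so a reader of the docstring can connect an upgrade that logs out every user with the "all existing users with a valid cookie will be required to re-login" sentence two paragraphs above.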
@@ -601,34 +580,10 @@ class AuthTktAuthenticationPolicy(CallbackAuthenticationPolicy):
http_only=False,
wild_domain=True,
debug=False,
- hashalg=_marker,
+ hashalg='sha512',
parent_domain=False,
domain=None,
):
- if hashalg is _marker:
- hashalg = 'md5'
- warnings.warn(
- 'The MD5 hash function used by default by the '
- 'AuthTktAuthenticationPolicy is known to be '
- 'susceptible to collision attacks. It is the current default '
- 'for backwards compatibility reasons, but we recommend that '
- 'you use the SHA512 algorithm instead for improved security. '
- 'Pass ``hashalg=\'sha512\'`` to the '
- 'AuthTktAuthenticationPolicy constructor to do so.\n\nNote '
- 'that a change to the hash algorithms will invalidate existing '
- 'auth tkt cookies set by your application. If backwards '
- 'compatibility of existing auth tkt cookies is of greater '
- 'concern than the risk posed by the potential for a hash '
- 'collision, you\'ll want to continue using MD5 explicitly. '
- 'To do so, pass ``hashalg=\'md5\'`` in your application to '
- 'the AuthTktAuthenticationPolicy constructor. When you do so '
- 'this warning will not be emitted again. The default '
- 'algorithm used in this policy will change in the future, so '
- 'setting an explicit hashalg will futureproof your '
- 'application.',
- DeprecationWarning,
- stacklevel=2
- )
self.cookie = AuthTktCookieHelper(
secret,
cookie_name=cookie_name,
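Review bot: the removed warning was also the only startup-time signal that ``hashalg`` had been left implicit; after this change a deployment relying on the old md5 default gets no message and simply sees every session invalidated on upgrade. CHANGES.txt accepts that trade-off, so it is fine here, but since the docstring promises any ``hashlib.new()`` algorithm name and the value is handed on to AuthTktCookieHelper (the call that begins at the end of the hunk), consider calling ``hashlib.new(hashalg)`` once in the constructor if the helper does not already validate it, so a misspelled algorithm fails at configuration time rather than on the first ticket. The new ``hashalg='sha512'`` default itself agrees with the docstring and CHANGES text.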