| author | Eli Collins <elic@assurancetechnologies.com> | 2012-04-11 17:49:09 -0400 |
|---|---|---|
| committer | Eli Collins <elic@assurancetechnologies.com> | 2012-04-11 17:49:09 -0400 |
| commit | 5bd6deb8144cb24caa51e82c7682f706ecc09a6c (patch) | |
| tree | 0eca5ec7a8a145cb3e166a9a75b95b393e9d417d /docs | |
| parent | 157d4806512b2586c1a0fd5ee57e8c167e506f3e (diff) | |
clarify behavior for secret=None and hash=None
* passing a non-string secret or non-string hash to any
CryptContext or handler method will now reliably result
in a TypeError.
previously, passing hash=None to many handler identify() and verify()
methods would return False, while others would raise a TypeError.
other handler methods would alternately throw ValueError or TypeError
when passed a value that wasn't unicode or bytes.
the various CryptContext methods also behaved inconsistently,
depending on the behavior of the underlying handler.
all of these behaviors are gone, they should all raise the same TypeError.
* redid many of the from_string() methods to verify the hash type.
* moved secret type & size validation to GenericHandler's encrypt/genhash/verify methods.
this cheaply made the secret validation global to all hashes, and lets
_calc_digest() implementations trust that the secret is valid.
* updated the CryptContext and handler unittests to verify the above behavior is adhered to.
Diffstat (limited to 'docs')
| -rw-r--r-- | docs/password_hash_api.rst | 19 |
1 files changed, 10 insertions, 9 deletions
diff --git a/docs/password_hash_api.rst b/docs/password_hash_api.rst index 67f9ba6..c349992 100644 --- a/docs/password_hash_api.rst +++ b/docs/password_hash_api.rst @@ -216,7 +216,7 @@ which scheme a hash belongs to when multiple schemes are in use. :raises TypeError: - * if :samp:`{secret}` is not a bytes or unicode instance. + * if :samp:`{secret}` is not a unicode or bytes instance. * if a required option (such as a context keyword) was not set. @@ -237,8 +237,9 @@ which scheme a hash belongs to when multiple schemes are in use. Quickly identify if a hash string belongs to this algorithm. - :arg hash: - the candidate hash string to check + :arg hash: the candidate hash string to check + + :raises TypeError: if :samp:`{hash}` is not a unicode or bytes instance. :returns: ``True`` if the input appears to be a hash or configuration string @@ -273,11 +274,12 @@ which scheme a hash belongs to when multiple schemes are in use. method. These should be limited to those listed in :attr:`~PasswordHash.context_kwds`. - :raises TypeError: if :samp:`{secret}` is not a bytes or unicode instance. + :raises TypeError: + + if either *secret* or *hash* is not a unicode or bytes instance. :raises ValueError: - * if no hash is provided, or the hash does not match this - algorithm's hash format. + * the hash does not match this algorithm's hash format. * if the secret contains forbidden characters (see :meth:`~PasswordHash.encrypt`). * if a configuration string from :meth:`~PasswordHash.genconfig` 
@@ -356,9 +358,8 @@ and :meth:`~PasswordHash.genhash`. these kwds must be specified in :attr:`~PasswordHash.context_kwds`. :raises TypeError: - * if the configuration string is not provided - * if required contextual information is not provided - * if :samp:`{secret}` is not a bytes or unicode instance. + * if either *secret* or *config* is not a unicode or bytes instance. + * if required contextual keywords are not provided :raises ValueError: * if the configuration string is not in a recognized format. |
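Review bot: In the identify() hunk (@@ -237,8 +237,9), the added ":raises TypeError: if :samp:`{hash}` is not a unicode or bytes instance." documents a behavior change without marking it as one. The commit message says hash=None previously returned False for many handlers, so a caller that used identify() as a null-safe probe will now get an exception instead of a boolean. Suggest a versionchanged note under this entry, carrying the release number, that says non-string hashes now raise TypeError rather than returning False.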
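Review bot: In the verify() hunk (@@ -273,11 +274,12), removing "if no hash is provided" from the ValueError list leaves the missing-hash case covered only implicitly by the new TypeError wording. verify() sits on the authentication path, and an account record with no stored hash is the usual way None reaches it, so the entry should say outright that hash=None raises TypeError and that callers need to handle an absent hash before calling verify(). Two smaller points in the same hunk: the replacement bullet "the hash does not match this algorithm's hash format." has lost the leading "if" its sibling bullets keep, and the TypeError description sits on its own line after a blank line, while the identify() hunk puts it on the same line as the field name.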
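Review bot: In the genhash() hunk (@@ -356,9 +358,8), the new bullet writes the arguments as *secret* and *config*, while the encrypt() and identify() hunks in this same patch use :samp:`{secret}` and :samp:`{hash}`. Pick one markup for argument names across the file so the rendered docs are consistent. The second new bullet, "if required contextual keywords are not provided", is also missing the trailing period that the bullet above it has.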
