[Zope-dev] PAS, AuthEncoding and zope.password

Martijn Pieters mj at zopatista.com
Sun Feb 20 05:41:15 EST 2011


On Fri, Feb 18, 2011 at 22:19, Martijn Pieters <mj at zopatista.com> wrote:
> We should at the very least convert PAS to use zope.password instead
> of AccessControl.AuthEncoding.

There is a snag. The zope.password API doesn't provide any way to
detect what scheme was used for a given hash.

Say you have a SSHA hash, it'll start with the string "{SSHA}", while
a bcrypt encryption starts with "$2a$". Unfortunately, the
zope.password IPasswordManager only provides methods to encode the
password and check if a given password is correct. The only consumer
of the interface, zope.app.authentication.principalfolder only
supports one password manager at a time so never had a need to detect
schemes.

I'll just go ahead and expand the IPasswordManager interface to
provide a match method that returns a boolean indicating whether a
given hash uses the specific encoding scheme. Presumably this'll be
zope.password 4.0.0.

What does this mean for the versioning of AccessControl however? Will
that be a 2.14 release? What version of Zope2 can start using the
new AccessControl package with a "zope.password >= 4.0.0" dependency?
Zope2 primarily uses the ZTK, so a version pin would be needed there
until the new zope.password release makes it into the ZTK.

-- 
Martijn Pieters
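The scheme-detection problem described in the message above, as an added illustration that is not part of the original thread and not zope.password or AccessControl code. Each manager exposes the proposed match() alongside encodePassword()/checkPassword(), and a small dispatcher uses match() to route a stored hash to the manager that produced it, something a consumer holding hashes in more than one scheme needs. Class names, the two schemes shown ("{SSHA}" salted SHA-1 and a legacy unsalted "{SHA}"), and the helper functions are assumptions made for this example; only the Python standard library is used.

```python
"""Scheme-tagged password hashes with a per-manager match() check.

Hand-written example (not zope.password or AccessControl code): every
manager can say whether a stored hash is in its own format, so a consumer
with hashes in several schemes can dispatch checkPassword() correctly.
Class and function names are assumptions.
"""
import base64
import hashlib
import hmac
import os


class SSHAPasswordManager:
    """Salted SHA-1: "{SSHA}" + base64(sha1(password + salt) + salt)."""

    prefix = "{SSHA}"

    def encodePassword(self, password, salt=None):
        if salt is None:
            salt = os.urandom(4)  # fresh random salt for every new hash
        digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
        return self.prefix + base64.b64encode(digest + salt).decode("ascii")

    def checkPassword(self, encoded, password):
        if not self.match(encoded):
            return False
        raw = base64.b64decode(encoded[len(self.prefix):])
        digest, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes
        expected = hashlib.sha1(password.encode("utf-8") + salt).digest()
        return hmac.compare_digest(digest, expected)  # constant-time compare

    def match(self, encoded):
        """True if this hash was produced by this scheme (prefix check)."""
        return encoded.startswith(self.prefix)


class SHAPasswordManager:
    """Legacy unsalted SHA-1: "{SHA}" + base64(sha1(password)).

    Kept only so old hashes can still be verified; new hashes should not
    use it (no salt, so identical passwords yield identical hashes).
    """

    prefix = "{SHA}"

    def encodePassword(self, password, salt=None):
        digest = hashlib.sha1(password.encode("utf-8")).digest()
        return self.prefix + base64.b64encode(digest).decode("ascii")

    def checkPassword(self, encoded, password):
        if not self.match(encoded):
            return False
        return hmac.compare_digest(encoded, self.encodePassword(password))

    def match(self, encoded):
        return encoded.startswith(self.prefix)


# The prefixes are disjoint, so order only documents preference.
MANAGERS = [SSHAPasswordManager(), SHAPasswordManager()]
PREFERRED = MANAGERS[0]


def find_manager(encoded, managers=MANAGERS):
    """Return the manager whose scheme produced `encoded`, or None."""
    for manager in managers:
        if manager.match(encoded):
            return manager
    return None


def check_password(encoded, password, managers=MANAGERS):
    """Dispatch to the matching manager; an unknown scheme never verifies."""
    manager = find_manager(encoded, managers)
    if manager is None:
        return False
    return manager.checkPassword(encoded, password)


def check_and_upgrade(encoded, password, managers=MANAGERS, preferred=PREFERRED):
    """Verify, and if the hash is in a non-preferred (legacy) scheme return a
    re-encoded hash in the preferred one so the store can migrate on login.

    Returns (ok, new_encoded_or_None).
    """
    manager = find_manager(encoded, managers)
    if manager is None or not manager.checkPassword(encoded, password):
        return False, None
    if manager is preferred:
        return True, None
    return True, preferred.encodePassword(password)


if __name__ == "__main__":
    legacy = SHAPasswordManager().encodePassword("s3cret")  # constructed input
    print(legacy, "->", find_manager(legacy).__class__.__name__)
    ok, upgraded = check_and_upgrade(legacy, "s3cret")
    print("verified:", ok, "migrated to:", upgraded)
    print("unknown scheme verifies:", check_password("$2a$10$notahash", "s3cret"))
```

The dispatcher deliberately returns False rather than raising for a hash with an unrecognised prefix, so a stored value in a scheme the system no longer supports fails closed instead of being mistaken for plain text. check_and_upgrade() is the usual way to retire a legacy scheme without a forced password reset: the only moment the clear-text password is available is a successful login, so that is when the hash is rewritten.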
