)]}'
{"ironic_python_agent/extensions/rescue.py":[{"author":{"_account_id":15064,"name":"raphael.glon","email":"raphael.glon@corp.ovh.com","username":"raphael"},"change_message_id":"9279b9b5065c51607e919660dbaa339d2cf2b7ad","unresolved":false,"context_lines":[{"line_number":41,"context_line":"        :param rescue_password: Rescue password."},{"line_number":42,"context_line":"        \"\"\""},{"line_number":43,"context_line":"        LOG.debug(\u0027Writing hashed rescue password to %s\u0027, PASSWORD_FILE)"},{"line_number":44,"context_line":"        password \u003d str(rescue_password)"},{"line_number":45,"context_line":"        hashed_password \u003d None"},{"line_number":46,"context_line":"        if (password.startswith(\u0027$\u0027)"},{"line_number":47,"context_line":"            and (password.startswith(\u0027$\u0027, 2, 3)"}],"source_content_type":"text/x-python","patch_set":3,"id":"3fa7e38b_ffe811e0","line":44,"updated":"2019-11-27 08:46:30.000000000","message":"May be it could be easier to have two separate explicit fields in the interface, rescue_password would be assumed to be in clear text, and hashed_rescue_password would be hashed, then we could deprecate the clear one in a few versions (once it\u0027s not used by Ironic anymore).\n\n(see related https://review.opendev.org/#/c/695649/)","commit_id":"4e5718f5f099a50fd06c2cd62a53bd2b02ec7cbe"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"2804b15fcc2444cbb81367487b73ff2ab24aa9d5","unresolved":false,"context_lines":[{"line_number":41,"context_line":"        :param rescue_password: Rescue password."},{"line_number":42,"context_line":"        \"\"\""},{"line_number":43,"context_line":"        LOG.debug(\u0027Writing hashed rescue password to %s\u0027, PASSWORD_FILE)"},{"line_number":44,"context_line":"        password \u003d str(rescue_password)"},{"line_number":45,"context_line":"        hashed_password \u003d None"},{"line_number":46,"context_line":"        if (password.startswith(\u0027$\u0027)"},{"line_number":47,"context_line":"            and (password.startswith(\u0027$\u0027, 2, 3)"}],"source_content_type":"text/x-python","patch_set":3,"id":"3fa7e38b_ca52e368","line":44,"in_reply_to":"3fa7e38b_ffe811e0","updated":"2019-12-03 23:39:49.000000000","message":"You\u0027ve got a good point, although I have a feeling we\u0027re going to need to be able to allow operators to select themselves. There was a case I was talking about with Dmitry where it made sense.","commit_id":"4e5718f5f099a50fd06c2cd62a53bd2b02ec7cbe"},{"author":{"_account_id":10239,"name":"Dmitry Tantsur","email":"dtantsur@protonmail.com","username":"dtantsur"},"change_message_id":"41445503506259035db4b062d80a8ee6f32ac25e","unresolved":false,"context_lines":[{"line_number":47,"context_line":"            and (password.startswith(\u0027$\u0027, 2, 3)"},{"line_number":48,"context_line":"                 or password.startswith(\u0027$\u0027, 3, 4))"},{"line_number":49,"context_line":"            and len(password) \u003e 30):"},{"line_number":50,"context_line":"            # Password appears to already be hashed, lets make sure"},{"line_number":51,"context_line":"            elements \u003d password.split(\u0027$\u0027)"},{"line_number":52,"context_line":"            if elements[1] in [\u00271\u0027, \u00272a\u0027, \u00275\u0027, \u00276\u0027]:"},{"line_number":53,"context_line":"                # These are the type markers for hashed password types."}],"source_content_type":"text/x-python","patch_set":3,"id":"3fa7e38b_4f3c9792","line":50,"updated":"2019-10-28 09:18:54.000000000","message":"make sure what?","commit_id":"4e5718f5f099a50fd06c2cd62a53bd2b02ec7cbe"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"a0cf7421c63ae2da10bb7ed8f28655ca451b30ce","unresolved":false,"context_lines":[{"line_number":47,"context_line":"            and (password.startswith(\u0027$\u0027, 2, 3)"},{"line_number":48,"context_line":"                 or password.startswith(\u0027$\u0027, 3, 4))"},{"line_number":49,"context_line":"            and len(password) \u003e 30):"},{"line_number":50,"context_line":"            # Password appears to already be hashed, lets make sure"},{"line_number":51,"context_line":"            elements \u003d password.split(\u0027$\u0027)"},{"line_number":52,"context_line":"            if elements[1] in [\u00271\u0027, \u00272a\u0027, \u00275\u0027, \u00276\u0027]:"},{"line_number":53,"context_line":"                # These are the type markers for hashed password types."}],"source_content_type":"text/x-python","patch_set":3,"id":"3fa7e38b_930a9f87","line":50,"in_reply_to":"3fa7e38b_4f3c9792","updated":"2019-10-29 17:02:00.000000000","message":"The checking the second field value since it is not structurally part of the password.","commit_id":"4e5718f5f099a50fd06c2cd62a53bd2b02ec7cbe"},{"author":{"_account_id":10239,"name":"Dmitry Tantsur","email":"dtantsur@protonmail.com","username":"dtantsur"},"change_message_id":"41445503506259035db4b062d80a8ee6f32ac25e","unresolved":false,"context_lines":[{"line_number":49,"context_line":"            and len(password) \u003e 30):"},{"line_number":50,"context_line":"            # Password appears to already be hashed, lets make sure"},{"line_number":51,"context_line":"            elements \u003d password.split(\u0027$\u0027)"},{"line_number":52,"context_line":"            if elements[1] in [\u00271\u0027, \u00272a\u0027, \u00275\u0027, \u00276\u0027]:"},{"line_number":53,"context_line":"                # These are the type markers for hashed password types."},{"line_number":54,"context_line":"                # 1 is md5"},{"line_number":55,"context_line":"                # 2a is bcrypt"}],"source_content_type":"text/x-python","patch_set":3,"id":"3fa7e38b_ef3c6393","line":52,"updated":"2019-10-28 09:18:54.000000000","message":"this is still not a rock-solid check, is it? maybe allow some additional marker that is unlikely to be met in a real password?\n\nalso this whole check seems to be a good case for a regex","commit_id":"4e5718f5f099a50fd06c2cd62a53bd2b02ec7cbe"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"85129c436bce51590cf5503d49fd599cd6ce0351","unresolved":false,"context_lines":[{"line_number":49,"context_line":"            and len(password) \u003e 30):"},{"line_number":50,"context_line":"            # Password appears to already be hashed, lets make sure"},{"line_number":51,"context_line":"            elements \u003d password.split(\u0027$\u0027)"},{"line_number":52,"context_line":"            if elements[1] in [\u00271\u0027, \u00272a\u0027, \u00275\u0027, \u00276\u0027]:"},{"line_number":53,"context_line":"                # These are the type markers for hashed password types."},{"line_number":54,"context_line":"                # 1 is md5"},{"line_number":55,"context_line":"                # 2a is bcrypt"}],"source_content_type":"text/x-python","patch_set":3,"id":"3fa7e38b_91d6f4c2","line":52,"in_reply_to":"3fa7e38b_932ffff4","updated":"2019-10-31 17:59:22.000000000","message":"I guess my conundrum is that to be here we already have to have a password that is 30 characters or longer. Which means that we\u0027re likely in the realm of md5 (32 bytes). bcrypt is about 36, sha256 is ?46? and sha512 is ?64?, which are exceptionally long passwords, which means if we\u0027re talking about random passwords we\u0027re already kind of outside the length used by most generators. I guess I feel like the happy medium is just publish a reno and backport this change in alignment with a conductor change.","commit_id":"4e5718f5f099a50fd06c2cd62a53bd2b02ec7cbe"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"a0cf7421c63ae2da10bb7ed8f28655ca451b30ce","unresolved":false,"context_lines":[{"line_number":49,"context_line":"            and len(password) \u003e 30):"},{"line_number":50,"context_line":"            # Password appears to already be hashed, lets make sure"},{"line_number":51,"context_line":"            elements \u003d password.split(\u0027$\u0027)"},{"line_number":52,"context_line":"            if elements[1] in [\u00271\u0027, \u00272a\u0027, \u00275\u0027, \u00276\u0027]:"},{"line_number":53,"context_line":"                # These are the type markers for hashed password types."},{"line_number":54,"context_line":"                # 1 is md5"},{"line_number":55,"context_line":"                # 2a is bcrypt"}],"source_content_type":"text/x-python","patch_set":3,"id":"3fa7e38b_932ffff4","line":52,"in_reply_to":"3fa7e38b_ef3c6393","updated":"2019-10-29 17:02:00.000000000","message":"So are you thinking instead just allow anything with double dollar signs through since it structurally appears to be a hashed password, either user supplied or conductor generated?","commit_id":"4e5718f5f099a50fd06c2cd62a53bd2b02ec7cbe"},{"author":{"_account_id":10239,"name":"Dmitry Tantsur","email":"dtantsur@protonmail.com","username":"dtantsur"},"change_message_id":"4a6325ffcca125999b52f3749bdacba7a2fab637","unresolved":false,"context_lines":[{"line_number":51,"context_line":"        # in the V or W cycles."},{"line_number":52,"context_line":"        LOG.debug(\u0027Writing hashed rescue password to %s\u0027, PASSWORD_FILE)"},{"line_number":53,"context_line":"        password \u003d str(rescue_password)"},{"line_number":54,"context_line":"        hashed_password \u003d None"},{"line_number":55,"context_line":"        if hashed:"},{"line_number":56,"context_line":"            hashed_password \u003d password"},{"line_number":57,"context_line":"        else:"}],"source_content_type":"text/x-python","patch_set":5,"id":"3fa7e38b_980649cd","line":54,"updated":"2020-01-03 12:53:39.000000000","message":"nit: not needed","commit_id":"de90f54b9b78343c558735b2a1f3bdc047c4a9e1"}],"releasenotes/notes/permit-pre-hashed-rescue-passwords-4275f6e697533cec.yaml":[{"author":{"_account_id":10239,"name":"Dmitry Tantsur","email":"dtantsur@protonmail.com","username":"dtantsur"},"change_message_id":"41445503506259035db4b062d80a8ee6f32ac25e","unresolved":false,"context_lines":[{"line_number":2,"context_line":"security:"},{"line_number":3,"context_line":"  - |"},{"line_number":4,"context_line":"    Enables pre-hashed passwords to be supplied to the ``rescue`` extension."},{"line_number":5,"context_line":"    Please see `story 2006777 \u003chttps://storyboard.openstack.org/#!/story/2006777\u003e`_"},{"line_number":6,"context_line":"    for more information."}],"source_content_type":"text/x-yaml","patch_set":3,"id":"3fa7e38b_0f421f10","line":5,"updated":"2019-10-28 09:18:54.000000000","message":"nit: we usually skip \"Please\"","commit_id":"4e5718f5f099a50fd06c2cd62a53bd2b02ec7cbe"}]}
