Migrate passwords from Drupal 7 to Django

前端 未结 4 1021
南方客
南方客 2021-02-08 10:36

I am migrating a site from Drupal 7 to Django 1.4, including the current users. How can I work with the passwords that were hashed by Drupal?

According to this, Drupal 7

相关标签:
4条回答
  • 2021-02-08 10:52

    Here's an update to David's excellent answer for python 3, since hashlib no longer accepts strings. Also, this includes support for the odd "U$S$*" hashes, which apparently are from an update and I found a bunch of them in my drupal database.

    https://gist.github.com/skulegirl/bec420b5272b87d9e4dbd39e947062fc

    And as a bonus, here's the code that I used to import my xml file of user data in. (I just created the xml file via an sql export after doing a query on the users table.)

    import xml.etree.ElementTree as ET
    from django.contrib.auth.models import User
    
    tree = ET.parse('/PATH/TO/Users.xml')
    root = tree.getroot()
    
    for row in root:
        user_dict = {}
        for field in row:
            user_dict[field.attrib['name']] = field.text
        user = User.objects.create_user(user_dict['name'], user_dict['mail'])
        if user_dict['pass'][0] == '$':
            user_dict['pass'] = user_dict['pass'][1:]
        user.password = user_dict['pass']
        user.save()
    
    0 讨论(0)
  • 2021-02-08 10:56

    You should be able to implement this by creating your own subclass of BasePasswordHasher, and adding it to your PASSWORD_HASHERS setting.

    Python's hashlib implements sha512.

    The page David linked to in the question explains how the number of iterations (16385 for Drupal 7) is encoded in the hash, but it's not clear to me how to get the salt.

    Edit: In the comment to @santiago's answer, David says the "the salt is the 5th character through the 12th in the stored Drupal string".

    0 讨论(0)
  • 2021-02-08 11:04

    I don't know Drupal very well, but I suppose that the passwords are stored hashed. If that's the case, you'll have to copy the passwords (I mean, copy them unchanged) and you'll have to change the way Django hashes its passwords, using the exactly same way of Drupal, with the same Security Salt.

    I really don't know how to do that, but the logic for passwords is contained in the User object. For example. the User.set_password() function (described here) uses the make_password function.

    I think with a little research you'll find the way to change it, but the important thing is, remember that the functions must be equals! ie:

    drupal_hash(x) == django_hash(x) for every x in the allowed passwords set.

    EDIT:

    Taking a deeper look django get the has function with the get_hasher function. Now in the 1.4 version there's a way to specify how Django will select that function. Take a look at this: https://docs.djangoproject.com/en/dev/topics/auth/#how-django-stores-passwords

    Finally, in order to create your own function, you can take a look at how it's done on the MD5PasswordHasher. It seems really simple. You can use the hashlib python library to generate sha-512 algorithms.

    Changing the encode method would require somthing similar to:

    def encode(self, password, salt):
        assert password
        assert salt and '$' not in salt
        hash = hashlib.sha512(salt + password).hexdigest()
        return "%s$%s$%s" % (self.algorithm, salt, hash)
    
    0 讨论(0)
  • 2021-02-08 11:08

    Thank you, David Robinson, for your code. That made my day! It seems to have a flaw, though: If Drupal decided to not use 'C' but 'D' for the number of iterations, it fails. I fixed the class definition slightly:

    class DrupalPasswordHasher(BasePasswordHasher):
        algorithm = "S"
        iter_code = 'C'
        salt_length = 8
    
        def encode(self, password, salt, iter_code=None):
            """The Drupal 7 method of encoding passwords"""
            if iter_code == None:
                iterations = 2 ** _ITOA64.index(self.iter_code)
            else:
                iterations = 2 ** _ITOA64.index(iter_code)
            hash = hashlib.sha512(salt + password).digest()
    
            for i in range(iterations):
                hash = hashlib.sha512(hash + password).digest()
    
            l = len(hash)
    
            output = ''
            i = 0
    
            while i < l:
                value = ord(hash[i])
                i = i + 1
    
                output += _ITOA64[value & 0x3f]
                if i < l:
                    value |= ord(hash[i]) << 8
    
                output += _ITOA64[(value >> 6) & 0x3f]
                if i >= l:
                    break
                i += 1
    
                if i < l:
                    value |= ord(hash[i]) << 16
    
                output += _ITOA64[(value >> 12) & 0x3f]
                if i >= l:
                    break
                i += 1
    
                output += _ITOA64[(value >> 18) & 0x3f]
    
            longhashed = "%s$%s%s%s" % (self.algorithm, iter_code,
                                        salt, output)
            return longhashed[:54]
    
        def verify(self, password, encoded):
            hash = encoded.split("$")[1]
            iter_code = hash[0]
            salt = hash[1:1 + self.salt_length]
            return encoded == self.encode(password, salt, iter_code)
    
    0 讨论(0)
提交回复
热议问题