
TO Postinstall: AttributeError: module 'hashlib' has no attribute 'scrypt' #6285

Closed
zrhoffman opened this issue Oct 14, 2021 · 4 comments · Fixed by #6286
Labels
bug something isn't working as intended install related to the installation process Traffic Ops related to Traffic Ops
Comments

@zrhoffman
Member

This Bug Report affects these Traffic Control components:

  • Traffic Ops - Postinstall

Current behavior:

Python Postinstall fails on CentOS 7 if Python 3 is installed (but succeeds if Python 3 is not installed, because it will use Python 2).

Originally reported by @rsidhaarth in the first draft of #6236.

Expected behavior:

The Python Postinstall script should succeed on CentOS 7, with or without Python 3.

Steps to reproduce:

<<'DOCKER_COMMANDS' docker run --rm -iv$(pwd):/opt -w/opt centos:7 bash
yum -y install python3 &&
<<'PYTHON_COMMANDS' PYTHONPATH=traffic_ops/install/bin python3
import _postinstall
print(_postinstall.hash_pass('mysecretpassword'))
PYTHON_COMMANDS
DOCKER_COMMANDS

Output:

[...]
Traceback (most recent call last):
  File "<stdin>", line 2, in <module>
  File "/opt/traffic_ops/install/bin/_postinstall.py", line 433, in hash_pass
    hashed = hashlib.scrypt(passwd.encode(), salt=salt, n=n, r=r_val, p=p_val, dklen=dklen)
AttributeError: module 'hashlib' has no attribute 'scrypt'
@zrhoffman zrhoffman added bug something isn't working as intended Traffic Ops related to Traffic Ops install related to the installation process labels Oct 14, 2021
@ocket8888
Contributor

According to the hashlib module docs, hashlib.scrypt was added in Python version 3.6. Versions prior to 3.6 are unmaintained - why do we need to support unmaintained interpreters?

@zrhoffman
Member Author

But it is Python 3.6

[root@5c67d26d1307 /]# python3 --version
Python 3.6.8

@zrhoffman
Member Author

You're right that the opportunity to include hashlib.scrypt() exists as of Python 3.6, but that doesn't mean that the compiled Python version necessarily includes it. As you can see from the Python 3.6.8 source, it won't include hashlib.scrypt() if the OpenSSL version is under 1.1 (CentOS 7 uses OpenSSL 1.0.2k + security patches):

#if (OPENSSL_VERSION_NUMBER > 0x10100000L && !defined(OPENSSL_NO_SCRYPT) && !defined(LIBRESSL_VERSION_NUMBER))

PyDoc_STRVAR(_hashlib_scrypt__doc__,
"scrypt($module, /, password, *, salt=None, n=None, r=None, p=None,\n"

Because Python 3.6 does not assume that hashlib.scrypt() will exist, we shouldn't, either.
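One way to act on that point in an installer, added here as an example and not the fix from #6286 or any Traffic Control code: feature-detect hashlib.scrypt at call time and, when it is missing, fall back to a pure-Python scrypt (RFC 7914) built on hashlib.pbkdf2_hmac, which Python has carried since 3.4 regardless of the OpenSSL build. The hash_pass signature and its default n/r/p/dklen values are assumptions, not the script's own; both paths return identical bytes for the same inputs, so stored hashes stay interchangeable between builds.

```python
import hashlib
import struct

_M32 = 0xffffffff
_QR = [(0, 4, 8, 12), (5, 9, 13, 1), (10, 14, 2, 6), (15, 3, 7, 11),   # column rounds
       (0, 1, 2, 3), (5, 6, 7, 4), (10, 11, 8, 9), (15, 12, 13, 14)]   # row rounds

def _salsa20_8(block):  # Salsa20/8 core over 16 little-endian uint32 words
    x = list(block)
    for _ in range(4):  # 8 rounds = 4 double rounds (column round, then row round)
        for y0, y1, y2, y3 in _QR:
            for d, a, b, s in ((y1, y0, y3, 7), (y2, y1, y0, 9), (y3, y2, y1, 13), (y0, y3, y2, 18)):
                t = (x[a] + x[b]) & _M32
                x[d] ^= ((t << s) | (t >> (32 - s))) & _M32
    return [(x[i] + block[i]) & _M32 for i in range(16)]

def _blockmix(blocks):  # scryptBlockMix: chain Salsa20/8 over 2r blocks, then de-interleave
    x, out = blocks[-1], []
    for blk in blocks:
        x = _salsa20_8([a ^ b for a, b in zip(x, blk)])
        out.append(x)
    return out[0::2] + out[1::2]

def _romix(blocks, n):  # scryptROMix: fill an N-entry table, then N data-dependent lookups
    x, v = blocks, []
    for _ in range(n):
        v.append(x)
        x = _blockmix(x)
    for _ in range(n):
        j = x[-1][0] % n  # Integerify(X) mod N, N a power of two
        x = _blockmix([[a ^ b for a, b in zip(xb, vb)] for xb, vb in zip(x, v[j])])
    return x

def scrypt_fallback(password, salt, n, r, p, dklen):
    """Pure-Python scrypt (RFC 7914); slow, but independent of the OpenSSL build."""
    b = hashlib.pbkdf2_hmac('sha256', password, salt, 1, p * 128 * r)
    out = b''
    for i in range(p):
        flat = struct.unpack('<%dI' % (32 * r), b[i * 128 * r:(i + 1) * 128 * r])
        mixed = _romix([list(flat[k * 16:(k + 1) * 16]) for k in range(2 * r)], n)
        out += struct.pack('<%dI' % (32 * r), *[w for blk in mixed for w in blk])
    return hashlib.pbkdf2_hmac('sha256', password, out, 1, dklen)

def hash_pass(passwd, salt, n=2 ** 14, r=8, p=1, dklen=64):  # hypothetical signature
    # Use the OpenSSL-backed implementation only when this build of Python has it.
    fn = getattr(hashlib, 'scrypt', None)
    if fn is not None:
        return fn(passwd.encode(), salt=salt, n=n, r=r, p=p, dklen=dklen)
    return scrypt_fallback(passwd.encode(), salt, n, r, p, dklen)
```

At production parameters (n=2**14, r=8) the pure-Python path takes tens of seconds per hash, which is acceptable for a one-time installer but not for a login path.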

@ocket8888
Contributor

Oh, okay, that makes more sense, since I was pretty sure it was Python 3.6 since the last time I looked - which was a while ago so it would be weird for the version to have gone down in the meantime.

Honestly supporting unmaintained versions of OpenSSL doesn't sound any better (potential security problem?), and OpenSSL versions prior to 1.1.1 are already unmaintained. It does seem based on that CPP directive that a vendor could specifically disable SCRYPT anyway, so that's enough to warrant this PR IMO, but if CentOS7 only uses encryption libraries that aren't maintained and receiving security fixes then we may need to seriously consider dropping support for it. Not sure offhand what the entire footprint of implications of that is, but at the least it seems difficult to trust the security of the user passwords created and inserted by postinstall.

@zrhoffman zrhoffman added this to the 6.0.1 milestone Oct 20, 2021
zrhoffman added a commit to zrhoffman/trafficcontrol that referenced this issue Nov 9, 2021