From dafd1660fdfdf008a20d95f95ea6529525bf11b8 Mon Sep 17 00:00:00 2001 From: Jarek Potiuk Date: Mon, 3 Feb 2025 18:56:21 +0100 Subject: [PATCH] Use different default algorithms for different werkzeug versions (#46384) Older werkzeug uses different algorithms for different versions - we should match the default algorithm for those versions. --- .../auth_manager/security_manager/override.py | 24 ++++++++++++++----- 1 file changed, 18 insertions(+), 6 deletions(-) diff --git a/providers/fab/src/airflow/providers/fab/auth_manager/security_manager/override.py b/providers/fab/src/airflow/providers/fab/auth_manager/security_manager/override.py index 508720fd894cd..6438fea6282de 100644 --- a/providers/fab/src/airflow/providers/fab/auth_manager/security_manager/override.py +++ b/providers/fab/src/airflow/providers/fab/auth_manager/security_manager/override.py @@ -839,12 +839,24 @@ def _init_config(self): app.config.setdefault("AUTH_ROLES_MAPPING", {}) app.config.setdefault("AUTH_ROLES_SYNC_AT_LOGIN", False) app.config.setdefault("AUTH_API_LOGIN_ALLOW_MULTIPLE_PROVIDERS", False) - app.config.setdefault( - "AUTH_DB_FAKE_PASSWORD_HASH_CHECK", - "scrypt:32768:8:1$wiDa0ruWlIPhp9LM$6e409d093e62ad54df2af895d0e125b05ff6cf6414" - "8350189ffc4bcc71286edf1b8ad94a442c00f890224bf2b32153d0750c89ee9" - "401e62f9dcee5399065e4e5", - ) + + from packaging.version import Version + from werkzeug import __version__ as werkzeug_version + + parsed_werkzeug_version = Version(werkzeug_version) + if parsed_werkzeug_version < Version("3.0.0"): + app.config.setdefault( + "AUTH_DB_FAKE_PASSWORD_HASH_CHECK", + "pbkdf2:sha256:150000$Z3t6fmj2$22da622d94a1f8118" + "c0976a03d2f18f680bfff877c9a965db9eedc51bc0be87c", + ) + else: + app.config.setdefault( + "AUTH_DB_FAKE_PASSWORD_HASH_CHECK", + "scrypt:32768:8:1$wiDa0ruWlIPhp9LM$6e409d093e62ad54df2af895d0e125b05ff6cf6414" + "8350189ffc4bcc71286edf1b8ad94a442c00f890224bf2b32153d0750c89ee9" + "401e62f9dcee5399065e4e5", + ) # LDAP Config if self.auth_type == AUTH_LDAP: