Hello community,

here is the log from the commit of package python-pyhibp for openSUSE:Factory checked in at 2020-04-07 10:32:06
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/python-pyhibp (Old)
 and /work/SRC/openSUSE:Factory/.python-pyhibp.new.3248 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "python-pyhibp" Tue Apr 7 10:32:06 2020 rev:4 rq:791910 version:4.1.0 Changes: -------- --- /work/SRC/openSUSE:Factory/python-pyhibp/python-pyhibp.changes 2019-08-28 18:37:07.869266500 +0200 +++ /work/SRC/openSUSE:Factory/.python-pyhibp.new.3248/python-pyhibp.changes 2020-04-07 10:32:50.586617544 +0200 @@ -1,0 +2,10 @@ +Mon Apr 6 18:35:28 UTC 2020 - Martin Hauke <mar...@gmx.de> + +- Update to version 4.1.0 + * Adds the capability to request that the Pwned Passwords API + return padding to the responses to calls made via + pwnedpasswords. Set the parameter add_padding to True on + suffix_search or is_password_breached. See the HIBP API for + additional information. + +------------------------------------------------------------------- Old: ---- pyhibp-4.0.0.tar.gz New: ---- pyhibp-4.1.0.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ python-pyhibp.spec ++++++ --- /var/tmp/diff_new_pack.aNdPyc/_old 2020-04-07 10:32:51.054618153 +0200 +++ /var/tmp/diff_new_pack.aNdPyc/_new 2020-04-07 10:32:51.058618159 +0200 @@ -1,7 +1,7 @@ # # spec file for package python-pyhibp # -# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2020 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed 
@@ -19,7 +19,7 @@ %{?!python_module:%define python_module() python-%{**} python3-%{**}} %define skip_python2 1 Name: python-pyhibp -Version: 4.0.0 +Version: 4.1.0 Release: 0 Summary: An interface to Troy Hunt's 'Have I Been Pwned' public API License: AGPL-3.0-or-later ++++++ pyhibp-4.0.0.tar.gz -> pyhibp-4.1.0.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pyhibp-4.0.0/CHANGELOG.md new/pyhibp-4.1.0/CHANGELOG.md --- old/pyhibp-4.0.0/CHANGELOG.md 2019-08-11 06:27:23.000000000 +0200 +++ new/pyhibp-4.1.0/CHANGELOG.md 2020-04-06 15:55:42.000000000 +0200 @@ -1,5 +1,11 @@ pyHIBP Changelog ================ +v4.1.0 (2020-04-06) +------------------------ +- Adds the capability to request that the Pwned Passwords API return padding to the responses to calls made via + ``pwnedpasswords``. Set the parameter ``add_padding`` to ``True`` on ``suffix_search`` or ``is_password_breached``. + See [the HIBP API](https://haveibeenpwned.com/API/v3#PwnedPasswordsPadding) for additional information. + v4.0.0 (2019-08-11) ------------------------ - **Breaking API change**: The HIBP API now requires an API key for calls which search by account. This means calls to 
@@ -27,6 +33,18 @@ - ``get_single_breach`` -> ``{} / dict`` - ``get_pastes`` -> ``[] / list`` +v3.2.0 (2020-03-28) +----------------------- +- **FINAL SUPPORTED PYTHON 2.7 RELEASE**: All following releases will require Python 3. CPython discontinued support as of + January 1, 2020, and we dropped support in v4.0.0. (Yes, we dropped support and are releasing a backport; ironic.) +- **Backported functions (from v4.0.0)**: The following functions are required to consume the API, either in general (user agent), or for querying for specific account information (API key). + - `pyhibp.set_user_agent(ua=agent)`: The HIBP API requires the calling application to set a descriptive UA string to + describe the application consuming the API. This must be called prior to invoking any functions in + `pyhibp` or `pwnedpasswords` which actually make requests to the HIBP API. + - `pyhibp.set_api_key(key=your_key)`: For `pyhibp` functions which retrieve information about specific accounts, an + API key must be purchased from the HIBP website. This must be set prior to calling the relevant functions. +- Note: As this is was a backport, this change is not in the main master branch of source control, however the tagged release may [be found here](https://gitlab.com/kitsunix/pyHIBP/pyHIBP/-/tags/v3.2.0). + v3.1.0 (2019-06-30) ----------------------- - **New function**: ``pwnedpasswords.suffix_search(hash_prefix=prefix)`` was created in order to have a dedicated function diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pyhibp-4.0.0/MANIFEST.in new/pyhibp-4.1.0/MANIFEST.in --- old/pyhibp-4.0.0/MANIFEST.in 2019-08-10 02:55:56.000000000 +0200 +++ new/pyhibp-4.1.0/MANIFEST.in 2020-04-06 15:55:42.000000000 +0200 
@@ -6,8 +6,11 @@ include Pipfile include tox.ini +recursive-include src *.py +recursive-include test *.py + exclude .bandit exclude .gitlab-ci.yml -recursive-include src *.py -recursive-include test *.py +exclude .gitlab +recursive-exclude .gitlab * diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pyhibp-4.0.0/PKG-INFO new/pyhibp-4.1.0/PKG-INFO --- old/pyhibp-4.0.0/PKG-INFO 2019-08-11 06:27:37.000000000 +0200 +++ new/pyhibp-4.1.0/PKG-INFO 2020-04-06 15:58:01.000000000 +0200 @@ -1,6 +1,6 @@ Metadata-Version: 2.1 Name: pyhibp -Version: 4.0.0 +Version: 4.1.0 Summary: An interface to Troy Hunt's 'Have I Been Pwned' public API Home-page: https://gitlab.com/kitsunix/pyHIBP/pyHIBP Author: Kyra F. Kitsune @@ -13,7 +13,7 @@ A Python interface to Troy Hunt's 'Have I Been Pwned?' (HIBP) public API. A full reference to the API - specification can be found at the [HIBP API Reference](https://haveibeenpwned.com/API/v2). + specification can be found at the [HIBP API Reference](https://haveibeenpwned.com/API/v3). This module detects when the rate limit of the API has been hit, and raises a RuntimeError when the limit is exceeded, or when another API-defined error condition is encountered based on the submitted data. When @@ -75,7 +75,8 @@ Developing ---------- - This project is currently intended to be compatible with Python 2 and Python 3. As such, we use virtual environments via `pipenv`. + In order to ensure we have a consistent and repeatable development environment + we use a virtual environment, namely `pipenv`. To develop or test, execute the following: ```bash diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pyhibp-4.0.0/README.md new/pyhibp-4.1.0/README.md --- old/pyhibp-4.0.0/README.md 2019-08-11 06:27:23.000000000 +0200 +++ new/pyhibp-4.1.0/README.md 2020-04-06 15:55:42.000000000 +0200 
@@ -6,7 +6,7 @@ A Python interface to Troy Hunt's 'Have I Been Pwned?' (HIBP) public API. A full reference to the API -specification can be found at the [HIBP API Reference](https://haveibeenpwned.com/API/v2). +specification can be found at the [HIBP API Reference](https://haveibeenpwned.com/API/v3). This module detects when the rate limit of the API has been hit, and raises a RuntimeError when the limit is exceeded, or when another API-defined error condition is encountered based on the submitted data. When @@ -68,7 +68,8 @@ Developing ---------- -This project is currently intended to be compatible with Python 2 and Python 3. As such, we use virtual environments via `pipenv`. +In order to ensure we have a consistent and repeatable development environment +we use a virtual environment, namely `pipenv`. To develop or test, execute the following: ```bash diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pyhibp-4.0.0/src/pyhibp/__version__.py new/pyhibp-4.1.0/src/pyhibp/__version__.py --- old/pyhibp-4.0.0/src/pyhibp/__version__.py 2019-08-11 06:27:23.000000000 +0200 +++ new/pyhibp-4.1.0/src/pyhibp/__version__.py 2020-04-06 15:55:42.000000000 +0200 @@ -4,5 +4,5 @@ # |)\/| |||)| # | / -__version__ = '4.0.0' +__version__ = '4.1.0' __url__ = 'https://gitlab.com/kitsunix/pyHIBP/pyHIBP' diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pyhibp-4.0.0/src/pyhibp/pwnedpasswords.py new/pyhibp-4.1.0/src/pyhibp/pwnedpasswords.py --- old/pyhibp-4.0.0/src/pyhibp/pwnedpasswords.py 2019-08-11 06:27:23.000000000 +0200 +++ new/pyhibp-4.1.0/src/pyhibp/pwnedpasswords.py 2020-04-06 15:55:42.000000000 +0200 @@ -2,8 +2,7 @@ import requests -import pyhibp -from pyhibp import _require_user_agent +from pyhibp import _require_user_agent, pyHIBP_HEADERS PWNED_PASSWORDS_API_BASE_URI = "https://api.pwnedpasswords.com/" PWNED_PASSWORDS_API_ENDPOINT_RANGE_SEARCH = "range/" 
@@ -11,7 +10,7 @@ RESPONSE_ENCODING = "utf-8-sig" -def is_password_breached(password: str = None, sha1_hash: str = None) -> int: +def is_password_breached(password: str = None, sha1_hash: str = None, add_padding: bool = False) -> int: """ Execute a search for a password via the k-anonymity model, checking for hashes which match a specified prefix instead of supplying the full hash to the Pwned Passwords API. @@ -27,12 +26,10 @@ 2) sha1_hash - The hash prefix (hash[0:5]) is passed to the HIBP API, and this function will check the returned list of hash suffixes to determine if a breached password was in the HIBP database. - Note: Suffix searches, that is, to retrieve a list of hash suffixes by supplying a hash prefix, have moved to - `suffix_search()` as of this release (v3.1.0). A compatability shim has been left for this release, but will be removed on the - next major version release. - :param password: The password to check. Will be converted to a SHA-1 string. `str` type. :param sha1_hash: A full SHA-1 hash. `str` type. + :param add_padding: Whether padding should be used when performing the check (obfuscates response size, does not + alter return type/value. :return: An Integer representing the number of times the password is in the data set; if not found, Integer zero (0) is returned. :rtype: int @@ -52,7 +49,7 @@ sha1_hash = sha1_hash.upper() hash_prefix = sha1_hash[0:5] - suffix_list = suffix_search(hash_prefix=hash_prefix) + suffix_list = suffix_search(hash_prefix=hash_prefix, add_padding=add_padding) # Since the full SHA-1 hash was provided, check to see if it was in the resultant hash suffixes returned. for hash_suffix in suffix_list: 
@@ -65,7 +62,7 @@ @_require_user_agent -def suffix_search(hash_prefix: str = None) -> list: +def suffix_search(hash_prefix: str = None, add_padding: bool = False) -> list: """ Returns a list of SHA-1 hash suffixes, consisting of the SHA-1 hash characters after position five, and the number of times that password hash was found in the HIBP database, colon separated. @@ -88,6 +85,9 @@ If the `prefix` and `suffix` form a complete SHA-1 hash for the password being compared, then it indicates the password has been found in the HIBP database. + :param add_padding: Boolean. Adds padding to the response to include hash suffixes which have not been breached, in + order to prevent sniffing of response size to infer what hash prefix was searched. Entries which end in zero can be + disregarded. :param hash_prefix: The first five characters of a SHA-1 hash. `str` type. :return: A list of hash suffixes. :rtype: list @@ -99,7 +99,10 @@ uri = PWNED_PASSWORDS_API_BASE_URI + PWNED_PASSWORDS_API_ENDPOINT_RANGE_SEARCH + hash_prefix - resp = requests.get(url=uri, headers=pyhibp.pyHIBP_HEADERS) + _headers = pyHIBP_HEADERS + _headers['Add-Padding'] = "true" if add_padding else None + + resp = requests.get(url=uri, headers=_headers) if resp.status_code != 200: # The HTTP Status should always be 200 for this request raise RuntimeError("Response from the endpoint was not HTTP200; this should not happen. Code was: {0}".format(resp.status_code)) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pyhibp-4.0.0/src/pyhibp.egg-info/PKG-INFO new/pyhibp-4.1.0/src/pyhibp.egg-info/PKG-INFO --- old/pyhibp-4.0.0/src/pyhibp.egg-info/PKG-INFO 2019-08-11 06:27:37.000000000 +0200 +++ new/pyhibp-4.1.0/src/pyhibp.egg-info/PKG-INFO 2020-04-06 15:58:01.000000000 +0200 
@@ -1,6 +1,6 @@ Metadata-Version: 2.1 Name: pyhibp -Version: 4.0.0 +Version: 4.1.0 Summary: An interface to Troy Hunt's 'Have I Been Pwned' public API Home-page: https://gitlab.com/kitsunix/pyHIBP/pyHIBP Author: Kyra F. Kitsune @@ -13,7 +13,7 @@ A Python interface to Troy Hunt's 'Have I Been Pwned?' (HIBP) public API. A full reference to the API - specification can be found at the [HIBP API Reference](https://haveibeenpwned.com/API/v2). + specification can be found at the [HIBP API Reference](https://haveibeenpwned.com/API/v3). This module detects when the rate limit of the API has been hit, and raises a RuntimeError when the limit is exceeded, or when another API-defined error condition is encountered based on the submitted data. When @@ -75,7 +75,8 @@ Developing ---------- - This project is currently intended to be compatible with Python 2 and Python 3. As such, we use virtual environments via `pipenv`. + In order to ensure we have a consistent and repeatable development environment + we use a virtual environment, namely `pipenv`. To develop or test, execute the following: ```bash diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pyhibp-4.0.0/test/test_pwnedpasswords.py new/pyhibp-4.1.0/test/test_pwnedpasswords.py --- old/pyhibp-4.0.0/test/test_pwnedpasswords.py 2019-08-11 06:27:23.000000000 +0200 +++ new/pyhibp-4.1.0/test/test_pwnedpasswords.py 2020-04-06 15:55:42.000000000 +0200 
@@ -79,19 +79,26 @@ assert "hash_prefix must be of length 5." in str(execinfo.value) @pytest.mark.usefixtures('sleep') - def test_list_of_hashes_returned(self): + @pytest.mark.parametrize("add_padding", [True, False]) + def test_list_of_hashes_returned(self, add_padding): """ Test all parameters: The response format for all parameters is the same. """ - resp = pw.suffix_search(hash_prefix=TEST_PASSWORD_SHA1_HASH[0:5]) + resp = pw.suffix_search(hash_prefix=TEST_PASSWORD_SHA1_HASH[0:5], add_padding=add_padding) assert isinstance(resp, list) assert len(resp) > 100 match_found = False for entry in resp: - if TEST_PASSWORD_SHA1_HASH[5:] in entry.lower(): - match_found = True - break + partial_hash, count = entry.split(":") + if not add_padding: + if TEST_PASSWORD_SHA1_HASH[5:] == partial_hash.lower(): + match_found = True + break + elif add_padding: + if count == "0": + match_found = True + break assert match_found def test_user_agent_must_be_set_or_raise(self, monkeypatch): diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pyhibp-4.0.0/tox.ini new/pyhibp-4.1.0/tox.ini --- old/pyhibp-4.0.0/tox.ini 2019-08-11 06:27:23.000000000 +0200 +++ new/pyhibp-4.1.0/tox.ini 2020-04-06 15:55:42.000000000 +0200 @@ -1,11 +1,12 @@ [tox] -envlist = py{35,36,37} +envlist = py{35,36,37,38} [testenv] basepython = py35: python3.5 py36: python3.6 py37: python3.7 + py38: python3.8 passenv = TOXENV PIP_CACHE_DIR
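Review bot: typo in the last bullet of the v3.2.0 entry added to `CHANGELOG.md` (hunk `@@ -27,6 +33,18 @@`): "As this is was a backport" should read "As this was a backport". The same entry marks code with single backticks, while the v4.1.0 and v3.1.0 entries around it use double backticks; one style across the file would be easier to read.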
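Review bot: `exclude .gitlab` in the `MANIFEST.in` hunk names a directory, but `exclude` only matches file patterns, so that line does nothing and the `recursive-exclude .gitlab *` line after it is what actually removes the files. Suggest replacing the pair with a single `prune .gitlab`.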
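Review bot: the new `:param add_padding:` text in the `is_password_breached` docstring (`src/pyhibp/pwnedpasswords.py`, hunk `@@ -27,12 +26,10 @@`) opens a parenthesis at "(obfuscates response size" and never closes it. Suggest ending the sentence with "does not alter return type/value)." so the rendered documentation is well formed.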
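Review bot: in the `suffix_search` request hunk of `src/pyhibp/pwnedpasswords.py` (`@@ -99,7 +99,10 @@`), `_headers = pyHIBP_HEADERS` binds the dict imported from `pyhibp` instead of copying it, so the next line, `_headers['Add-Padding'] = "true" if add_padding else None`, writes into the shared headers object. Any other code that sends `pyHIBP_HEADERS` afterwards inherits the `Add-Padding` key, and when padding is off the key is present with the value `None`, which relies on the HTTP library dropping `None`-valued headers. Suggest a per-call copy, `_headers = dict(pyHIBP_HEADERS)`, with the key added only under `if add_padding:`.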
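Review bot: in the `add_padding=True` branch of `test_list_of_hashes_returned` (`test/test_pwnedpasswords.py`), `match_found` is set as soon as any entry has `count == "0"`, so the padded run no longer checks that the suffix of `TEST_PASSWORD_SHA1_HASH` is present in the response. Suggest keeping the `TEST_PASSWORD_SHA1_HASH[5:] == partial_hash.lower()` comparison for both parameter values and tracking the zero-count padding entry in a separate flag that is asserted only when `add_padding` is true. With that split, `elif add_padding:` after `if not add_padding:` is no longer needed; as written it could already be a plain `else:`.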