Bug 925289 - dev-python/bcrypt-4.1.[12] breaks bcrypt support in dev-python/passlib-1.7.4-r2 (and by extension, ansible)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
Importance: Normal critical
Assignee: Python Gentoo Team
URL: https://foss.heptapod.net/python-libs...
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2024-02-23 04:44 UTC by Stuart Longland
Modified: 2024-04-25 12:52 UTC (History)
CC List: 4 users

See Also:
Package list:
Runtime testing required: ---


Attachments
Hacked up ebuild for bcrypt-4.0.1 (bcrypt-4.0.1.ebuild,1.65 KB, text/plain)
2024-02-23 04:45 UTC, Stuart Longland
Description Stuart Longland 2024-02-23 04:44:07 UTC
The `passlib` Python module attempts to access a module property which has been removed from later releases of `bcrypt` when checking the version number.  This breaks many applications that use `passlib` for hashing, including `ansible`.

Reproducible: Always

Steps to Reproduce:
1. emerge dev-python/bcrypt dev-python/passlib
2. python3 -c 'from passlib.hash import bcrypt; print(bcrypt.hash("test123"))'
Actual Results:  
(trapped) error reading bcrypt version
Traceback (most recent call last):
  File "/usr/lib/python3.11/site-packages/passlib/handlers/bcrypt.py", line 620, in _load_backend_mixin
    version = _bcrypt.__about__.__version__

AttributeError: module 'bcrypt' has no attribute '__about__'
$2b$12$r1TA1sIbDCV199V9qVszhOJo2o5s9pXF4cAr7ne3qlorPz7Dce80K

Expected Results:  
$2b$12$r1TA1sIbDCV199V9qVszhOJo2o5s9pXF4cAr7ne3qlorPz7Dce80K

On some applications, that allegedly "trapped" error is sufficient to terminate the application.  Ansible playbooks seem to abort with failures due to this error:

e.g. the Ansible deployment step:

- name: fail if passlib not installed on deployment workstation
  local_action: fail msg="Python passlib is not installed. Must be for correct password hashes for <censored>"
  when: "'whatever'|password_hash('bcrypt') == '*0'"

 TASK [<censored> : fail if passlib not installed on deployment workstation] ***
│ (trapped) error reading bcrypt version
│ Traceback (most recent call last):
│   File "/usr/lib/python3.11/site-packages/passlib/handlers/bcrypt.py", line 620, in _load_backend_mixin
│     version = _bcrypt.__about__.__version__
│               ^^^^^^^^^^^^^^^^^
│ AttributeError: module 'bcrypt' has no attribute '__about__'
│ (trapped) error reading bcrypt version
│ Traceback (most recent call last):
│   File "/usr/lib/python3.11/site-packages/passlib/handlers/bcrypt.py", line 620, in _load_backend_mixin
│     version = _bcrypt.__about__.__version__
│               ^^^^^^^^^^^^^^^^^
│ AttributeError: module 'bcrypt' has no attribute '__about__'
│ (trapped) error reading bcrypt version
│ Traceback (most recent call last):
│   File "/usr/lib/python3.11/site-packages/passlib/handlers/bcrypt.py", line 620, in _load_backend_mixin
│     version = _bcrypt.__about__.__version__
│               ^^^^^^^^^^^^^^^^^
│ AttributeError: module 'bcrypt' has no attribute '__about__'
│ (trapped) error reading bcrypt version
│ Traceback (most recent call last):
│   File "/usr/lib/python3.11/site-packages/passlib/handlers/bcrypt.py", line 620, in _load_backend_mixin
│     version = _bcrypt.__about__.__version__
│               ^^^^^^^^^^^^^^^^^
│ AttributeError: module 'bcrypt' has no attribute '__about__'

It appears maintenance on `passlib` stopped in 2020.  It is possible the upstream project has been abandoned.

For now, I was able to continue by manually copying the `bcrypt-4.1.1.ebuild` file to `bcrypt-4.0.1.ebuild` and then going on a hacking spree re-constructing the correct Rust crates list to make it build.
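
An added illustration of the failure described in this report (not part of the original report, and not the patch Gentoo applied): the attribute lookup from the traceback beside a lookup that tolerates the missing `__about__`. The `fake_backend` stand-ins, the function names, and the top-level `__version__` on the newer layout are assumptions made for this example.

```python
import importlib.metadata
import types


def legacy_version(mod):
    # The lookup shown in the traceback: fails once `__about__` is gone.
    return mod.__about__.__version__


def backend_version(mod, dist_name=None):
    """Best-effort version lookup that never raises; returns str or None."""
    about = getattr(mod, "__about__", None)
    version = getattr(about, "__version__", None)        # old layout
    if version is None:
        version = getattr(mod, "__version__", None)      # assumed newer layout
    if version is None and dist_name:
        try:
            # Fall back to the installed distribution's metadata.
            version = importlib.metadata.version(dist_name)
        except importlib.metadata.PackageNotFoundError:
            version = None
    return version if isinstance(version, str) else None


def fake_backend(about_version=None, top_version=None):
    """Constructed stand-in for the `bcrypt` module (not the real package)."""
    mod = types.ModuleType("fake_bcrypt")
    if about_version is not None:
        mod.__about__ = types.SimpleNamespace(__version__=about_version)
    if top_version is not None:
        mod.__version__ = top_version
    return mod


OLD = fake_backend(about_version="4.0.1")   # still has __about__
NEW = fake_backend(top_version="4.1.2")     # __about__ removed
BARE = fake_backend()                       # no version attributes at all

if __name__ == "__main__":
    for name, mod in (("old", OLD), ("new", NEW), ("bare", BARE)):
        try:
            legacy = legacy_version(mod)
        except AttributeError as exc:
            legacy = f"AttributeError: {exc}"
        print(name, "| legacy:", legacy, "| robust:", backend_version(mod))
```
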
Comment 1 Stuart Longland 2024-02-23 04:45:22 UTC
Created attachment 885760 [details]
Hacked up ebuild for bcrypt-4.0.1

Installing `bcrypt-4.0.1` via this ebuild script restored `bcrypt` functionality in `passlib`.
Comment 2 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2024-02-23 20:04:43 UTC
That sounds like a bug in ansible.  FWICS passlib is emitting a warning.  My guess is that something is either treating warnings as errors (which is a bad idea for a production setup), or reading output from stderr.

Sure, it's not perfect.  What's even less perfect is that passlib is clearly dead at this point, so I'd say ansible is equally at fault for still using it.

That said, feel free to make a merge request upstream and I'll add the patch to Gentoo then.
Comment 3 Larry the Git Cow gentoo-dev 2024-04-25 12:52:02 UTC
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c1e015b65b74283a51893672739c5e4784b95273

commit c1e015b65b74283a51893672739c5e4784b95273
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2024-04-25 12:30:53 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2024-04-25 12:51:56 +0000

    dev-python/passlib: Fix warning with dev-python/bcrypt-4.1.1
    
    Fix a warning due to `dev-python/bcrypt` removing `bcrypt.__about__`.
    Apparently this breaks random packages.
    
    Closes: https://bugs.gentoo.org/925289
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 dev-python/passlib/files/passlib-1.7.4-bcrypt-4.1.patch     | 13 +++++++++++++
 .../{passlib-1.7.4-r2.ebuild => passlib-1.7.4-r3.ebuild}    | 10 +++++++++-
 2 files changed, 22 insertions(+), 1 deletion(-)