Add password upgrade notifications and dry-run option to bin/update

jared mauch · jared mauch · commit 26ba1dca60a2 · 2025-11-12T18:37:19.000-05:00
- Add check_and_notify_password_upgrades() function to scan lists for old SHA1 passwords
- Send email notifications to list administrators asking them to login
- Add auto-upgrade support for global passwords when used for authentication
- Add --dry-run option to preview password upgrade checks without sending emails
- Update check_global_password() to support auto-upgrade parameter

When bin/update runs, it now:
- Checks all lists for old password formats
- Sends emails to list owners asking them to login (which triggers auto-upgrade)
- Detects old global passwords and notes they'll upgrade on next use
- Supports --dry-run mode to preview without sending emails
diff --git a/Mailman/SecurityManager.py b/Mailman/SecurityManager.py
@@ -142,11 +142,13 @@ def Authenticate(self, authcontexts, response, user=None):
 
         for ac in authcontexts:
             if ac == mm_cfg.AuthCreator:
-                ok = Utils.check_global_password(response, siteadmin=0)
+                # Auto-upgrade global passwords when used for authentication
+                ok = Utils.check_global_password(response, siteadmin=0, auto_upgrade=True)
                 if ok:
                     return mm_cfg.AuthCreator
             elif ac == mm_cfg.AuthSiteAdmin:
-                ok = Utils.check_global_password(response)
+                # Auto-upgrade global passwords when used for authentication
+                ok = Utils.check_global_password(response, auto_upgrade=True)
                 if ok:
                     return mm_cfg.AuthSiteAdmin
             elif ac == mm_cfg.AuthListAdmin:
diff --git a/Mailman/Utils.py b/Mailman/Utils.py
@@ -825,14 +825,25 @@ def get_global_password(siteadmin=True):
     return challenge
 
 
-def check_global_password(response, siteadmin=True):
+def check_global_password(response, siteadmin=True, auto_upgrade=False):
+    """Check a global password and optionally upgrade it if in old format.
+    
+    Args:
+        response: The password to check (str or bytes)
+        siteadmin: If True, check site admin password; if False, check list creator password
+        auto_upgrade: If True, automatically upgrade old format passwords to new format
+    
+    Returns:
+        bool: True if password is valid, False otherwise
+    """
     challenge = get_global_password(siteadmin)
     if challenge is None:
         return None
     # Use verify_password which handles both old SHA1 and new PBKDF2 formats
     is_valid, needs_upgrade = verify_password(response, challenge)
-    # Note: We don't auto-upgrade global passwords here since they're in files
-    # and we'd need to write back to the file. This could be added if needed.
+    # Auto-upgrade if requested and password is valid but in old format
+    if is_valid and needs_upgrade and auto_upgrade:
+        set_global_password(response, siteadmin)
     return is_valid
 
 
diff --git a/bin/update b/bin/update
@@ -27,6 +27,11 @@ Options:
         of the installed Mailman matches the current version number (or a
         `downgrade' is detected), nothing will be done.
 
+    -n/--dry-run
+        Show what would be done without actually making changes.  When checking
+        for password upgrades, this will show which lists need upgrades but
+        will not send email notifications to list administrators.
+
     -h/--help
         Print this text and exit.
 
@@ -55,6 +60,7 @@ from Mailman import Message
 from Mailman import Pending
 from Mailman.LockFile import TimeOutError
 from Mailman.i18n import C_
+import Mailman.i18n as i18n
 from Mailman.Queue.Switchboard import Switchboard
 from Mailman.OldStyleMemberships import OldStyleMemberships
 from Mailman.MemberAdaptor import BYBOUNCE, ENABLED
@@ -663,7 +669,158 @@ def update_pending():
 
 
 
-def main():
+def check_and_notify_password_upgrades(dry_run=False):
+    """Check for old password formats and notify list admins to login and upgrade.
+    
+    This function identifies lists with old SHA1 password hashes and sends
+    email notifications to list administrators asking them to login, which
+    will trigger automatic password upgrades to the new PBKDF2 format.
+    
+    Args:
+        dry_run: If True, show what would be done but don't send emails
+    """
+    from Mailman.Utils import is_old_password_format
+    
+    print('Checking for lists with old password formats...')
+    lists_needing_upgrade = []
+    
+    # Check all lists for old password formats
+    listnames = Utils.list_names()
+    for listname in listnames:
+        try:
+            mlist = MailList.MailList(listname, lock=0)
+        except Exception as e:
+            print(C_('Warning: Could not check list %(listname)s: %(e)s') % {
+            'listname': listname, 'e': e})
+            continue
+        
+        needs_upgrade = False
+        # Check list admin password
+        if mlist.password and is_old_password_format(mlist.password):
+            needs_upgrade = True
+        # Check moderator password
+        if mlist.mod_password and is_old_password_format(mlist.mod_password):
+            needs_upgrade = True
+        # Check poster password
+        if mlist.post_password and is_old_password_format(mlist.post_password):
+            needs_upgrade = True
+        
+        if needs_upgrade:
+            lists_needing_upgrade.append(mlist)
+    
+    # Check global passwords
+    global_passwords_old = []
+    site_pw = Utils.get_global_password(siteadmin=True)
+    if site_pw and is_old_password_format(site_pw):
+        global_passwords_old.append(('site admin', True))
+    creator_pw = Utils.get_global_password(siteadmin=False)
+    if creator_pw and is_old_password_format(creator_pw):
+        global_passwords_old.append(('list creator', False))
+    
+    # Send notifications if needed
+    if lists_needing_upgrade or global_passwords_old:
+        print(C_('Found %(count)d lists with old password formats that need upgrading.') % {
+            'count': len(lists_needing_upgrade)})
+        if global_passwords_old:
+            print(C_('Also found %(count)d global password(s) with old format.') % {
+                'count': len(global_passwords_old)})
+        
+        # Send emails to list owners (unless dry-run)
+        if dry_run:
+            print(C_('DRY-RUN: Would send password upgrade notifications to %(count)d list(s).') % {
+                'count': len(lists_needing_upgrade)})
+            for mlist in lists_needing_upgrade:
+                print(C_('  - Would notify owners of %(listname)s (%(listaddr)s)') % {
+                    'listname': mlist.internal_name(),
+                    'listaddr': mlist.GetListEmail()})
+        else:
+            for mlist in lists_needing_upgrade:
+                send_password_upgrade_notification(mlist)
+        
+        # Note about global passwords
+        if global_passwords_old:
+            print(C_('Note: Global passwords will be automatically upgraded when used.'))
+            for pw_type, siteadmin in global_passwords_old:
+                print(C_('  - %(pw_type)s password needs upgrade (will upgrade on next use)') % {
+                    'pw_type': pw_type})
+    else:
+        print('All passwords are already in the new format.')
+
+
+def send_password_upgrade_notification(mlist):
+    """Send an email to list administrators asking them to login to upgrade passwords.
+    
+    Args:
+        mlist: The MailList object for the list needing password upgrade
+    """
+    # Get list owner addresses
+    if not mlist.owner:
+        print(C_('Warning: List %(listname)s has no owners, skipping notification.') % {
+            'listname': mlist.internal_name()})
+        return
+    
+    # Set up i18n for the list's language
+    otrans = i18n.get_translation()
+    i18n.set_language(mlist.preferred_language)
+    
+    try:
+        # Create the notification message
+        admin_url = mlist.GetScriptURL('admin', absolute=1)
+        listname = mlist.real_name
+        listaddr = mlist.GetListEmail()
+        siteowner = Utils.get_site_email(mlist.host_name, 'owner')
+        
+        text = _("""\
+This is an automated message from your Mailman installation.
+
+Your mailing list "%(listname)s" (%(listaddr)s) is using an older password 
+hashing format. For security reasons, we have upgraded Mailman to use a more 
+secure password hashing method (PBKDF2-SHA256 instead of SHA1).
+
+To complete the upgrade, please log in to your list administration page:
+
+    %(admin_url)s
+
+Simply logging in with your current list administrator password will 
+automatically upgrade your password to the new secure format. You don't 
+need to change your password - just log in once and the upgrade will happen 
+automatically.
+
+This is a one-time upgrade. After you log in, your password will be 
+automatically converted to the new format and you won't need to do anything 
+else.
+
+If you have any questions or concerns, please contact the site administrator 
+at %(siteowner)s.
+
+Thank you for your attention to this important security upgrade.
+""") % {
+            'listname': listname,
+            'listaddr': listaddr,
+            'admin_url': admin_url,
+            'siteowner': siteowner,
+        }
+        
+        subject = _('Action Required: Password Upgrade for %(listname)s') % {
+            'listname': listname
+        }
+        
+        # Send to all list owners
+        msg = Message.OwnerNotification(
+            mlist, subject, text, tomoderators=0)
+        msg.send(mlist)
+        
+        print(C_('Sent password upgrade notification to owners of %(listname)s') % {
+            'listname': mlist.internal_name()})
+    except Exception as e:
+        print(C_('Error sending notification for %(listname)s: %(e)s') % {
+            'listname': mlist.internal_name(), 'e': e})
+    finally:
+        i18n.set_translation(otrans)
+
+
+
+def main(dry_run=False):
     errors = 0
     # get rid of old stuff
     print('getting rid of old source files')
@@ -731,6 +888,8 @@ If your archives are big, this could take a minute or two..."""))
     # files from separate .msg (pickled Message objects) and .db (marshalled
     # dictionaries) to a shared .pck file containing two pickles.
     update_qfiles()
+    # Check for old password formats and notify list admins
+    check_and_notify_password_upgrades(dry_run=dry_run)
     # This warning was necessary for the upgrade from 1.0b9 to 1.0b10.
     # There's no good way of figuring this out for releases prior to 2.0beta2
     # :(
@@ -771,20 +930,23 @@ def usage(code, msg=''):
 
 if __name__ == '__main__':
     try:
-        opts, args = getopt.getopt(sys.argv[1:], 'hf',
-                                   ['help', 'force'])
+        opts, args = getopt.getopt(sys.argv[1:], 'hfn',
+                                   ['help', 'force', 'dry-run'])
     except getopt.error as msg:
         usage(1, msg)
 
     if args:
         usage(1, 'Unexpected arguments: %s' % args)
 
     force = 0
+    dry_run = 0
     for opt, arg in opts:
         if opt in ('-h', '--help'):
             usage(0)
         elif opt in ('-f', '--force'):
             force = 1
+        elif opt in ('-n', '--dry-run'):
+            dry_run = 1
 
     # calculate the versions
     lastversion, thisversion = calcversions()
@@ -801,7 +963,9 @@ This is probably not safe.
 Exiting."""))
         sys.exit(1)
     print(C_('Upgrading from version %(hexlversion)s to %(hextversion)s'))
-    errors = main()
+    if dry_run:
+        print(C_('DRY-RUN mode: No changes will be made, emails will not be sent.'))
+    errors = main(dry_run=dry_run)
     if not errors:
         # Record the version we just upgraded to
         fp = open(LMVFILE, 'w')
