Example #1
0
    def auth(self, username, password, verifyPassword=False,):
        if not iredutils.isEmail(username):
            return (False, 'INVALID_USERNAME')

        if len(password) == 0:
            return (False, 'EMPTY_PASSWORD')

        # Query admin.
        result = self.conn.select(
            'admin',
            where="username=%s AND active=1" % web.sqlquote(username),
            limit=1,
        )

        if len(result) == 1:
            # It's a valid admin.
            record = result[0]

            # Get salt string from password which stored in SQL.
            tmpsalt = str(record.password).split('$')
            tmpsalt[-1] = ''
            salt = '$'.join(tmpsalt)

            # Compare passwords.
            if md5crypt.md5crypt(password, salt) == str(record.password):
                if verifyPassword is not True:
                    session['username'] = username
                    session['logged'] = True
                    # Set preferred language.
                    session['lang'] = str(record.language) or 'en_US'

                    # Set session['domainGlobalAdmin']
                    try:
                        result = self.conn.select(
                            'domain_admins',
                            what='domain',
                            where='''username=%s AND domain="ALL"''' % web.sqlquote(username),
                            limit=1,
                        )
                        if len(result) == 1:
                            session['domainGlobalAdmin'] = True
                    except:
                        pass

                return (True,)
            else:
                return (False, 'INVALID_CREDENTIALS')
        else:
            return (False, 'INVALID_CREDENTIALS')
Example #2
0
def verify_md5_password(challenge_password, plain_password):
    """Verify salted MD5 password"""
    if challenge_password.startswith('{MD5}') or challenge_password.startswith('{md5}'):
        challenge_password = challenge_password[5:]
    elif challenge_password.startswith('{CRYPT}') or challenge_password.startswith('{crypt}'):
        challenge_password = challenge_password[7:]

    if not (challenge_password.startswith('$')
            and len(challenge_password) == 34
            and challenge_password.count('$') == 3):
        return False

    # Get salt from hashed string
    salt = '$'.join(challenge_password.split('$')[:3])

    if md5crypt.md5crypt(plain_password, salt) == challenge_password:
        return True

    return False
Example #3
0
def verify_md5_password(challenge_password, plain_password):
    """Verify salted MD5 password"""
    if challenge_password.startswith('{MD5}'):
        challenge_password = challenge_password.replace('{MD5}', '')

    if not (
        challenge_password.startswith('$') \
        and len(challenge_password) == 34 \
        and challenge_password.count('$') == 3):
        return False

    # Get salt from hashed string
    salt = challenge_password.split('$')
    salt[-1] = ''
    salt = '$'.join(salt)

    if md5crypt.md5crypt(plain_password, salt) == challenge_password:
        return True
    else:
        return False
Example #4
0
def verify_md5_password(challenge_password, plain_password):
    """Verify salted MD5 password"""
    if challenge_password.startswith('{MD5}') or challenge_password.startswith('{md5}'):
        challenge_password = challenge_password[5:]
    elif challenge_password.startswith('{CRYPT}') or challenge_password.startswith('{crypt}'):
        challenge_password = challenge_password[7:]

    if not (challenge_password.startswith('$') and
            len(challenge_password) == 34 and
            challenge_password.count('$') == 3):
        return False

    # Get salt from hashed string
    salt = challenge_password.split('$')
    salt[-1] = ''
    salt = '$'.join(salt)

    if md5crypt.md5crypt(plain_password, salt) == challenge_password:
        return True
    else:
        return False
Example #5
0
    def auth(self, username, password, accountType='admin', verifyPassword=False,):
        if not iredutils.isEmail(username):
            return (False, 'INVALID_USERNAME')

        if len(password) == 0:
            return (False, 'EMPTY_PASSWORD')

        # Query account from SQL database.
        if accountType == 'admin':
            result = self.conn.select(
                'dbmail_admins',
                where="username=%s AND active=1" % web.sqlquote(username),
                limit=1,
            )
        elif accountType == 'user':
            result = self.conn.select(
                'dbmail_users',
                where="userid=%s AND active=1" % web.sqlquote(username),
                limit=1,
            )
        else:
            return (False, 'INVALID_ACCOUNT_TYPE')

        if len(result) != 1:
            # Account not found.
            # Do NOT return msg like 'Account does not ***EXIST***', crackers
            # can use it to verify valid accounts.
            return (False, 'INVALID_CREDENTIALS')

        # It's a valid account.
        record = result[0]
        password_sql = str(record.password)

        # Verify password.
        authenticated = False
        if password_sql.startswith('$') and len(password_sql) == 34 and password_sql.count('$') == 3:
            # Password is considered as a MD5 password (with salt).
            # Get salt string from password which stored in SQL.
            tmpsalt = password_sql.split('$')
            tmpsalt[-1] = ''
            salt = '$'.join(tmpsalt)

            if md5crypt.md5crypt(password, salt) == password_sql:
                authenticated = True

        elif password_sql.upper().startswith('{PLAIN}'):
            # Plain password with prefix '{PLAIN}'.
            if password_sql.split('}', 1)[-1] == password:
                authenticated = True

        elif password_sql == password:
            # Plain password.
            authenticated = True

        # Compare passwords.
        if authenticated is False:
            return (False, 'INVALID_CREDENTIALS')

        if verifyPassword is not True:
            session['username'] = username
            session['logged'] = True
            # Set preferred language.
            session['lang'] = str(record.language) or 'en_US'

            # Set session['domainGlobalAdmin']
            try:
                result = self.conn.select(
                    'dbmail_domain_admins',
                    what='domain',
                    where="""username=%s AND domain='ALL'""" % web.sqlquote(username),
                    limit=1,
                )
                if len(result) == 1:
                    session['domainGlobalAdmin'] = True
            except:
                pass

        return (True,)