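def auth(self, username, password, verifyPassword=False,):
    """Authenticate an admin against the ``admin`` SQL table.

    Args:
        username: login name; must be an email address (``iredutils.isEmail``).
        password: plain-text password supplied by the caller.
        verifyPassword: when ``True`` only the credentials are checked and
            the web session is left untouched.

    Returns:
        ``(True,)`` on success, otherwise ``(False, reason)`` with reason one
        of ``'INVALID_USERNAME'``, ``'EMPTY_PASSWORD'`` or
        ``'INVALID_CREDENTIALS'``.  The same ``'INVALID_CREDENTIALS'`` is used
        for an unknown account and for a wrong password so the reply does not
        reveal which accounts exist.
    """
    import hmac  # local import: the file's import block is not in view

    def _ct_eq(a, b):
        # Constant-time equality (hmac.compare_digest needs 2.7.7+/3.3+).
        # Both sides are normalised to bytes so str/unicode mixes are accepted.
        if not isinstance(a, bytes):
            a = a.encode('utf-8')
        if not isinstance(b, bytes):
            b = b.encode('utf-8')
        return hmac.compare_digest(a, b)

    if not iredutils.isEmail(username):
        return (False, 'INVALID_USERNAME')
    if len(password) == 0:
        return (False, 'EMPTY_PASSWORD')

    # Query admin.  The where-clause is string-built; web.sqlquote() is the
    # quoting the untrusted username relies on, so it must stay in place.
    result = self.conn.select(
        'admin',
        where="username=%s AND active=1" % web.sqlquote(username),
        limit=1,
    )
    if len(result) != 1:
        # Unknown or inactive account: same reply as a wrong password.
        return (False, 'INVALID_CREDENTIALS')

    record = result[0]
    password_sql = str(record.password)

    # The stored value is expected to be md5crypt ('$1$<salt>$<hash>'); the
    # salt handed to md5crypt is that string with the hash part blanked,
    # i.e. '$1$<salt>$'.  No format check is done here — TODO confirm that
    # every admin row holds an md5crypt password.
    salt_parts = password_sql.split('$')
    salt_parts[-1] = ''
    salt = '$'.join(salt_parts)

    # Compare in constant time so timing does not depend on how many
    # leading characters of the stored hash match.
    if not _ct_eq(md5crypt.md5crypt(password, salt), password_sql):
        return (False, 'INVALID_CREDENTIALS')

    if verifyPassword is not True:
        session['username'] = username
        session['logged'] = True
        # Preferred language; an empty or NULL column falls back to en_US.
        # (str(None) is the truthy 'None', so test the raw value, not str().)
        session['lang'] = str(record.language) if record.language else 'en_US'
        # Mark global admins: a domain_admins row whose domain is "ALL".
        try:
            result = self.conn.select(
                'domain_admins',
                what='domain',
                where='''username=%s AND domain="ALL"''' % web.sqlquote(username),
                limit=1,
            )
            if len(result) == 1:
                session['domainGlobalAdmin'] = True
        except Exception:
            # Best effort: a failed lookup only leaves the flag unset.
            pass

    return (True,)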
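def verify_md5_password(challenge_password, plain_password):
    """Verify *plain_password* against a stored md5crypt hash.

    Args:
        challenge_password: the stored value, optionally prefixed with
            ``{MD5}``/``{md5}`` or ``{CRYPT}``/``{crypt}`` (exact case only).
            After the prefix is removed it must look like
            ``$1$<salt>$<hash>``: 34 characters and exactly three ``$``.
        plain_password: the password to check.

    Returns:
        ``True`` when md5crypt of *plain_password* under the stored salt
        equals the stored hash; ``False`` otherwise, including for any
        value that is not a well-formed md5crypt string (md5crypt is not
        consulted in that case).
    """
    import hmac  # local import: the file's import block is not in view

    def _ct_eq(a, b):
        # Constant-time equality (hmac.compare_digest needs 2.7.7+/3.3+).
        # Both sides are normalised to bytes so str/unicode mixes are accepted.
        if not isinstance(a, bytes):
            a = a.encode('utf-8')
        if not isinstance(b, bytes):
            b = b.encode('utf-8')
        return hmac.compare_digest(a, b)

    # Drop the scheme prefix, if any.
    if challenge_password.startswith(('{MD5}', '{md5}')):
        challenge_password = challenge_password[5:]
    elif challenge_password.startswith(('{CRYPT}', '{crypt}')):
        challenge_password = challenge_password[7:]

    # Reject anything that is not a well-formed md5crypt string up front.
    # NOTE(review): the fixed length of 34 assumes an 8-character salt; a
    # shorter salt yields a shorter string and is rejected here — confirm
    # the salt length md5crypt generates.
    if not (challenge_password.startswith('$')
            and len(challenge_password) == 34
            and challenge_password.count('$') == 3):
        return False

    # Salt is the '$1$<salt>' part (magic + salt, no trailing '$').
    salt = '$'.join(challenge_password.split('$')[:3])

    # Constant-time comparison of the recomputed hash with the stored one.
    return _ct_eq(md5crypt.md5crypt(plain_password, salt), challenge_password)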
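def verify_md5_password(challenge_password, plain_password):
    """Verify *plain_password* against a stored md5crypt hash.

    Args:
        challenge_password: the stored value, optionally prefixed with
            ``{MD5}``.  After the prefix is removed it must look like
            ``$1$<salt>$<hash>``: 34 characters and exactly three ``$``.
        plain_password: the password to check.

    Returns:
        ``True`` when md5crypt of *plain_password* under the stored salt
        equals the stored hash; ``False`` otherwise, including for any
        value that is not a well-formed md5crypt string (md5crypt is not
        consulted in that case).
    """
    import hmac  # local import: the file's import block is not in view

    def _ct_eq(a, b):
        # Constant-time equality (hmac.compare_digest needs 2.7.7+/3.3+).
        # Both sides are normalised to bytes so str/unicode mixes are accepted.
        if not isinstance(a, bytes):
            a = a.encode('utf-8')
        if not isinstance(b, bytes):
            b = b.encode('utf-8')
        return hmac.compare_digest(a, b)

    # Strip only the leading scheme prefix; str.replace() would also remove
    # a '{MD5}' appearing later in the string.
    if challenge_password.startswith('{MD5}'):
        challenge_password = challenge_password[5:]

    # Reject anything that is not a well-formed md5crypt string up front.
    # NOTE(review): the fixed length of 34 assumes an 8-character salt; a
    # shorter salt yields a shorter string and is rejected here — confirm
    # the salt length md5crypt generates.
    if not (challenge_password.startswith('$')
            and len(challenge_password) == 34
            and challenge_password.count('$') == 3):
        return False

    # Salt is the stored string with the hash part blanked: '$1$<salt>$'.
    salt_parts = challenge_password.split('$')
    salt_parts[-1] = ''
    salt = '$'.join(salt_parts)

    # Constant-time comparison of the recomputed hash with the stored one.
    return _ct_eq(md5crypt.md5crypt(plain_password, salt), challenge_password)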
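def verify_md5_password(challenge_password, plain_password):
    """Verify *plain_password* against a stored md5crypt hash.

    Args:
        challenge_password: the stored value, optionally prefixed with
            ``{MD5}``/``{md5}`` or ``{CRYPT}``/``{crypt}`` (exact case only).
            After the prefix is removed it must look like
            ``$1$<salt>$<hash>``: 34 characters and exactly three ``$``.
        plain_password: the password to check.

    Returns:
        ``True`` when md5crypt of *plain_password* under the stored salt
        equals the stored hash; ``False`` otherwise, including for any
        value that is not a well-formed md5crypt string (md5crypt is not
        consulted in that case).
    """
    import hmac  # local import: the file's import block is not in view

    def _ct_eq(a, b):
        # Constant-time equality (hmac.compare_digest needs 2.7.7+/3.3+).
        # Both sides are normalised to bytes so str/unicode mixes are accepted.
        if not isinstance(a, bytes):
            a = a.encode('utf-8')
        if not isinstance(b, bytes):
            b = b.encode('utf-8')
        return hmac.compare_digest(a, b)

    # Drop the scheme prefix, if any.
    if challenge_password.startswith(('{MD5}', '{md5}')):
        challenge_password = challenge_password[5:]
    elif challenge_password.startswith(('{CRYPT}', '{crypt}')):
        challenge_password = challenge_password[7:]

    # Reject anything that is not a well-formed md5crypt string up front.
    # NOTE(review): the fixed length of 34 assumes an 8-character salt; a
    # shorter salt yields a shorter string and is rejected here — confirm
    # the salt length md5crypt generates.
    if not (challenge_password.startswith('$')
            and len(challenge_password) == 34
            and challenge_password.count('$') == 3):
        return False

    # Salt is the stored string with the hash part blanked: '$1$<salt>$'.
    salt_parts = challenge_password.split('$')
    salt_parts[-1] = ''
    salt = '$'.join(salt_parts)

    # Constant-time comparison of the recomputed hash with the stored one.
    return _ct_eq(md5crypt.md5crypt(plain_password, salt), challenge_password)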
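def auth(self, username, password, accountType='admin', verifyPassword=False,):
    """Authenticate an admin or user account against the dbmail SQL tables.

    Args:
        username: login name; must be an email address (``iredutils.isEmail``).
        password: plain-text password supplied by the caller.
        accountType: ``'admin'`` (table ``dbmail_admins``, column
            ``username``) or ``'user'`` (table ``dbmail_users``, column
            ``userid``).
        verifyPassword: when ``True`` only the credentials are checked and
            the web session is left untouched.

    Returns:
        ``(True,)`` on success, otherwise ``(False, reason)`` with reason one
        of ``'INVALID_USERNAME'``, ``'EMPTY_PASSWORD'``,
        ``'INVALID_ACCOUNT_TYPE'`` or ``'INVALID_CREDENTIALS'``.  The same
        ``'INVALID_CREDENTIALS'`` is used for an unknown account and for a
        wrong password so the reply does not reveal which accounts exist.
    """
    import hmac  # local import: the file's import block is not in view

    def _ct_eq(a, b):
        # Constant-time equality (hmac.compare_digest needs 2.7.7+/3.3+).
        # Both sides are normalised to bytes so str/unicode mixes are accepted.
        if not isinstance(a, bytes):
            a = a.encode('utf-8')
        if not isinstance(b, bytes):
            b = b.encode('utf-8')
        return hmac.compare_digest(a, b)

    if not iredutils.isEmail(username):
        return (False, 'INVALID_USERNAME')
    if len(password) == 0:
        return (False, 'EMPTY_PASSWORD')

    # Query account from SQL database.  The where-clause is string-built;
    # web.sqlquote() is the quoting the untrusted username relies on.
    if accountType == 'admin':
        result = self.conn.select(
            'dbmail_admins',
            where="username=%s AND active=1" % web.sqlquote(username),
            limit=1,
        )
    elif accountType == 'user':
        result = self.conn.select(
            'dbmail_users',
            where="userid=%s AND active=1" % web.sqlquote(username),
            limit=1,
        )
    else:
        return (False, 'INVALID_ACCOUNT_TYPE')

    if len(result) != 1:
        # Account not found.
        # Do NOT return msg like 'Account does not ***EXIST***', crackers
        # can use it to verify valid accounts.
        return (False, 'INVALID_CREDENTIALS')

    # It's a valid account.
    record = result[0]
    password_sql = str(record.password)

    # Verify password.  Three stored formats are recognised; each is compared
    # in constant time so timing does not depend on how much of the stored
    # value matches.
    if password_sql.startswith('$') and len(password_sql) == 34 and password_sql.count('$') == 3:
        # md5crypt ('$1$<salt>$<hash>').  The salt handed to md5crypt is the
        # stored string with the hash part blanked, i.e. '$1$<salt>$'.
        # NOTE(review): the fixed length of 34 assumes an 8-character salt;
        # a shorter salt yields a shorter string and falls through to the
        # plain-text branches below — confirm the salt length md5crypt uses.
        salt_parts = password_sql.split('$')
        salt_parts[-1] = ''
        salt = '$'.join(salt_parts)
        authenticated = _ct_eq(md5crypt.md5crypt(password, salt), password_sql)
    elif password_sql.upper().startswith('{PLAIN}'):
        # Plain password with prefix '{PLAIN}' (any case).
        authenticated = _ct_eq(password_sql.split('}', 1)[-1], password)
    else:
        # Plain password without prefix.
        authenticated = _ct_eq(password_sql, password)

    if not authenticated:
        return (False, 'INVALID_CREDENTIALS')

    if verifyPassword is not True:
        session['username'] = username
        session['logged'] = True
        # Preferred language; an empty or NULL column falls back to en_US.
        # (str(None) is the truthy 'None', so test the raw value, not str().)
        session['lang'] = str(record.language) if record.language else 'en_US'
        # Mark global admins: a dbmail_domain_admins row whose domain is 'ALL'.
        try:
            result = self.conn.select(
                'dbmail_domain_admins',
                what='domain',
                where="""username=%s AND domain='ALL'""" % web.sqlquote(username),
                limit=1,
            )
            if len(result) == 1:
                session['domainGlobalAdmin'] = True
        except Exception:
            # Best effort: a failed lookup only leaves the flag unset.
            pass

    return (True,)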