Example #1
0
 def verify_secret(self, authcid, secret, authzid=None):
     ret = self.lookup.lookup_address(authcid, authzid=authzid)
     if not ret or 'password' not in ret:
         raise CredentialsInvalidError()
     if not ldap_context.verify(secret, ret['password']):
         raise CredentialsInvalidError()
     return ret.get('user', authcid)
Example #2
0
 def check_credentials(self, creds):
     ret = self.lookup_creds.lookup_address(creds.authcid,
                                            authzid=creds.authzid)
     if not ret or 'password' not in ret:
         return False
     if not ldap_context.verify(creds.secret, ret['password']):
         return False
     return True
Example #3
0
def validate(password, pwhash):

    # Check for old-style MD5 passwords which won't have any associated type
    if pwhash[0] != "{":
        if hashlib.md5(password).hexdigest() == pwhash:
            return True
        else:
            return False
    else:
        return ldap_context.verify(password, pwhash)
Example #4
0
 async def _check_user(cls, redis: Redis, config: Config,
                       credentials: AuthenticationCredentials) -> bytes:
     user = credentials.authcid
     password, namespace = await cls._get_password(redis, config, user)
     if user != credentials.identity:
         raise InvalidAuth()
     elif ldap_context is None or not credentials.has_secret:
         if not credentials.check_secret(password):
             raise InvalidAuth()
     elif not ldap_context.verify(credentials.secret, password):
         raise InvalidAuth()
     return namespace
Example #5
0
 async def _check_user(cls, redis: Redis, config: Config,
                       credentials: AuthenticationCredentials) -> str:
     user = credentials.authcid
     password = await cls._get_password(redis, config, user)
     if user != credentials.identity:
         raise InvalidAuth()
     elif ldap_context is None or not credentials.has_secret:
         if not credentials.check_secret(password):
             raise InvalidAuth()
     elif not ldap_context.verify(credentials.secret, password):
         raise InvalidAuth()
     return user
Example #6
0
def verify_password(plaintext_password, hash):
    """Verifies a plain password string agailst a given password hash.

    It uses a ldap_context to verify RFC 2307 hashes including the GNU
    {crypt} extension. If the passord is a basic 2-byte-salted hash
    given grom old unix crypt() the ldap_context will fail. For this we
    try to crypt() the given plaintext using the first two bytes of the
    given hash als salt and compare the two hashes.
    """
    try:
        result = ldap_context.verify(plaintext_password, hash)
        if result:
            return result
    except ValueError:
        pass
    if hash.startswith("{crypt}") and len(hash) > 9:
        real_hash = hash[7:]
        salt = hash[7:9]
        crypted = crypt(plaintext_password, salt)
        return crypted == real_hash
    return False