def verify_secret(self, authcid, secret, authzid=None):
    """Check *secret* for *authcid* and return the resolved user name.

    The account record is fetched with ``self.lookup.lookup_address`` and the
    stored ``'password'`` entry is checked with ``ldap_context.verify``.

    Returns:
        The record's ``'user'`` value, or *authcid* when the record has none.

    Raises:
        CredentialsInvalidError: the lookup returned nothing, the record has
            no ``'password'`` key, or the secret did not verify.
    """
    record = self.lookup.lookup_address(authcid, authzid=authzid)

    # Every failure mode raises the same exception type, so the error alone
    # does not tell a caller whether the account exists or the password was
    # wrong.
    if (
        record
        and 'password' in record
        and ldap_context.verify(secret, record['password'])
    ):
        return record.get('user', authcid)

    raise CredentialsInvalidError()
def check_credentials(self, creds):
    """Return ``True`` only when *creds* match the stored password hash.

    The record is fetched with ``self.lookup_creds.lookup_address`` using
    ``creds.authcid`` and ``creds.authzid``; ``creds.secret`` is then checked
    against the record's ``'password'`` entry with ``ldap_context.verify``.

    A missing record, a record without a ``'password'`` key and a failed
    verification all yield ``False``.
    """
    entry = self.lookup_creds.lookup_address(
        creds.authcid, authzid=creds.authzid)

    if entry and 'password' in entry:
        # Normalise whatever verify() returns to a strict bool.
        return bool(ldap_context.verify(creds.secret, entry['password']))

    return False
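def validate(password, pwhash):
    """Check *password* against the stored hash *pwhash*.

    Two stored formats are handled:

    * Old-style MD5 passwords, which have no associated type prefix: the hex
      MD5 digest of the password is compared with *pwhash*.
    * Anything starting with ``{``: delegated to ``ldap_context.verify``.

    Args:
        password: The candidate password (``str`` or ``bytes``).
        pwhash: The stored hash.

    Returns:
        ``True`` when the password matches; ``False`` for a mismatch or an
        empty/missing stored hash. For prefixed hashes, whatever
        ``ldap_context.verify`` returns.
    """
    # Function-scope import so the block does not depend on a file-level one.
    import hmac

    # An empty or missing hash can never match; without this guard the
    # pwhash[0] probe below raises IndexError instead of rejecting the login.
    if not pwhash:
        return False

    # Check for old-style MD5 passwords which won't have any associated type
    if pwhash[0] != "{":
        # hashlib needs bytes; encode text passwords instead of raising
        # TypeError.
        secret = (
            password.encode("utf-8") if isinstance(password, str) else password
        )
        computed = hashlib.md5(secret).hexdigest().encode("ascii")
        stored = pwhash.encode("utf-8") if isinstance(pwhash, str) else pwhash
        # Constant-time comparison: the time taken does not depend on how
        # many leading characters of the digest match.
        # NOTE(review): unsalted MD5 is only a legacy format here; consider
        # re-hashing such accounts with a current scheme after a successful
        # login - that is a policy decision outside this function.
        return hmac.compare_digest(computed, stored)

    return ldap_context.verify(password, pwhash)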
async def _check_user(cls, redis: Redis, config: Config,
                      credentials: AuthenticationCredentials) -> bytes:
    """Authenticate *credentials* and return the user's namespace.

    The stored password and namespace come from ``cls._get_password``. The
    authentication identity must equal ``credentials.identity``; a request to
    act as any other identity is rejected.

    Raises:
        InvalidAuth: the identities differ or the secret does not verify.
    """
    user = credentials.authcid
    password, namespace = await cls._get_password(redis, config, user)

    if user != credentials.identity:
        raise InvalidAuth()

    if ldap_context is not None and credentials.has_secret:
        verified = ldap_context.verify(credentials.secret, password)
    else:
        # NOTE(review): this fallback hands the stored value to
        # credentials.check_secret; what comparison that performs is not
        # visible from here - confirm against its definition.
        verified = credentials.check_secret(password)

    if not verified:
        raise InvalidAuth()
    return namespace
async def _check_user(cls, redis: Redis, config: Config,
                      credentials: AuthenticationCredentials) -> str:
    """Authenticate *credentials* and return the authenticated user name.

    The stored password comes from ``cls._get_password``. The authentication
    identity must equal ``credentials.identity``; a request to act as any
    other identity is rejected.

    Raises:
        InvalidAuth: the identities differ or the secret does not verify.
    """
    user = credentials.authcid
    password = await cls._get_password(redis, config, user)

    if user != credentials.identity:
        raise InvalidAuth()

    if ldap_context is not None and credentials.has_secret:
        verified = ldap_context.verify(credentials.secret, password)
    else:
        # NOTE(review): this fallback hands the stored value to
        # credentials.check_secret; what comparison that performs is not
        # visible from here - confirm against its definition.
        verified = credentials.check_secret(password)

    if not verified:
        raise InvalidAuth()
    return user
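def verify_password(plaintext_password, hash):
    """Verify a plaintext password string against a given password hash.

    ``ldap_context`` is tried first; it verifies RFC 2307 hashes, including
    the GNU ``{crypt}`` extension. If the stored value is a basic
    2-byte-salted hash from the old Unix ``crypt()``, ``ldap_context`` fails.
    In that case the plaintext is passed to ``crypt()`` with the first two
    characters of the stored hash as salt, and the two hashes are compared.

    Args:
        plaintext_password: The candidate password.
        hash: The stored hash, optionally carrying a ``{crypt}`` prefix.

    Returns:
        The truthy result of ``ldap_context.verify`` when that succeeds,
        otherwise the outcome of the ``crypt()`` fallback comparison, or
        ``False`` when neither path matches.
    """
    # Function-scope import so the block does not depend on a file-level one.
    import hmac

    try:
        result = ldap_context.verify(plaintext_password, hash)
        if result:
            return result
    except ValueError:
        # Deliberate best-effort: a hash ldap_context cannot handle falls
        # through to the legacy crypt() comparison below.
        pass

    if hash.startswith("{crypt}") and len(hash) > 9:
        real_hash = hash[7:]
        salt = hash[7:9]
        crypted = crypt(plaintext_password, salt)
        # Reject any non-string result (e.g. None) rather than passing it to
        # the comparison below.
        if not isinstance(crypted, str):
            return False
        # Constant-time comparison: the time taken does not depend on how
        # many leading characters of the two hashes match.
        return hmac.compare_digest(
            crypted.encode("utf-8"), real_hash.encode("utf-8"))
    return False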