def _verify_by_hashcode(self, pincode, hashcode):
    """Check *pincode* against a stored hash using passlib.

    Returns True when the pincode matches. Raises totpcgi.UserPincodeError
    when it does not match, or when passlib's verify() raises ValueError
    (reported as an unsupported hash format).
    """
    # NOTE(review): this writes the stored hash itself to the debug log, so
    # anyone who can read that log obtains material for offline guessing.
    # Consider logging only that a comparison is about to happen.
    logger.debug('Will test against %s' % hashcode)

    # Function-scope import, kept from the original.
    from passlib.apps import custom_app_context as ctx

    try:
        if ctx.verify(pincode, hashcode):
            return True
        # Raised inside the try on purpose: this keeps the original control
        # flow unchanged even if UserPincodeError derives from ValueError.
        raise totpcgi.UserPincodeError('Pincode did not match.')
    except ValueError:
        raise totpcgi.UserPincodeError('Unsupported hashcode format')
def _verify_by_hashcode(pincode, hashcode):
    """Check *pincode* against a stored hash with an explicit scheme list.

    Returns True when the pincode matches. Raises totpcgi.UserPincodeError
    when it does not match, or when passlib's verify() raises ValueError
    (reported as an unsupported hash format).
    """
    # NOTE(review): this writes the stored hash itself to the debug log, so
    # anyone who can read that log obtains material for offline guessing.
    # Consider logging only that a comparison is about to happen.
    logger.debug('Will test against %s', hashcode)

    # Function-scope import, kept from the original.
    from passlib.context import CryptContext

    # Only hashes in one of these schemes are accepted for verification.
    # NOTE(review): md5_crypt is a legacy scheme that is cheap to brute-force;
    # keep it only while old hashes are being migrated (passlib's
    # ``deprecated=`` option and ``needs_update()`` support that workflow).
    # The context is also rebuilt on every call.
    accepted_schemes = ['sha256_crypt', 'sha512_crypt', 'bcrypt', 'md5_crypt']
    ctx = CryptContext(schemes=accepted_schemes)

    try:
        if ctx.verify(pincode, hashcode):
            return True
        # Raised inside the try on purpose: this keeps the original control
        # flow unchanged even if UserPincodeError derives from ValueError.
        raise totpcgi.UserPincodeError('Pincode did not match.')
    except ValueError:
        raise totpcgi.UserPincodeError('Unsupported hashcode format')
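def verify_user_pincode(self, user, pincode):
    """Verify *pincode* by performing an LDAP simple bind as *user*.

    The bind DN is produced by substituting ``$username`` in
    ``self.ldap_dn``. Returns None when the bind succeeds.

    Raises:
        totpcgi.UserPincodeError: if the pincode is empty or the bind fails.
    """
    # An empty password turns a simple bind into an "unauthenticated bind"
    # (RFC 4513, section 5.1.2), which many directory servers report as
    # success. Refuse it up front so a blank pincode can never pass.
    if not pincode:
        raise totpcgi.UserPincodeError('LDAP bind failed: empty pincode')

    # Function-scope import: the escaping helper lives in the ldap.dn
    # submodule of the ldap package this module already uses.
    from ldap.dn import escape_dn_chars

    if len(self.ldap_cacert):
        # Set on the ldap module itself, not on this connection.
        ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, self.ldap_cacert)

    # NOTE(review): nothing in this method enforces TLS. With a plain
    # ldap:// URL the pincode crosses the network in clear text; confirm
    # ldap_url is ldaps:// or that StartTLS is applied elsewhere.
    lconn = ldap.initialize(self.ldap_url)
    lconn.protocol_version = 3
    lconn.set_option(ldap.OPT_REFERRALS, 0)

    # Escape DN metacharacters (RFC 4514) so the supplied username stays a
    # single attribute value and cannot change the structure of the bind DN.
    dn = Template(self.ldap_dn).safe_substitute(
        username=escape_dn_chars(user))

    try:
        lconn.simple_bind_s(dn, pincode)
    except Exception as ex:
        raise totpcgi.UserPincodeError('LDAP bind failed: %s' % ex)
    finally:
        # Do not leave the connection open once the check is done. A failure
        # while closing must not mask the outcome of the bind.
        try:
            lconn.unbind_s()
        except ldap.LDAPError:
            pass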
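def verify_user_pincode(self, user, pincode):
    """Look up the stored hash for *user* and verify *pincode* against it.

    The pincode file is basically /etc/shadow, except that anything past
    the first 2 entries is ignored. A compiled ``<pincode_file>.db`` is
    consulted first when its mtime is at least that of the text file.
    When the .db is stale or has no entry for the user, the text file is
    read through ``self._get_all_hashcodes()``.

    Returns whatever ``self._verify_by_hashcode()`` returns.

    Raises:
        totpcgi.UserNotFound: if the pincode file is not readable.
        totpcgi.UserPincodeError: if no hash is stored for *user*.
    """
    if not os.access(self.pincode_file, os.R_OK):
        raise totpcgi.UserNotFound('pincodes file not found!')

    # Check if we have a compiled version first.
    logger.debug('Checking if there is a pincodes.db')
    pincode_db_file = self.pincode_file + '.db'
    hashcode = None

    if os.access(pincode_db_file, os.R_OK):
        logger.debug('Found pincodes.db. Comparing mtime with pincodes')
        dbmtime = os.stat(pincode_db_file).st_mtime
        ptmtime = os.stat(self.pincode_file).st_mtime
        logger.debug('dbmtime=%s', dbmtime)
        logger.debug('ptmtime=%s', ptmtime)

        # NOTE(review): the .db is trusted purely on readability and mtime.
        # Whoever can write it decides which hash is checked, so it needs
        # the same ownership and permissions as the pincode file itself.
        if dbmtime >= ptmtime:
            logger.debug('.db mtime greater, will use the db')
            db = anydbm.open(pincode_db_file, 'r')
            try:
                # Direct lookup instead of scanning db.keys().
                hashcode = db[user]
            except KeyError:
                # Logged only on a real miss; the original emitted this
                # line even after the user had been found.
                logger.debug('%s not in .db. Falling back to plaintext.',
                             user)
            else:
                logger.debug('Found %s in the .db', user)
            finally:
                # Close the handle on every path, including lookup errors.
                db.close()
        else:
            logger.debug('.db is stale! Falling back to plaintext.')

    if hashcode is None:
        logger.debug('Reading pincode file: %s', self.pincode_file)
        hashcodes = self._get_all_hashcodes()
        try:
            hashcode = hashcodes[user]
        except KeyError:
            raise totpcgi.UserPincodeError(
                'Pincode not found for user %s' % user)

    return self._verify_by_hashcode(pincode, hashcode)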
def verify_user_pincode(self, user, pincode):
    """Look up the stored hash for *user* and verify *pincode* against it.

    The pincode file is basically /etc/shadow, except that anything past
    the first 2 entries is ignored. All hashes are obtained through
    ``self._get_all_hashcodes()``.

    Returns whatever ``self._verify_by_hashcode()`` returns.

    Raises:
        totpcgi.UserNotFound: if the pincode file is not readable.
        totpcgi.UserPincodeError: if no hash is stored for *user*.
    """
    file_is_readable = os.access(self.pincode_file, os.R_OK)
    if not file_is_readable:
        raise totpcgi.UserNotFound('pincodes file not found!')

    logger.debug('Reading pincode file: %s', self.pincode_file)
    known_hashes = self._get_all_hashcodes()

    try:
        stored_hash = known_hashes[user]
    except KeyError:
        # NOTE(review): this text differs from the wrong-pincode message. If
        # exception text ever reaches the client it reveals which usernames
        # exist; confirm the caller returns one generic failure.
        raise totpcgi.UserPincodeError('Pincode not found for user %s' % user)

    return self._verify_by_hashcode(pincode, stored_hash)