def post(self, request, *args, **kwargs):
serializer = self.get_serializer(data=request.data)
try:
serializer.is_valid(raise_exception=True)
except TokenError as e:
logger.warning(
_("Failed connection attempt from '%s' as user '%s'"),
request.META["REMOTE_ADDR"],
escape(serializer.data["username"])
)
raise InvalidToken(e.args[0])
user = serializer.user
logger.info(
_("User '%s' successfully logged in"), user.username
)
if user and user.is_active:
condition = (
user.is_local and
param_tools.get_global_parameter(
"update_scheme", raise_exception=False)
)
if condition:
# check if password scheme is correct
scheme = param_tools.get_global_parameter(
"password_scheme", raise_exception=False)
# use SHA512CRYPT as default fallback
if scheme is None:
pwhash = get_password_hasher("sha512crypt")()
else:
pwhash = get_password_hasher(scheme)()
if not user.password.startswith(pwhash.scheme):
logger.info(
_("Password scheme mismatch. Updating %s password"),
user.username
)
user.set_password(request.data["password"])
user.save()
if pwhash.needs_rehash(user.password):
logger.info(
_("Password hash parameter missmatch. "
"Updating %s password"),
user.username
)
user.set_password(serializer.data["password"])
user.save()
return response.Response(
serializer.validated_data, status=status.HTTP_200_OK)
def test_password_schemes(self):
"""Validate password scheme changes."""
username = "******"
password = "******"
data = {"username": username, "password": password}
user = models.User.objects.get(username=username)
pw_hash = get_password_hasher('fallback_scheme')()
self.client.logout()
self.set_global_parameter("password_scheme", "sha512crypt")
self.client.post(reverse("core:login"), data)
user.refresh_from_db()
self.assertTrue(user.password.startswith("{SHA512-CRYPT}"))
self.client.logout()
self.set_global_parameter("password_scheme", "sha256")
self.client.post(reverse("core:login"), data)
user.refresh_from_db()
self.assertTrue(user.password.startswith("{SHA256}"))
self.client.logout()
self.set_global_parameter("password_scheme", "fallback_scheme")
self.client.post(reverse("core:login"), data)
user.refresh_from_db()
self.assertTrue(user.password.startswith(pw_hash.scheme))
self.client.logout()
self.set_global_parameter("password_scheme", "sha256crypt")
self.set_global_parameter("update_scheme", False)
self.client.post(reverse("core:login"), data)
user.refresh_from_db()
self.assertTrue(user.password.startswith(pw_hash.scheme))
def test_password_schemes(self):
"""Validate password scheme changes."""
username = "******"
password = "******"
data = {"username": username, "password": password}
user = models.User.objects.get(username=username)
pw_hash = get_password_hasher('fallback_scheme')()
self.client.logout()
self.set_global_parameter("password_scheme", "sha512crypt")
self.client.post(reverse("core:login"), data)
user.refresh_from_db()
self.assertTrue(user.password.startswith("{SHA512-CRYPT}"))
self.client.logout()
self.set_global_parameter("password_scheme", "sha256")
self.client.post(reverse("core:login"), data)
user.refresh_from_db()
self.assertTrue(user.password.startswith("{SHA256}"))
self.client.logout()
self.set_global_parameter("password_scheme", "fallback_scheme")
self.client.post(reverse("core:login"), data)
user.refresh_from_db()
self.assertTrue(user.password.startswith(pw_hash.scheme))
self.client.logout()
self.set_global_parameter("password_scheme", "sha256crypt")
self.set_global_parameter("update_scheme", False)
self.client.post(reverse("core:login"), data)
user.refresh_from_db()
self.assertTrue(user.password.startswith(pw_hash.scheme))
def _crypt_password(self, clearpassword):
"""Overidding of the crypt_password function (LDAP compliant)
:param clearpassword: the clear password
:return: the encrypted password
"""
scheme = self.global_params["password_scheme"]
hasher = get_password_hasher(scheme.upper())("ldap")
return hasher.encrypt(clearpassword)
def _crypt_password(self, clearpassword):
"""Overidding of the crypt_password function (LDAP compliant)
:param clearpassword: the clear password
:return: the encrypted password
"""
scheme = self.global_params["password_scheme"]
hasher = get_password_hasher(scheme.upper())("ldap")
return hasher.encrypt(clearpassword)
def _crypt_password(self, clearpassword):
"""Overidding of the crypt_password function (LDAP compliant)
:param clearpassword: the clear password
:return: the encrypted password
"""
scheme = parameters.get_admin("PASSWORD_SCHEME", app="core")
hasher = get_password_hasher(scheme.upper())('ldap')
return hasher.encrypt(clearpassword)
def _crypt_password(self, clearpassword):
"""Overidding of the crypt_password function (LDAP compliant)
:param clearpassword: the clear password
:return: the encrypted password
"""
scheme = parameters.get_admin("PASSWORD_SCHEME", app="core")
hasher = get_password_hasher(scheme.upper())('ldap')
return hasher.encrypt(clearpassword)
def check_password(self, raw_value):
"""Compare raw_value to current password."""
match = self.password_expr.match(self.password)
if match is None:
return False
raw_value = force_str(raw_value)
scheme = match.group(1)
val2 = match.group(2)
hasher = get_password_hasher(scheme)
return hasher().verify(raw_value, val2)
def check_password(self, raw_value):
match = self.password_expr.match(self.password)
if match is None:
return False
if type(raw_value) is unicode:
raw_value = raw_value.encode("utf-8")
scheme = match.group(1)
val2 = match.group(2)
hasher = get_password_hasher(scheme)
return hasher().verify(raw_value, val2)
def check_password(self, raw_value):
"""Compare raw_value to current password."""
match = self.password_expr.match(self.password)
if match is None:
return False
raw_value = force_str(raw_value)
scheme = match.group(1)
val2 = match.group(2)
hasher = get_password_hasher(scheme)
return hasher().verify(raw_value, val2)
def check_password(self, raw_value):
match = self.password_expr.match(self.password)
if match is None:
return False
if isinstance(raw_value, unicode):
raw_value = raw_value.encode("utf-8")
scheme = match.group(1)
val2 = match.group(2)
hasher = get_password_hasher(scheme)
return hasher().verify(raw_value, val2)
def check_password(self, raw_value):
"""Compare raw_value to current password."""
match = self.password_expr.match(self.password)
if match is None:
return False
if isinstance(raw_value, unicode):
raw_value = raw_value.encode("utf-8")
scheme = match.group(1)
val2 = match.group(2)
hasher = get_password_hasher(scheme)
return hasher().verify(raw_value, val2)
def _crypt_password(self, raw_value):
"""Crypt the local password using the appropriate scheme.
In case we don't find the scheme (for example when the
management framework is used), we load the parameters and try
one more time.
"""
scheme = param_tools.get_global_parameter(
"password_scheme", raise_exception=False)
if scheme is None:
from modoboa.core.apps import load_core_settings
load_core_settings()
scheme = param_tools.get_global_parameter(
"password_scheme", raise_exception=False)
raw_value = smart_bytes(raw_value)
return get_password_hasher(scheme.upper())().encrypt(raw_value)
def _crypt_password(self, raw_value):
"""Crypt the local password using the appropriate scheme.
In case we don't find the scheme (for example when the
management framework is used), we load the parameters and try
one more time.
"""
scheme = param_tools.get_global_parameter("password_scheme",
raise_exception=False)
if scheme is None:
from modoboa.core.apps import load_core_settings
load_core_settings()
scheme = param_tools.get_global_parameter("password_scheme",
raise_exception=False)
raw_value = smart_bytes(raw_value)
return get_password_hasher(scheme.upper())().encrypt(raw_value)
def _crypt_password(self, raw_value):
"""Crypt the local password using the appropriate scheme.
In case we don't find the scheme (for example when the
management framework is used), we load the parameters and try
one more time.
"""
try:
scheme = parameters.get_admin("PASSWORD_SCHEME")
except parameters.NotDefined:
from modoboa.core import load_core_settings
load_core_settings()
scheme = parameters.get_admin("PASSWORD_SCHEME")
if isinstance(raw_value, unicode):
raw_value = raw_value.encode("utf-8")
return get_password_hasher(scheme.upper())().encrypt(raw_value)
def _crypt_password(self, raw_value):
"""Crypt the local password using the appropriate scheme.
In case we don't find the scheme (for example when the
management framework is used), we load the parameters and try
one more time.
"""
try:
scheme = parameters.get_admin("PASSWORD_SCHEME")
except parameters.NotDefined:
from modoboa.core import load_core_settings
load_core_settings()
scheme = parameters.get_admin("PASSWORD_SCHEME")
if isinstance(raw_value, unicode):
raw_value = raw_value.encode("utf-8")
return get_password_hasher(scheme.upper())().encrypt(raw_value)
def dologin(request):
"""Try to authenticate."""
error = None
if request.method == "POST":
form = forms.LoginForm(request.POST)
if form.is_valid():
logger = logging.getLogger("modoboa.auth")
user = authenticate(username=form.cleaned_data["username"],
password=form.cleaned_data["password"])
if user and user.is_active:
if param_tools.get_global_parameter("update_scheme",
raise_exception=False):
# check if password scheme is correct
scheme = param_tools.get_global_parameter(
"password_scheme", raise_exception=False)
# use SHA512CRYPT as default fallback
if scheme is None:
pwhash = get_password_hasher('sha512crypt')()
else:
pwhash = get_password_hasher(scheme)()
if not user.password.startswith(pwhash.scheme):
logging.info(
_("Password scheme mismatch. Updating %s password"),
user.username
)
user.set_password(form.cleaned_data["password"])
user.save()
if pwhash.needs_rehash(user.password):
logging.info(
_("Password hash parameter missmatch. "
"Updating %s password"),
user.username
)
user.set_password(form.cleaned_data["password"])
user.save()
login(request, user)
if not form.cleaned_data["rememberme"]:
request.session.set_expiry(0)
translation.activate(request.user.language)
request.session[translation.LANGUAGE_SESSION_KEY] = (
request.user.language)
logger.info(
_("User '%s' successfully logged in") % user.username
)
signals.user_login.send(
sender="dologin",
username=form.cleaned_data["username"],
password=form.cleaned_data["password"])
return HttpResponseRedirect(find_nextlocation(request, user))
error = _(
"Your username and password didn't match. Please try again.")
logger.warning(
"Failed connection attempt from '%(addr)s' as user '%(user)s'"
% {"addr": request.META["REMOTE_ADDR"],
"user": form.cleaned_data["username"]}
)
nextlocation = request.POST.get("next", "")
httpcode = 401
else:
form = forms.LoginForm()
nextlocation = request.GET.get("next", "")
httpcode = 200
announcements = signals.get_announcements.send(
sender="login", location="loginpage")
announcements = [announcement[1] for announcement in announcements]
return HttpResponse(
render_to_string(
"registration/login.html", {
"form": form, "error": error, "next": nextlocation,
"annoucements": announcements},
request),
status=httpcode)
def _crypt_password(self, raw_value):
scheme = parameters.get_admin("PASSWORD_SCHEME")
if type(raw_value) is unicode:
raw_value = raw_value.encode("utf-8")
return get_password_hasher(scheme.upper())().encrypt(raw_value)
def _crypt_password(self, raw_value):
scheme = parameters.get_admin("PASSWORD_SCHEME")
if type(raw_value) is unicode:
raw_value = raw_value.encode("utf-8")
return get_password_hasher(scheme.upper())().encrypt(raw_value)
