예제 #1
0
파일: auth.py 프로젝트: tewe/genesis
def check_password(passw, hash):
    """
    Tests if a password is the same as the hash.

    Instance vars:

    - ``passw`` - ``str``, The password in it's original form
    - ``hash`` - ``str``, The hashed version of the password to check against
    """
    if hash.startswith('{SHA}'):
        try:
            import warnings
            warnings.warn(
                'SHA1 as a password hash may be removed in a future release.')
            passw_hash = '{SHA}' + b64encode(sha1(passw).digest())
            if passw_hash == hash:
                return True
        except:
            import traceback
            traceback.print_exc()
    elif hash.startswith('$2a$') and len(hash) == 60:
        return bcrypt.verify(passw, hash)
    elif sha512_crypt.identify(hash):
        return sha512_crypt.verify(passw, hash)
    return False
예제 #2
0
 def edit_one(element, attrib, value):
     if attrib == "id":
         element.id = value
     elif attrib == "name":
         element.name = value
     elif attrib == "password":
         if sha512_crypt.identify(value) == True:
             element.password = value
         else:
             element.password = Role.get_hashed_password(value)
     elif attrib == "active":
         if value == "True":
             element.active = True
         else:
             element.active = False
     elif attrib == "backend_name":
         element.backend_name = value
     elif attrib == "backend_pass":
         element.backend_pass = value
     elif attrib == "ip":
         element.ip = value
     elif attrib == "serverport":
         element.serverport = value
     elif attrib == "zeroconfport":
         element.zeroconfport = value
     else:
         return Role.ERROR_ATTRIB_NOT_VALID
     return element
예제 #3
0
파일: auth.py 프로젝트: ajvb/genesis
def check_password(passw, hash):
    """
    Tests if a password is the same as the hash.

    Instance vars:

    - ``passw`` - ``str``, The password in it's original form
    - ``hash`` - ``str``, The hashed version of the password to check against
    """
    if hash.startswith('{SHA}'):
        try:
            import warnings
            warnings.warn(
                'SHA1 as a password hash may be removed in a future release.')
            passw_hash = '{SHA}' + b64encode(sha1(passw).digest())
            if passw_hash == hash:
                return True
        except:
            import traceback
            traceback.print_exc()
    elif hash.startswith('$2a$') and len(hash) == 60:
        return bcrypt.verify(passw, hash)
    elif sha512_crypt.identify(hash):
        return sha512_crypt.verify(passw, hash)
    return False
예제 #4
0
def check_password(passw, hash):
    if hash.startswith('{SHA}'):
        try:
            passw_hash = '{SHA}' + b64encode(sha1(passw).digest())
            if passw_hash == hash:
                return True
        except:
            import traceback
            traceback.print_exc()
    elif sha512_crypt.identify(hash):
        return sha512_crypt.verify(passw, hash)
    return False
예제 #5
0
파일: auth.py 프로젝트: bneg/genesis
def check_password(passw, hash):
    if hash.startswith('{SHA}'):
        try:
            passw_hash = '{SHA}' + b64encode(sha1(passw).digest())
            if passw_hash == hash:
                return True
        except:
            import traceback
            traceback.print_exc()
    elif sha512_crypt.identify(hash):
        return sha512_crypt.verify(passw, hash)
    return False
예제 #6
0
파일: local.py 프로젝트: unixmonster/ajenti
    def check_password(self, username, password):
        if not username in ajenti.config.tree.users:
            return False
        type = 'plain'
        saved = ajenti.config.tree.users[username].password
        if '|' in saved:
            type, saved = saved.split('|')

        if type == 'plain':
            hash = password
            return hash == saved
        elif sha512_crypt.identify(saved):
            return sha512_crypt.verify(password, saved)
예제 #7
0
파일: local.py 프로젝트: AojiaoZero/ajenti
    def check_password(self, username, password):
        if not username in ajenti.config.tree.users:
            return False
        type = 'plain'
        saved = ajenti.config.tree.users[username].password
        if '|' in saved:
            type, saved = saved.split('|')

        if type == 'plain':
            hash = password
            return hash == saved
        elif sha512_crypt.identify(saved):
            return sha512_crypt.verify(password, saved)
예제 #8
0
def check_auth(username, password):
    """This function is called to check if a username /
    password combination is valid.
    """
    def any_(l):
        """Check if any element in the list is true, in constant time.
        """
        ret = False
        for e in l:
            if e:
                ret = True
        return ret

    user_ok = False
    pass_sha1_ok = pbkdf2_sha256_ok = pass_sha512_ok = pass_sha512_crypt_ok = pass_bcrypt_crypt_ok = False

    user_ok = app.conf['wapt_user'] == username

    pass_sha1_ok = app.conf['wapt_password'] == hashlib.sha1(
        password.encode('utf8')).hexdigest()
    pass_sha512_ok = app.conf['wapt_password'] == hashlib.sha512(
        password.encode('utf8')).hexdigest()

    if '$pbkdf2-sha256$' in app.conf['wapt_password']:
        pbkdf2_sha256_ok = pbkdf2_sha256.verify(password,
                                                app.conf['wapt_password'])
    elif sha512_crypt.identify(app.conf['wapt_password']):
        pass_sha512_crypt_ok = sha512_crypt.verify(password,
                                                   app.conf['wapt_password'])
    else:
        try:
            if bcrypt.identify(app.conf['wapt_password']):
                pass_bcrypt_crypt_ok = bcrypt.verify(password,
                                                     app.conf['wapt_password'])

        except Exception:
            pass

    basic_auth = any_([
        pbkdf2_sha256_ok, pass_sha1_ok, pass_sha512_ok, pass_sha512_crypt_ok,
        pass_bcrypt_crypt_ok
    ]) and user_ok

    return basic_auth or (auth_module_ad is not None
                          and auth_module_ad.check_credentials_ad(
                              app.conf, username, password))
예제 #9
0
파일: auth.py 프로젝트: tranquilit/WAPT
def check_auth(username, password):
    """This function is called to check if a username /
    password combination is valid.
    """
    def any_(l):
        """Check if any element in the list is true, in constant time.
        """
        ret = False
        for e in l:
            if e:
                ret = True
        return ret

    user_ok = False
    pass_sha1_ok = pbkdf2_sha256_ok = pass_sha512_ok = pass_sha512_crypt_ok = pass_bcrypt_crypt_ok = False

    user_ok = app.conf['wapt_user'] == username

    pass_sha1_ok = app.conf['wapt_password'] == hashlib.sha1(
        password.encode('utf8')).hexdigest()
    pass_sha512_ok = app.conf['wapt_password'] == hashlib.sha512(
        password.encode('utf8')).hexdigest()

    if '$pbkdf2-sha256$' in app.conf['wapt_password']:
        pbkdf2_sha256_ok = pbkdf2_sha256.verify(password, app.conf['wapt_password'])
    elif sha512_crypt.identify(app.conf['wapt_password']):
        pass_sha512_crypt_ok = sha512_crypt.verify(
            password,
            app.conf['wapt_password'])
    else:
        try:
            if bcrypt.identify(app.conf['wapt_password']):
                pass_bcrypt_crypt_ok = bcrypt.verify(
                    password,
                    app.conf['wapt_password'])

        except Exception:
            pass

    basic_auth = any_([pbkdf2_sha256_ok, pass_sha1_ok, pass_sha512_ok,
                 pass_sha512_crypt_ok, pass_bcrypt_crypt_ok]) and user_ok

    return basic_auth or (auth_module_ad is not None and auth_module_ad.check_credentials_ad(app.conf, username, password))
예제 #10
0
파일: auth.py 프로젝트: fabadja/WAPT
def check_auth( username=None, password = None, request = None,
                session=None, methods=['admin','ldap','session']):
    """This function is called to check if a username /
    password combination is valid or to get already authenticated username
    from session argument.

    If no username or password, use session.authorization header if available.

    Args:
        username (str):
        password (str):
        request (Flask.Request) : request where to lookup authrization basic header
        session (Flask.Session) where to lookup session user
        methods (list of str) : list of auth method to try until one is successfull
                               'session': use current session user if it matches username
                               'admin':
                               'ldap':
                               'kerb':
                               'ssl':
                               'passwd':



    Returns:
        dict (auth_method = auth_method,user=auth_user,auth_date=auth_date)
             None if auth is not successfull

    """
    if username is None and password is None and request is not None and request.authorization:
        username = request.authorization.username
        password = request.authorization.password

    auth_method = None
    auth_user = None
    auth_date = None

    assert(isinstance(methods,list))

    for method in methods:
        if method == 'session' and session:
            session_user = session.get('user',None)
            if session_user and (username is None or username == session_user):
                auth_user = session_user
                auth_date = session.get('auth_date',None)
                auth_method = method
                logger.debug(u'User %s authenticated using session cookie' % (username,))

        elif method == 'passwd' and valid_username(username) and username != app.conf['wapt_user'] and password is not None:
                # local htpasswd user/passwd file for add_host registration action
                if app.conf.get('htpasswd_path'):
                    htpasswd_users = HtpasswdFile(app.conf.get('htpasswd_path'))
                    if htpasswd_users.verify(username,password):
                        auth_method = method
                        auth_user = username
                        auth_date = datetime.datetime.utcnow().isoformat()
                        logger.debug(u'User %s authenticated using htpasswd %s' % (username,htpasswd_users))
                    else:
                        logger.debug(u'user %s htpasswd %s verification failed' % (username,htpasswd_users))

        elif method == 'admin' and valid_username(username) and app.conf['wapt_user'] == username and password is not None:
                pbkdf2_sha256_ok = False
                pass_sha512_crypt_ok = False
                pass_bcrypt_crypt_ok = False

                if '$pbkdf2-sha256$' in app.conf['wapt_password']:
                    pbkdf2_sha256_ok = pbkdf2_sha256.verify(password, app.conf['wapt_password'])
                elif sha512_crypt.identify(app.conf['wapt_password']):
                    pass_sha512_crypt_ok = sha512_crypt.verify(
                        password,
                        app.conf['wapt_password'])
                else:
                    try:
                        if bcrypt.identify(app.conf['wapt_password']):
                            pass_bcrypt_crypt_ok = bcrypt.verify(
                                password,
                                app.conf['wapt_password'])
                    except Exception:
                        pass

                if pbkdf2_sha256_ok or pass_sha512_crypt_ok or pass_bcrypt_crypt_ok:
                    auth_method = method
                    auth_user = username
                    auth_date = datetime.datetime.utcnow().isoformat()
                else:
                    logger.debug(u'wapt admin passwd verification failed')

        elif method == 'token':
            # token auth
            token_secret_key = app.conf['secret_key']
            if token_secret_key:
                # check if there is a valid token in the password
                try:
                    token_gen = get_secured_token_generator(token_secret_key)
                    # check if there is a Bearer, else use Basic / password
                    authorization = request.headers.get('Authorization')
                    if authorization and authorization.startswith('Bearer '):
                        token_data = token_gen.loads(authorization.split(' ',1)[1])
                    elif password is not None:
                        token_data = token_gen.loads(password)
                    else:
                        raise EWaptAuthenticationFailure('No token')

                    uuid = token_data.get('uuid', token_data.get('user',None))
                    if not uuid:
                        raise EWaptAuthenticationFailure('Bad token UUID')
                    if token_data['server_uuid'] != get_server_uuid():
                        raise EWaptAuthenticationFailure('Bad server UUID')
                    auth_method = method
                    auth_user = uuid
                    auth_date =  datetime.datetime.fromtimestamp(token_data['iat']).isoformat()
                    logger.debug(u'User %s authenticated using token' % (uuid,))
                except Exception as e:
                    logger.debug(u'Token verification failed : %s' % repr(e))
                    pass

        elif method == 'kerb' and app.conf['use_kerberos']:
            # with nginx kerberos module, auth user name is stored as Basic auth in the
            # 'Authorisation' header with password 'bogus_auth_gss_passwd'

            # Kerberos auth negociated by nginx
            if username != '' and password == 'bogus_auth_gss_passwd':
                authenticated_user = username.lower().replace('$', '')
                auth_method = method
                auth_user = authenticated_user
                auth_date = datetime.datetime.utcnow().isoformat()
                logger.debug(u'User %s authenticated using kerberos' % (authenticated_user,))

        elif method == 'ldap' and valid_username(username) and password is not None:
            if auth_module_ad is not None and (app.conf['wapt_user'] != username and
                    auth_module_ad.check_credentials_ad(app.conf, username, password)):
                auth_method = method
                auth_user = username
                auth_date = datetime.datetime.utcnow().isoformat()
                logger.debug(u'User %s authenticated using LDAP' % (username,))

        # nginx ssl auth.
        elif method == 'ssl' and request and app.conf['use_ssl_client_auth'] and request.headers.get('X-Ssl-Authenticated', None) == 'SUCCESS':
            dn = request.headers.get('X-Ssl-Client-Dn', None)
            if dn:
                auth_method = method
                # strip CN= if no other suffix.
                if dn.upper().startswith('CN='):
                    auth_user = dn.split('=',1)[1]
                else:
                    auth_user = dn
                auth_date = datetime.datetime.utcnow().isoformat()
                logger.debug(u'User %s authenticated using SSL client certificate' % (dn,))

        if auth_method and auth_user:
            break

    #only session and admin methods are ok for the embedded wapt admin password based account.
    if auth_method and auth_user and (auth_user != app.conf['wapt_user'] or auth_method in ('session','admin')):
        return dict(auth_method = auth_method,user=auth_user,auth_date=auth_date)
    else:
        return None