def verify_secret(self, authcid, secret, authzid=None):
ret = self.lookup.lookup_address(authcid, authzid=authzid)
if not ret or 'password' not in ret:
raise CredentialsInvalidError()
if not ldap_context.verify(secret, ret['password']):
raise CredentialsInvalidError()
return ret.get('user', authcid)
def check_credentials(self, creds):
ret = self.lookup_creds.lookup_address(creds.authcid,
authzid=creds.authzid)
if not ret or 'password' not in ret:
return False
if not ldap_context.verify(creds.secret, ret['password']):
return False
return True
def validate(password, pwhash):
# Check for old-style MD5 passwords which won't have any associated type
if pwhash[0] != "{":
if hashlib.md5(password).hexdigest() == pwhash:
return True
else:
return False
else:
return ldap_context.verify(password, pwhash)
async def _check_user(cls, redis: Redis, config: Config,
credentials: AuthenticationCredentials) -> bytes:
user = credentials.authcid
password, namespace = await cls._get_password(redis, config, user)
if user != credentials.identity:
raise InvalidAuth()
elif ldap_context is None or not credentials.has_secret:
if not credentials.check_secret(password):
raise InvalidAuth()
elif not ldap_context.verify(credentials.secret, password):
raise InvalidAuth()
return namespace
async def _check_user(cls, redis: Redis, config: Config,
credentials: AuthenticationCredentials) -> str:
user = credentials.authcid
password = await cls._get_password(redis, config, user)
if user != credentials.identity:
raise InvalidAuth()
elif ldap_context is None or not credentials.has_secret:
if not credentials.check_secret(password):
raise InvalidAuth()
elif not ldap_context.verify(credentials.secret, password):
raise InvalidAuth()
return user
def verify_password(plaintext_password, hash):
"""Verifies a plain password string agailst a given password hash.
It uses a ldap_context to verify RFC 2307 hashes including the GNU
{crypt} extension. If the passord is a basic 2-byte-salted hash
given grom old unix crypt() the ldap_context will fail. For this we
try to crypt() the given plaintext using the first two bytes of the
given hash als salt and compare the two hashes.
"""
try:
result = ldap_context.verify(plaintext_password, hash)
if result:
return result
except ValueError:
pass
if hash.startswith("{crypt}") and len(hash) > 9:
real_hash = hash[7:]
salt = hash[7:9]
crypted = crypt(plaintext_password, salt)
return crypted == real_hash
return False