def check_password(passw, hash):
"""
Tests if a password is the same as the hash.
Instance vars:
- ``passw`` - ``str``, The password in it's original form
- ``hash`` - ``str``, The hashed version of the password to check against
"""
if hash.startswith('{SHA}'):
try:
import warnings
warnings.warn(
'SHA1 as a password hash may be removed in a future release.')
passw_hash = '{SHA}' + b64encode(sha1(passw).digest())
if passw_hash == hash:
return True
except:
import traceback
traceback.print_exc()
elif hash.startswith('$2a$') and len(hash) == 60:
return bcrypt.verify(passw, hash)
elif sha512_crypt.identify(hash):
return sha512_crypt.verify(passw, hash)
return False
def edit_one(element, attrib, value):
if attrib == "id":
element.id = value
elif attrib == "name":
element.name = value
elif attrib == "password":
if sha512_crypt.identify(value) == True:
element.password = value
else:
element.password = Role.get_hashed_password(value)
elif attrib == "active":
if value == "True":
element.active = True
else:
element.active = False
elif attrib == "backend_name":
element.backend_name = value
elif attrib == "backend_pass":
element.backend_pass = value
elif attrib == "ip":
element.ip = value
elif attrib == "serverport":
element.serverport = value
elif attrib == "zeroconfport":
element.zeroconfport = value
else:
return Role.ERROR_ATTRIB_NOT_VALID
return element
def check_password(passw, hash):
"""
Tests if a password is the same as the hash.
Instance vars:
- ``passw`` - ``str``, The password in it's original form
- ``hash`` - ``str``, The hashed version of the password to check against
"""
if hash.startswith('{SHA}'):
try:
import warnings
warnings.warn(
'SHA1 as a password hash may be removed in a future release.')
passw_hash = '{SHA}' + b64encode(sha1(passw).digest())
if passw_hash == hash:
return True
except:
import traceback
traceback.print_exc()
elif hash.startswith('$2a$') and len(hash) == 60:
return bcrypt.verify(passw, hash)
elif sha512_crypt.identify(hash):
return sha512_crypt.verify(passw, hash)
return False
def check_password(passw, hash):
if hash.startswith('{SHA}'):
try:
passw_hash = '{SHA}' + b64encode(sha1(passw).digest())
if passw_hash == hash:
return True
except:
import traceback
traceback.print_exc()
elif sha512_crypt.identify(hash):
return sha512_crypt.verify(passw, hash)
return False
def check_password(passw, hash):
if hash.startswith('{SHA}'):
try:
passw_hash = '{SHA}' + b64encode(sha1(passw).digest())
if passw_hash == hash:
return True
except:
import traceback
traceback.print_exc()
elif sha512_crypt.identify(hash):
return sha512_crypt.verify(passw, hash)
return False
def check_password(self, username, password):
if not username in ajenti.config.tree.users:
return False
type = 'plain'
saved = ajenti.config.tree.users[username].password
if '|' in saved:
type, saved = saved.split('|')
if type == 'plain':
hash = password
return hash == saved
elif sha512_crypt.identify(saved):
return sha512_crypt.verify(password, saved)
def check_password(self, username, password):
if not username in ajenti.config.tree.users:
return False
type = 'plain'
saved = ajenti.config.tree.users[username].password
if '|' in saved:
type, saved = saved.split('|')
if type == 'plain':
hash = password
return hash == saved
elif sha512_crypt.identify(saved):
return sha512_crypt.verify(password, saved)
def check_auth(username, password):
"""This function is called to check if a username /
password combination is valid.
"""
def any_(l):
"""Check if any element in the list is true, in constant time.
"""
ret = False
for e in l:
if e:
ret = True
return ret
user_ok = False
pass_sha1_ok = pbkdf2_sha256_ok = pass_sha512_ok = pass_sha512_crypt_ok = pass_bcrypt_crypt_ok = False
user_ok = app.conf['wapt_user'] == username
pass_sha1_ok = app.conf['wapt_password'] == hashlib.sha1(
password.encode('utf8')).hexdigest()
pass_sha512_ok = app.conf['wapt_password'] == hashlib.sha512(
password.encode('utf8')).hexdigest()
if '$pbkdf2-sha256$' in app.conf['wapt_password']:
pbkdf2_sha256_ok = pbkdf2_sha256.verify(password,
app.conf['wapt_password'])
elif sha512_crypt.identify(app.conf['wapt_password']):
pass_sha512_crypt_ok = sha512_crypt.verify(password,
app.conf['wapt_password'])
else:
try:
if bcrypt.identify(app.conf['wapt_password']):
pass_bcrypt_crypt_ok = bcrypt.verify(password,
app.conf['wapt_password'])
except Exception:
pass
basic_auth = any_([
pbkdf2_sha256_ok, pass_sha1_ok, pass_sha512_ok, pass_sha512_crypt_ok,
pass_bcrypt_crypt_ok
]) and user_ok
return basic_auth or (auth_module_ad is not None
and auth_module_ad.check_credentials_ad(
app.conf, username, password))
def check_auth(username, password):
"""This function is called to check if a username /
password combination is valid.
"""
def any_(l):
"""Check if any element in the list is true, in constant time.
"""
ret = False
for e in l:
if e:
ret = True
return ret
user_ok = False
pass_sha1_ok = pbkdf2_sha256_ok = pass_sha512_ok = pass_sha512_crypt_ok = pass_bcrypt_crypt_ok = False
user_ok = app.conf['wapt_user'] == username
pass_sha1_ok = app.conf['wapt_password'] == hashlib.sha1(
password.encode('utf8')).hexdigest()
pass_sha512_ok = app.conf['wapt_password'] == hashlib.sha512(
password.encode('utf8')).hexdigest()
if '$pbkdf2-sha256$' in app.conf['wapt_password']:
pbkdf2_sha256_ok = pbkdf2_sha256.verify(password, app.conf['wapt_password'])
elif sha512_crypt.identify(app.conf['wapt_password']):
pass_sha512_crypt_ok = sha512_crypt.verify(
password,
app.conf['wapt_password'])
else:
try:
if bcrypt.identify(app.conf['wapt_password']):
pass_bcrypt_crypt_ok = bcrypt.verify(
password,
app.conf['wapt_password'])
except Exception:
pass
basic_auth = any_([pbkdf2_sha256_ok, pass_sha1_ok, pass_sha512_ok,
pass_sha512_crypt_ok, pass_bcrypt_crypt_ok]) and user_ok
return basic_auth or (auth_module_ad is not None and auth_module_ad.check_credentials_ad(app.conf, username, password))
def check_auth( username=None, password = None, request = None,
session=None, methods=['admin','ldap','session']):
"""This function is called to check if a username /
password combination is valid or to get already authenticated username
from session argument.
If no username or password, use session.authorization header if available.
Args:
username (str):
password (str):
request (Flask.Request) : request where to lookup authrization basic header
session (Flask.Session) where to lookup session user
methods (list of str) : list of auth method to try until one is successfull
'session': use current session user if it matches username
'admin':
'ldap':
'kerb':
'ssl':
'passwd':
Returns:
dict (auth_method = auth_method,user=auth_user,auth_date=auth_date)
None if auth is not successfull
"""
if username is None and password is None and request is not None and request.authorization:
username = request.authorization.username
password = request.authorization.password
auth_method = None
auth_user = None
auth_date = None
assert(isinstance(methods,list))
for method in methods:
if method == 'session' and session:
session_user = session.get('user',None)
if session_user and (username is None or username == session_user):
auth_user = session_user
auth_date = session.get('auth_date',None)
auth_method = method
logger.debug(u'User %s authenticated using session cookie' % (username,))
elif method == 'passwd' and valid_username(username) and username != app.conf['wapt_user'] and password is not None:
# local htpasswd user/passwd file for add_host registration action
if app.conf.get('htpasswd_path'):
htpasswd_users = HtpasswdFile(app.conf.get('htpasswd_path'))
if htpasswd_users.verify(username,password):
auth_method = method
auth_user = username
auth_date = datetime.datetime.utcnow().isoformat()
logger.debug(u'User %s authenticated using htpasswd %s' % (username,htpasswd_users))
else:
logger.debug(u'user %s htpasswd %s verification failed' % (username,htpasswd_users))
elif method == 'admin' and valid_username(username) and app.conf['wapt_user'] == username and password is not None:
pbkdf2_sha256_ok = False
pass_sha512_crypt_ok = False
pass_bcrypt_crypt_ok = False
if '$pbkdf2-sha256$' in app.conf['wapt_password']:
pbkdf2_sha256_ok = pbkdf2_sha256.verify(password, app.conf['wapt_password'])
elif sha512_crypt.identify(app.conf['wapt_password']):
pass_sha512_crypt_ok = sha512_crypt.verify(
password,
app.conf['wapt_password'])
else:
try:
if bcrypt.identify(app.conf['wapt_password']):
pass_bcrypt_crypt_ok = bcrypt.verify(
password,
app.conf['wapt_password'])
except Exception:
pass
if pbkdf2_sha256_ok or pass_sha512_crypt_ok or pass_bcrypt_crypt_ok:
auth_method = method
auth_user = username
auth_date = datetime.datetime.utcnow().isoformat()
else:
logger.debug(u'wapt admin passwd verification failed')
elif method == 'token':
# token auth
token_secret_key = app.conf['secret_key']
if token_secret_key:
# check if there is a valid token in the password
try:
token_gen = get_secured_token_generator(token_secret_key)
# check if there is a Bearer, else use Basic / password
authorization = request.headers.get('Authorization')
if authorization and authorization.startswith('Bearer '):
token_data = token_gen.loads(authorization.split(' ',1)[1])
elif password is not None:
token_data = token_gen.loads(password)
else:
raise EWaptAuthenticationFailure('No token')
uuid = token_data.get('uuid', token_data.get('user',None))
if not uuid:
raise EWaptAuthenticationFailure('Bad token UUID')
if token_data['server_uuid'] != get_server_uuid():
raise EWaptAuthenticationFailure('Bad server UUID')
auth_method = method
auth_user = uuid
auth_date = datetime.datetime.fromtimestamp(token_data['iat']).isoformat()
logger.debug(u'User %s authenticated using token' % (uuid,))
except Exception as e:
logger.debug(u'Token verification failed : %s' % repr(e))
pass
elif method == 'kerb' and app.conf['use_kerberos']:
# with nginx kerberos module, auth user name is stored as Basic auth in the
# 'Authorisation' header with password 'bogus_auth_gss_passwd'
# Kerberos auth negociated by nginx
if username != '' and password == 'bogus_auth_gss_passwd':
authenticated_user = username.lower().replace('$', '')
auth_method = method
auth_user = authenticated_user
auth_date = datetime.datetime.utcnow().isoformat()
logger.debug(u'User %s authenticated using kerberos' % (authenticated_user,))
elif method == 'ldap' and valid_username(username) and password is not None:
if auth_module_ad is not None and (app.conf['wapt_user'] != username and
auth_module_ad.check_credentials_ad(app.conf, username, password)):
auth_method = method
auth_user = username
auth_date = datetime.datetime.utcnow().isoformat()
logger.debug(u'User %s authenticated using LDAP' % (username,))
# nginx ssl auth.
elif method == 'ssl' and request and app.conf['use_ssl_client_auth'] and request.headers.get('X-Ssl-Authenticated', None) == 'SUCCESS':
dn = request.headers.get('X-Ssl-Client-Dn', None)
if dn:
auth_method = method
# strip CN= if no other suffix.
if dn.upper().startswith('CN='):
auth_user = dn.split('=',1)[1]
else:
auth_user = dn
auth_date = datetime.datetime.utcnow().isoformat()
logger.debug(u'User %s authenticated using SSL client certificate' % (dn,))
if auth_method and auth_user:
break
#only session and admin methods are ok for the embedded wapt admin password based account.
if auth_method and auth_user and (auth_user != app.conf['wapt_user'] or auth_method in ('session','admin')):
return dict(auth_method = auth_method,user=auth_user,auth_date=auth_date)
else:
return None
