| 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274 |
- # This file is part of Radicale Server - Calendar Server
- # Copyright © 2008 Nicolas Kandel
- # Copyright © 2008 Pascal Halter
- # Copyright © 2008-2017 Guillaume Ayoub
- #
- # This library is free software: you can redistribute it and/or modify
- # it under the terms of the GNU General Public License as published by
- # the Free Software Foundation, either version 3 of the License, or
- # (at your option) any later version.
- #
- # This library is distributed in the hope that it will be useful,
- # but WITHOUT ANY WARRANTY; without even the implied warranty of
- # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- # GNU General Public License for more details.
- #
- # You should have received a copy of the GNU General Public License
- # along with Radicale. If not, see <http://www.gnu.org/licenses/>.
- """
- Authentication management.
- Default is htpasswd authentication.
- Apache's htpasswd command (httpd.apache.org/docs/programs/htpasswd.html)
- manages a file for storing user credentials. It can encrypt passwords using
- different methods, e.g. BCRYPT, MD5-APR1 (a version of MD5 modified for
- Apache), SHA1, or by using the system's CRYPT routine. The CRYPT and SHA1
- encryption methods implemented by htpasswd are considered as insecure. MD5-APR1
- provides medium security as of 2015. Only BCRYPT can be considered secure by
- current standards.
- MD5-APR1-encrypted credentials can be written by all versions of htpasswd (it
- is the default, in fact), whereas BCRYPT requires htpasswd 2.4.x or newer.
- The `is_authenticated(user, password)` function provided by this module
- verifies the user-given credentials by parsing the htpasswd credential file
- pointed to by the ``htpasswd_filename`` configuration value while assuming
- the password encryption method specified via the ``htpasswd_encryption``
- configuration value.
- The following htpasswd password encrpytion methods are supported by Radicale
- out-of-the-box:
- - plain-text (created by htpasswd -p...) -- INSECURE
- - CRYPT (created by htpasswd -d...) -- INSECURE
- - SHA1 (created by htpasswd -s...) -- INSECURE
- When passlib (https://pypi.python.org/pypi/passlib) is importable, the
- following significantly more secure schemes are parsable by Radicale:
- - MD5-APR1 (htpasswd -m...) -- htpasswd's default method
- - BCRYPT (htpasswd -B...) -- Requires htpasswd 2.4.x
- """
- import base64
- import functools
- import hashlib
- import hmac
- import os
- from importlib import import_module
- INTERNAL_TYPES = ("None", "none", "remote_user", "http_x_remote_user",
- "htpasswd")
- def load(configuration, logger):
- """Load the authentication manager chosen in configuration."""
- auth_type = configuration.get("auth", "type")
- if auth_type in ("None", "none"): # DEPRECATED: use "none"
- class_ = NoneAuth
- elif auth_type == "remote_user":
- class_ = RemoteUserAuth
- elif auth_type == "http_x_remote_user":
- class_ = HttpXRemoteUserAuth
- elif auth_type == "htpasswd":
- class_ = Auth
- else:
- try:
- class_ = import_module(auth_type).Auth
- except Exception as e:
- raise RuntimeError("Failed to load authentication module %r: %s" %
- (auth_type, e)) from e
- logger.info("Authentication type is %r", auth_type)
- return class_(configuration, logger)
- class BaseAuth:
- def __init__(self, configuration, logger):
- self.configuration = configuration
- self.logger = logger
- def get_external_login(self, environ):
- """Optionally provide the login and password externally.
- ``environ`` a dict with the WSGI environment
- If ``()`` is returned, Radicale handles HTTP authentication.
- Otherwise, returns a tuple ``(login, password)``. For anonymous users
- ``login`` must be ``""``.
- """
- return ()
- def is_authenticated2(self, login, user, password):
- """Validate credentials.
- ``login`` the login name
- ``user`` the user from ``map_login_to_user(login)``.
- ``password`` the login password
- """
- return self.is_authenticated(user, password)
- def is_authenticated(self, user, password):
- """Validate credentials.
- DEPRECATED: use ``is_authenticated2`` instead
- """
- raise NotImplementedError
- def map_login_to_user(self, login):
- """Map login name to internal user.
- ``login`` the login name, ``""`` for anonymous users
- Returns a string with the user name.
- If a login can't be mapped to an user, return ``login`` and
- return ``False`` in ``is_authenticated2(...)``.
- """
- return login
- class NoneAuth(BaseAuth):
- def is_authenticated(self, user, password):
- return True
- class Auth(BaseAuth):
- def __init__(self, configuration, logger):
- super().__init__(configuration, logger)
- self.filename = os.path.expanduser(
- configuration.get("auth", "htpasswd_filename"))
- self.encryption = configuration.get("auth", "htpasswd_encryption")
- if self.encryption == "ssha":
- self.verify = self._ssha
- elif self.encryption == "sha1":
- self.verify = self._sha1
- elif self.encryption == "plain":
- self.verify = self._plain
- elif self.encryption == "md5":
- try:
- from passlib.hash import apr_md5_crypt
- except ImportError as e:
- raise RuntimeError(
- "The htpasswd encryption method 'md5' requires "
- "the passlib module.") from e
- self.verify = functools.partial(self._md5apr1, apr_md5_crypt)
- elif self.encryption == "bcrypt":
- try:
- from passlib.hash import bcrypt
- except ImportError as e:
- raise RuntimeError(
- "The htpasswd encryption method 'bcrypt' requires "
- "the passlib module with bcrypt support.") from e
- # A call to `encrypt` raises passlib.exc.MissingBackendError with a
- # good error message if bcrypt backend is not available. Trigger
- # this here.
- bcrypt.encrypt("test-bcrypt-backend")
- self.verify = functools.partial(self._bcrypt, bcrypt)
- elif self.encryption == "crypt":
- try:
- import crypt
- except ImportError as e:
- raise RuntimeError(
- "The htpasswd encryption method 'crypt' requires "
- "the crypt() system support.") from e
- self.verify = functools.partial(self._crypt, crypt)
- else:
- raise RuntimeError(
- "The htpasswd encryption method %r is not "
- "supported." % self.encryption)
- def _plain(self, hash_value, password):
- """Check if ``hash_value`` and ``password`` match, plain method."""
- return hmac.compare_digest(hash_value, password)
- def _crypt(self, crypt, hash_value, password):
- """Check if ``hash_value`` and ``password`` match, crypt method."""
- hash_value = hash_value.strip()
- return hmac.compare_digest(crypt.crypt(password, hash_value),
- hash_value)
- def _sha1(self, hash_value, password):
- """Check if ``hash_value`` and ``password`` match, sha1 method."""
- hash_value = base64.b64decode(hash_value.strip().replace(
- "{SHA}", "").encode("ascii"))
- password = password.encode(self.configuration.get("encoding", "stock"))
- sha1 = hashlib.sha1()
- sha1.update(password)
- return hmac.compare_digest(sha1.digest(), hash_value)
- def _ssha(self, hash_value, password):
- """Check if ``hash_value`` and ``password`` match, salted sha1 method.
- This method is not directly supported by htpasswd, but it can be
- written with e.g. openssl, and nginx can parse it.
- """
- hash_value = base64.b64decode(hash_value.strip().replace(
- "{SSHA}", "").encode("ascii"))
- password = password.encode(self.configuration.get("encoding", "stock"))
- salt_value = hash_value[20:]
- hash_value = hash_value[:20]
- sha1 = hashlib.sha1()
- sha1.update(password)
- sha1.update(salt_value)
- return hmac.compare_digest(sha1.digest(), hash_value)
- def _bcrypt(self, bcrypt, hash_value, password):
- hash_value = hash_value.strip()
- return bcrypt.verify(password, hash_value)
- def _md5apr1(self, md5_apr1, hash_value, password):
- hash_value = hash_value.strip()
- return md5_apr1.verify(password, hash_value)
- def is_authenticated(self, user, password):
- """Validate credentials.
- Iterate through htpasswd credential file until user matches, extract
- hash (encrypted password) and check hash against user-given password,
- using the method specified in the Radicale config.
- The content of the file is not cached because reading is generally a
- very cheap operation, and it's useful to get live updates of the
- htpasswd file.
- """
- try:
- with open(self.filename) as f:
- for line in f:
- line = line.rstrip("\n")
- if line.lstrip() and not line.lstrip().startswith("#"):
- try:
- login, hash_value = line.split(":", maxsplit=1)
- # Always compare both login and password to avoid
- # timing attacks, see #591.
- login_ok = hmac.compare_digest(login, user)
- password_ok = self.verify(hash_value, password)
- if login_ok and password_ok:
- return True
- except ValueError as e:
- raise RuntimeError("Invalid htpasswd file %r: %s" %
- (self.filename, e)) from e
- except OSError as e:
- raise RuntimeError("Failed to load htpasswd file %r: %s" %
- (self.filename, e)) from e
- return False
- class RemoteUserAuth(NoneAuth):
- def get_external_login(self, environ):
- return environ.get("REMOTE_USER", ""), ""
- class HttpXRemoteUserAuth(NoneAuth):
- def get_external_login(self, environ):
- return environ.get("HTTP_X_REMOTE_USER", ""), ""
|
