Radicale/radicale/auth/__init__.py

# This file is part of Radicale - CalDAV and CardDAV server
# Copyright © 2008 Nicolas Kandel
# Copyright © 2008 Pascal Halter
# Copyright © 2008-2017 Guillaume Ayoub
# Copyright © 2017-2022 Unrud <unrud@outlook.com>
# Copyright © 2024-2024 Peter Bieringer <pb@bieringer.de>
#
# This library is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This library is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Radicale.  If not, see <http://www.gnu.org/licenses/>.

"""
Authentication module.

Authentication is based on usernames and passwords. If something more
advanced is needed an external WSGI server or reverse proxy can be used
(see ``remote_user`` or ``http_x_remote_user`` backend).

Take a look at the class ``BaseAuth`` if you want to implement your own.

"""

import hashlib
import time
from typing import Sequence, Set, Tuple, Union, final

from radicale import config, types, utils
from radicale.log import logger

INTERNAL_TYPES: Sequence[str] = ("none", "remote_user", "http_x_remote_user",
                                 "denyall",
                                 "htpasswd",
                                 "ldap",
                                 "dovecot")


def load(configuration: "config.Configuration") -> "BaseAuth":
    """Load the authentication module chosen in configuration."""
    if configuration.get("auth", "type") == "none":
        logger.warning("No user authentication is selected: '[auth] type=none' (insecure)")
    if configuration.get("auth", "type") == "denyall":
        logger.warning("All access is blocked by: '[auth] type=denyall'")
    return utils.load_plugin(INTERNAL_TYPES, "auth", "Auth", BaseAuth,
                             configuration)


class BaseAuth:

    _ldap_groups: Set[str] = set([])
    _lc_username: bool
    _uc_username: bool
    _strip_domain: bool
    _cache: dict
    _cache_logins: bool
    _cache_logins_expiry: int
    _cache_logins_expiry_ns: int

    def __init__(self, configuration: "config.Configuration") -> None:
        """Initialize BaseAuth.

        ``configuration`` see ``radicale.config`` module.
        The ``configuration`` must not change during the lifetime of
        this object, it is kept as an internal reference.

        """
        self.configuration = configuration
        self._lc_username = configuration.get("auth", "lc_username")
        self._uc_username = configuration.get("auth", "uc_username")
        self._strip_domain = configuration.get("auth", "strip_domain")
        self._cache_logins = configuration.get("auth", "cache_logins")
        self._cache_logins_expiry = configuration.get("auth", "cache_logins_expiry")
        if self._cache_logins_expiry < 0:
            raise RuntimeError("self._cache_logins_expiry cannot be < 0")
        logger.info("auth.strip_domain: %s", self._strip_domain)
        logger.info("auth.lc_username: %s", self._lc_username)
        logger.info("auth.uc_username: %s", self._uc_username)
        if self._lc_username is True and self._uc_username is True:
            raise RuntimeError("auth.lc_username and auth.uc_username cannot be enabled together")
        logger.info("auth.cache_logins: %s", self._cache_logins)
        if self._cache_logins is True:
            logger.info("auth.cache_logins_expiry: %s seconds", self._cache_logins_expiry)
            self._cache_logins_expiry_ns = self._cache_logins_expiry * 1000 * 1000 * 1000
        self._cache = dict()

    def _cache_digest(self, login: str, password: str, salt: str) -> str:
        h = hashlib.sha3_512()
        h.update(salt.encode())
        h.update(login.encode())
        h.update(password.encode())
        return str(h.digest())

    def get_external_login(self, environ: types.WSGIEnviron) -> Union[
            Tuple[()], Tuple[str, str]]:
        """Optionally provide the login and password externally.

        ``environ`` a dict with the WSGI environment

        If ``()`` is returned, Radicale handles HTTP authentication.
        Otherwise, returns a tuple ``(login, password)``. For anonymous users
        ``login`` must be ``""``.

        """
        return ()

    def _login(self, login: str, password: str) -> str:
        """Check credentials and map login to internal user

        ``login`` the login name

        ``password`` the password

        Returns the username or ``""`` for invalid credentials.

        """

        raise NotImplementedError

    @final
    def login(self, login: str, password: str) -> str:
        if self._lc_username:
            login = login.lower()
        if self._uc_username:
            login = login.upper()
        if self._strip_domain:
            login = login.split('@')[0]
        if self._cache_logins is True:
            # time_ns is also used as salt
            result = ""
            digest = ""
            time_ns = time.time_ns()
            if self._cache.get(login):
                # entry found in cache
                (digest_cache, time_ns_cache) = self._cache[login]
                digest = self._cache_digest(login, password, str(time_ns_cache))
                if digest == digest_cache:
                    if (time_ns - time_ns_cache) > self._cache_logins_expiry_ns:
                        logger.debug("Login cache entry for user found but expired: '%s'", login)
                        digest = ""
                    else:
                        logger.debug("Login cache entry for user found: '%s'", login)
                        result = login
                else:
                    logger.debug("Login cache entry for user not matching: '%s'", login)
            else:
                # entry not found in cache, caculate always to avoid timing attacks
                digest = self._cache_digest(login, password, str(time_ns))
            if result == "":
                result = self._login(login, password)
                if result != "":
                    if digest == "":
                        # successful login, but expired, digest must be recalculated
                        digest = self._cache_digest(login, password, str(time_ns))
                    # store successful login in cache
                    self._cache[login] = (digest, time_ns)
                    logger.debug("Login cache for user set: '%s'", login)
            return result
        else:
            return self._login(login, password)
Change name in file header 2021-12-08 21:45:42 +01:00			`# This file is part of Radicale - CalDAV and CardDAV server`
refactor 2018-08-28 16:19:36 +02:00			`# Copyright © 2008 Nicolas Kandel`
			`# Copyright © 2008 Pascal Halter`
			`# Copyright © 2008-2017 Guillaume Ayoub`
extend copyright 2024-06-07 06:46:16 +02:00			`# Copyright © 2017-2022 Unrud <unrud@outlook.com>`
			`# Copyright © 2024-2024 Peter Bieringer <pb@bieringer.de>`
refactor 2018-08-28 16:19:36 +02:00			`#`
			`# This library is free software: you can redistribute it and/or modify`
			`# it under the terms of the GNU General Public License as published by`
			`# the Free Software Foundation, either version 3 of the License, or`
			`# (at your option) any later version.`
			`#`
			`# This library is distributed in the hope that it will be useful,`
			`# but WITHOUT ANY WARRANTY; without even the implied warranty of`
			`# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the`
			`# GNU General Public License for more details.`
			`#`
			`# You should have received a copy of the GNU General Public License`
			`# along with Radicale. If not, see <http://www.gnu.org/licenses/>.`

			`"""`
Improve documentation 2020-01-12 23:32:28 +01:00			`Authentication module.`
refactor 2018-08-28 16:19:36 +02:00
Improve documentation 2020-01-12 23:32:28 +01:00			`Authentication is based on usernames and passwords. If something more`
			`advanced is needed an external WSGI server or reverse proxy can be used`
			(see ``remote_user`` or ``http_x_remote_user`` backend).
refactor 2018-08-28 16:19:36 +02:00
Improve documentation 2020-01-12 23:32:28 +01:00			Take a look at the class ``BaseAuth`` if you want to implement your own.
refactor 2018-08-28 16:19:36 +02:00
			`"""`

implement cache_logins* option 2024-12-30 08:17:15 +01:00			`import hashlib`
			`import time`
Disable overloading BaseAuth login method 2024-12-25 21:56:04 +03:00			`from typing import Sequence, Set, Tuple, Union, final`
refactor 2018-08-28 16:19:36 +02:00
More type hints 2021-07-26 20:56:46 +02:00			`from radicale import config, types, utils`
warn in case no user authentication is active 2024-06-07 08:35:46 +02:00			`from radicale.log import logger`
refactor 2018-08-28 16:19:36 +02:00
More type hints 2021-07-26 20:56:46 +02:00			`INTERNAL_TYPES: Sequence[str] = ("none", "remote_user", "http_x_remote_user",`
add support for auth.type=denyall 2024-06-07 06:45:39 +02:00			`"denyall",`
Fix merge conflicts. 2024-08-25 14:11:48 +02:00			`"htpasswd",`
Rebase galaxy4public patch on top of bf4f5834 2024-10-30 10:33:10 -10:00			`"ldap",`
			`"dovecot")`
refactor 2018-08-28 16:19:36 +02:00
More type hints 2021-07-26 20:56:46 +02:00
			`def load(configuration: "config.Configuration") -> "BaseAuth":`
Extract method loader() 2020-01-14 22:43:48 +01:00			`"""Load the authentication module chosen in configuration."""`
warn in case no user authentication is active 2024-06-07 08:35:46 +02:00			`if configuration.get("auth", "type") == "none":`
DeprecationWarning: The 'warn' method is deprecated, use 'warning' instead 2024-06-09 08:32:45 +02:00			`logger.warning("No user authentication is selected: '[auth] type=none' (insecure)")`
log also in case of "denyall" is selected, cosmetics 2024-06-07 12:35:21 +02:00			`if configuration.get("auth", "type") == "denyall":`
DeprecationWarning: The 'warn' method is deprecated, use 'warning' instead 2024-06-09 08:32:45 +02:00			`logger.warning("All access is blocked by: '[auth] type=denyall'")`
More type hints 2021-07-26 20:56:46 +02:00			`return utils.load_plugin(INTERNAL_TYPES, "auth", "Auth", BaseAuth,`
			`configuration)`
refactor 2018-08-28 16:19:36 +02:00
flake8 E302 2024-12-25 22:28:01 +03:00
refactor 2018-08-28 16:19:36 +02:00			`class BaseAuth:`
More type hints 2021-07-26 20:56:46 +02:00
Fixing type definition error. 2024-09-11 14:13:06 +02:00			`_ldap_groups: Set[str] = set([])`
added compatibility with a case-insensitive authentication provider 2024-04-17 18:31:51 +03:00			`_lc_username: bool`
Add: option [auth] uc_username for uppercase conversion (similar to existing lc_username) 2024-12-14 09:25:36 +01:00			`_uc_username: bool`
add auth/strip_domain option 2024-07-18 06:50:29 +02:00			`_strip_domain: bool`
implement cache_logins* option 2024-12-30 08:17:15 +01:00			`_cache: dict`
			`_cache_logins: bool`
			`_cache_logins_expiry: int`
			`_cache_logins_expiry_ns: int`
Now rights can be add to user groups too. 2022-02-21 17:15:21 +01:00
More type hints 2021-07-26 20:56:46 +02:00			`def __init__(self, configuration: "config.Configuration") -> None:`
Improve documentation 2020-01-13 15:51:10 +01:00			`"""Initialize BaseAuth.`

			``configuration`` see ``radicale.config`` module.
			The ``configuration`` must not change during the lifetime of
			`this object, it is kept as an internal reference.`

			`"""`
refactor 2018-08-28 16:19:36 +02:00			`self.configuration = configuration`
added compatibility with a case-insensitive authentication provider 2024-04-17 18:31:51 +03:00			`self._lc_username = configuration.get("auth", "lc_username")`
Add: option [auth] uc_username for uppercase conversion (similar to existing lc_username) 2024-12-14 09:25:36 +01:00			`self._uc_username = configuration.get("auth", "uc_username")`
add auth/strip_domain option 2024-07-18 06:50:29 +02:00			`self._strip_domain = configuration.get("auth", "strip_domain")`
implement cache_logins* option 2024-12-30 08:17:15 +01:00			`self._cache_logins = configuration.get("auth", "cache_logins")`
			`self._cache_logins_expiry = configuration.get("auth", "cache_logins_expiry")`
			`if self._cache_logins_expiry < 0:`
			`raise RuntimeError("self._cache_logins_expiry cannot be < 0")`
Add: option [auth] uc_username for uppercase conversion (similar to existing lc_username) 2024-12-14 09:25:36 +01:00			`logger.info("auth.strip_domain: %s", self._strip_domain)`
			`logger.info("auth.lc_username: %s", self._lc_username)`
			`logger.info("auth.uc_username: %s", self._uc_username)`
			`if self._lc_username is True and self._uc_username is True:`
			`raise RuntimeError("auth.lc_username and auth.uc_username cannot be enabled together")`
implement cache_logins* option 2024-12-30 08:17:15 +01:00			`logger.info("auth.cache_logins: %s", self._cache_logins)`
			`if self._cache_logins is True:`
			`logger.info("auth.cache_logins_expiry: %s seconds", self._cache_logins_expiry)`
			`self._cache_logins_expiry_ns = self._cache_logins_expiry * 1000 * 1000 * 1000`
			`self._cache = dict()`

			`def _cache_digest(self, login: str, password: str, salt: str) -> str:`
			`h = hashlib.sha3_512()`
			`h.update(salt.encode())`
			`h.update(login.encode())`
			`h.update(password.encode())`
fixes triggered by tox 2024-12-30 05:25:10 +01:00			`return str(h.digest())`
refactor 2018-08-28 16:19:36 +02:00
More type hints 2021-07-26 20:56:46 +02:00			`def get_external_login(self, environ: types.WSGIEnviron) -> Union[`
			`Tuple[()], Tuple[str, str]]:`
refactor 2018-08-28 16:19:36 +02:00			`"""Optionally provide the login and password externally.`

			``environ`` a dict with the WSGI environment

			If ``()`` is returned, Radicale handles HTTP authentication.
			Otherwise, returns a tuple ``(login, password)``. For anonymous users
			``login`` must be ``""``.

			`"""`
			`return ()`

added compatibility with a case-insensitive authentication provider 2024-04-17 18:31:51 +03:00			`def _login(self, login: str, password: str) -> str:`
refactor 2018-08-28 16:19:36 +02:00			`"""Check credentials and map login to internal user`

			``login`` the login name

			``password`` the password

Change "user name" to "username" 2022-01-07 23:54:34 +01:00			Returns the username or ``""`` for invalid credentials.
refactor 2018-08-28 16:19:36 +02:00
			`"""`

			`raise NotImplementedError`
added compatibility with a case-insensitive authentication provider 2024-04-17 18:31:51 +03:00
Disable overloading BaseAuth login method 2024-12-25 21:56:04 +03:00			`@final`
added compatibility with a case-insensitive authentication provider 2024-04-17 18:31:51 +03:00			`def login(self, login: str, password: str) -> str:`
add auth/strip_domain option 2024-07-18 06:50:29 +02:00			`if self._lc_username:`
			`login = login.lower()`
Add: option [auth] uc_username for uppercase conversion (similar to existing lc_username) 2024-12-14 09:25:36 +01:00			`if self._uc_username:`
			`login = login.upper()`
add auth/strip_domain option 2024-07-18 06:50:29 +02:00			`if self._strip_domain:`
			`login = login.split('@')[0]`
implement cache_logins* option 2024-12-30 08:17:15 +01:00			`if self._cache_logins is True:`
			`# time_ns is also used as salt`
			`result = ""`
			`digest = ""`
			`time_ns = time.time_ns()`
			`if self._cache.get(login):`
			`# entry found in cache`
			`(digest_cache, time_ns_cache) = self._cache[login]`
			`digest = self._cache_digest(login, password, str(time_ns_cache))`
			`if digest == digest_cache:`
			`if (time_ns - time_ns_cache) > self._cache_logins_expiry_ns:`
			`logger.debug("Login cache entry for user found but expired: '%s'", login)`
			`digest = ""`
			`else:`
			`logger.debug("Login cache entry for user found: '%s'", login)`
			`result = login`
			`else:`
			`logger.debug("Login cache entry for user not matching: '%s'", login)`
			`else:`
			`# entry not found in cache, caculate always to avoid timing attacks`
			`digest = self._cache_digest(login, password, str(time_ns))`
			`if result == "":`
			`result = self._login(login, password)`
fixes triggered by tox 2024-12-30 05:25:10 +01:00			`if result != "":`
			`if digest == "":`
implement cache_logins* option 2024-12-30 08:17:15 +01:00			`# successful login, but expired, digest must be recalculated`
			`digest = self._cache_digest(login, password, str(time_ns))`
			`# store successful login in cache`
			`self._cache[login] = (digest, time_ns)`
			`logger.debug("Login cache for user set: '%s'", login)`
			`return result`
			`else:`
			`return self._login(login, password)`