Radicale/radicale/auth/htpasswd.py

# This file is part of Radicale Server - Calendar Server
# Copyright © 2008 Nicolas Kandel
# Copyright © 2008 Pascal Halter
# Copyright © 2008-2017 Guillaume Ayoub
# Copyright © 2017-2018 Unrud <unrud@outlook.com>
#
# This library is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This library is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Radicale.  If not, see <http://www.gnu.org/licenses/>.

import base64
import functools
import hashlib
import hmac
import os

from radicale import auth


class Auth(auth.BaseAuth):
    def __init__(self, configuration):
        super().__init__(configuration)
        self.filename = os.path.expanduser(
            configuration.get("auth", "htpasswd_filename"))
        self.encryption = configuration.get("auth", "htpasswd_encryption")

        if self.encryption == "ssha":
            self.verify = self._ssha
        elif self.encryption == "sha1":
            self.verify = self._sha1
        elif self.encryption == "plain":
            self.verify = self._plain
        elif self.encryption == "md5":
            try:
                from passlib.hash import apr_md5_crypt
            except ImportError as e:
                raise RuntimeError(
                    "The htpasswd encryption method 'md5' requires "
                    "the passlib module.") from e
            self.verify = functools.partial(self._md5apr1, apr_md5_crypt)
        elif self.encryption == "bcrypt":
            try:
                from passlib.hash import bcrypt
            except ImportError as e:
                raise RuntimeError(
                    "The htpasswd encryption method 'bcrypt' requires "
                    "the passlib module with bcrypt support.") from e
            # A call to `encrypt` raises passlib.exc.MissingBackendError with a
            # good error message if bcrypt backend is not available. Trigger
            # this here.
            bcrypt.hash("test-bcrypt-backend")
            self.verify = functools.partial(self._bcrypt, bcrypt)
        elif self.encryption == "crypt":
            try:
                import crypt
            except ImportError as e:
                raise RuntimeError(
                    "The htpasswd encryption method 'crypt' requires "
                    "the crypt() system support.") from e
            self.verify = functools.partial(self._crypt, crypt)
        else:
            raise RuntimeError(
                "The htpasswd encryption method %r is not "
                "supported." % self.encryption)

    def _plain(self, hash_value, password):
        """Check if ``hash_value`` and ``password`` match, plain method."""
        return hmac.compare_digest(hash_value, password)

    def _crypt(self, crypt, hash_value, password):
        """Check if ``hash_value`` and ``password`` match, crypt method."""
        hash_value = hash_value.strip()
        return hmac.compare_digest(crypt.crypt(password, hash_value),
                                   hash_value)

    def _sha1(self, hash_value, password):
        """Check if ``hash_value`` and ``password`` match, sha1 method."""
        hash_value = base64.b64decode(hash_value.strip().replace(
            "{SHA}", "").encode("ascii"))
        password = password.encode(self.configuration.get("encoding", "stock"))
        sha1 = hashlib.sha1()
        sha1.update(password)
        return hmac.compare_digest(sha1.digest(), hash_value)

    def _ssha(self, hash_value, password):
        """Check if ``hash_value`` and ``password`` match, salted sha1 method.

        This method is not directly supported by htpasswd, but it can be
        written with e.g. openssl, and nginx can parse it.

        """
        hash_value = base64.b64decode(hash_value.strip().replace(
            "{SSHA}", "").encode("ascii"))
        password = password.encode(self.configuration.get("encoding", "stock"))
        salt_value = hash_value[20:]
        hash_value = hash_value[:20]
        sha1 = hashlib.sha1()
        sha1.update(password)
        sha1.update(salt_value)
        return hmac.compare_digest(sha1.digest(), hash_value)

    def _bcrypt(self, bcrypt, hash_value, password):
        hash_value = hash_value.strip()
        return bcrypt.verify(password, hash_value)

    def _md5apr1(self, md5_apr1, hash_value, password):
        hash_value = hash_value.strip()
        return md5_apr1.verify(password, hash_value)

    def login(self, login, password):
        """Validate credentials.

        Iterate through htpasswd credential file until login matches, extract
        hash (encrypted password) and check hash against password,
        using the method specified in the Radicale config.

        The content of the file is not cached because reading is generally a
        very cheap operation, and it's useful to get live updates of the
        htpasswd file.

        """
        try:
            with open(self.filename) as f:
                for line in f:
                    line = line.rstrip("\n")
                    if line.lstrip() and not line.lstrip().startswith("#"):
                        try:
                            hash_login, hash_value = line.split(
                                ":", maxsplit=1)
                            # Always compare both login and password to avoid
                            # timing attacks, see #591.
                            login_ok = hmac.compare_digest(hash_login, login)
                            password_ok = self.verify(hash_value, password)
                            if login_ok and password_ok:
                                return login
                        except ValueError as e:
                            raise RuntimeError("Invalid htpasswd file %r: %s" %
                                               (self.filename, e)) from e
        except OSError as e:
            raise RuntimeError("Failed to load htpasswd file %r: %s" %
                               (self.filename, e)) from e
        return ""
Files added git-svn-id: http://svn.32rwr.info/radicale/trunk@2 74e4794c-479d-4a33-9dda-c6c359d70f12 2008-12-30 16:25:42 +00:00			`# This file is part of Radicale Server - Calendar Server`
Huge code and copyright cleanup. git-svn-id: http://svn.32rwr.info/radicale/trunk@9 74e4794c-479d-4a33-9dda-c6c359d70f12 2009-07-27 15:04:54 +00:00			`# Copyright © 2008 Nicolas Kandel`
			`# Copyright © 2008 Pascal Halter`
Update copyright years 2017-05-27 17:28:07 +02:00			`# Copyright © 2008-2017 Guillaume Ayoub`
Update copyright 2019-06-17 04:13:24 +02:00			`# Copyright © 2017-2018 Unrud <unrud@outlook.com>`
Files added git-svn-id: http://svn.32rwr.info/radicale/trunk@2 74e4794c-479d-4a33-9dda-c6c359d70f12 2008-12-30 16:25:42 +00:00			`#`
			`# This library is free software: you can redistribute it and/or modify`
			`# it under the terms of the GNU General Public License as published by`
			`# the Free Software Foundation, either version 3 of the License, or`
			`# (at your option) any later version.`
			`#`
			`# This library is distributed in the hope that it will be useful,`
			`# but WITHOUT ANY WARRANTY; without even the implied warranty of`
			`# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the`
			`# GNU General Public License for more details.`
			`#`
			`# You should have received a copy of the GNU General Public License`
			`# along with Radicale. If not, see <http://www.gnu.org/licenses/>.`

Add authentication structure, with fake and htpasswd methods. 2010-01-21 18:52:53 +01:00			`import base64`
Sort imports 2016-07-04 14:32:33 +02:00			`import functools`
Add authentication structure, with fake and htpasswd methods. 2010-01-21 18:52:53 +01:00			`import hashlib`
Compare passwords and hashes in constant time (Fixes #591) 2017-05-23 03:02:22 +02:00			`import hmac`
Allow tilde expansion for htpasswd file Call os.path.expanduser on the location given by the config parameter. This will allow to use settings like htpasswd_filename = ~/.config/radicale/users 2014-05-14 01:42:19 +02:00			`import os`
Huge code and copyright cleanup. git-svn-id: http://svn.32rwr.info/radicale/trunk@9 74e4794c-479d-4a33-9dda-c6c359d70f12 2009-07-27 15:04:54 +00:00
refactor 2018-08-28 16:19:36 +02:00			`from radicale import auth`
Use module-wide logger and remove logging config 2018-08-16 07:59:55 +02:00
Allow additional config options for external plugins 2017-06-21 09:48:57 +02:00
refactor 2018-08-28 16:19:36 +02:00			`class Auth(auth.BaseAuth):`
Use module-wide logger and remove logging config 2018-08-16 07:59:55 +02:00			`def __init__(self, configuration):`
			`super().__init__(configuration)`
Remove global state about configuration and logs Many things have been changed to make this possible, probably leading to many hidden bugs waiting to be found. Related to #122. 2016-04-22 11:37:02 +09:00			`self.filename = os.path.expanduser(`
			`configuration.get("auth", "htpasswd_filename"))`
			`self.encryption = configuration.get("auth", "htpasswd_encryption")`

			`if self.encryption == "ssha":`
			`self.verify = self._ssha`
			`elif self.encryption == "sha1":`
			`self.verify = self._sha1`
			`elif self.encryption == "plain":`
			`self.verify = self._plain`
			`elif self.encryption == "md5":`
			`try:`
Flake8 fixes 2016-05-04 19:25:34 +02:00			`from passlib.hash import apr_md5_crypt`
Improve error handling * Check the configuration file for errors (check option names and basic type checking). * Perform basic type checking on command line arguments. * Only print stack traces in debug mode. * Include much more information in error messages (e.g. include the path of invalid files). * Send Bad Request to clients for invalid XML requests or iCalendar data. * Change the log level of some messages. 2017-05-31 11:08:32 +02:00			`except ImportError as e:`
Remove global state about configuration and logs Many things have been changed to make this possible, probably leading to many hidden bugs waiting to be found. Related to #122. 2016-04-22 11:37:02 +09:00			`raise RuntimeError(`
			`"The htpasswd encryption method 'md5' requires "`
Improve error handling * Check the configuration file for errors (check option names and basic type checking). * Perform basic type checking on command line arguments. * Only print stack traces in debug mode. * Include much more information in error messages (e.g. include the path of invalid files). * Send Bad Request to clients for invalid XML requests or iCalendar data. * Change the log level of some messages. 2017-05-31 11:08:32 +02:00			`"the passlib module.") from e`
Flake8 fixes 2016-05-04 19:25:34 +02:00			`self.verify = functools.partial(self._md5apr1, apr_md5_crypt)`
Remove global state about configuration and logs Many things have been changed to make this possible, probably leading to many hidden bugs waiting to be found. Related to #122. 2016-04-22 11:37:02 +09:00			`elif self.encryption == "bcrypt":`
			`try:`
Flake8 fixes 2016-05-04 19:25:34 +02:00			`from passlib.hash import bcrypt`
Improve error handling * Check the configuration file for errors (check option names and basic type checking). * Perform basic type checking on command line arguments. * Only print stack traces in debug mode. * Include much more information in error messages (e.g. include the path of invalid files). * Send Bad Request to clients for invalid XML requests or iCalendar data. * Change the log level of some messages. 2017-05-31 11:08:32 +02:00			`except ImportError as e:`
Remove global state about configuration and logs Many things have been changed to make this possible, probably leading to many hidden bugs waiting to be found. Related to #122. 2016-04-22 11:37:02 +09:00			`raise RuntimeError(`
			`"The htpasswd encryption method 'bcrypt' requires "`
Improve error handling * Check the configuration file for errors (check option names and basic type checking). * Perform basic type checking on command line arguments. * Only print stack traces in debug mode. * Include much more information in error messages (e.g. include the path of invalid files). * Send Bad Request to clients for invalid XML requests or iCalendar data. * Change the log level of some messages. 2017-05-31 11:08:32 +02:00			`"the passlib module with bcrypt support.") from e`
Remove global state about configuration and logs Many things have been changed to make this possible, probably leading to many hidden bugs waiting to be found. Related to #122. 2016-04-22 11:37:02 +09:00			# A call to `encrypt` raises passlib.exc.MissingBackendError with a
			`# good error message if bcrypt backend is not available. Trigger`
			`# this here.`
passlib: use hash() instead of deprecated encrypt() 2018-09-08 14:42:19 +02:00			`bcrypt.hash("test-bcrypt-backend")`
Flake8 fixes 2016-05-04 19:25:34 +02:00			`self.verify = functools.partial(self._bcrypt, bcrypt)`
Remove global state about configuration and logs Many things have been changed to make this possible, probably leading to many hidden bugs waiting to be found. Related to #122. 2016-04-22 11:37:02 +09:00			`elif self.encryption == "crypt":`
			`try:`
			`import crypt`
Improve error handling * Check the configuration file for errors (check option names and basic type checking). * Perform basic type checking on command line arguments. * Only print stack traces in debug mode. * Include much more information in error messages (e.g. include the path of invalid files). * Send Bad Request to clients for invalid XML requests or iCalendar data. * Change the log level of some messages. 2017-05-31 11:08:32 +02:00			`except ImportError as e:`
Remove global state about configuration and logs Many things have been changed to make this possible, probably leading to many hidden bugs waiting to be found. Related to #122. 2016-04-22 11:37:02 +09:00			`raise RuntimeError(`
			`"The htpasswd encryption method 'crypt' requires "`
Improve error handling * Check the configuration file for errors (check option names and basic type checking). * Perform basic type checking on command line arguments. * Only print stack traces in debug mode. * Include much more information in error messages (e.g. include the path of invalid files). * Send Bad Request to clients for invalid XML requests or iCalendar data. * Change the log level of some messages. 2017-05-31 11:08:32 +02:00			`"the crypt() system support.") from e`
Flake8 fixes 2016-05-04 19:25:34 +02:00			`self.verify = functools.partial(self._crypt, crypt)`
Remove global state about configuration and logs Many things have been changed to make this possible, probably leading to many hidden bugs waiting to be found. Related to #122. 2016-04-22 11:37:02 +09:00			`else:`
			`raise RuntimeError(`
Improve error handling * Check the configuration file for errors (check option names and basic type checking). * Perform basic type checking on command line arguments. * Only print stack traces in debug mode. * Include much more information in error messages (e.g. include the path of invalid files). * Send Bad Request to clients for invalid XML requests or iCalendar data. * Change the log level of some messages. 2017-05-31 11:08:32 +02:00			`"The htpasswd encryption method %r is not "`
Remove global state about configuration and logs Many things have been changed to make this possible, probably leading to many hidden bugs waiting to be found. Related to #122. 2016-04-22 11:37:02 +09:00			`"supported." % self.encryption)`

			`def _plain(self, hash_value, password):`
Cut long lines 2016-05-18 22:41:05 +02:00			"""Check if ``hash_value`` and ``password`` match, plain method."""
Compare passwords and hashes in constant time (Fixes #591) 2017-05-23 03:02:22 +02:00			`return hmac.compare_digest(hash_value, password)`
Remove global state about configuration and logs Many things have been changed to make this possible, probably leading to many hidden bugs waiting to be found. Related to #122. 2016-04-22 11:37:02 +09:00
Flake8 fixes 2016-05-04 19:25:34 +02:00			`def _crypt(self, crypt, hash_value, password):`
Cut long lines 2016-05-18 22:41:05 +02:00			"""Check if ``hash_value`` and ``password`` match, crypt method."""
htpasswd: don't strip whitespaces and allow ':' in plain password 2017-08-17 06:46:38 +02:00			`hash_value = hash_value.strip()`
Compare passwords and hashes in constant time (Fixes #591) 2017-05-23 03:02:22 +02:00			`return hmac.compare_digest(crypt.crypt(password, hash_value),`
			`hash_value)`
Remove global state about configuration and logs Many things have been changed to make this possible, probably leading to many hidden bugs waiting to be found. Related to #122. 2016-04-22 11:37:02 +09:00
			`def _sha1(self, hash_value, password):`
Cut long lines 2016-05-18 22:41:05 +02:00			"""Check if ``hash_value`` and ``password`` match, sha1 method."""
htpasswd: don't strip whitespaces and allow ':' in plain password 2017-08-17 06:46:38 +02:00			`hash_value = base64.b64decode(hash_value.strip().replace(`
			`"{SHA}", "").encode("ascii"))`
Remove global state about configuration and logs Many things have been changed to make this possible, probably leading to many hidden bugs waiting to be found. Related to #122. 2016-04-22 11:37:02 +09:00			`password = password.encode(self.configuration.get("encoding", "stock"))`
Remove pylint 2016-08-02 14:39:20 +02:00			`sha1 = hashlib.sha1()`
Remove global state about configuration and logs Many things have been changed to make this possible, probably leading to many hidden bugs waiting to be found. Related to #122. 2016-04-22 11:37:02 +09:00			`sha1.update(password)`
htpasswd: don't strip whitespaces and allow ':' in plain password 2017-08-17 06:46:38 +02:00			`return hmac.compare_digest(sha1.digest(), hash_value)`
Remove global state about configuration and logs Many things have been changed to make this possible, probably leading to many hidden bugs waiting to be found. Related to #122. 2016-04-22 11:37:02 +09:00
Cut long lines 2016-05-18 22:41:05 +02:00			`def _ssha(self, hash_value, password):`
			"""Check if ``hash_value`` and ``password`` match, salted sha1 method.

			`This method is not directly supported by htpasswd, but it can be`
			`written with e.g. openssl, and nginx can parse it.`

			`"""`
htpasswd: don't strip whitespaces and allow ':' in plain password 2017-08-17 06:46:38 +02:00			`hash_value = base64.b64decode(hash_value.strip().replace(`
Repair SSHA method 2017-05-23 03:01:56 +02:00			`"{SSHA}", "").encode("ascii"))`
Remove global state about configuration and logs Many things have been changed to make this possible, probably leading to many hidden bugs waiting to be found. Related to #122. 2016-04-22 11:37:02 +09:00			`password = password.encode(self.configuration.get("encoding", "stock"))`
Cut long lines 2016-05-18 22:41:05 +02:00			`salt_value = hash_value[20:]`
Repair SSHA method 2017-05-23 03:01:56 +02:00			`hash_value = hash_value[:20]`
Remove pylint 2016-08-02 14:39:20 +02:00			`sha1 = hashlib.sha1()`
Remove global state about configuration and logs Many things have been changed to make this possible, probably leading to many hidden bugs waiting to be found. Related to #122. 2016-04-22 11:37:02 +09:00			`sha1.update(password)`
			`sha1.update(salt_value)`
Compare passwords and hashes in constant time (Fixes #591) 2017-05-23 03:02:22 +02:00			`return hmac.compare_digest(sha1.digest(), hash_value)`
Remove global state about configuration and logs Many things have been changed to make this possible, probably leading to many hidden bugs waiting to be found. Related to #122. 2016-04-22 11:37:02 +09:00
Flake8 fixes 2016-05-04 19:25:34 +02:00			`def _bcrypt(self, bcrypt, hash_value, password):`
htpasswd: don't strip whitespaces and allow ':' in plain password 2017-08-17 06:46:38 +02:00			`hash_value = hash_value.strip()`
Flake8 fixes 2016-05-04 19:25:34 +02:00			`return bcrypt.verify(password, hash_value)`
Remove global state about configuration and logs Many things have been changed to make this possible, probably leading to many hidden bugs waiting to be found. Related to #122. 2016-04-22 11:37:02 +09:00
Flake8 fixes 2016-05-04 19:25:34 +02:00			`def _md5apr1(self, md5_apr1, hash_value, password):`
htpasswd: don't strip whitespaces and allow ':' in plain password 2017-08-17 06:46:38 +02:00			`hash_value = hash_value.strip()`
Flake8 fixes 2016-05-04 19:25:34 +02:00			`return md5_apr1.verify(password, hash_value)`
Remove global state about configuration and logs Many things have been changed to make this possible, probably leading to many hidden bugs waiting to be found. Related to #122. 2016-04-22 11:37:02 +09:00
remove everything marked as DEPRECATED 2018-08-16 07:59:58 +02:00			`def login(self, login, password):`
Move documentation to correct method 2017-09-17 14:03:46 +02:00			`"""Validate credentials.`

remove everything marked as DEPRECATED 2018-08-16 07:59:58 +02:00			`Iterate through htpasswd credential file until login matches, extract`
			`hash (encrypted password) and check hash against password,`
Move documentation to correct method 2017-09-17 14:03:46 +02:00			`using the method specified in the Radicale config.`

			`The content of the file is not cached because reading is generally a`
			`very cheap operation, and it's useful to get live updates of the`
			`htpasswd file.`

			`"""`
Improve error handling * Check the configuration file for errors (check option names and basic type checking). * Perform basic type checking on command line arguments. * Only print stack traces in debug mode. * Include much more information in error messages (e.g. include the path of invalid files). * Send Bad Request to clients for invalid XML requests or iCalendar data. * Change the log level of some messages. 2017-05-31 11:08:32 +02:00			`try:`
htpasswd: don't strip whitespaces and allow ':' in plain password 2017-08-17 06:46:38 +02:00			`with open(self.filename) as f:`
			`for line in f:`
			`line = line.rstrip("\n")`
htpasswd: ignore comments 2017-08-17 06:46:40 +02:00			`if line.lstrip() and not line.lstrip().startswith("#"):`
Improve error handling * Check the configuration file for errors (check option names and basic type checking). * Perform basic type checking on command line arguments. * Only print stack traces in debug mode. * Include much more information in error messages (e.g. include the path of invalid files). * Send Bad Request to clients for invalid XML requests or iCalendar data. * Change the log level of some messages. 2017-05-31 11:08:32 +02:00			`try:`
remove everything marked as DEPRECATED 2018-08-16 07:59:58 +02:00			`hash_login, hash_value = line.split(`
			`":", maxsplit=1)`
Improve error handling * Check the configuration file for errors (check option names and basic type checking). * Perform basic type checking on command line arguments. * Only print stack traces in debug mode. * Include much more information in error messages (e.g. include the path of invalid files). * Send Bad Request to clients for invalid XML requests or iCalendar data. * Change the log level of some messages. 2017-05-31 11:08:32 +02:00			`# Always compare both login and password to avoid`
			`# timing attacks, see #591.`
remove everything marked as DEPRECATED 2018-08-16 07:59:58 +02:00			`login_ok = hmac.compare_digest(hash_login, login)`
Improve error handling * Check the configuration file for errors (check option names and basic type checking). * Perform basic type checking on command line arguments. * Only print stack traces in debug mode. * Include much more information in error messages (e.g. include the path of invalid files). * Send Bad Request to clients for invalid XML requests or iCalendar data. * Change the log level of some messages. 2017-05-31 11:08:32 +02:00			`password_ok = self.verify(hash_value, password)`
Use and instead of & Cosmetic change 2017-09-17 14:03:48 +02:00			`if login_ok and password_ok:`
remove everything marked as DEPRECATED 2018-08-16 07:59:58 +02:00			`return login`
Improve error handling * Check the configuration file for errors (check option names and basic type checking). * Perform basic type checking on command line arguments. * Only print stack traces in debug mode. * Include much more information in error messages (e.g. include the path of invalid files). * Send Bad Request to clients for invalid XML requests or iCalendar data. * Change the log level of some messages. 2017-05-31 11:08:32 +02:00			`except ValueError as e:`
			`raise RuntimeError("Invalid htpasswd file %r: %s" %`
			`(self.filename, e)) from e`
			`except OSError as e:`
			`raise RuntimeError("Failed to load htpasswd file %r: %s" %`
			`(self.filename, e)) from e`
remove everything marked as DEPRECATED 2018-08-16 07:59:58 +02:00			`return ""`