Radicale/radicale/auth/__init__.py

# This file is part of Radicale - CalDAV and CardDAV server
# Copyright © 2008 Nicolas Kandel
# Copyright © 2008 Pascal Halter
# Copyright © 2008-2017 Guillaume Ayoub
# Copyright © 2017-2022 Unrud <unrud@outlook.com>
# Copyright © 2024-2024 Peter Bieringer <pb@bieringer.de>
#
# This library is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This library is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Radicale.  If not, see <http://www.gnu.org/licenses/>.

"""
Authentication module.

Authentication is based on usernames and passwords. If something more
advanced is needed an external WSGI server or reverse proxy can be used
(see ``remote_user`` or ``http_x_remote_user`` backend).

Take a look at the class ``BaseAuth`` if you want to implement your own.

"""

import hashlib
import time
import threading
from typing import Sequence, Set, Tuple, Union, final

from radicale import config, types, utils
from radicale.log import logger

INTERNAL_TYPES: Sequence[str] = ("none", "remote_user", "http_x_remote_user",
                                 "denyall",
                                 "htpasswd",
                                 "ldap",
                                 "dovecot")


def load(configuration: "config.Configuration") -> "BaseAuth":
    """Load the authentication module chosen in configuration."""
    if configuration.get("auth", "type") == "none":
        logger.warning("No user authentication is selected: '[auth] type=none' (insecure)")
    if configuration.get("auth", "type") == "denyall":
        logger.warning("All access is blocked by: '[auth] type=denyall'")
    return utils.load_plugin(INTERNAL_TYPES, "auth", "Auth", BaseAuth,
                             configuration)


class BaseAuth:

    _ldap_groups: Set[str] = set([])
    _lc_username: bool
    _uc_username: bool
    _strip_domain: bool
    _type: str
    _cache_logins: bool
    _cache_successful: dict                 # login -> (digest, time_ns)
    _cache_successful_logins_expiry: int
    _cache_failed: dict                     # digest_failed -> (time_ns, login)
    _cache_failed_logins_expiry: int
    _cache_failed_logins_salt_ns: int       # persistent over runtime
    _lock: threading.Lock

    def __init__(self, configuration: "config.Configuration") -> None:
        """Initialize BaseAuth.

        ``configuration`` see ``radicale.config`` module.
        The ``configuration`` must not change during the lifetime of
        this object, it is kept as an internal reference.

        """
        self.configuration = configuration
        self._lc_username = configuration.get("auth", "lc_username")
        self._uc_username = configuration.get("auth", "uc_username")
        self._strip_domain = configuration.get("auth", "strip_domain")
        logger.info("auth.strip_domain: %s", self._strip_domain)
        logger.info("auth.lc_username: %s", self._lc_username)
        logger.info("auth.uc_username: %s", self._uc_username)
        if self._lc_username is True and self._uc_username is True:
            raise RuntimeError("auth.lc_username and auth.uc_username cannot be enabled together")
        # cache_successful_logins
        self._cache_logins = configuration.get("auth", "cache_logins")
        self._type = configuration.get("auth", "type")
        if (self._type in [ "dovecot", "ldap", "htpasswd" ]) or (self._cache_logins is False):
            logger.info("auth.cache_logins: %s", self._cache_logins)
        else:
            logger.info("auth.cache_logins: %s (but not required for type '%s' and disabled therefore)", self._cache_logins, self._type)
            self._cache_logins = False
        if self._cache_logins is True:
            self._cache_successful_logins_expiry = configuration.get("auth", "cache_successful_logins_expiry")
            if self._cache_successful_logins_expiry < 0:
                raise RuntimeError("self._cache_successful_logins_expiry cannot be < 0")
            self._cache_failed_logins_expiry = configuration.get("auth", "cache_failed_logins_expiry")
            if self._cache_failed_logins_expiry < 0:
                raise RuntimeError("self._cache_failed_logins_expiry cannot be < 0")
            logger.info("auth.cache_successful_logins_expiry: %s seconds", self._cache_successful_logins_expiry)
            logger.info("auth.cache_failed_logins_expiry: %s seconds", self._cache_failed_logins_expiry)
            # cache init
            self._cache_successful = dict()
            self._cache_failed = dict()
            self._cache_failed_logins_salt_ns = time.time_ns()
            self._lock = threading.Lock()

    def _cache_digest(self, login: str, password: str, salt: str) -> str:
        h = hashlib.sha3_512()
        h.update(salt.encode())
        h.update(login.encode())
        h.update(password.encode())
        return str(h.digest())

    def get_external_login(self, environ: types.WSGIEnviron) -> Union[
            Tuple[()], Tuple[str, str]]:
        """Optionally provide the login and password externally.

        ``environ`` a dict with the WSGI environment

        If ``()`` is returned, Radicale handles HTTP authentication.
        Otherwise, returns a tuple ``(login, password)``. For anonymous users
        ``login`` must be ``""``.

        """
        return ()

    def _login(self, login: str, password: str) -> str:
        """Check credentials and map login to internal user

        ``login`` the login name

        ``password`` the password

        Returns the username or ``""`` for invalid credentials.

        """

        raise NotImplementedError

    @final
    def login(self, login: str, password: str) -> str:
        if self._lc_username:
            login = login.lower()
        if self._uc_username:
            login = login.upper()
        if self._strip_domain:
            login = login.split('@')[0]
        if self._cache_logins is True:
            # time_ns is also used as salt
            result = ""
            digest = ""
            time_ns = time.time_ns()
            # cleanup failed login cache to avoid out-of-memory
            cache_failed_entries = len(self._cache_failed)
            if cache_failed_entries > 0:
                logger.debug("Login failed cache investigation start (entries: %d)", cache_failed_entries)
                self._lock.acquire()
                cache_failed_cleanup = dict()
                for digest in self._cache_failed:
                    (time_ns_cache, login_cache) = self._cache_failed[digest]
                    age_failed = int((time_ns - time_ns_cache) / 1000 / 1000 / 1000)
                    if age_failed > self._cache_failed_logins_expiry:
                        cache_failed_cleanup[digest] = (login_cache, age_failed)
                cache_failed_cleanup_entries = len(cache_failed_cleanup)
                logger.debug("Login failed cache cleanup start (entries: %d)", cache_failed_cleanup_entries)
                if cache_failed_cleanup_entries > 0:
                    for digest in cache_failed_cleanup:
                        (login, age_failed) = cache_failed_cleanup[digest]
                        logger.debug("Login failed cache entry for user+password expired: '%s' (age: %d > %d sec)", login_cache, age_failed, self._cache_failed_logins_expiry)
                        del self._cache_failed[digest]
                self._lock.release()
                logger.debug("Login failed cache investigation finished")
            # check for cache failed login
            digest_failed = login + ":" + self._cache_digest(login, password, str(self._cache_failed_logins_salt_ns))
            if self._cache_failed.get(digest_failed):
                # login+password found in cache "failed" -> shortcut return
                (time_ns_cache, login_cache) = self._cache_failed[digest]
                age_failed = int((time_ns - time_ns_cache) / 1000 / 1000 / 1000)
                logger.debug("Login failed cache entry for user+password found: '%s' (age: %d sec)", login_cache, age_failed)
                return ""
            if self._cache_successful.get(login):
                # login found in cache "successful"
                (digest_cache, time_ns_cache) = self._cache_successful[login]
                digest = self._cache_digest(login, password, str(time_ns_cache))
                if digest == digest_cache:
                    age_success = int((time_ns - time_ns_cache) / 1000 / 1000 / 1000)
                    if age_success > self._cache_successful_logins_expiry:
                        logger.debug("Login successful cache entry for user+password found but expired: '%s' (age: %d > %d sec)", login, age_success, self._cache_successful_logins_expiry)
                        # delete expired success from cache
                        del self._cache_successful[login]
                        digest = ""
                    else:
                        logger.debug("Login successful cache entry for user+password found: '%s' (age: %d sec)", login, age_success)
                        result = login
                else:
                    logger.debug("Login successful cache entry for user+password not matching: '%s'", login)
            else:
                # login not found in cache, caculate always to avoid timing attacks
                digest = self._cache_digest(login, password, str(time_ns))
            if result == "":
                # verify login+password via configured backend
                logger.debug("Login verification for user+password via backend: '%s'", login)
                result = self._login(login, password)
                if result != "":
                    logger.debug("Login successful for user+password via backend: '%s'", login)
                    if digest == "":
                        # successful login, but expired, digest must be recalculated
                        digest = self._cache_digest(login, password, str(time_ns))
                    # store successful login in cache
                    self._lock.acquire()
                    self._cache_successful[login] = (digest, time_ns)
                    self._lock.release()
                    logger.debug("Login successful cache for user set: '%s'", login)
                    if self._cache_failed.get(digest_failed):
                        logger.debug("Login failed cache for user cleared: '%s'", login)
                        del self._cache_failed[digest_failed]
                else:
                    logger.debug("Login failed for user+password via backend: '%s'", login)
                    self._lock.acquire()
                    self._cache_failed[digest_failed] = (time_ns, login)
                    self._lock.release()
                    logger.debug("Login failed cache for user set: '%s'", login)
            return result
        else:
            return self._login(login, password)
Change name in file header 2021-12-08 21:45:42 +01:00			`# This file is part of Radicale - CalDAV and CardDAV server`
refactor 2018-08-28 16:19:36 +02:00			`# Copyright © 2008 Nicolas Kandel`
			`# Copyright © 2008 Pascal Halter`
			`# Copyright © 2008-2017 Guillaume Ayoub`
extend copyright 2024-06-07 06:46:16 +02:00			`# Copyright © 2017-2022 Unrud <unrud@outlook.com>`
			`# Copyright © 2024-2024 Peter Bieringer <pb@bieringer.de>`
refactor 2018-08-28 16:19:36 +02:00			`#`
			`# This library is free software: you can redistribute it and/or modify`
			`# it under the terms of the GNU General Public License as published by`
			`# the Free Software Foundation, either version 3 of the License, or`
			`# (at your option) any later version.`
			`#`
			`# This library is distributed in the hope that it will be useful,`
			`# but WITHOUT ANY WARRANTY; without even the implied warranty of`
			`# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the`
			`# GNU General Public License for more details.`
			`#`
			`# You should have received a copy of the GNU General Public License`
			`# along with Radicale. If not, see <http://www.gnu.org/licenses/>.`

			`"""`
Improve documentation 2020-01-12 23:32:28 +01:00			`Authentication module.`
refactor 2018-08-28 16:19:36 +02:00
Improve documentation 2020-01-12 23:32:28 +01:00			`Authentication is based on usernames and passwords. If something more`
			`advanced is needed an external WSGI server or reverse proxy can be used`
			(see ``remote_user`` or ``http_x_remote_user`` backend).
refactor 2018-08-28 16:19:36 +02:00
Improve documentation 2020-01-12 23:32:28 +01:00			Take a look at the class ``BaseAuth`` if you want to implement your own.
refactor 2018-08-28 16:19:36 +02:00
			`"""`

implement cache_logins* option 2024-12-30 08:17:15 +01:00			`import hashlib`
			`import time`
add chache cleanup and locking 2024-12-31 16:13:52 +01:00			`import threading`
Disable overloading BaseAuth login method 2024-12-25 21:56:04 +03:00			`from typing import Sequence, Set, Tuple, Union, final`
refactor 2018-08-28 16:19:36 +02:00
More type hints 2021-07-26 20:56:46 +02:00			`from radicale import config, types, utils`
warn in case no user authentication is active 2024-06-07 08:35:46 +02:00			`from radicale.log import logger`
refactor 2018-08-28 16:19:36 +02:00
More type hints 2021-07-26 20:56:46 +02:00			`INTERNAL_TYPES: Sequence[str] = ("none", "remote_user", "http_x_remote_user",`
add support for auth.type=denyall 2024-06-07 06:45:39 +02:00			`"denyall",`
Fix merge conflicts. 2024-08-25 14:11:48 +02:00			`"htpasswd",`
Rebase galaxy4public patch on top of bf4f5834 2024-10-30 10:33:10 -10:00			`"ldap",`
			`"dovecot")`
refactor 2018-08-28 16:19:36 +02:00
More type hints 2021-07-26 20:56:46 +02:00
			`def load(configuration: "config.Configuration") -> "BaseAuth":`
Extract method loader() 2020-01-14 22:43:48 +01:00			`"""Load the authentication module chosen in configuration."""`
warn in case no user authentication is active 2024-06-07 08:35:46 +02:00			`if configuration.get("auth", "type") == "none":`
DeprecationWarning: The 'warn' method is deprecated, use 'warning' instead 2024-06-09 08:32:45 +02:00			`logger.warning("No user authentication is selected: '[auth] type=none' (insecure)")`
log also in case of "denyall" is selected, cosmetics 2024-06-07 12:35:21 +02:00			`if configuration.get("auth", "type") == "denyall":`
DeprecationWarning: The 'warn' method is deprecated, use 'warning' instead 2024-06-09 08:32:45 +02:00			`logger.warning("All access is blocked by: '[auth] type=denyall'")`
More type hints 2021-07-26 20:56:46 +02:00			`return utils.load_plugin(INTERNAL_TYPES, "auth", "Auth", BaseAuth,`
			`configuration)`
refactor 2018-08-28 16:19:36 +02:00
flake8 E302 2024-12-25 22:28:01 +03:00
refactor 2018-08-28 16:19:36 +02:00			`class BaseAuth:`
More type hints 2021-07-26 20:56:46 +02:00
Fixing type definition error. 2024-09-11 14:13:06 +02:00			`_ldap_groups: Set[str] = set([])`
added compatibility with a case-insensitive authentication provider 2024-04-17 18:31:51 +03:00			`_lc_username: bool`
Add: option [auth] uc_username for uppercase conversion (similar to existing lc_username) 2024-12-14 09:25:36 +01:00			`_uc_username: bool`
add auth/strip_domain option 2024-07-18 06:50:29 +02:00			`_strip_domain: bool`
reorg code, disable caching on not required types 2024-12-31 08:11:19 +01:00			`_type: str`
implement cache_logins* option 2024-12-30 08:17:15 +01:00			`_cache_logins: bool`
fix failed_login cache, improve coding 2024-12-31 07:57:54 +01:00			`_cache_successful: dict # login -> (digest, time_ns)`
			`_cache_successful_logins_expiry: int`
add chache cleanup and locking 2024-12-31 16:13:52 +01:00			`_cache_failed: dict # digest_failed -> (time_ns, login)`
fix failed_login cache, improve coding 2024-12-31 07:57:54 +01:00			`_cache_failed_logins_expiry: int`
			`_cache_failed_logins_salt_ns: int # persistent over runtime`
add chache cleanup and locking 2024-12-31 16:13:52 +01:00			`_lock: threading.Lock`
Now rights can be add to user groups too. 2022-02-21 17:15:21 +01:00
More type hints 2021-07-26 20:56:46 +02:00			`def __init__(self, configuration: "config.Configuration") -> None:`
Improve documentation 2020-01-13 15:51:10 +01:00			`"""Initialize BaseAuth.`

			``configuration`` see ``radicale.config`` module.
			The ``configuration`` must not change during the lifetime of
			`this object, it is kept as an internal reference.`

			`"""`
refactor 2018-08-28 16:19:36 +02:00			`self.configuration = configuration`
added compatibility with a case-insensitive authentication provider 2024-04-17 18:31:51 +03:00			`self._lc_username = configuration.get("auth", "lc_username")`
Add: option [auth] uc_username for uppercase conversion (similar to existing lc_username) 2024-12-14 09:25:36 +01:00			`self._uc_username = configuration.get("auth", "uc_username")`
add auth/strip_domain option 2024-07-18 06:50:29 +02:00			`self._strip_domain = configuration.get("auth", "strip_domain")`
Add: option [auth] uc_username for uppercase conversion (similar to existing lc_username) 2024-12-14 09:25:36 +01:00			`logger.info("auth.strip_domain: %s", self._strip_domain)`
			`logger.info("auth.lc_username: %s", self._lc_username)`
			`logger.info("auth.uc_username: %s", self._uc_username)`
			`if self._lc_username is True and self._uc_username is True:`
			`raise RuntimeError("auth.lc_username and auth.uc_username cannot be enabled together")`
fix failed_login cache, improve coding 2024-12-31 07:57:54 +01:00			`# cache_successful_logins`
reorg code, disable caching on not required types 2024-12-31 08:11:19 +01:00			`self._cache_logins = configuration.get("auth", "cache_logins")`
			`self._type = configuration.get("auth", "type")`
			`if (self._type in [ "dovecot", "ldap", "htpasswd" ]) or (self._cache_logins is False):`
			`logger.info("auth.cache_logins: %s", self._cache_logins)`
			`else:`
			`logger.info("auth.cache_logins: %s (but not required for type '%s' and disabled therefore)", self._cache_logins, self._type)`
			`self._cache_logins = False`
implement cache_logins* option 2024-12-30 08:17:15 +01:00			`if self._cache_logins is True:`
reorg code, disable caching on not required types 2024-12-31 08:11:19 +01:00			`self._cache_successful_logins_expiry = configuration.get("auth", "cache_successful_logins_expiry")`
			`if self._cache_successful_logins_expiry < 0:`
			`raise RuntimeError("self._cache_successful_logins_expiry cannot be < 0")`
			`self._cache_failed_logins_expiry = configuration.get("auth", "cache_failed_logins_expiry")`
			`if self._cache_failed_logins_expiry < 0:`
			`raise RuntimeError("self._cache_failed_logins_expiry cannot be < 0")`
fix failed_login cache, improve coding 2024-12-31 07:57:54 +01:00			`logger.info("auth.cache_successful_logins_expiry: %s seconds", self._cache_successful_logins_expiry)`
			`logger.info("auth.cache_failed_logins_expiry: %s seconds", self._cache_failed_logins_expiry)`
reorg code, disable caching on not required types 2024-12-31 08:11:19 +01:00			`# cache init`
			`self._cache_successful = dict()`
			`self._cache_failed = dict()`
			`self._cache_failed_logins_salt_ns = time.time_ns()`
add chache cleanup and locking 2024-12-31 16:13:52 +01:00			`self._lock = threading.Lock()`
implement cache_logins* option 2024-12-30 08:17:15 +01:00
			`def _cache_digest(self, login: str, password: str, salt: str) -> str:`
			`h = hashlib.sha3_512()`
			`h.update(salt.encode())`
			`h.update(login.encode())`
			`h.update(password.encode())`
fixes triggered by tox 2024-12-30 05:25:10 +01:00			`return str(h.digest())`
refactor 2018-08-28 16:19:36 +02:00
More type hints 2021-07-26 20:56:46 +02:00			`def get_external_login(self, environ: types.WSGIEnviron) -> Union[`
			`Tuple[()], Tuple[str, str]]:`
refactor 2018-08-28 16:19:36 +02:00			`"""Optionally provide the login and password externally.`

			``environ`` a dict with the WSGI environment

			If ``()`` is returned, Radicale handles HTTP authentication.
			Otherwise, returns a tuple ``(login, password)``. For anonymous users
			``login`` must be ``""``.

			`"""`
			`return ()`

added compatibility with a case-insensitive authentication provider 2024-04-17 18:31:51 +03:00			`def _login(self, login: str, password: str) -> str:`
refactor 2018-08-28 16:19:36 +02:00			`"""Check credentials and map login to internal user`

			``login`` the login name

			``password`` the password

Change "user name" to "username" 2022-01-07 23:54:34 +01:00			Returns the username or ``""`` for invalid credentials.
refactor 2018-08-28 16:19:36 +02:00
			`"""`

			`raise NotImplementedError`
added compatibility with a case-insensitive authentication provider 2024-04-17 18:31:51 +03:00
Disable overloading BaseAuth login method 2024-12-25 21:56:04 +03:00			`@final`
added compatibility with a case-insensitive authentication provider 2024-04-17 18:31:51 +03:00			`def login(self, login: str, password: str) -> str:`
add auth/strip_domain option 2024-07-18 06:50:29 +02:00			`if self._lc_username:`
			`login = login.lower()`
Add: option [auth] uc_username for uppercase conversion (similar to existing lc_username) 2024-12-14 09:25:36 +01:00			`if self._uc_username:`
			`login = login.upper()`
add auth/strip_domain option 2024-07-18 06:50:29 +02:00			`if self._strip_domain:`
			`login = login.split('@')[0]`
implement cache_logins* option 2024-12-30 08:17:15 +01:00			`if self._cache_logins is True:`
			`# time_ns is also used as salt`
			`result = ""`
			`digest = ""`
			`time_ns = time.time_ns()`
add chache cleanup and locking 2024-12-31 16:13:52 +01:00			`# cleanup failed login cache to avoid out-of-memory`
			`cache_failed_entries = len(self._cache_failed)`
			`if cache_failed_entries > 0:`
			`logger.debug("Login failed cache investigation start (entries: %d)", cache_failed_entries)`
			`self._lock.acquire()`
			`cache_failed_cleanup = dict()`
			`for digest in self._cache_failed:`
			`(time_ns_cache, login_cache) = self._cache_failed[digest]`
			`age_failed = int((time_ns - time_ns_cache) / 1000 / 1000 / 1000)`
			`if age_failed > self._cache_failed_logins_expiry:`
			`cache_failed_cleanup[digest] = (login_cache, age_failed)`
			`cache_failed_cleanup_entries = len(cache_failed_cleanup)`
			`logger.debug("Login failed cache cleanup start (entries: %d)", cache_failed_cleanup_entries)`
			`if cache_failed_cleanup_entries > 0:`
			`for digest in cache_failed_cleanup:`
			`(login, age_failed) = cache_failed_cleanup[digest]`
			`logger.debug("Login failed cache entry for user+password expired: '%s' (age: %d > %d sec)", login_cache, age_failed, self._cache_failed_logins_expiry)`
			`del self._cache_failed[digest]`
			`self._lock.release()`
			`logger.debug("Login failed cache investigation finished")`
			`# check for cache failed login`
fix failed_login cache, improve coding 2024-12-31 07:57:54 +01:00			`digest_failed = login + ":" + self._cache_digest(login, password, str(self._cache_failed_logins_salt_ns))`
			`if self._cache_failed.get(digest_failed):`
add chache cleanup and locking 2024-12-31 16:13:52 +01:00			`# login+password found in cache "failed" -> shortcut return`
			`(time_ns_cache, login_cache) = self._cache_failed[digest]`
fix failed_login cache, improve coding 2024-12-31 07:57:54 +01:00			`age_failed = int((time_ns - time_ns_cache) / 1000 / 1000 / 1000)`
add chache cleanup and locking 2024-12-31 16:13:52 +01:00			`logger.debug("Login failed cache entry for user+password found: '%s' (age: %d sec)", login_cache, age_failed)`
			`return ""`
fix failed_login cache, improve coding 2024-12-31 07:57:54 +01:00			`if self._cache_successful.get(login):`
			`# login found in cache "successful"`
			`(digest_cache, time_ns_cache) = self._cache_successful[login]`
implement cache_logins* option 2024-12-30 08:17:15 +01:00			`digest = self._cache_digest(login, password, str(time_ns_cache))`
			`if digest == digest_cache:`
fix failed_login cache, improve coding 2024-12-31 07:57:54 +01:00			`age_success = int((time_ns - time_ns_cache) / 1000 / 1000 / 1000)`
			`if age_success > self._cache_successful_logins_expiry:`
			`logger.debug("Login successful cache entry for user+password found but expired: '%s' (age: %d > %d sec)", login, age_success, self._cache_successful_logins_expiry)`
			`# delete expired success from cache`
			`del self._cache_successful[login]`
implement cache_logins* option 2024-12-30 08:17:15 +01:00			`digest = ""`
			`else:`
fix failed_login cache, improve coding 2024-12-31 07:57:54 +01:00			`logger.debug("Login successful cache entry for user+password found: '%s' (age: %d sec)", login, age_success)`
implement cache_logins* option 2024-12-30 08:17:15 +01:00			`result = login`
			`else:`
fix failed_login cache, improve coding 2024-12-31 07:57:54 +01:00			`logger.debug("Login successful cache entry for user+password not matching: '%s'", login)`
implement cache_logins* option 2024-12-30 08:17:15 +01:00			`else:`
fix failed_login cache, improve coding 2024-12-31 07:57:54 +01:00			`# login not found in cache, caculate always to avoid timing attacks`
implement cache_logins* option 2024-12-30 08:17:15 +01:00			`digest = self._cache_digest(login, password, str(time_ns))`
			`if result == "":`
fix failed_login cache, improve coding 2024-12-31 07:57:54 +01:00			`# verify login+password via configured backend`
			`logger.debug("Login verification for user+password via backend: '%s'", login)`
implement cache_logins* option 2024-12-30 08:17:15 +01:00			`result = self._login(login, password)`
fixes triggered by tox 2024-12-30 05:25:10 +01:00			`if result != "":`
fix failed_login cache, improve coding 2024-12-31 07:57:54 +01:00			`logger.debug("Login successful for user+password via backend: '%s'", login)`
fixes triggered by tox 2024-12-30 05:25:10 +01:00			`if digest == "":`
implement cache_logins* option 2024-12-30 08:17:15 +01:00			`# successful login, but expired, digest must be recalculated`
			`digest = self._cache_digest(login, password, str(time_ns))`
			`# store successful login in cache`
add chache cleanup and locking 2024-12-31 16:13:52 +01:00			`self._lock.acquire()`
fix failed_login cache, improve coding 2024-12-31 07:57:54 +01:00			`self._cache_successful[login] = (digest, time_ns)`
add chache cleanup and locking 2024-12-31 16:13:52 +01:00			`self._lock.release()`
fix failed_login cache, improve coding 2024-12-31 07:57:54 +01:00			`logger.debug("Login successful cache for user set: '%s'", login)`
			`if self._cache_failed.get(digest_failed):`
			`logger.debug("Login failed cache for user cleared: '%s'", login)`
			`del self._cache_failed[digest_failed]`
			`else:`
			`logger.debug("Login failed for user+password via backend: '%s'", login)`
add chache cleanup and locking 2024-12-31 16:13:52 +01:00			`self._lock.acquire()`
			`self._cache_failed[digest_failed] = (time_ns, login)`
			`self._lock.release()`
fix failed_login cache, improve coding 2024-12-31 07:57:54 +01:00			`logger.debug("Login failed cache for user set: '%s'", login)`
implement cache_logins* option 2024-12-30 08:17:15 +01:00			`return result`
			`else:`
			`return self._login(login, password)`