Fix merge conflicts.

radicale/auth/__init__.py

@@ -2,7 +2,8 @@
 # Copyright © 2008 Nicolas Kandel
 # Copyright © 2008 Pascal Halter
 # Copyright © 2008-2017 Guillaume Ayoub
-# Copyright © 2017-2018 Unrud <unrud@outlook.com>
+# Copyright © 2017-2022 Unrud <unrud@outlook.com>
+# Copyright © 2024-2024 Peter Bieringer <pb@bieringer.de>
 #
 # This library is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -31,13 +32,20 @@ Take a look at the class ``BaseAuth`` if you want to implement your own.
 from typing import Sequence, Tuple, Union
 
 from radicale import config, types, utils
+from radicale.log import logger
 
 INTERNAL_TYPES: Sequence[str] = ("none", "remote_user", "http_x_remote_user",
-                                 "htpasswd", "ldap")
+                                 "denyall",
+                                 "htpasswd",
+                                 "ldap")
 
 
 def load(configuration: "config.Configuration") -> "BaseAuth":
     """Load the authentication module chosen in configuration."""
+    if configuration.get("auth", "type") == "none":
+        logger.warning("No user authentication is selected: '[auth] type=none' (insecure)")
+    if configuration.get("auth", "type") == "denyall":
+        logger.warning("All access is blocked by: '[auth] type=denyall'")
     return utils.load_plugin(INTERNAL_TYPES, "auth", "Auth", BaseAuth,
                              configuration)
 
@@ -45,6 +53,8 @@ def load(configuration: "config.Configuration") -> "BaseAuth":
 class BaseAuth:
 
     _ldap_groups: set
+    _lc_username: bool
+    _strip_domain: bool
 
     def __init__(self, configuration: "config.Configuration") -> None:
         """Initialize BaseAuth.
@@ -55,6 +65,8 @@ class BaseAuth:
 
         """
         self.configuration = configuration
+        self._lc_username = configuration.get("auth", "lc_username")
+        self._strip_domain = configuration.get("auth", "strip_domain")
 
     def get_external_login(self, environ: types.WSGIEnviron) -> Union[
             Tuple[()], Tuple[str, str]]:
@@ -69,7 +81,7 @@ class BaseAuth:
         """
         return ()
 
-    def login(self, login: str, password: str) -> str:
+    def _login(self, login: str, password: str) -> str:
         """Check credentials and map login to internal user
 
         ``login`` the login name
@@ -81,3 +93,10 @@ class BaseAuth:
         """
 
         raise NotImplementedError
+
+    def login(self, login: str, password: str) -> str:
+        if self._lc_username:
+            login = login.lower()
+        if self._strip_domain:
+            login = login.split('@')[0]
+        return self._login(login, password)

radicale/auth/denyall.py

@@ -0,0 +1,30 @@
+# This file is part of Radicale - CalDAV and CardDAV server
+# Copyright © 2024-2024 Peter Bieringer <pb@bieringer.de>
+#
+# This library is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This library is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with Radicale.  If not, see <http://www.gnu.org/licenses/>.
+
+"""
+A dummy backend that denies any username and password.
+
+Used as default for security reasons.
+
+"""
+
+from radicale import auth
+
+
+class Auth(auth.BaseAuth):
+
+    def _login(self, login: str, password: str) -> str:
+        return ""

radicale/auth/htpasswd.py

@@ -3,6 +3,7 @@
 # Copyright © 2008 Pascal Halter
 # Copyright © 2008-2017 Guillaume Ayoub
 # Copyright © 2017-2019 Unrud <unrud@outlook.com>
+# Copyright © 2024 Peter Bieringer <pb@bieringer.de>
 #
 # This library is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -22,12 +23,12 @@ Authentication backend that checks credentials with a htpasswd file.
 
 Apache's htpasswd command (httpd.apache.org/docs/programs/htpasswd.html)
 manages a file for storing user credentials. It can encrypt passwords using
-different the methods BCRYPT or MD5-APR1 (a version of MD5 modified for
-Apache). MD5-APR1 provides medium security as of 2015. Only BCRYPT can be
+different the methods BCRYPT/SHA256/SHA512 or MD5-APR1 (a version of MD5 modified for
+Apache). MD5-APR1 provides medium security as of 2015. Only BCRYPT/SHA256/SHA512 can be
 considered secure by current standards.
 
 MD5-APR1-encrypted credentials can be written by all versions of htpasswd (it
-is the default, in fact), whereas BCRYPT requires htpasswd 2.4.x or newer.
+is the default, in fact), whereas BCRYPT/SHA256/SHA512 requires htpasswd 2.4.x or newer.
 
 The `is_authenticated(user, password)` function provided by this module
 verifies the user-given credentials by parsing the htpasswd credential file
@@ -35,15 +36,15 @@ pointed to by the ``htpasswd_filename`` configuration value while assuming
 the password encryption method specified via the ``htpasswd_encryption``
 configuration value.
 
-The following htpasswd password encrpytion methods are supported by Radicale
+The following htpasswd password encryption methods are supported by Radicale
 out-of-the-box:
+    - plain-text (created by htpasswd -p ...) -- INSECURE
+    - MD5-APR1   (htpasswd -m ...) -- htpasswd's default method, INSECURE
+    - SHA256     (htpasswd -2 ...)
+    - SHA512     (htpasswd -5 ...)
 
-    - plain-text (created by htpasswd -p...) -- INSECURE
-    - MD5-APR1   (htpasswd -m...) -- htpasswd's default method
-
-When passlib[bcrypt] is installed:
-
-    - BCRYPT     (htpasswd -B...) -- Requires htpasswd 2.4.x
+When bcrypt is installed:
+    - BCRYPT     (htpasswd -B ...) -- Requires htpasswd 2.4.x
 
 """
 
@@ -51,9 +52,9 @@ import functools
 import hmac
 from typing import Any
 
-from passlib.hash import apr_md5_crypt
+from passlib.hash import apr_md5_crypt, sha256_crypt, sha512_crypt
 
-from radicale import auth, config
+from radicale import auth, config, logger
 
 
 class Auth(auth.BaseAuth):
@@ -67,22 +68,28 @@ class Auth(auth.BaseAuth):
         self._encoding = configuration.get("encoding", "stock")
         encryption: str = configuration.get("auth", "htpasswd_encryption")
 
+        logger.info("auth htpasswd encryption is 'radicale.auth.htpasswd_encryption.%s'", encryption)
+
         if encryption == "plain":
             self._verify = self._plain
         elif encryption == "md5":
             self._verify = self._md5apr1
-        elif encryption == "bcrypt":
+        elif encryption == "sha256":
+            self._verify = self._sha256
+        elif encryption == "sha512":
+            self._verify = self._sha512
+        elif encryption == "bcrypt" or encryption == "autodetect":
             try:
-                from passlib.hash import bcrypt
+                import bcrypt
             except ImportError as e:
                 raise RuntimeError(
-                    "The htpasswd encryption method 'bcrypt' requires "
-                    "the passlib[bcrypt] module.") from e
-            # A call to `encrypt` raises passlib.exc.MissingBackendError with a
-            # good error message if bcrypt backend is not available. Trigger
-            # this here.
-            bcrypt.hash("test-bcrypt-backend")
-            self._verify = functools.partial(self._bcrypt, bcrypt)
+                    "The htpasswd encryption method 'bcrypt' or 'autodetect' requires "
+                    "the bcrypt module.") from e
+            if encryption == "bcrypt":
+                self._verify = functools.partial(self._bcrypt, bcrypt)
+            else:
+                self._verify = self._autodetect
+                self._verify_bcrypt = functools.partial(self._bcrypt, bcrypt)
         else:
             raise RuntimeError("The htpasswd encryption method %r is not "
                                "supported." % encryption)
@@ -92,12 +99,35 @@ class Auth(auth.BaseAuth):
         return hmac.compare_digest(hash_value.encode(), password.encode())
 
     def _bcrypt(self, bcrypt: Any, hash_value: str, password: str) -> bool:
-        return bcrypt.verify(password, hash_value.strip())
+        return bcrypt.checkpw(password=password.encode('utf-8'), hashed_password=hash_value.encode())
 
     def _md5apr1(self, hash_value: str, password: str) -> bool:
         return apr_md5_crypt.verify(password, hash_value.strip())
 
-    def login(self, login: str, password: str) -> str:
+    def _sha256(self, hash_value: str, password: str) -> bool:
+        return sha256_crypt.verify(password, hash_value.strip())
+
+    def _sha512(self, hash_value: str, password: str) -> bool:
+        return sha512_crypt.verify(password, hash_value.strip())
+
+    def _autodetect(self, hash_value: str, password: str) -> bool:
+        if hash_value.startswith("$apr1$", 0, 6) and len(hash_value) == 37:
+            # MD5-APR1
+            return self._md5apr1(hash_value, password)
+        elif hash_value.startswith("$2y$", 0, 4) and len(hash_value) == 60:
+            # BCRYPT
+            return self._verify_bcrypt(hash_value, password)
+        elif hash_value.startswith("$5$", 0, 3) and len(hash_value) == 63:
+            # SHA-256
+            return self._sha256(hash_value, password)
+        elif hash_value.startswith("$6$", 0, 3) and len(hash_value) == 106:
+            # SHA-512
+            return self._sha512(hash_value, password)
+        else:
+            # assumed plaintext
+            return self._plain(hash_value, password)
+
+    def _login(self, login: str, password: str) -> str:
         """Validate credentials.
 
         Iterate through htpasswd credential file until login matches, extract

radicale/auth/none.py

@@ -27,5 +27,5 @@ from radicale import auth
 
 class Auth(auth.BaseAuth):
 
-    def login(self, login: str, password: str) -> str:
+    def _login(self, login: str, password: str) -> str:
         return login