kallithea Changeset - 710512deb83d

Changeset - 710512deb83d

Parent rev.

Child rev.

[Not reviewed]

default

0 8 0

Mads Kiilerich (mads) - 5 years ago 2020-11-01 23:50:29
mads@kiilerich.com

Grafted from: 7755b166b92b

lib: move some auth low level helper functions to utils2

8 files changed with 80 insertions and 85 deletions:

kallithea/lib/auth.py

kallithea/lib/auth_modules/__init__.py

kallithea/lib/auth_modules/auth_internal.py

kallithea/lib/utils2.py

kallithea/model/user.py

kallithea/tests/functional/test_admin_users.py

kallithea/tests/functional/test_login.py

kallithea/tests/scripts/manual_test_concurrency.py

0 comments (0 inline, 0 general)

kallithea/lib/auth.py

➞

Show inline comments

@@ @@ -21,104 +21,35 @@ This file was forked by the Kallithea pr @@
 Original author and date, and relevant copyright and licensing information is below:
 :created_on: Apr 4, 2010
 :author: marcink
 :copyright: (c) 2013 RhodeCode GmbH, and others.
 :license: GPLv3, see LICENSE.md for more details.
 """
 import hashlib
 import itertools
 import logging
 import os
 import string
 import bcrypt
 import ipaddr
 from decorator import decorator
 from sqlalchemy.orm import joinedload
 from sqlalchemy.orm.exc import ObjectDeletedError
 from tg import request
 from tg.i18n import ugettext as _
 from webob.exc import HTTPForbidden, HTTPFound
 import kallithea
 from kallithea.lib import webutils
 from kallithea.lib.utils import get_repo_group_slug, get_repo_slug, get_user_group_slug
 from kallithea.lib.utils2 import ascii_bytes, ascii_str, safe_bytes
 from kallithea.lib.vcs.utils.lazy import LazyProperty
 from kallithea.lib.webutils import url
 from kallithea.model import db, meta
 from kallithea.model.user import UserModel
 log = logging.getLogger(__name__)
 class PasswordGenerator(object):
     """
     This is a simple class for generating password from different sets of
     characters
     usage::
         passwd_gen = PasswordGenerator()
         #print 8-letter password containing only big and small letters
             of alphabet
         passwd_gen.gen_password(8, passwd_gen.ALPHABETS_BIG_SMALL)
     """
     ALPHABETS_NUM = r'''1234567890'''
     ALPHABETS_SMALL = r'''qwertyuiopasdfghjklzxcvbnm'''
     ALPHABETS_BIG = r'''QWERTYUIOPASDFGHJKLZXCVBNM'''
     ALPHABETS_SPECIAL = r'''`-=[]\;',./~!@#$%^&*()_+{}|:"<>?'''
     ALPHABETS_FULL = ALPHABETS_BIG + ALPHABETS_SMALL \
         + ALPHABETS_NUM + ALPHABETS_SPECIAL
     ALPHABETS_ALPHANUM = ALPHABETS_BIG + ALPHABETS_SMALL + ALPHABETS_NUM
     ALPHABETS_BIG_SMALL = ALPHABETS_BIG + ALPHABETS_SMALL
     ALPHABETS_ALPHANUM_BIG = ALPHABETS_BIG + ALPHABETS_NUM
     ALPHABETS_ALPHANUM_SMALL = ALPHABETS_SMALL + ALPHABETS_NUM
     def gen_password(self, length, alphabet=ALPHABETS_FULL):
         assert len(alphabet) <= 256, alphabet
         l = []
         while len(l) < length:
             i = ord(os.urandom(1))
             if i < len(alphabet):
                 l.append(alphabet[i])
         return ''.join(l)
 def get_crypt_password(password):
     """
     Cryptographic function used for bcrypt password hashing.
     :param password: password to hash
     """
     return ascii_str(bcrypt.hashpw(safe_bytes(password), bcrypt.gensalt(10)))
 def check_password(password, hashed):
     """
     Checks password match the hashed value using bcrypt.
     Remains backwards compatible and accept plain sha256 hashes which used to
     be used on Windows.
     :param password: password
     :param hashed: password in hashed form
     """
     # sha256 hashes will always be 64 hex chars
     # bcrypt hashes will always contain $ (and be shorter)
     if len(hashed) == 64 and all(x in string.hexdigits for x in hashed):
         return hashlib.sha256(password).hexdigest() == hashed
     try:
         return bcrypt.checkpw(safe_bytes(password), ascii_bytes(hashed))
     except ValueError as e:
         # bcrypt will throw ValueError 'Invalid hashed_password salt' on all password errors
         log.error('error from bcrypt checking password: %s', e)
         return False
     log.error('check_password failed - no method found for hash length %s', len(hashed))
     return False
 PERM_WEIGHTS = db.Permission.PERM_WEIGHTS
 def bump_permission(permissions, key, new_perm):
     """Add a new permission for key to permissions.
     Assuming the permissions are comparable, set the new permission if it
     has higher weight, else drop it and keep the old permission.

kallithea/lib/auth_modules/__init__.py

➞

Show inline comments

@@ @@ -17,15 +17,15 @@ Authentication modules @@
 import importlib
 import logging
 import traceback
 from inspect import isfunction
-from kallithea.lib.auth import AuthUser, PasswordGenerator
 from kallithea.lib.auth import AuthUser
 from kallithea.lib.compat import hybrid_property
 from kallithea.lib.utils2 import asbool
+from kallithea.lib.utils2 import asbool, PasswordGenerator
 from kallithea.model import db, meta, validators
 from kallithea.model.user import UserModel
 from kallithea.model.user_group import UserGroupModel
 log = logging.getLogger(__name__)

kallithea/lib/auth_modules/auth_internal.py

➞

Show inline comments

@@ @@ -25,13 +25,13 @@ Original author and date, and relevant c @@
 :license: GPLv3, see LICENSE.md for more details.
 """
 import logging
-from kallithea.lib import auth, auth_modules
+from kallithea.lib import auth_modules, utils2
 from kallithea.lib.compat import hybrid_property
 log = logging.getLogger(__name__)
@@ @@ -75,13 +75,13 @@ class KallitheaAuthPlugin(auth_modules.K @@
             "email": userobj.email,
             "admin": userobj.admin,
             "extern_name": userobj.user_id,
+        }
         log.debug('user data: %s', user_data)
-        password_match = auth.check_password(password, userobj.password)
+        password_match = utils2.check_password(password, userobj.password)
         if userobj.is_default_user:
             log.info('user %s authenticated correctly as anonymous user',
                      username)
             return user_data
         elif userobj.username == username and password_match:

kallithea/lib/utils2.py

➞

Show inline comments

@@ @@ -26,18 +26,22 @@ Original author and date, and relevant c @@
 :copyright: (c) 2013 RhodeCode GmbH, and others.
 :license: GPLv3, see LICENSE.md for more details.
 """
 import binascii
 import datetime
 import hashlib
 import json
 import logging
 import os
 import re
 import string
 import time
 import urllib.parse
 import bcrypt
 import urlobject
 from dateutil import relativedelta
 from sqlalchemy.engine import url as sa_url
 from sqlalchemy.exc import ArgumentError
 from tg import tmpl_context
 from tg.i18n import ugettext as _
@@ @@ -56,12 +60,15 @@ from kallithea.lib.vcs.utils.lazy import @@
 try:
     import pwd
 except ImportError:
     pass
 log = logging.getLogger(__name__)
 # mute pyflakes "imported but unused"
 assert asbool
 assert aslist
 assert ascii_bytes
 assert ascii_str
 assert safe_bytes
@@ @@ -546,6 +553,70 @@ def ask_ok(prompt, retries=4, complaint= @@
         if ok in ('n', 'no', 'nop', 'nope'):
             return False
         retries = retries - 1
         if retries < 0:
             raise IOError
         print(complaint)
 class PasswordGenerator(object):
     """
     This is a simple class for generating password from different sets of
     characters
     usage::
         passwd_gen = PasswordGenerator()
         #print 8-letter password containing only big and small letters
             of alphabet
         passwd_gen.gen_password(8, passwd_gen.ALPHABETS_BIG_SMALL)
     """
     ALPHABETS_NUM = r'''1234567890'''
     ALPHABETS_SMALL = r'''qwertyuiopasdfghjklzxcvbnm'''
     ALPHABETS_BIG = r'''QWERTYUIOPASDFGHJKLZXCVBNM'''
     ALPHABETS_SPECIAL = r'''`-=[]\;',./~!@#$%^&*()_+{}|:"<>?'''
     ALPHABETS_FULL = ALPHABETS_BIG + ALPHABETS_SMALL \
         + ALPHABETS_NUM + ALPHABETS_SPECIAL
     ALPHABETS_ALPHANUM = ALPHABETS_BIG + ALPHABETS_SMALL + ALPHABETS_NUM
     ALPHABETS_BIG_SMALL = ALPHABETS_BIG + ALPHABETS_SMALL
     ALPHABETS_ALPHANUM_BIG = ALPHABETS_BIG + ALPHABETS_NUM
     ALPHABETS_ALPHANUM_SMALL = ALPHABETS_SMALL + ALPHABETS_NUM
     def gen_password(self, length, alphabet=ALPHABETS_FULL):
         assert len(alphabet) <= 256, alphabet
         l = []
         while len(l) < length:
             i = ord(os.urandom(1))
             if i < len(alphabet):
                 l.append(alphabet[i])
         return ''.join(l)
 def get_crypt_password(password):
     """
     Cryptographic function used for bcrypt password hashing.
     :param password: password to hash
     """
     return ascii_str(bcrypt.hashpw(safe_bytes(password), bcrypt.gensalt(10)))
 def check_password(password, hashed):
     """
     Checks password match the hashed value using bcrypt.
     Remains backwards compatible and accept plain sha256 hashes which used to
     be used on Windows.
     :param password: password
     :param hashed: password in hashed form
     """
     # sha256 hashes will always be 64 hex chars
     # bcrypt hashes will always contain $ (and be shorter)
     if len(hashed) == 64 and all(x in string.hexdigits for x in hashed):
         return hashlib.sha256(password).hexdigest() == hashed
     try:
         return bcrypt.checkpw(safe_bytes(password), ascii_bytes(hashed))
     except ValueError as e:
         # bcrypt will throw ValueError 'Invalid hashed_password salt' on all password errors
         log.error('error from bcrypt checking password: %s', e)
         return False
     log.error('check_password failed - no method found for hash length %s', len(hashed))
     return False

kallithea/model/user.py

➞

Show inline comments

@@ @@ -35,13 +35,13 @@ import traceback @@
 from sqlalchemy.exc import DatabaseError
 from tg import config
 from tg.i18n import ugettext as _
 from kallithea.lib import webutils
 from kallithea.lib.exceptions import DefaultUserException, UserOwnsReposException
 from kallithea.lib.utils2 import generate_api_key, get_current_authuser
+from kallithea.lib.utils2 import check_password, generate_api_key, get_crypt_password, get_current_authuser
 from kallithea.model import db, forms, meta
 log = logging.getLogger(__name__)
@@ @@ -69,13 +69,12 @@ class UserModel(object): @@
             'lastname': _fd['lastname'],
             'active': _fd['active'],
             'admin': False
+        }
         # raises UserCreationError if it's not allowed
         check_allowed_create_user(user_data, cur_user)
         from kallithea.lib.auth import get_crypt_password
         new_user = db.User()
         for k, v in form_data.items():
             if k == 'password':
                 v = get_crypt_password(v)
             if k == 'firstname':
@@ @@ -107,13 +106,12 @@ class UserModel(object): @@
         :param extern_type:
         :param cur_user:
         """
         if not cur_user:
             cur_user = getattr(get_current_authuser(), 'username', None)
         from kallithea.lib.auth import check_password, get_crypt_password
         from kallithea.lib.hooks import check_allowed_create_user, log_create_user
         user_data = {
             'username': username, 'password': password,
             'email': email, 'firstname': firstname, 'lastname': lastname,
             'active': active, 'admin': admin
+        }
@@ @@ -191,13 +189,12 @@ class UserModel(object): @@
         notification.NotificationModel().create(created_by=new_user, subject=subject,
                                    body=body, recipients=None,
                                    type_=notification.NotificationModel.TYPE_REGISTRATION,
                                    email_kwargs=email_kwargs)
     def update(self, user_id, form_data, skip_attrs=None):
         from kallithea.lib.auth import get_crypt_password
         skip_attrs = skip_attrs or []
         user = self.get(user_id)
         if user.is_default_user:
             raise DefaultUserException(
                             _("You can't edit this user since it's "
                               "crucial for entire application"))
@@ @@ -212,14 +209,12 @@ class UserModel(object): @@
                 # need proper refactor to username
                 if k == 'firstname':
                     k = 'name'
                 setattr(user, k, v)
     def update_user(self, user, **kwargs):
         from kallithea.lib.auth import get_crypt_password
         user = db.User.guess_instance(user)
         if user.is_default_user:
             raise DefaultUserException(
                 _("You can't edit this user since it's"
                   " crucial for entire application")
+            )
@@ @@ -378,19 +373,18 @@ class UserModel(object): @@
                                                        webutils.session_csrf_secret_token())
         log.debug('computed password reset token: %s', expected_token)
         log.debug('received password reset token: %s', token)
         return expected_token == token
     def reset_password(self, user_email, new_passwd):
         from kallithea.lib import auth
         from kallithea.lib.celerylib import tasks
         user = db.User.get_by_email(user_email)
         if user is not None:
             if not self.can_change_password(user):
                 raise Exception('trying to change password for external user')
-            user.password = auth.get_crypt_password(new_passwd)
             user.password = get_crypt_password(new_passwd)
             meta.Session().commit()
             log.info('change password for %s', user_email)
         if new_passwd is None:
             raise Exception('unable to set new password')
         tasks.send_email([user_email],

kallithea/tests/functional/test_admin_users.py

➞

Show inline comments

@@ @@ -17,13 +17,13 @@ from sqlalchemy.orm.exc import NoResultF @@
 from tg.util.webtest import test_context
 from webob.exc import HTTPNotFound
 import kallithea
 from kallithea.controllers.admin.users import UsersController
 from kallithea.lib import webutils
-from kallithea.lib.auth import check_password
+from kallithea.lib.utils2 import check_password
 from kallithea.model import db, meta, validators
 from kallithea.model.user import UserModel
 from kallithea.tests import base
 from kallithea.tests.fixture import Fixture

kallithea/tests/functional/test_login.py

➞

Show inline comments

@@ @@ -5,14 +5,13 @@ import urllib.parse @@
 import mock
 from tg.util.webtest import test_context
 import kallithea.lib.celerylib.tasks
 from kallithea.lib import webutils
 from kallithea.lib.auth import check_password
 from kallithea.lib.utils2 import generate_api_key
 from kallithea.lib.utils2 import check_password, generate_api_key
 from kallithea.model import db, meta, validators
 from kallithea.model.api_key import ApiKeyModel
 from kallithea.model.user import UserModel
 from kallithea.tests import base
 from kallithea.tests.fixture import Fixture

kallithea/tests/scripts/manual_test_concurrency.py

➞

Show inline comments

@@ @@ -35,13 +35,13 @@ from os.path import dirname @@
 from subprocess import PIPE, Popen
 from paste.deploy import appconfig
 from sqlalchemy import engine_from_config
 import kallithea.config.application
-from kallithea.lib.auth import get_crypt_password
+from kallithea.lib.utils2 import get_crypt_password
 from kallithea.model import db, meta
 from kallithea.model.base import init_model
 from kallithea.model.repo import RepoModel
 from kallithea.tests.base import HG_REPO, TEST_USER_ADMIN_LOGIN, TEST_USER_ADMIN_PASS

0 comments (0 inline, 0 general)