epicyon/auth.py

__filename__ = "auth.py"
__author__ = "Bob Mottram"
__license__ = "AGPL3+"
__version__ = "0.0.1"
__maintainer__ = "Bob Mottram"
__email__ = "bob@freedombone.net"
__status__ = "Production"

import base64
import hashlib
import binascii
import os
import shutil
import random

def hashPassword(password: str) -> str:
    """Hash a password for storing
    """
    salt = hashlib.sha256(os.urandom(60)).hexdigest().encode('ascii')
    pwdhash = hashlib.pbkdf2_hmac('sha512', password.encode('utf-8'), salt, 100000)
    pwdhash = binascii.hexlify(pwdhash)
    return (salt + pwdhash).decode('ascii')
 
def verifyPassword(storedPassword: str,providedPassword: str) -> bool:
    """Verify a stored password against one provided by user
    """
    salt = storedPassword[:64]
    storedPassword = storedPassword[64:]
    pwdhash = hashlib.pbkdf2_hmac('sha512', \
                                  providedPassword.encode('utf-8'), \
                                  salt.encode('ascii'), \
                                  100000)
    pwdhash = binascii.hexlify(pwdhash).decode('ascii')
    return pwdhash == storedPassword

def createBasicAuthHeader(nickname: str,password: str) -> str:
    """This is only used by tests
    """
    authStr=nickname.replace('\n','')+':'+password.replace('\n','')
    return 'Basic '+base64.b64encode(authStr.encode('utf-8')).decode('utf-8')

def authorizeBasic(baseDir: str,path: str,authHeader: str,debug: bool) -> bool:
    """HTTP basic auth
    """
    if ' ' not in authHeader:
        if debug:
            print('DEBUG: Authorixation header does not contain a space character')
        return False
    if '/users/' not in path:
        if debug:
            print('DEBUG: Path for Authorization does not contain a user')
        return False
    pathUsersSection=path.split('/users/')[1]
    if '/' not in pathUsersSection:
        if debug:
            print('DEBUG: This is not a users endpoint')
        return False
    nicknameFromPath=pathUsersSection.split('/')[0]
    base64Str = authHeader.split(' ')[1].replace('\n','')
    plain = base64.b64decode(base64Str).decode('utf-8')
    if ':' not in plain:
        if debug:
            print('DEBUG: Basic Auth header does not contain a ":" separator for username:password')
        return False
    nickname = plain.split(':')[0]
    if nickname!=nicknameFromPath:
        if debug:
            print('DEBUG: Nickname given in the path ('+nicknameFromPath+ \
                  ') does not match the one in the Authorization header ('+ \
                  nickname+')')
        return False
    passwordFile=baseDir+'/accounts/passwords'
    if not os.path.isfile(passwordFile):
        if debug:
            print('DEBUG: passwords file missing')
        return False
    providedPassword = plain.split(':')[1]
    passfile = open(passwordFile, "r")
    for line in passfile:
        if line.startswith(nickname+':'):
            storedPassword=line.split(':')[1].replace('\n','')
            success = verifyPassword(storedPassword,providedPassword)
            if not success:
                if debug:
                    print('DEBUG: Password check failed for '+nickname)
            return success
    print('DEBUG: Did not find credentials for '+nickname+' in '+passwordFile)
    return False

def storeBasicCredentials(baseDir: str,nickname: str,password: str) -> bool:
    """Stores login credentials to a file
    """
    if ':' in nickname or ':' in password:
        return False
    nickname=nickname.replace('\n','').strip()
    password=password.replace('\n','').strip()

    if not os.path.isdir(baseDir+'/accounts'):
        os.mkdir(baseDir+'/accounts')

    passwordFile=baseDir+'/accounts/passwords'
    storeStr=nickname+':'+hashPassword(password)
    if os.path.isfile(passwordFile):
        if nickname+':' in open(passwordFile).read():
            with open(passwordFile, "r") as fin:
                with open(passwordFile+'.new', "w") as fout:
                    for line in fin:
                        if not line.startswith(nickname+':'):
                            fout.write(line)
                        else:
                            fout.write(storeStr+'\n')
            os.rename(passwordFile+'.new', passwordFile)
        else:
            # append to password file
            with open(passwordFile, "a") as passfile:
                passfile.write(storeStr+'\n')
    else:
        with open(passwordFile, "w") as passfile:
            passfile.write(storeStr+'\n')
    return True

def removePassword(baseDir: str,nickname: str) -> None:
    """Removes the password entry for the given nickname
    This is called during account removal
    """
    passwordFile=baseDir+'/accounts/passwords'
    if os.path.isfile(passwordFile):
        with open(passwordFile, "r") as fin:
            with open(passwordFile+'.new', "w") as fout:
                for line in fin:
                    if not line.startswith(nickname+':'):
                        fout.write(line)
        os.rename(passwordFile+'.new', passwordFile)

def authorize(baseDir: str,path: str,authHeader: str,debug: bool) -> bool:
    """Authorize using http header
    """
    if authHeader.lower().startswith('basic '):
        return authorizeBasic(baseDir,path,authHeader,debug)
    return False

def createPassword(length=10):
    validChars='abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'
    return ''.join((random.choice(validChars) for i in range(length)))
Tests for basic authentication 2019-07-03 18:24:44 +00:00			`__filename__ = "auth.py"`
			`__author__ = "Bob Mottram"`
			`__license__ = "AGPL3+"`
			`__version__ = "0.0.1"`
			`__maintainer__ = "Bob Mottram"`
			`__email__ = "bob@freedombone.net"`
			`__status__ = "Production"`

			`import base64`
			`import hashlib`
			`import binascii`
			`import os`
			`import shutil`
Create shared inbox on start of daemon 2019-07-05 11:27:18 +00:00			`import random`
Tests for basic authentication 2019-07-03 18:24:44 +00:00
			`def hashPassword(password: str) -> str:`
			`"""Hash a password for storing`
			`"""`
			`salt = hashlib.sha256(os.urandom(60)).hexdigest().encode('ascii')`
			`pwdhash = hashlib.pbkdf2_hmac('sha512', password.encode('utf-8'), salt, 100000)`
			`pwdhash = binascii.hexlify(pwdhash)`
			`return (salt + pwdhash).decode('ascii')`

			`def verifyPassword(storedPassword: str,providedPassword: str) -> bool:`
			`"""Verify a stored password against one provided by user`
			`"""`
			`salt = storedPassword[:64]`
			`storedPassword = storedPassword[64:]`
			`pwdhash = hashlib.pbkdf2_hmac('sha512', \`
			`providedPassword.encode('utf-8'), \`
			`salt.encode('ascii'), \`
			`100000)`
			`pwdhash = binascii.hexlify(pwdhash).decode('ascii')`
			`return pwdhash == storedPassword`

			`def createBasicAuthHeader(nickname: str,password: str) -> str:`
			`"""This is only used by tests`
			`"""`
			`authStr=nickname.replace('\n','')+':'+password.replace('\n','')`
Consistent utf string 2019-07-03 19:15:42 +00:00			`return 'Basic '+base64.b64encode(authStr.encode('utf-8')).decode('utf-8')`
Tests for basic authentication 2019-07-03 18:24:44 +00:00
Authentication debug 2019-07-04 08:56:15 +00:00			`def authorizeBasic(baseDir: str,path: str,authHeader: str,debug: bool) -> bool:`
Tests for basic authentication 2019-07-03 18:24:44 +00:00			`"""HTTP basic auth`
			`"""`
			`if ' ' not in authHeader:`
Authentication debug 2019-07-04 08:56:15 +00:00			`if debug:`
			`print('DEBUG: Authorixation header does not contain a space character')`
Tests for basic authentication 2019-07-03 18:24:44 +00:00			`return False`
Authentication debug 2019-07-04 08:56:15 +00:00			`if '/users/' not in path:`
			`if debug:`
			`print('DEBUG: Path for Authorization does not contain a user')`
			`return False`
			`pathUsersSection=path.split('/users/')[1]`
			`if '/' not in pathUsersSection:`
			`if debug:`
			`print('DEBUG: This is not a users endpoint')`
			`return False`
			`nicknameFromPath=pathUsersSection.split('/')[0]`
newline replace 2019-07-03 18:28:43 +00:00			`base64Str = authHeader.split(' ')[1].replace('\n','')`
Consistent utf string 2019-07-03 19:15:42 +00:00			`plain = base64.b64decode(base64Str).decode('utf-8')`
Tests for basic authentication 2019-07-03 18:24:44 +00:00			`if ':' not in plain:`
Authentication debug 2019-07-04 08:56:15 +00:00			`if debug:`
			`print('DEBUG: Basic Auth header does not contain a ":" separator for username:password')`
Tests for basic authentication 2019-07-03 18:24:44 +00:00			`return False`
			`nickname = plain.split(':')[0]`
Authentication debug 2019-07-04 08:56:15 +00:00			`if nickname!=nicknameFromPath:`
			`if debug:`
Reduce some line lengths 2019-07-06 17:00:22 +00:00			`print('DEBUG: Nickname given in the path ('+nicknameFromPath+ \`
			`') does not match the one in the Authorization header ('+ \`
			`nickname+')')`
Authentication debug 2019-07-04 08:56:15 +00:00			`return False`
Tests for basic authentication 2019-07-03 18:24:44 +00:00			`passwordFile=baseDir+'/accounts/passwords'`
			`if not os.path.isfile(passwordFile):`
Authentication debug 2019-07-04 08:56:15 +00:00			`if debug:`
			`print('DEBUG: passwords file missing')`
Tests for basic authentication 2019-07-03 18:24:44 +00:00			`return False`
			`providedPassword = plain.split(':')[1]`
			`passfile = open(passwordFile, "r")`
			`for line in passfile:`
			`if line.startswith(nickname+':'):`
			`storedPassword=line.split(':')[1].replace('\n','')`
Authentication debug 2019-07-04 08:56:15 +00:00			`success = verifyPassword(storedPassword,providedPassword)`
			`if not success:`
			`if debug:`
			`print('DEBUG: Password check failed for '+nickname)`
			`return success`
			`print('DEBUG: Did not find credentials for '+nickname+' in '+passwordFile)`
Tests for basic authentication 2019-07-03 18:24:44 +00:00			`return False`

			`def storeBasicCredentials(baseDir: str,nickname: str,password: str) -> bool:`
Comments 2019-07-05 09:51:58 +00:00			`"""Stores login credentials to a file`
			`"""`
Tests for basic authentication 2019-07-03 18:24:44 +00:00			`if ':' in nickname or ':' in password:`
			`return False`
			`nickname=nickname.replace('\n','').strip()`
			`password=password.replace('\n','').strip()`

			`if not os.path.isdir(baseDir+'/accounts'):`
			`os.mkdir(baseDir+'/accounts')`

			`passwordFile=baseDir+'/accounts/passwords'`
			`storeStr=nickname+':'+hashPassword(password)`
			`if os.path.isfile(passwordFile):`
			`if nickname+':' in open(passwordFile).read():`
			`with open(passwordFile, "r") as fin:`
			`with open(passwordFile+'.new', "w") as fout:`
			`for line in fin:`
			`if not line.startswith(nickname+':'):`
			`fout.write(line)`
			`else:`
			`fout.write(storeStr+'\n')`
			`os.rename(passwordFile+'.new', passwordFile)`
			`else:`
			`# append to password file`
			`with open(passwordFile, "a") as passfile:`
			`passfile.write(storeStr+'\n')`
			`else:`
			`with open(passwordFile, "w") as passfile:`
			`passfile.write(storeStr+'\n')`
			`return True`

Convert password removal to function 2019-07-05 09:49:57 +00:00			`def removePassword(baseDir: str,nickname: str) -> None:`
Comments 2019-07-05 09:51:58 +00:00			`"""Removes the password entry for the given nickname`
			`This is called during account removal`
			`"""`
Convert password removal to function 2019-07-05 09:49:57 +00:00			`passwordFile=baseDir+'/accounts/passwords'`
			`if os.path.isfile(passwordFile):`
			`with open(passwordFile, "r") as fin:`
			`with open(passwordFile+'.new', "w") as fout:`
			`for line in fin:`
			`if not line.startswith(nickname+':'):`
			`fout.write(line)`
			`os.rename(passwordFile+'.new', passwordFile)`

Authentication debug 2019-07-04 08:56:15 +00:00			`def authorize(baseDir: str,path: str,authHeader: str,debug: bool) -> bool:`
Comments 2019-07-05 09:51:58 +00:00			`"""Authorize using http header`
			`"""`
Tests for basic authentication 2019-07-03 18:24:44 +00:00			`if authHeader.lower().startswith('basic '):`
Authentication debug 2019-07-04 08:56:15 +00:00			`return authorizeBasic(baseDir,path,authHeader,debug)`
Tests for basic authentication 2019-07-03 18:24:44 +00:00			`return False`
Create shared inbox on start of daemon 2019-07-05 11:27:18 +00:00
			`def createPassword(length=10):`
			`validChars='abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'`
			`return ''.join((random.choice(validChars) for i in range(length)))`