epicyon/auth.py

__filename__ = "auth.py"
__author__ = "Bob Mottram"
__license__ = "AGPL3+"
__version__ = "1.1.0"
__maintainer__ = "Bob Mottram"
__email__ = "bob@freedombone.net"
__status__ = "Production"

import base64
import hashlib
import binascii
import os
import secrets
from utils import isSystemAccount
from utils import hasUsersPath


def _hashPassword(password: str) -> str:
    """Hash a password for storing
    """
    salt = hashlib.sha256(os.urandom(60)).hexdigest().encode('ascii')
    pwdhash = hashlib.pbkdf2_hmac('sha512',
                                  password.encode('utf-8'),
                                  salt, 100000)
    pwdhash = binascii.hexlify(pwdhash)
    return (salt + pwdhash).decode('ascii')


def _getPasswordHash(salt: str, providedPassword: str) -> str:
    """Returns the hash of a password
    """
    pwdhash = hashlib.pbkdf2_hmac('sha512',
                                  providedPassword.encode('utf-8'),
                                  salt.encode('ascii'),
                                  100000)
    return binascii.hexlify(pwdhash).decode('ascii')


def constantTimeStringCheck(string1: str, string2: str) -> bool:
    """Compares two string and returns if they are the same
    using a constant amount of time
    See https://sqreen.github.io/DevelopersSecurityBestPractices/
    timing-attack/python
    """
    # strings must be of equal length
    if len(string1) != len(string2):
        return False
    ctr = 0
    matched = True
    for ch in string1:
        if ch != string2[ctr]:
            matched = False
        else:
            # this is to make the timing more even
            # and not provide clues
            matched = matched
        ctr += 1
    return matched


def _verifyPassword(storedPassword: str, providedPassword: str) -> bool:
    """Verify a stored password against one provided by user
    """
    if not storedPassword:
        return False
    if not providedPassword:
        return False
    salt = storedPassword[:64]
    storedPassword = storedPassword[64:]
    pwHash = _getPasswordHash(salt, providedPassword)
    return constantTimeStringCheck(pwHash, storedPassword)


def createBasicAuthHeader(nickname: str, password: str) -> str:
    """This is only used by tests
    """
    authStr = \
        nickname.replace('\n', '').replace('\r', '') + \
        ':' + \
        password.replace('\n', '').replace('\r', '')
    return 'Basic ' + base64.b64encode(authStr.encode('utf-8')).decode('utf-8')


def authorizeBasic(baseDir: str, path: str, authHeader: str,
                   debug: bool) -> bool:
    """HTTP basic auth
    """
    if ' ' not in authHeader:
        if debug:
            print('DEBUG: basic auth - Authorixation header does not ' +
                  'contain a space character')
        return False
    if not hasUsersPath(path):
        if debug:
            print('DEBUG: basic auth - ' +
                  'path for Authorization does not contain a user')
        return False
    pathUsersSection = path.split('/users/')[1]
    if '/' not in pathUsersSection:
        if debug:
            print('DEBUG: basic auth - this is not a users endpoint')
        return False
    nicknameFromPath = pathUsersSection.split('/')[0]
    if isSystemAccount(nicknameFromPath):
        print('basic auth - attempted login using system account ' +
              nicknameFromPath + ' in path')
        return False
    base64Str = \
        authHeader.split(' ')[1].replace('\n', '').replace('\r', '')
    plain = base64.b64decode(base64Str).decode('utf-8')
    if ':' not in plain:
        if debug:
            print('DEBUG: basic auth header does not contain a ":" ' +
                  'separator for username:password')
        return False
    nickname = plain.split(':')[0]
    if isSystemAccount(nickname):
        print('basic auth - attempted login using system account ' + nickname +
              ' in Auth header')
        return False
    if nickname != nicknameFromPath:
        if debug:
            print('DEBUG: Nickname given in the path (' + nicknameFromPath +
                  ') does not match the one in the Authorization header (' +
                  nickname + ')')
        return False
    passwordFile = baseDir+'/accounts/passwords'
    if not os.path.isfile(passwordFile):
        if debug:
            print('DEBUG: passwords file missing')
        return False
    providedPassword = plain.split(':')[1]
    passfile = open(passwordFile, "r")
    for line in passfile:
        if line.startswith(nickname+':'):
            storedPassword = \
                line.split(':')[1].replace('\n', '').replace('\r', '')
            success = _verifyPassword(storedPassword, providedPassword)
            if not success:
                if debug:
                    print('DEBUG: Password check failed for ' + nickname)
            return success
    print('DEBUG: Did not find credentials for ' + nickname +
          ' in ' + passwordFile)
    return False


def storeBasicCredentials(baseDir: str, nickname: str, password: str) -> bool:
    """Stores login credentials to a file
    """
    if ':' in nickname or ':' in password:
        return False
    nickname = nickname.replace('\n', '').replace('\r', '').strip()
    password = password.replace('\n', '').replace('\r', '').strip()

    if not os.path.isdir(baseDir + '/accounts'):
        os.mkdir(baseDir + '/accounts')

    passwordFile = baseDir + '/accounts/passwords'
    storeStr = nickname + ':' + _hashPassword(password)
    if os.path.isfile(passwordFile):
        if nickname + ':' in open(passwordFile).read():
            with open(passwordFile, "r") as fin:
                with open(passwordFile + '.new', 'w+') as fout:
                    for line in fin:
                        if not line.startswith(nickname + ':'):
                            fout.write(line)
                        else:
                            fout.write(storeStr + '\n')
            os.rename(passwordFile + '.new', passwordFile)
        else:
            # append to password file
            with open(passwordFile, 'a+') as passfile:
                passfile.write(storeStr + '\n')
    else:
        with open(passwordFile, 'w+') as passfile:
            passfile.write(storeStr + '\n')
    return True


def removePassword(baseDir: str, nickname: str) -> None:
    """Removes the password entry for the given nickname
    This is called during account removal
    """
    passwordFile = baseDir + '/accounts/passwords'
    if os.path.isfile(passwordFile):
        with open(passwordFile, "r") as fin:
            with open(passwordFile + '.new', 'w+') as fout:
                for line in fin:
                    if not line.startswith(nickname + ':'):
                        fout.write(line)
        os.rename(passwordFile + '.new', passwordFile)


def authorize(baseDir: str, path: str, authHeader: str, debug: bool) -> bool:
    """Authorize using http header
    """
    if authHeader.lower().startswith('basic '):
        return authorizeBasic(baseDir, path, authHeader, debug)
    return False


def createPassword(length=10):
    validChars = 'abcdefghijklmnopqrstuvwxyz' + \
        'ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'
    return ''.join((secrets.choice(validChars) for i in range(length)))
flake8 style 2020-04-01 19:29:56 +00:00			`__filename__ = "auth.py"`
			`__author__ = "Bob Mottram"`
			`__license__ = "AGPL3+"`
			`__version__ = "1.1.0"`
			`__maintainer__ = "Bob Mottram"`
			`__email__ = "bob@freedombone.net"`
			`__status__ = "Production"`
Tests for basic authentication 2019-07-03 18:24:44 +00:00
			`import base64`
			`import hashlib`
			`import binascii`
			`import os`
Avoid providing password hash match timing clues 2020-09-03 18:13:29 +00:00			`import secrets`
Check for system account logins via c2s 2020-11-23 09:51:26 +00:00			`from utils import isSystemAccount`
Tidying of users path detection 2020-12-23 10:57:44 +00:00			`from utils import hasUsersPath`
Tests for basic authentication 2019-07-03 18:24:44 +00:00
flake8 style 2020-04-01 19:29:56 +00:00
Enforce convention of underscore before local function names 2020-12-22 18:06:23 +00:00			`def _hashPassword(password: str) -> str:`
Tests for basic authentication 2019-07-03 18:24:44 +00:00			`"""Hash a password for storing`
			`"""`
flake8 style 2020-04-01 19:29:56 +00:00			`salt = hashlib.sha256(os.urandom(60)).hexdigest().encode('ascii')`
			`pwdhash = hashlib.pbkdf2_hmac('sha512',`
			`password.encode('utf-8'),`
			`salt, 100000)`
			`pwdhash = binascii.hexlify(pwdhash)`
			`return (salt + pwdhash).decode('ascii')`


Enforce convention of underscore before local function names 2020-12-22 18:06:23 +00:00			`def _getPasswordHash(salt: str, providedPassword: str) -> str:`
Constant time password hash match 2020-09-03 18:07:02 +00:00			`"""Returns the hash of a password`
Tests for basic authentication 2019-07-03 18:24:44 +00:00			`"""`
flake8 style 2020-04-01 19:29:56 +00:00			`pwdhash = hashlib.pbkdf2_hmac('sha512',`
			`providedPassword.encode('utf-8'),`
			`salt.encode('ascii'),`
			`100000)`
Constant time password hash match 2020-09-03 18:07:02 +00:00			`return binascii.hexlify(pwdhash).decode('ascii')`

Avoid providing password hash match timing clues 2020-09-03 18:13:29 +00:00
Unit test for constant time string check 2020-09-03 18:48:32 +00:00			`def constantTimeStringCheck(string1: str, string2: str) -> bool:`
			`"""Compares two string and returns if they are the same`
			`using a constant amount of time`
			`See https://sqreen.github.io/DevelopersSecurityBestPractices/`
			`timing-attack/python`
Constant time password hash match 2020-09-03 18:07:02 +00:00			`"""`
Unit test for constant time string check 2020-09-03 18:48:32 +00:00			`# strings must be of equal length`
			`if len(string1) != len(string2):`
Constant time password hash match 2020-09-03 18:07:02 +00:00			`return False`
			`ctr = 0`
			`matched = True`
Unit test for constant time string check 2020-09-03 18:48:32 +00:00			`for ch in string1:`
			`if ch != string2[ctr]:`
Constant time password hash match 2020-09-03 18:07:02 +00:00			`matched = False`
Avoid providing password hash match timing clues 2020-09-03 18:13:29 +00:00			`else:`
			`# this is to make the timing more even`
			`# and not provide clues`
			`matched = matched`
Constant time password hash match 2020-09-03 18:07:02 +00:00			`ctr += 1`
			`return matched`
flake8 style 2020-04-01 19:29:56 +00:00

Enforce convention of underscore before local function names 2020-12-22 18:06:23 +00:00			`def _verifyPassword(storedPassword: str, providedPassword: str) -> bool:`
Unit test for constant time string check 2020-09-03 18:48:32 +00:00			`"""Verify a stored password against one provided by user`
			`"""`
			`if not storedPassword:`
			`return False`
			`if not providedPassword:`
			`return False`
			`salt = storedPassword[:64]`
			`storedPassword = storedPassword[64:]`
Enforce convention of underscore before local function names 2020-12-22 18:06:23 +00:00			`pwHash = _getPasswordHash(salt, providedPassword)`
Unit test for constant time string check 2020-09-03 18:48:32 +00:00			`return constantTimeStringCheck(pwHash, storedPassword)`


flake8 style 2020-04-01 19:29:56 +00:00			`def createBasicAuthHeader(nickname: str, password: str) -> str:`
Tests for basic authentication 2019-07-03 18:24:44 +00:00			`"""This is only used by tests`
			`"""`
Remove carriage returns 2020-05-22 11:32:38 +00:00			`authStr = \`
			`nickname.replace('\n', '').replace('\r', '') + \`
			`':' + \`
			`password.replace('\n', '').replace('\r', '')`
flake8 style 2020-04-01 19:29:56 +00:00			`return 'Basic ' + base64.b64encode(authStr.encode('utf-8')).decode('utf-8')`
Tests for basic authentication 2019-07-03 18:24:44 +00:00
flake8 style 2020-04-01 19:29:56 +00:00
			`def authorizeBasic(baseDir: str, path: str, authHeader: str,`
			`debug: bool) -> bool:`
Tests for basic authentication 2019-07-03 18:24:44 +00:00			`"""HTTP basic auth`
			`"""`
			`if ' ' not in authHeader:`
Authentication debug 2019-07-04 08:56:15 +00:00			`if debug:`
Check for system account logins via c2s 2020-11-23 09:51:26 +00:00			`print('DEBUG: basic auth - Authorixation header does not ' +`
Tidying 2020-03-30 19:09:45 +00:00			`'contain a space character')`
Tests for basic authentication 2019-07-03 18:24:44 +00:00			`return False`
Tidying of users path detection 2020-12-23 10:57:44 +00:00			`if not hasUsersPath(path):`
Authentication debug 2019-07-04 08:56:15 +00:00			`if debug:`
Check for system account logins via c2s 2020-11-23 09:51:26 +00:00			`print('DEBUG: basic auth - ' +`
			`'path for Authorization does not contain a user')`
Authentication debug 2019-07-04 08:56:15 +00:00			`return False`
flake8 style 2020-04-01 19:29:56 +00:00			`pathUsersSection = path.split('/users/')[1]`
Authentication debug 2019-07-04 08:56:15 +00:00			`if '/' not in pathUsersSection:`
			`if debug:`
Check for system account logins via c2s 2020-11-23 09:51:26 +00:00			`print('DEBUG: basic auth - this is not a users endpoint')`
Authentication debug 2019-07-04 08:56:15 +00:00			`return False`
flake8 style 2020-04-01 19:29:56 +00:00			`nicknameFromPath = pathUsersSection.split('/')[0]`
Check for system account logins via c2s 2020-11-23 09:51:26 +00:00			`if isSystemAccount(nicknameFromPath):`
			`print('basic auth - attempted login using system account ' +`
			`nicknameFromPath + ' in path')`
			`return False`
Remove carriage returns 2020-05-22 11:32:38 +00:00			`base64Str = \`
			`authHeader.split(' ')[1].replace('\n', '').replace('\r', '')`
flake8 style 2020-04-01 19:29:56 +00:00			`plain = base64.b64decode(base64Str).decode('utf-8')`
Tests for basic authentication 2019-07-03 18:24:44 +00:00			`if ':' not in plain:`
Authentication debug 2019-07-04 08:56:15 +00:00			`if debug:`
Lower case 2020-11-23 10:18:52 +00:00			`print('DEBUG: basic auth header does not contain a ":" ' +`
Tidying 2020-03-30 19:09:45 +00:00			`'separator for username:password')`
Tests for basic authentication 2019-07-03 18:24:44 +00:00			`return False`
flake8 style 2020-04-01 19:29:56 +00:00			`nickname = plain.split(':')[0]`
Check for system account logins via c2s 2020-11-23 09:51:26 +00:00			`if isSystemAccount(nickname):`
			`print('basic auth - attempted login using system account ' + nickname +`
			`' in Auth header')`
			`return False`
flake8 style 2020-04-01 19:29:56 +00:00			`if nickname != nicknameFromPath:`
Authentication debug 2019-07-04 08:56:15 +00:00			`if debug:`
flake8 style 2020-04-01 19:29:56 +00:00			`print('DEBUG: Nickname given in the path (' + nicknameFromPath +`
			`') does not match the one in the Authorization header (' +`
			`nickname + ')')`
Authentication debug 2019-07-04 08:56:15 +00:00			`return False`
flake8 style 2020-04-01 19:29:56 +00:00			`passwordFile = baseDir+'/accounts/passwords'`
Tests for basic authentication 2019-07-03 18:24:44 +00:00			`if not os.path.isfile(passwordFile):`
Authentication debug 2019-07-04 08:56:15 +00:00			`if debug:`
			`print('DEBUG: passwords file missing')`
Tests for basic authentication 2019-07-03 18:24:44 +00:00			`return False`
flake8 style 2020-04-01 19:29:56 +00:00			`providedPassword = plain.split(':')[1]`
			`passfile = open(passwordFile, "r")`
Tests for basic authentication 2019-07-03 18:24:44 +00:00			`for line in passfile:`
			`if line.startswith(nickname+':'):`
Remove carriage returns 2020-05-22 11:32:38 +00:00			`storedPassword = \`
			`line.split(':')[1].replace('\n', '').replace('\r', '')`
Enforce convention of underscore before local function names 2020-12-22 18:06:23 +00:00			`success = _verifyPassword(storedPassword, providedPassword)`
Authentication debug 2019-07-04 08:56:15 +00:00			`if not success:`
			`if debug:`
flake8 style 2020-04-01 19:29:56 +00:00			`print('DEBUG: Password check failed for ' + nickname)`
Authentication debug 2019-07-04 08:56:15 +00:00			`return success`
flake8 style 2020-04-01 19:29:56 +00:00			`print('DEBUG: Did not find credentials for ' + nickname +`
			`' in ' + passwordFile)`
Tests for basic authentication 2019-07-03 18:24:44 +00:00			`return False`

flake8 style 2020-04-01 19:29:56 +00:00
			`def storeBasicCredentials(baseDir: str, nickname: str, password: str) -> bool:`
Comments 2019-07-05 09:51:58 +00:00			`"""Stores login credentials to a file`
			`"""`
Tests for basic authentication 2019-07-03 18:24:44 +00:00			`if ':' in nickname or ':' in password:`
			`return False`
Remove carriage returns 2020-05-22 11:32:38 +00:00			`nickname = nickname.replace('\n', '').replace('\r', '').strip()`
			`password = password.replace('\n', '').replace('\r', '').strip()`
Tests for basic authentication 2019-07-03 18:24:44 +00:00
flake8 style 2020-04-01 19:29:56 +00:00			`if not os.path.isdir(baseDir + '/accounts'):`
			`os.mkdir(baseDir + '/accounts')`
Tests for basic authentication 2019-07-03 18:24:44 +00:00
flake8 style 2020-04-01 19:29:56 +00:00			`passwordFile = baseDir + '/accounts/passwords'`
Enforce convention of underscore before local function names 2020-12-22 18:06:23 +00:00			`storeStr = nickname + ':' + _hashPassword(password)`
Tests for basic authentication 2019-07-03 18:24:44 +00:00			`if os.path.isfile(passwordFile):`
flake8 style 2020-04-01 19:29:56 +00:00			`if nickname + ':' in open(passwordFile).read():`
Tests for basic authentication 2019-07-03 18:24:44 +00:00			`with open(passwordFile, "r") as fin:`
Directories must be created first 2020-08-29 11:14:19 +00:00			`with open(passwordFile + '.new', 'w+') as fout:`
Tests for basic authentication 2019-07-03 18:24:44 +00:00			`for line in fin:`
flake8 style 2020-04-01 19:29:56 +00:00			`if not line.startswith(nickname + ':'):`
Tests for basic authentication 2019-07-03 18:24:44 +00:00			`fout.write(line)`
			`else:`
flake8 style 2020-04-01 19:29:56 +00:00			`fout.write(storeStr + '\n')`
			`os.rename(passwordFile + '.new', passwordFile)`
Tests for basic authentication 2019-07-03 18:24:44 +00:00			`else:`
			`# append to password file`
Consistent append 2020-08-20 11:34:39 +00:00			`with open(passwordFile, 'a+') as passfile:`
flake8 style 2020-04-01 19:29:56 +00:00			`passfile.write(storeStr + '\n')`
Tests for basic authentication 2019-07-03 18:24:44 +00:00			`else:`
Directories must be created first 2020-08-29 11:14:19 +00:00			`with open(passwordFile, 'w+') as passfile:`
flake8 style 2020-04-01 19:29:56 +00:00			`passfile.write(storeStr + '\n')`
Tests for basic authentication 2019-07-03 18:24:44 +00:00			`return True`

flake8 style 2020-04-01 19:29:56 +00:00
			`def removePassword(baseDir: str, nickname: str) -> None:`
Comments 2019-07-05 09:51:58 +00:00			`"""Removes the password entry for the given nickname`
			`This is called during account removal`
			`"""`
flake8 style 2020-04-01 19:29:56 +00:00			`passwordFile = baseDir + '/accounts/passwords'`
Convert password removal to function 2019-07-05 09:49:57 +00:00			`if os.path.isfile(passwordFile):`
			`with open(passwordFile, "r") as fin:`
Directories must be created first 2020-08-29 11:14:19 +00:00			`with open(passwordFile + '.new', 'w+') as fout:`
Convert password removal to function 2019-07-05 09:49:57 +00:00			`for line in fin:`
flake8 style 2020-04-01 19:29:56 +00:00			`if not line.startswith(nickname + ':'):`
Convert password removal to function 2019-07-05 09:49:57 +00:00			`fout.write(line)`
flake8 style 2020-04-01 19:29:56 +00:00			`os.rename(passwordFile + '.new', passwordFile)`
Convert password removal to function 2019-07-05 09:49:57 +00:00
flake8 style 2020-04-01 19:29:56 +00:00
			`def authorize(baseDir: str, path: str, authHeader: str, debug: bool) -> bool:`
Comments 2019-07-05 09:51:58 +00:00			`"""Authorize using http header`
			`"""`
Tests for basic authentication 2019-07-03 18:24:44 +00:00			`if authHeader.lower().startswith('basic '):`
flake8 style 2020-04-01 19:29:56 +00:00			`return authorizeBasic(baseDir, path, authHeader, debug)`
Tests for basic authentication 2019-07-03 18:24:44 +00:00			`return False`
Create shared inbox on start of daemon 2019-07-05 11:27:18 +00:00
flake8 style 2020-04-01 19:29:56 +00:00
Create shared inbox on start of daemon 2019-07-05 11:27:18 +00:00			`def createPassword(length=10):`
flake8 style 2020-04-01 19:29:56 +00:00			`validChars = 'abcdefghijklmnopqrstuvwxyz' + \`
			`'ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'`
Use secrets for password generation 2020-07-08 15:09:27 +00:00			`return ''.join((secrets.choice(validChars) for i in range(length)))`