From 698ae42c9db87e68fd721913930ceb63c6b3a18e Mon Sep 17 00:00:00 2001
From: Alexandre Iooss
Date: Tue, 11 Feb 2020 21:17:41 +0100
Subject: [PATCH] Drop old login algorithm
---
 med/login.py | 84 ------------------------------------------------
 med/settings.py | 8 -----
 2 files changed, 92 deletions(-)
 delete mode 100644 med/login.py
diff --git a/med/login.py b/med/login.py
deleted file mode 100644
index f4acacd..0000000
--- a/med/login.py
+++ /dev/null
@@ -1,84 +0,0 @@
-# -*- mode: python; coding: utf-8 -*-
-# Copyright (C) 2017-2019 by BDE ENS Paris-Saclay
-# SPDX-License-Identifier: GPL-3.0-or-later
-
-
-import binascii
-import hashlib
-import os
-from base64 import decodestring
-from base64 import encodestring
-from collections import OrderedDict
-
-from django.contrib.auth import hashers
-
-ALGO_NAME = "{SSHA}"
-ALGO_LEN = len(ALGO_NAME + "$")
-DIGEST_LEN = 20
-
-
-def make_secret(password):
- salt = os.urandom(4)
- h = hashlib.sha1(password.encode())
- h.update(salt)
- return ALGO_NAME + "$" + encodestring(h.digest() + salt).decode()[:-1]
-
-
-def check_password(challenge_password, password):
- challenge_bytes = decodestring(challenge_password[ALGO_LEN:].encode())
- digest = challenge_bytes[:DIGEST_LEN]
- salt = challenge_bytes[DIGEST_LEN:]
- hr = hashlib.sha1(password.encode())
- hr.update(salt)
- valid_password = True
- # La comparaison est volontairement en temps constant
- # (pour éviter les timing-attacks)
- for i, j in zip(digest, hr.digest()):
- valid_password &= i == j
- return valid_password
-
-
-class SSHAPasswordHasher(hashers.BasePasswordHasher):
- """
- SSHA password hashing to allow for LDAP auth compatibility
- """
-
- algorithm = ALGO_NAME
-
- def encode(self, password, salt, iterations=None):
- """
- Hash and salt the given password using SSHA algorithm
-
- salt is overridden
- """
- assert password is not None
- return make_secret(password)
-
- def verify(self, password, encoded):
- """
- Check password against encoded using SSHA algorithm
- """
- assert encoded.startswith(self.algorithm)
- return check_password(encoded, password)
-
- def safe_summary(self, encoded):
- """
- Provides a safe summary ofthe password
- """
- assert encoded.startswith(self.algorithm)
- hash = encoded[ALGO_LEN:]
- hash = binascii.hexlify(decodestring(hash.encode())).decode()
- return OrderedDict([
- ('algorithm', self.algorithm),
- ('iterations', 0),
- ('salt', hashers.mask_hash(hash[2 * DIGEST_LEN:], show=2)),
- ('hash', hashers.mask_hash(hash[:2 * DIGEST_LEN])),
- ])
-
- def harden_runtime(self, password, encoded):
- """
- Method implemented to shut up BasePasswordHasher warning
-
- As we are not using multiple iterations the method is pretty useless
- """
- pass
diff --git a/med/settings.py b/med/settings.py
index 3f24651..b9b08cd 100644
--- a/med/settings.py
+++ b/med/settings.py
@@ -162,14 +162,6 @@ REST_FRAMEWORK = {
 # Med configuration
 PAGINATION_NUMBER = 25
-PASSWORD_HASHERS = [
- 'django.contrib.auth.hashers.PBKDF2PasswordHasher',
- 'django.contrib.auth.hashers.PBKDF2SHA1PasswordHasher',
- 'django.contrib.auth.hashers.Argon2PasswordHasher',
- 'django.contrib.auth.hashers.BCryptSHA256PasswordHasher',
- 'med.login.SSHAPasswordHasher',
-]
-
 AUTH_USER_MODEL = 'users.User'
 MAX_EMPRUNT = 5 # Max emprunts