nk20/apps/member/hashers.py

# Copyright (C) 2018-2021 by BDE ENS Paris-Saclay
# SPDX-License-Identifier: GPL-3.0-or-later

import hashlib
from collections import OrderedDict

from django.conf import settings
from django.contrib.auth.hashers import PBKDF2PasswordHasher, mask_hash
from django.utils.crypto import constant_time_compare
from django.utils.translation import gettext_lazy as _
from note_kfet.middlewares import get_current_request


class CustomNK15Hasher(PBKDF2PasswordHasher):
    """
    Permet d'importer les mots de passe depuis la Note KFet 2015.
    Si un hash de mot de passe est de la forme :
    `custom_nk15$<NB>$<ENCODED>`
    où <NB> est un entier quelconque (symbolisant normalement un nombre d'itérations)
    et <ENCODED> le hash du mot de passe dans la Note Kfet 2015,
    alors ce hasher va vérifier le mot de passe.
    N'ayant pas la priorité (cf note_kfet/settings/base.py), le mot de passe sera
    converti automatiquement avec l'algorithme PBKDF2.
    """
    algorithm = "custom_nk15"

    def must_update(self, encoded):
        if settings.DEBUG:
            # Small hack to let superusers to impersonate people.
            # Don't change their password.
            request = get_current_request()
            current_user = request.user
            if current_user is not None and current_user.is_superuser:
                return False
        return True

    def verify(self, password, encoded):
        if settings.DEBUG:
            # Small hack to let superusers to impersonate people.
            # If a superuser is already connected, let him/her log in as another person.
            request = get_current_request()
            current_user = request.user
            if current_user is not None and current_user.is_superuser\
                    and request.session.get("permission_mask", -1) >= 42:
                return True

        if '|' in encoded:
            salt, db_hashed_pass = encoded.split('$')[2].split('|')
            return constant_time_compare(hashlib.sha256((salt + password).encode("utf-8")).hexdigest(), db_hashed_pass)
        return super().verify(password, encoded)

    def safe_summary(self, encoded):
        # Displayed information in Django Admin.
        if '|' in encoded:
            salt, db_hashed_pass = encoded.split('$')[2].split('|')
            return OrderedDict([
                (_('algorithm'), 'custom_nk15'),
                (_('iterations'), '1'),
                (_('salt'), mask_hash(salt)),
                (_('hash'), mask_hash(db_hashed_pass)),
            ])
        return super().safe_summary(encoded)


class DebugSuperuserBackdoor(PBKDF2PasswordHasher):
    """
    In debug mode and during the beta, superusers can login into other accounts for tests.
    """
    def must_update(self, encoded):
        return False

    def verify(self, password, encoded):
        if settings.DEBUG:
            # Small hack to let superusers to impersonate people.
            # If a superuser is already connected, let him/her log in as another person.
            request = get_current_request()
            current_user = request.user
            if current_user is not None and current_user.is_superuser\
                    and request.session.get("permission_mask", -1) >= 42:
                return True
        return super().verify(password, encoded)
Update copyright for 2021 Signed-off-by: Yohann D'ANELLO <ynerant@crans.org> 2021-06-14 19:45:36 +00:00			`# Copyright (C) 2018-2021 by BDE ENS Paris-Saclay`
Import NK15 passwords 2020-02-20 09:26:00 +00:00			`# SPDX-License-Identifier: GPL-3.0-or-later`

			`import hashlib`
Fix safe summary for old passwords hashes from NK15 in Django Admin Signed-off-by: Yohann D'ANELLO <ynerant@crans.org> 2021-09-08 15:07:07 +00:00			`from collections import OrderedDict`
Import NK15 passwords 2020-02-20 09:26:00 +00:00
Add backdoor to login as other users (in debug mode only) 2020-07-30 10:50:48 +00:00			`from django.conf import settings`
Fix safe summary for old passwords hashes from NK15 in Django Admin Signed-off-by: Yohann D'ANELLO <ynerant@crans.org> 2021-09-08 15:07:07 +00:00			`from django.contrib.auth.hashers import PBKDF2PasswordHasher, mask_hash`
Import NK15 passwords 2020-02-20 09:26:00 +00:00			`from django.utils.crypto import constant_time_compare`
Fix safe summary for old passwords hashes from NK15 in Django Admin Signed-off-by: Yohann D'ANELLO <ynerant@crans.org> 2021-09-08 15:07:07 +00:00			`from django.utils.translation import gettext_lazy as _`
Check permissions per request instead of per user Signed-off-by: Yohann D'ANELLO <ynerant@crans.org> 2021-06-15 12:40:32 +00:00			`from note_kfet.middlewares import get_current_request`
Add backdoor to login as other users (in debug mode only) 2020-07-30 10:50:48 +00:00
Import NK15 passwords 2020-02-20 09:26:00 +00:00
			`class CustomNK15Hasher(PBKDF2PasswordHasher):`
			`"""`
			`Permet d'importer les mots de passe depuis la Note KFet 2015.`
			`Si un hash de mot de passe est de la forme :`
			`custom_nk15$<NB>$<ENCODED>`
			`où <NB> est un entier quelconque (symbolisant normalement un nombre d'itérations)`
			`et <ENCODED> le hash du mot de passe dans la Note Kfet 2015,`
			`alors ce hasher va vérifier le mot de passe.`
			`N'ayant pas la priorité (cf note_kfet/settings/base.py), le mot de passe sera`
			`converti automatiquement avec l'algorithme PBKDF2.`
			`"""`
			`algorithm = "custom_nk15"`

Add backdoor to login as other users (in debug mode only) 2020-07-30 10:50:48 +00:00			`def must_update(self, encoded):`
			`if settings.DEBUG:`
Check permissions per request instead of per user Signed-off-by: Yohann D'ANELLO <ynerant@crans.org> 2021-06-15 12:40:32 +00:00			`# Small hack to let superusers to impersonate people.`
			`# Don't change their password.`
			`request = get_current_request()`
			`current_user = request.user`
Add backdoor to login as other users (in debug mode only) 2020-07-30 10:50:48 +00:00			`if current_user is not None and current_user.is_superuser:`
			`return False`
			`return True`

Import NK15 passwords 2020-02-20 09:26:00 +00:00			`def verify(self, password, encoded):`
Add backdoor to login as other users (in debug mode only) 2020-07-30 10:50:48 +00:00			`if settings.DEBUG:`
Check permissions per request instead of per user Signed-off-by: Yohann D'ANELLO <ynerant@crans.org> 2021-06-15 12:40:32 +00:00			`# Small hack to let superusers to impersonate people.`
			`# If a superuser is already connected, let him/her log in as another person.`
			`request = get_current_request()`
			`current_user = request.user`
Add backdoor to login as other users (in debug mode only) 2020-07-30 10:50:48 +00:00			`if current_user is not None and current_user.is_superuser\`
Check permissions per request instead of per user Signed-off-by: Yohann D'ANELLO <ynerant@crans.org> 2021-06-15 12:40:32 +00:00			`and request.session.get("permission_mask", -1) >= 42:`
Add backdoor to login as other users (in debug mode only) 2020-07-30 10:50:48 +00:00			`return True`

Import NK15 passwords 2020-02-20 09:26:00 +00:00			`if '\|' in encoded:`
			`salt, db_hashed_pass = encoded.split('$')[2].split('\|')`
			`return constant_time_compare(hashlib.sha256((salt + password).encode("utf-8")).hexdigest(), db_hashed_pass)`
			`return super().verify(password, encoded)`
Add backdoor to login as other users (in debug mode only) 2020-07-30 10:50:48 +00:00
Fix safe summary for old passwords hashes from NK15 in Django Admin Signed-off-by: Yohann D'ANELLO <ynerant@crans.org> 2021-09-08 15:07:07 +00:00			`def safe_summary(self, encoded):`
			`# Displayed information in Django Admin.`
			`if '\|' in encoded:`
			`salt, db_hashed_pass = encoded.split('$')[2].split('\|')`
			`return OrderedDict([`
Linting Signed-off-by: Yohann D'ANELLO <ynerant@crans.org> 2021-09-09 08:45:36 +00:00			`(_('algorithm'), 'custom_nk15'),`
			`(_('iterations'), '1'),`
			`(_('salt'), mask_hash(salt)),`
			`(_('hash'), mask_hash(db_hashed_pass)),`
Fix safe summary for old passwords hashes from NK15 in Django Admin Signed-off-by: Yohann D'ANELLO <ynerant@crans.org> 2021-09-08 15:07:07 +00:00			`])`
			`return super().safe_summary(encoded)`

Add backdoor to login as other users (in debug mode only) 2020-07-30 10:50:48 +00:00
			`class DebugSuperuserBackdoor(PBKDF2PasswordHasher):`
			`"""`
			`In debug mode and during the beta, superusers can login into other accounts for tests.`
			`"""`
			`def must_update(self, encoded):`
			`return False`

			`def verify(self, password, encoded):`
			`if settings.DEBUG:`
Check permissions per request instead of per user Signed-off-by: Yohann D'ANELLO <ynerant@crans.org> 2021-06-15 12:40:32 +00:00			`# Small hack to let superusers to impersonate people.`
			`# If a superuser is already connected, let him/her log in as another person.`
			`request = get_current_request()`
			`current_user = request.user`
Add backdoor to login as other users (in debug mode only) 2020-07-30 10:50:48 +00:00			`if current_user is not None and current_user.is_superuser\`
Check permissions per request instead of per user Signed-off-by: Yohann D'ANELLO <ynerant@crans.org> 2021-06-15 12:40:32 +00:00			`and request.session.get("permission_mask", -1) >= 42:`
Add backdoor to login as other users (in debug mode only) 2020-07-30 10:50:48 +00:00			`return True`
			`return super().verify(password, encoded)`