re2o/re2o/login.py

# -*- mode: python; coding: utf-8 -*-
# Re2o est un logiciel d'administration développé initiallement au Rézo Metz. Il
# se veut agnostique au réseau considéré, de manière à être installable en
# quelques clics.
#
# Copyright © 2017  Gabriel Détraz
# Copyright © 2017  Lara Kermarec
# Copyright © 2017  Augustin Lemesle
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License along
# with this program; if not, write to the Free Software Foundation, Inc.,
# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.

# -*- coding: utf-8 -*-
# Module d'authentification
# David Sinquin, Gabriel Détraz, Lara Kermarec
"""re2o.login
Module in charge of handling the login process and verifications
"""

import binascii
import crypt
import hashlib
import os
from base64 import encodestring, decodestring, b64encode, b64decode
from collections import OrderedDict
from django.contrib.auth import hashers
from django.contrib.auth.backends import ModelBackend
from hmac import compare_digest as constant_time_compare


ALGO_NAME = "{SSHA}"
ALGO_LEN = len(ALGO_NAME + "$")
DIGEST_LEN = 20


def makeSecret(password):
    """ Build a hashed and salted version of the password with SSHA

    Parameters:
    password (string): Password to hash

     Returns:
    string: Hashed password
    """
    salt = os.urandom(4)
    h = hashlib.sha1(password.encode())
    h.update(salt)
    return ALGO_NAME + "$" + encodestring(h.digest() + salt).decode()[:-1]


def hashNT(password):
    """ Build a md4 hash of the password to use as the NT-password 

    Parameters:
    password (string): Password to hash

     Returns:
    string: Hashed password

    """
    hash_str = hashlib.new("md4", password.encode("utf-16le")).digest()
    return binascii.hexlify(hash_str).upper()


def checkPassword(challenge_password, password):
    """Check if a given password match the hash of a stored password

    Parameters:
        challenge_password (string): Password to verify with hash
        password (string): Hashed password to verify 

    Returns:
        boolean: True if challenge_password and password match

    """
    challenge_bytes = decodestring(challenge_password[ALGO_LEN:].encode())
    digest = challenge_bytes[:DIGEST_LEN]
    salt = challenge_bytes[DIGEST_LEN:]
    hr = hashlib.sha1(password.encode())
    hr.update(salt)
    return constant_time_compare(digest, hr.digest())


def hash_password_salt(hashed_password):
    """ Extract the salt from a given hashed password 

    Parameters:
        hashed_password (string): Hashed password to extract salt

    Returns:
        string: Salt of the password

    """
    if hashed_password.upper().startswith("{CRYPT}"):
        hashed_password = hashed_password[7:]
        if hashed_password.startswith("$"):
            return "$".join(hashed_password.split("$")[:-1])
        else:
            return hashed_password[:2]
    elif hashed_password.upper().startswith("{SSHA}"):
        try:
            digest = b64decode(hashed_password[6:])
        except TypeError as error:
            raise ValueError("b64 error for `hashed_password`: %s." % error)
        if len(digest) < 20:
            raise ValueError("`hashed_password` too short.")
        return digest[20:]
    elif hashed_password.upper().startswith("{SMD5}"):
        try:
            digest = b64decode(hashed_password[7:])
        except TypeError as error:
            raise ValueError("b64 error for `hashed_password`: %s." % error)
        if len(digest) < 16:
            raise ValueError("`hashed_password` too short.")
        return digest[16:]
    else:
        raise ValueError(
            "`hashed_password` should start with '{SSHA}' or '{CRYPT}' or '{SMD5}'."
        )


class CryptPasswordHasher(hashers.BasePasswordHasher):
    """
    Crypt password hashing to allow for LDAP auth compatibility
    We do not encode, this should bot be used !
    The actual implementation may depend on the OS.
    """

    algorithm = "{crypt}"

    def encode(self, password, salt):
        pass

    def verify(self, password, encoded):
        """
        Check password against encoded using CRYPT algorithm
        """
        assert encoded.startswith(self.algorithm)
        salt = hash_password_salt(encoded)
        return constant_time_compare(
            self.algorithm + crypt.crypt(password, salt), encoded
        )

    def safe_summary(self, encoded):
        """
        Provides a safe summary of the password
        """
        assert encoded.startswith(self.algorithm)
        hash_str = encoded[7:]
        hash_str = binascii.hexlify(decodestring(hash_str.encode())).decode()
        return OrderedDict(
            [
                ("algorithm", self.algorithm),
                ("iterations", 0),
                ("salt", hashers.mask_hash(hash_str[2 * DIGEST_LEN :], show=2)),
                ("hash", hashers.mask_hash(hash_str[: 2 * DIGEST_LEN])),
            ]
        )

    def harden_runtime(self, password, encoded):
        """
        Method implemented to shut up BasePasswordHasher warning

        As we are not using multiple iterations the method is pretty useless
        """
        pass


class MD5PasswordHasher(hashers.BasePasswordHasher):
    """
    Salted MD5 password hashing to allow for LDAP auth compatibility
    We do not encode, this should bot be used !
    """

    algorithm = "{SMD5}"

    def encode(self, password, salt):
        pass

    def verify(self, password, encoded):
        """
        Check password against encoded using SMD5 algorithm
        """
        assert encoded.startswith(self.algorithm)
        salt = hash_password_salt(encoded)
        return constant_time_compare(
            self.algorithm
            + "$"
            + b64encode(hashlib.md5(password.encode() + salt).digest() + salt).decode(),
            encoded,
        )

    def safe_summary(self, encoded):
        """
        Provides a safe summary of the password
        """
        assert encoded.startswith(self.algorithm)
        hash_str = encoded[7:]
        hash_str = binascii.hexlify(decodestring(hash_str.encode())).decode()
        return OrderedDict(
            [
                ("algorithm", self.algorithm),
                ("iterations", 0),
                ("salt", hashers.mask_hash(hash_str[2 * DIGEST_LEN :], show=2)),
                ("hash", hashers.mask_hash(hash_str[: 2 * DIGEST_LEN])),
            ]
        )

    def harden_runtime(self, password, encoded):
        """
        Method implemented to shut up BasePasswordHasher warning

        As we are not using multiple iterations the method is pretty useless
        """
        pass


class SSHAPasswordHasher(hashers.BasePasswordHasher):
    """
    Salted SHA-1 password hashing to allow for LDAP auth compatibility
    """

    algorithm = ALGO_NAME

    def encode(self, password, salt):
        """
        Hash and salt the given password using SSHA algorithm

        salt is overridden
        """
        assert password is not None
        return makeSecret(password)

    def verify(self, password, encoded):
        """
        Check password against encoded using SSHA algorithm
        """
        assert encoded.startswith(self.algorithm)
        return checkPassword(encoded, password)

    def safe_summary(self, encoded):
        """
        Provides a safe summary of the password
        """
        assert encoded.startswith(self.algorithm)
        hash_str = encoded[ALGO_LEN:]
        hash_str = binascii.hexlify(decodestring(hash_str.encode())).decode()
        return OrderedDict(
            [
                ("algorithm", self.algorithm),
                ("iterations", 0),
                ("salt", hashers.mask_hash(hash_str[2 * DIGEST_LEN :], show=2)),
                ("hash", hashers.mask_hash(hash_str[: 2 * DIGEST_LEN])),
            ]
        )

    def harden_runtime(self, password, encoded):
        """
        Method implemented to shut up BasePasswordHasher warning

        As we are not using multiple iterations the method is pretty useless
        """
        pass


class RecryptBackend(ModelBackend):
    """Function for legacy users. During auth, if their hash password is different from SSHA or ntlm
    password is empty, rehash in SSHA or NTLM
    
    Returns:
        model user instance: Instance of the user logged
        
    """

    def authenticate(self, username=None, password=None):
        # we obtain from the classical auth backend the user
        user = super(RecryptBackend, self).authenticate(None, username, password)
        if user:
            if not (user.pwd_ntlm):
                # if we dont have NT hash, we create it
                user.pwd_ntlm = hashNT(password)
                user.save()
            if not ("SSHA" in user.password):
                # if the hash is too old, we update it
                user.password = makeSecret(password)
                user.save()
        return user
Fix encodage et imports 2017-09-27 13:40:28 +00:00			`# -- mode: python; coding: utf-8 --`
Ça se dit Rézo Metz 'tain 2020-11-23 16:06:37 +00:00			`# Re2o est un logiciel d'administration développé initiallement au Rézo Metz. Il`
Add copyright header to all .py files 2017-01-15 23:01:18 +00:00			`# se veut agnostique au réseau considéré, de manière à être installable en`
			`# quelques clics.`
			`#`
			`# Copyright © 2017 Gabriel Détraz`
Hello Lara :D Just ran `find /var/www/re2o \( -type d -name .git -prune \) -o -type f -print0 \| xargs -0 sed -i 's/Goulven/Lara/g'`. 2019-09-29 14:02:28 +00:00			`# Copyright © 2017 Lara Kermarec`
Add copyright header to all .py files 2017-01-15 23:01:18 +00:00			`# Copyright © 2017 Augustin Lemesle`
			`#`
			`# This program is free software; you can redistribute it and/or modify`
			`# it under the terms of the GNU General Public License as published by`
			`# the Free Software Foundation; either version 2 of the License, or`
			`# (at your option) any later version.`
			`#`
			`# This program is distributed in the hope that it will be useful,`
			`# but WITHOUT ANY WARRANTY; without even the implied warranty of`
			`# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the`
			`# GNU General Public License for more details.`
			`#`
			`# You should have received a copy of the GNU General Public License along`
			`# with this program; if not, write to the Free Software Foundation, Inc.,`
			`# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.`

Vue de modification du mdp 2016-07-01 22:35:44 +00:00			`# -- coding: utf-8 --`
			`# Module d'authentification`
Hello Lara :D Just ran `find /var/www/re2o \( -type d -name .git -prune \) -o -type f -print0 \| xargs -0 sed -i 's/Goulven/Lara/g'`. 2019-09-29 14:02:28 +00:00			`# David Sinquin, Gabriel Détraz, Lara Kermarec`
Pylint compliance on re2o 2018-04-14 19:29:16 +00:00			`"""re2o.login`
			`Module in charge of handling the login process and verifications`
			`"""`
Custom password hasher for SSHA 2016-07-06 20:44:30 +00:00
			`import binascii`
login handler: Various code cleanings with no impact. 2018-08-04 20:50:13 +00:00			`import crypt`
			`import hashlib`
Vue de modification du mdp 2016-07-01 22:35:44 +00:00			`import os`
login handler: Various code cleanings with no impact. 2018-08-04 20:50:13 +00:00			`from base64 import encodestring, decodestring, b64encode, b64decode`
Custom password hasher for SSHA 2016-07-06 20:44:30 +00:00			`from collections import OrderedDict`
			`from django.contrib.auth import hashers`
Produce newer hash upon login 2018-08-10 15:43:10 +00:00			`from django.contrib.auth.backends import ModelBackend`
login handler: Use constant-time comparaison for hashes. An attacker knowing the salt but not the hash could try timming-attacks to guess a password hash and then try to find it from the hash. Although not a high risk, there is no good reason not to use a constant-time comparison, hence this commit. 2018-08-04 20:52:59 +00:00			`from hmac import compare_digest as constant_time_compare`
Custom password hasher for SSHA 2016-07-06 20:44:30 +00:00

			`ALGO_NAME = "{SSHA}"`
			`ALGO_LEN = len(ALGO_NAME + "$")`
			`DIGEST_LEN = 20`

Vue de modification du mdp 2016-07-01 22:35:44 +00:00
			`def makeSecret(password):`
First step of docstring translation 2020-04-25 01:36:27 +00:00			`""" Build a hashed and salted version of the password with SSHA`

			`Parameters:`
			`password (string): Password to hash`

			`Returns:`
			`string: Hashed password`
			`"""`
Vue de modification du mdp 2016-07-01 22:35:44 +00:00			`salt = os.urandom(4)`
			`h = hashlib.sha1(password.encode())`
			`h.update(salt)`
Custom password hasher for SSHA 2016-07-06 20:44:30 +00:00			`return ALGO_NAME + "$" + encodestring(h.digest() + salt).decode()[:-1]`

Vue de modification du mdp 2016-07-01 22:35:44 +00:00
			`def hashNT(password):`
First step of docstring translation 2020-04-25 01:36:27 +00:00			`""" Build a md4 hash of the password to use as the NT-password`

			`Parameters:`
			`password (string): Password to hash`

			`Returns:`
			`string: Hashed password`

			`"""`
I like my ☕ black. Just ran black on the whoe repository. Fix #210. 2019-11-04 16:55:03 +00:00			`hash_str = hashlib.new("md4", password.encode("utf-16le")).digest()`
Pylint compliance on re2o 2018-04-14 19:29:16 +00:00			`return binascii.hexlify(hash_str).upper()`
Vue de modification du mdp 2016-07-01 22:35:44 +00:00
Custom password hasher for SSHA 2016-07-06 20:44:30 +00:00
Vue de modification du mdp 2016-07-01 22:35:44 +00:00			`def checkPassword(challenge_password, password):`
First step of docstring translation 2020-04-25 01:36:27 +00:00			`"""Check if a given password match the hash of a stored password`

			`Parameters:`
			`challenge_password (string): Password to verify with hash`
			`password (string): Hashed password to verify`

			`Returns:`
			`boolean: True if challenge_password and password match`

			`"""`
Custom password hasher for SSHA 2016-07-06 20:44:30 +00:00			`challenge_bytes = decodestring(challenge_password[ALGO_LEN:].encode())`
			`digest = challenge_bytes[:DIGEST_LEN]`
			`salt = challenge_bytes[DIGEST_LEN:]`
Vue de modification du mdp 2016-07-01 22:35:44 +00:00			`hr = hashlib.sha1(password.encode())`
			`hr.update(salt)`
login handler: Use constant-time comparaison for hashes. An attacker knowing the salt but not the hash could try timming-attacks to guess a password hash and then try to find it from the hash. Although not a high risk, there is no good reason not to use a constant-time comparison, hence this commit. 2018-08-04 20:52:59 +00:00			`return constant_time_compare(digest, hr.digest())`
Custom password hasher for SSHA 2016-07-06 20:44:30 +00:00

Support old hashes, md5/crypt 2018-08-04 14:58:42 +00:00			`def hash_password_salt(hashed_password):`
First step of docstring translation 2020-04-25 01:36:27 +00:00			`""" Extract the salt from a given hashed password`

			`Parameters:`
			`hashed_password (string): Hashed password to extract salt`

			`Returns:`
			`string: Salt of the password`

			`"""`
I like my ☕ black. Just ran black on the whoe repository. Fix #210. 2019-11-04 16:55:03 +00:00			`if hashed_password.upper().startswith("{CRYPT}"):`
Support old hashes, md5/crypt 2018-08-04 14:58:42 +00:00			`hashed_password = hashed_password[7:]`
I like my ☕ black. Just ran black on the whoe repository. Fix #210. 2019-11-04 16:55:03 +00:00			`if hashed_password.startswith("$"):`
			`return "$".join(hashed_password.split("$")[:-1])`
Support old hashes, md5/crypt 2018-08-04 14:58:42 +00:00			`else:`
			`return hashed_password[:2]`
I like my ☕ black. Just ran black on the whoe repository. Fix #210. 2019-11-04 16:55:03 +00:00			`elif hashed_password.upper().startswith("{SSHA}"):`
Support old hashes, md5/crypt 2018-08-04 14:58:42 +00:00			`try:`
			`digest = b64decode(hashed_password[6:])`
			`except TypeError as error:`
Improve internationalisation for email templates, scripts, commands and error messages 2019-11-16 14:11:57 +00:00			raise ValueError("b64 error for `hashed_password`: %s." % error)
Support old hashes, md5/crypt 2018-08-04 14:58:42 +00:00			`if len(digest) < 20:`
Improve internationalisation for email templates, scripts, commands and error messages 2019-11-16 14:11:57 +00:00			raise ValueError("`hashed_password` too short.")
Support old hashes, md5/crypt 2018-08-04 14:58:42 +00:00			`return digest[20:]`
I like my ☕ black. Just ran black on the whoe repository. Fix #210. 2019-11-04 16:55:03 +00:00			`elif hashed_password.upper().startswith("{SMD5}"):`
Support old hashes, md5/crypt 2018-08-04 14:58:42 +00:00			`try:`
			`digest = b64decode(hashed_password[7:])`
			`except TypeError as error:`
Improve internationalisation for email templates, scripts, commands and error messages 2019-11-16 14:11:57 +00:00			raise ValueError("b64 error for `hashed_password`: %s." % error)
Support old hashes, md5/crypt 2018-08-04 14:58:42 +00:00			`if len(digest) < 16:`
Improve internationalisation for email templates, scripts, commands and error messages 2019-11-16 14:11:57 +00:00			raise ValueError("`hashed_password` too short.")
Support old hashes, md5/crypt 2018-08-04 14:58:42 +00:00			`return digest[16:]`
			`else:`
I like my ☕ black. Just ran black on the whoe repository. Fix #210. 2019-11-04 16:55:03 +00:00			`raise ValueError(`
Improve internationalisation for email templates, scripts, commands and error messages 2019-11-16 14:11:57 +00:00			"`hashed_password` should start with '{SSHA}' or '{CRYPT}' or '{SMD5}'."
I like my ☕ black. Just ran black on the whoe repository. Fix #210. 2019-11-04 16:55:03 +00:00			`)`
Support old hashes, md5/crypt 2018-08-04 14:58:42 +00:00

			`class CryptPasswordHasher(hashers.BasePasswordHasher):`
			`"""`
			`Crypt password hashing to allow for LDAP auth compatibility`
			`We do not encode, this should bot be used !`
login handler: Various code cleanings with no impact. 2018-08-04 20:50:13 +00:00			`The actual implementation may depend on the OS.`
Support old hashes, md5/crypt 2018-08-04 14:58:42 +00:00			`"""`

			`algorithm = "{crypt}"`

			`def encode(self, password, salt):`
			`pass`

			`def verify(self, password, encoded):`
			`"""`
login handler: Various code cleanings with no impact. 2018-08-04 20:50:13 +00:00			`Check password against encoded using CRYPT algorithm`
Support old hashes, md5/crypt 2018-08-04 14:58:42 +00:00			`"""`
			`assert encoded.startswith(self.algorithm)`
Récupération correcte du sel dans le mot de passe encodé 2018-11-15 15:43:28 +00:00			`salt = hash_password_salt(encoded)`
I like my ☕ black. Just ran black on the whoe repository. Fix #210. 2019-11-04 16:55:03 +00:00			`return constant_time_compare(`
			`self.algorithm + crypt.crypt(password, salt), encoded`
			`)`
Support old hashes, md5/crypt 2018-08-04 14:58:42 +00:00
			`def safe_summary(self, encoded):`
			`"""`
			`Provides a safe summary of the password`
			`"""`
			`assert encoded.startswith(self.algorithm)`
			`hash_str = encoded[7:]`
			`hash_str = binascii.hexlify(decodestring(hash_str.encode())).decode()`
I like my ☕ black. Just ran black on the whoe repository. Fix #210. 2019-11-04 16:55:03 +00:00			`return OrderedDict(`
			`[`
			`("algorithm", self.algorithm),`
			`("iterations", 0),`
			`("salt", hashers.mask_hash(hash_str[2 * DIGEST_LEN :], show=2)),`
			`("hash", hashers.mask_hash(hash_str[: 2 * DIGEST_LEN])),`
			`]`
			`)`
Support old hashes, md5/crypt 2018-08-04 14:58:42 +00:00
			`def harden_runtime(self, password, encoded):`
			`"""`
			`Method implemented to shut up BasePasswordHasher warning`

			`As we are not using multiple iterations the method is pretty useless`
			`"""`
			`pass`

I like my ☕ black. Just ran black on the whoe repository. Fix #210. 2019-11-04 16:55:03 +00:00
Support old hashes, md5/crypt 2018-08-04 14:58:42 +00:00			`class MD5PasswordHasher(hashers.BasePasswordHasher):`
			`"""`
login handler: Various code cleanings with no impact. 2018-08-04 20:50:13 +00:00			`Salted MD5 password hashing to allow for LDAP auth compatibility`
Support old hashes, md5/crypt 2018-08-04 14:58:42 +00:00			`We do not encode, this should bot be used !`
			`"""`

			`algorithm = "{SMD5}"`

			`def encode(self, password, salt):`
			`pass`

			`def verify(self, password, encoded):`
			`"""`
login handler: Various code cleanings with no impact. 2018-08-04 20:50:13 +00:00			`Check password against encoded using SMD5 algorithm`
Support old hashes, md5/crypt 2018-08-04 14:58:42 +00:00			`"""`
			`assert encoded.startswith(self.algorithm)`
			`salt = hash_password_salt(encoded)`
I like my ☕ black. Just ran black on the whoe repository. Fix #210. 2019-11-04 16:55:03 +00:00			`return constant_time_compare(`
			`self.algorithm`
			`+ "$"`
			`+ b64encode(hashlib.md5(password.encode() + salt).digest() + salt).decode(),`
			`encoded,`
			`)`
Support old hashes, md5/crypt 2018-08-04 14:58:42 +00:00
			`def safe_summary(self, encoded):`
			`"""`
			`Provides a safe summary of the password`
			`"""`
			`assert encoded.startswith(self.algorithm)`
			`hash_str = encoded[7:]`
			`hash_str = binascii.hexlify(decodestring(hash_str.encode())).decode()`
I like my ☕ black. Just ran black on the whoe repository. Fix #210. 2019-11-04 16:55:03 +00:00			`return OrderedDict(`
			`[`
			`("algorithm", self.algorithm),`
			`("iterations", 0),`
			`("salt", hashers.mask_hash(hash_str[2 * DIGEST_LEN :], show=2)),`
			`("hash", hashers.mask_hash(hash_str[: 2 * DIGEST_LEN])),`
			`]`
			`)`
Support old hashes, md5/crypt 2018-08-04 14:58:42 +00:00
			`def harden_runtime(self, password, encoded):`
			`"""`
			`Method implemented to shut up BasePasswordHasher warning`

			`As we are not using multiple iterations the method is pretty useless`
			`"""`
			`pass`

I like my ☕ black. Just ran black on the whoe repository. Fix #210. 2019-11-04 16:55:03 +00:00
Custom password hasher for SSHA 2016-07-06 20:44:30 +00:00			`class SSHAPasswordHasher(hashers.BasePasswordHasher):`
			`"""`
login handler: Various code cleanings with no impact. 2018-08-04 20:50:13 +00:00			`Salted SHA-1 password hashing to allow for LDAP auth compatibility`
Custom password hasher for SSHA 2016-07-06 20:44:30 +00:00			`"""`

			`algorithm = ALGO_NAME`

Pylint compliance on re2o 2018-04-14 19:29:16 +00:00			`def encode(self, password, salt):`
Custom password hasher for SSHA 2016-07-06 20:44:30 +00:00			`"""`
			`Hash and salt the given password using SSHA algorithm`

			`salt is overridden`
			`"""`
			`assert password is not None`
			`return makeSecret(password)`

			`def verify(self, password, encoded):`
			`"""`
			`Check password against encoded using SSHA algorithm`
			`"""`
			`assert encoded.startswith(self.algorithm)`
			`return checkPassword(encoded, password)`

			`def safe_summary(self, encoded):`
			`"""`
Pylint compliance on re2o 2018-04-14 19:29:16 +00:00			`Provides a safe summary of the password`
Custom password hasher for SSHA 2016-07-06 20:44:30 +00:00			`"""`
			`assert encoded.startswith(self.algorithm)`
Pylint compliance on re2o 2018-04-14 19:29:16 +00:00			`hash_str = encoded[ALGO_LEN:]`
			`hash_str = binascii.hexlify(decodestring(hash_str.encode())).decode()`
I like my ☕ black. Just ran black on the whoe repository. Fix #210. 2019-11-04 16:55:03 +00:00			`return OrderedDict(`
			`[`
			`("algorithm", self.algorithm),`
			`("iterations", 0),`
			`("salt", hashers.mask_hash(hash_str[2 * DIGEST_LEN :], show=2)),`
			`("hash", hashers.mask_hash(hash_str[: 2 * DIGEST_LEN])),`
			`]`
			`)`
Custom password hasher for SSHA 2016-07-06 20:44:30 +00:00
			`def harden_runtime(self, password, encoded):`
			`"""`
			`Method implemented to shut up BasePasswordHasher warning`

			`As we are not using multiple iterations the method is pretty useless`
			`"""`
			`pass`
Produce newer hash upon login 2018-08-10 15:43:10 +00:00

			`class RecryptBackend(ModelBackend):`
First step of docstring translation 2020-04-25 01:36:27 +00:00			`"""Function for legacy users. During auth, if their hash password is different from SSHA or ntlm`
			`password is empty, rehash in SSHA or NTLM`

			`Returns:`
			`model user instance: Instance of the user logged`

			`"""`

Produce newer hash upon login 2018-08-10 15:43:10 +00:00			`def authenticate(self, username=None, password=None):`
			`# we obtain from the classical auth backend the user`
Fix Login, Django 1.11 changed their API. 2019-09-05 16:52:40 +00:00			`user = super(RecryptBackend, self).authenticate(None, username, password)`
Produce newer hash upon login 2018-08-10 15:43:10 +00:00			`if user:`
I like my ☕ black. Just ran black on the whoe repository. Fix #210. 2019-11-04 16:55:03 +00:00			`if not (user.pwd_ntlm):`
Produce newer hash upon login 2018-08-10 15:43:10 +00:00			`# if we dont have NT hash, we create it`
			`user.pwd_ntlm = hashNT(password)`
			`user.save()`
I like my ☕ black. Just ran black on the whoe repository. Fix #210. 2019-11-04 16:55:03 +00:00			`if not ("SSHA" in user.password):`
Produce newer hash upon login 2018-08-10 15:43:10 +00:00			`# if the hash is too old, we update it`
			`user.password = makeSecret(password)`
			`user.save()`
			`return user`