Server IP : 85.214.239.14 / Your IP : 18.223.171.83 Web Server : Apache/2.4.62 (Debian) System : Linux h2886529.stratoserver.net 4.9.0 #1 SMP Tue Jan 9 19:45:01 MSK 2024 x86_64 User : www-data ( 33) PHP Version : 7.4.18 Disable Function : pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_get_handler,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,pcntl_async_signals,pcntl_unshare, MySQL : OFF | cURL : OFF | WGET : ON | Perl : ON | Python : ON | Sudo : ON | Pkexec : OFF Directory : /proc/3/root/proc/self/root/lib/python3/dist-packages/passlib/handlers/ |
Upload File : |
"""passlib.handlers.misc - misc generic handlers """ #============================================================================= # imports #============================================================================= # core import sys import logging; log = logging.getLogger(__name__) from warnings import warn # site # pkg from passlib.utils import to_native_str, str_consteq from passlib.utils.compat import unicode, u, unicode_or_bytes_types import passlib.utils.handlers as uh # local __all__ = [ "unix_disabled", "unix_fallback", "plaintext", ] #============================================================================= # handler #============================================================================= class unix_fallback(uh.ifc.DisabledHash, uh.StaticHandler): """This class provides the fallback behavior for unix shadow files, and follows the :ref:`password-hash-api`. This class does not implement a hash, but instead provides fallback behavior as found in /etc/shadow on most unix variants. If used, should be the last scheme in the context. * this class will positively identify all hash strings. * for security, passwords will always hash to ``!``. * it rejects all passwords if the hash is NOT an empty string (``!`` or ``*`` are frequently used). * by default it rejects all passwords if the hash is an empty string, but if ``enable_wildcard=True`` is passed to verify(), all passwords will be allowed through if the hash is an empty string. .. deprecated:: 1.6 This has been deprecated due to its "wildcard" feature, and will be removed in Passlib 1.8. Use :class:`unix_disabled` instead. """ name = "unix_fallback" context_kwds = ("enable_wildcard",) @classmethod def identify(cls, hash): if isinstance(hash, unicode_or_bytes_types): return True else: raise uh.exc.ExpectedStringError(hash, "hash") def __init__(self, enable_wildcard=False, **kwds): warn("'unix_fallback' is deprecated, " "and will be removed in Passlib 1.8; " "please use 'unix_disabled' instead.", DeprecationWarning) super(unix_fallback, self).__init__(**kwds) self.enable_wildcard = enable_wildcard def _calc_checksum(self, secret): if self.checksum: # NOTE: hash will generally be "!", but we want to preserve # it in case it's something else, like "*". return self.checksum else: return u("!") @classmethod def verify(cls, secret, hash, enable_wildcard=False): uh.validate_secret(secret) if not isinstance(hash, unicode_or_bytes_types): raise uh.exc.ExpectedStringError(hash, "hash") elif hash: return False else: return enable_wildcard _MARKER_CHARS = u("*!") _MARKER_BYTES = b"*!" class unix_disabled(uh.ifc.DisabledHash, uh.MinimalHandler): """This class provides disabled password behavior for unix shadow files, and follows the :ref:`password-hash-api`. This class does not implement a hash, but instead matches the "disabled account" strings found in ``/etc/shadow`` on most Unix variants. "encrypting" a password will simply return the disabled account marker. It will reject all passwords, no matter the hash string. The :meth:`~passlib.ifc.PasswordHash.hash` method supports one optional keyword: :type marker: str :param marker: Optional marker string which overrides the platform default used to indicate a disabled account. If not specified, this will default to ``"*"`` on BSD systems, and use the Linux default ``"!"`` for all other platforms. (:attr:`!unix_disabled.default_marker` will contain the default value) .. versionadded:: 1.6 This class was added as a replacement for the now-deprecated :class:`unix_fallback` class, which had some undesirable features. """ name = "unix_disabled" setting_kwds = ("marker",) context_kwds = () _disable_prefixes = tuple(str(_MARKER_CHARS)) # TODO: rename attr to 'marker'... if 'bsd' in sys.platform: # pragma: no cover -- runtime detection default_marker = u("*") else: # use the linux default for other systems # (glibc also supports adding old hash after the marker # so it can be restored later). default_marker = u("!") @classmethod def using(cls, marker=None, **kwds): subcls = super(unix_disabled, cls).using(**kwds) if marker is not None: if not cls.identify(marker): raise ValueError("invalid marker: %r" % marker) subcls.default_marker = marker return subcls @classmethod def identify(cls, hash): # NOTE: technically, anything in the /etc/shadow password field # which isn't valid crypt() output counts as "disabled". # but that's rather ambiguous, and it's hard to predict what # valid output is for unknown crypt() implementations. # so to be on the safe side, we only match things *known* # to be disabled field indicators, and will add others # as they are found. things beginning w/ "$" should *never* match. # # things currently matched: # * linux uses "!" # * bsd uses "*" # * linux may use "!" + hash to disable but preserve original hash # * linux counts empty string as "any password"; # this code recognizes it, but treats it the same as "!" if isinstance(hash, unicode): start = _MARKER_CHARS elif isinstance(hash, bytes): start = _MARKER_BYTES else: raise uh.exc.ExpectedStringError(hash, "hash") return not hash or hash[0] in start @classmethod def verify(cls, secret, hash): uh.validate_secret(secret) if not cls.identify(hash): # handles typecheck raise uh.exc.InvalidHashError(cls) return False @classmethod def hash(cls, secret, **kwds): if kwds: uh.warn_hash_settings_deprecation(cls, kwds) return cls.using(**kwds).hash(secret) uh.validate_secret(secret) marker = cls.default_marker assert marker and cls.identify(marker) return to_native_str(marker, param="marker") @uh.deprecated_method(deprecated="1.7", removed="2.0") @classmethod def genhash(cls, secret, config, marker=None): if not cls.identify(config): raise uh.exc.InvalidHashError(cls) elif config: # preserve the existing str,since it might contain a disabled password hash ("!" + hash) uh.validate_secret(secret) return to_native_str(config, param="config") else: if marker is not None: cls = cls.using(marker=marker) return cls.hash(secret) @classmethod def disable(cls, hash=None): out = cls.hash("") if hash is not None: hash = to_native_str(hash, param="hash") if cls.identify(hash): # extract original hash, so that we normalize marker hash = cls.enable(hash) if hash: out += hash return out @classmethod def enable(cls, hash): hash = to_native_str(hash, param="hash") for prefix in cls._disable_prefixes: if hash.startswith(prefix): orig = hash[len(prefix):] if orig: return orig else: raise ValueError("cannot restore original hash") raise uh.exc.InvalidHashError(cls) class plaintext(uh.MinimalHandler): """This class stores passwords in plaintext, and follows the :ref:`password-hash-api`. The :meth:`~passlib.ifc.PasswordHash.hash`, :meth:`~passlib.ifc.PasswordHash.genhash`, and :meth:`~passlib.ifc.PasswordHash.verify` methods all require the following additional contextual keyword: :type encoding: str :param encoding: This controls the character encoding to use (defaults to ``utf-8``). This encoding will be used to encode :class:`!unicode` passwords under Python 2, and decode :class:`!bytes` hashes under Python 3. .. versionchanged:: 1.6 The ``encoding`` keyword was added. """ # NOTE: this is subclassed by ldap_plaintext name = "plaintext" setting_kwds = () context_kwds = ("encoding",) default_encoding = "utf-8" @classmethod def identify(cls, hash): if isinstance(hash, unicode_or_bytes_types): return True else: raise uh.exc.ExpectedStringError(hash, "hash") @classmethod def hash(cls, secret, encoding=None): uh.validate_secret(secret) if not encoding: encoding = cls.default_encoding return to_native_str(secret, encoding, "secret") @classmethod def verify(cls, secret, hash, encoding=None): if not encoding: encoding = cls.default_encoding hash = to_native_str(hash, encoding, "hash") if not cls.identify(hash): raise uh.exc.InvalidHashError(cls) return str_consteq(cls.hash(secret, encoding), hash) @uh.deprecated_method(deprecated="1.7", removed="2.0") @classmethod def genconfig(cls): return cls.hash("") @uh.deprecated_method(deprecated="1.7", removed="2.0") @classmethod def genhash(cls, secret, config, encoding=None): # NOTE: 'config' is ignored, as this hash has no salting / etc if not cls.identify(config): raise uh.exc.InvalidHashError(cls) return cls.hash(secret, encoding=encoding) #============================================================================= # eof #=============================================================================