utils.py 23.1 KB
Newer Older
Valentin Samir's avatar
Valentin Samir committed
1
# -*- coding: utf-8 -*-
Valentin Samir's avatar
Valentin Samir committed
2 3 4 5 6 7 8 9 10
# This program is distributed in the hope that it will be useful, but WITHOUT
# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
# FOR A PARTICULAR PURPOSE. See the GNU General Public License version 3 for
# more details.
#
# You should have received a copy of the GNU General Public License version 3
# along with this program; if not, write to the Free Software Foundation, Inc., 51
# Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
Valentin Samir's avatar
Valentin Samir committed
11
# (c) 2015-2016 Valentin Samir
Valentin Samir's avatar
Valentin Samir committed
12
"""Some util function for the app"""
13
from .default_settings import settings
14

15
from django.core.urlresolvers import reverse
16 17
from django.http import HttpResponseRedirect, HttpResponse
from django.contrib import messages
18 19
from django.contrib.messages import constants as DEFAULT_MESSAGE_LEVELS
from django.core.serializers.json import DjangoJSONEncoder
20 21 22

import random
import string
23
import json
24 25 26 27
import hashlib
import crypt
import base64
import six
28 29 30
import requests
import time
import logging
31

Valentin Samir's avatar
Valentin Samir committed
32
from importlib import import_module
Valentin Samir's avatar
Valentin Samir committed
33
from datetime import datetime, timedelta
Valentin Samir's avatar
Valentin Samir committed
34
from six.moves.urllib.parse import urlparse, urlunparse, parse_qsl, urlencode
Valentin Samir's avatar
Valentin Samir committed
35

36 37 38 39 40
from . import VERSION

#: logger facility
logger = logging.getLogger(__name__)

Valentin Samir's avatar
Valentin Samir committed
41

42 43 44 45 46 47 48 49 50
def json_encode(obj):
    """Encode a python object to json"""
    try:
        return json_encode.encoder.encode(obj)
    except AttributeError:
        json_encode.encoder = DjangoJSONEncoder(default=six.text_type)
        return json_encode(obj)


51
def context(params):
52 53 54 55 56 57 58 59
    """
        Function that add somes variable to the context before template rendering

        :param dict params: The context dictionary used to render templates.
        :return: The ``params`` dictionary with the key ``settings`` set to
            :obj:`django.conf.settings`.
        :rtype: dict
    """
60
    params["settings"] = settings
61
    params["message_levels"] = DEFAULT_MESSAGE_LEVELS
62 63 64 65 66
    if settings.CAS_NEW_VERSION_HTML_WARNING:
        LAST_VERSION = last_version()
        params["VERSION"] = VERSION
        params["LAST_VERSION"] = LAST_VERSION
        if LAST_VERSION is not None:
Valentin Samir's avatar
Valentin Samir committed
67
            params["upgrade_available"] = decode_version(VERSION) < decode_version(LAST_VERSION)
68 69
        else:
            params["upgrade_available"] = False
70 71 72
    return params


Valentin Samir's avatar
style  
Valentin Samir committed
73
def json_response(request, data):
74 75 76 77 78 79 80 81
    """
        Wrapper dumping `data` to a json and sending it to the user with an HttpResponse

        :param django.http.HttpRequest request: The request object used to generate this response.
        :param dict data: The python dictionnary to return as a json
        :return: The content of ``data`` serialized in json
        :rtype: django.http.HttpResponse
    """
82 83 84 85 86 87
    data["messages"] = []
    for msg in messages.get_messages(request):
        data["messages"].append({'message': msg.message, 'level': msg.level_tag})
    return HttpResponse(json.dumps(data), content_type="application/json")


88
def import_attr(path):
89 90 91 92 93 94 95
    """
        transform a python dotted path to the attr

        :param path: A dotted path to a python object or a python object
        :type path: :obj:`unicode` or anything
        :return: The python object pointed by the dotted path or the python object unchanged
    """
96
    if not isinstance(path, str):
Valentin Samir's avatar
Valentin Samir committed
97
        return path
98 99
    if "." not in path:
        ValueError("%r should be of the form `module.attr` and we just got `attr`" % path)
100
    module, attr = path.rsplit('.', 1)
101 102 103 104 105 106
    try:
        return getattr(import_module(module), attr)
    except ImportError:
        raise ImportError("Module %r not found" % module)
    except AttributeError:
        raise AttributeError("Module %r has not attribut %r" % (module, attr))
107

Valentin Samir's avatar
PEP8  
Valentin Samir committed
108

109
def redirect_params(url_name, params=None):
110 111 112 113 114 115 116 117 118
    """
        Redirect to ``url_name`` with ``params`` as querystring

        :param unicode url_name: a URL pattern name
        :param params: Some parameter to append to the reversed URL
        :type params: :obj:`dict` or :obj:`NoneType<types.NoneType>`
        :return: A redirection to the URL with name ``url_name`` with ``params`` as querystring.
        :rtype: django.http.HttpResponseRedirect
    """
119
    url = reverse(url_name)
Valentin Samir's avatar
Valentin Samir committed
120
    params = urlencode(params if params else {})
121 122
    return HttpResponseRedirect(url + "?%s" % params)

Valentin Samir's avatar
PEP8  
Valentin Samir committed
123

124
def reverse_params(url_name, params=None, **kwargs):
125 126 127 128 129 130 131 132 133 134 135
    """
        compute the reverse url of ``url_name`` and add to it parameters from ``params``
        as querystring

        :param unicode url_name: a URL pattern name
        :param params: Some parameter to append to the reversed URL
        :type params: :obj:`dict` or :obj:`NoneType<types.NoneType>`
        :param **kwargs: additional parameters needed to compure the reverse URL
        :return: The computed reverse URL of ``url_name`` with possible querystring from ``params``
        :rtype: unicode
    """
136 137
    url = reverse(url_name, **kwargs)
    params = urlencode(params if params else {})
Valentin Samir's avatar
Valentin Samir committed
138
    if params:
139
        return u"%s?%s" % (url, params)
Valentin Samir's avatar
Valentin Samir committed
140 141 142 143
    else:
        return url


Valentin Samir's avatar
Valentin Samir committed
144
def copy_params(get_or_post_params, ignore=None):
145 146 147 148 149 150 151 152 153
    """
        copy a :class:`django.http.QueryDict` in a :obj:`dict` ignoring keys in the set ``ignore``

        :param django.http.QueryDict get_or_post_params: A GET or POST
            :class:`QueryDict<django.http.QueryDict>`
        :param set ignore: An optinal set of keys to ignore during the copy
        :return: A copy of get_or_post_params
        :rtype: dict
    """
Valentin Samir's avatar
Valentin Samir committed
154 155
    if ignore is None:
        ignore = set()
Valentin Samir's avatar
Valentin Samir committed
156 157 158 159 160 161 162 163
    params = {}
    for key in get_or_post_params:
        if key not in ignore and get_or_post_params[key]:
            params[key] = get_or_post_params[key]
    return params


def set_cookie(response, key, value, max_age):
164 165 166 167 168 169 170 171
    """
        Set the cookie ``key`` on ``response`` with value ``value`` valid for ``max_age`` secondes

        :param django.http.HttpResponse response: a django response where to set the cookie
        :param unicode key: the cookie key
        :param unicode value: the cookie value
        :param int max_age: the maximum validity age of the cookie
    """
Valentin Samir's avatar
Valentin Samir committed
172 173 174 175 176 177 178 179 180 181 182 183 184 185
    expires = datetime.strftime(
        datetime.utcnow() + timedelta(seconds=max_age),
        "%a, %d-%b-%Y %H:%M:%S GMT"
    )
    response.set_cookie(
        key,
        value,
        max_age=max_age,
        expires=expires,
        domain=settings.SESSION_COOKIE_DOMAIN,
        secure=settings.SESSION_COOKIE_SECURE or None
    )


Valentin Samir's avatar
Valentin Samir committed
186
def get_current_url(request, ignore_params=None):
187 188 189 190 191 192 193 194 195
    """
        Giving a django request, return the current http url, possibly ignoring some GET parameters

        :param django.http.HttpRequest request: The current request object.
        :param set ignore_params: An optional set of GET parameters to ignore
        :return: The URL of the current page, possibly omitting some parameters from
            ``ignore_params`` in the querystring.
        :rtype: unicode
    """
Valentin Samir's avatar
Valentin Samir committed
196 197
    if ignore_params is None:
        ignore_params = set()
198 199
    protocol = u'https' if request.is_secure() else u"http"
    service_url = u"%s://%s%s" % (protocol, request.get_host(), request.path)
Valentin Samir's avatar
Valentin Samir committed
200 201 202
    if request.GET:
        params = copy_params(request.GET, ignore_params)
        if params:
203
            service_url += u"?%s" % urlencode(params)
Valentin Samir's avatar
Valentin Samir committed
204
    return service_url
205 206


Valentin Samir's avatar
Valentin Samir committed
207
def update_url(url, params):
208 209 210 211 212 213 214 215 216
    """
        update parameters using ``params`` in the ``url`` query string

        :param url: An URL possibily with a querystring
        :type url: :obj:`unicode` or :obj:`str`
        :param dict params: A dictionary of parameters for updating the url querystring
        :return: The URL with an updated querystring
        :rtype: unicode
    """
Valentin Samir's avatar
Valentin Samir committed
217
    if not isinstance(url, bytes):
Valentin Samir's avatar
PEP8  
Valentin Samir committed
218
        url = url.encode('utf-8')
Valentin Samir's avatar
Valentin Samir committed
219 220
    for key, value in list(params.items()):
        if not isinstance(key, bytes):
Valentin Samir's avatar
Valentin Samir committed
221 222
            del params[key]
            key = key.encode('utf-8')
Valentin Samir's avatar
Valentin Samir committed
223
        if not isinstance(value, bytes):
Valentin Samir's avatar
Valentin Samir committed
224 225
            value = value.encode('utf-8')
        params[key] = value
Valentin Samir's avatar
Valentin Samir committed
226 227
    url_parts = list(urlparse(url))
    query = dict(parse_qsl(url_parts[4]))
Valentin Samir's avatar
Valentin Samir committed
228
    query.update(params)
Valentin Samir's avatar
Valentin Samir committed
229 230 231 232
    # make the params order deterministic
    query = list(query.items())
    query.sort()
    url_query = urlencode(query)
233
    if not isinstance(url_query, bytes):  # pragma: no cover in python3 urlencode return an unicode
Valentin Samir's avatar
Valentin Samir committed
234 235
        url_query = url_query.encode("utf-8")
    url_parts[4] = url_query
Valentin Samir's avatar
Valentin Samir committed
236
    return urlunparse(url_parts).decode('utf-8')
237

Valentin Samir's avatar
PEP8  
Valentin Samir committed
238

239
def unpack_nested_exception(error):
240 241 242 243 244 245
    """
        If exception are stacked, return the first one

        :param error: A python exception with possible exception embeded within
        :return: A python exception with no exception embeded within
    """
246 247 248 249 250 251 252 253 254 255 256 257 258
    i = 0
    while True:
        if error.args[i:]:
            if isinstance(error.args[i], Exception):
                error = error.args[i]
                i = 0
            else:
                i += 1
        else:
            break
    return error


259 260 261 262 263 264 265 266 267 268 269 270 271
def _gen_ticket(prefix=None, lg=settings.CAS_TICKET_LEN):
    """
        Generate a ticket with prefix ``prefix`` and length ``lg``

        :param unicode prefix: An optional prefix (probably ST, PT, PGT or PGTIOU)
        :param int lg: The length of the generated ticket (with the prefix)
        :return: A randomlly generated ticket of length ``lg``
        :rtype: unicode
    """
    random_part = u''.join(
        random.choice(
            string.ascii_letters + string.digits
        ) for _ in range(lg - len(prefix or "") - 1)
272
    )
273 274 275 276
    if prefix is not None:
        return u'%s-%s' % (prefix, random_part)
    else:
        return random_part
277

Valentin Samir's avatar
PEP8  
Valentin Samir committed
278

279
def gen_lt():
280 281 282 283 284 285 286
    """
        Generate a Login Ticket

        :return: A ticket with prefix ``settings.CAS_LOGIN_TICKET_PREFIX`` and length
            ``settings.CAS_LT_LEN``
        :rtype: unicode
    """
287 288
    return _gen_ticket(settings.CAS_LOGIN_TICKET_PREFIX, settings.CAS_LT_LEN)

Valentin Samir's avatar
PEP8  
Valentin Samir committed
289

290
def gen_st():
291 292 293 294 295 296 297
    """
        Generate a Service Ticket

        :return: A ticket with prefix ``settings.CAS_SERVICE_TICKET_PREFIX`` and length
            ``settings.CAS_ST_LEN``
        :rtype: unicode
    """
298
    return _gen_ticket(settings.CAS_SERVICE_TICKET_PREFIX, settings.CAS_ST_LEN)
299

Valentin Samir's avatar
PEP8  
Valentin Samir committed
300

301
def gen_pt():
302 303 304 305 306 307 308
    """
        Generate a Proxy Ticket

        :return: A ticket with prefix ``settings.CAS_PROXY_TICKET_PREFIX`` and length
            ``settings.CAS_PT_LEN``
        :rtype: unicode
    """
309
    return _gen_ticket(settings.CAS_PROXY_TICKET_PREFIX, settings.CAS_PT_LEN)
310

Valentin Samir's avatar
PEP8  
Valentin Samir committed
311

312
def gen_pgt():
313 314 315 316 317 318 319
    """
        Generate a Proxy Granting Ticket

        :return: A ticket with prefix ``settings.CAS_PROXY_GRANTING_TICKET_PREFIX`` and length
            ``settings.CAS_PGT_LEN``
        :rtype: unicode
    """
320
    return _gen_ticket(settings.CAS_PROXY_GRANTING_TICKET_PREFIX, settings.CAS_PGT_LEN)
321

Valentin Samir's avatar
PEP8  
Valentin Samir committed
322

323
def gen_pgtiou():
324 325 326 327 328 329 330
    """
        Generate a Proxy Granting Ticket IOU

        :return: A ticket with prefix ``settings.CAS_PROXY_GRANTING_TICKET_IOU_PREFIX`` and length
            ``settings.CAS_PGTIOU_LEN``
        :rtype: unicode
    """
331
    return _gen_ticket(settings.CAS_PROXY_GRANTING_TICKET_IOU_PREFIX, settings.CAS_PGTIOU_LEN)
332

333 334

def gen_saml_id():
335 336 337 338 339 340 341
    """
        Generate an saml id

        :return: A random id of length ``settings.CAS_TICKET_LEN``
        :rtype: unicode
    """
    return _gen_ticket()
342 343


Valentin Samir's avatar
Valentin Samir committed
344
def get_tuple(nuplet, index, default=None):
Valentin Samir's avatar
Valentin Samir committed
345
    """
346 347 348 349
        :param tuple nuplet: A tuple
        :param int index: An index
        :param default: An optional default value
        :return: ``nuplet[index]`` if defined, else ``default`` (possibly ``None``)
Valentin Samir's avatar
Valentin Samir committed
350
    """
Valentin Samir's avatar
Valentin Samir committed
351
    if nuplet is None:
352
        return default
353
    try:
Valentin Samir's avatar
Valentin Samir committed
354
        return nuplet[index]
355 356
    except IndexError:
        return default
357

358

359
def crypt_salt_is_valid(salt):
360 361 362 363 364 365 366
    """
        Validate a salt as crypt salt

        :param str salt: a password salt
        :return: ``True`` if ``salt`` is a valid crypt salt on this system, ``False`` otherwise
        :rtype: bool
    """
367 368 369 370 371 372 373 374 375 376 377 378 379 380 381 382 383
    if len(salt) < 2:
        return False
    else:
        if salt[0] == '$':
            if salt[1] == '$':
                return False
            else:
                if '$' not in salt[1:]:
                    return False
                else:
                    hashed = crypt.crypt("", salt)
                    if not hashed or '$' not in hashed[1:]:
                        return False
                    else:
                        return True
        else:
            return True
384

385

386
class LdapHashUserPassword(object):
387 388 389 390
    """
        Class to deal with hashed password as defined at
        https://tools.ietf.org/id/draft-stroeder-hashed-userpassword-values-01.html
    """
391

392
    #: valide schemes that require a salt
393
    schemes_salt = {b"{SMD5}", b"{SSHA}", b"{SSHA256}", b"{SSHA384}", b"{SSHA512}", b"{CRYPT}"}
394
    #: valide sschemes that require no slat
395 396
    schemes_nosalt = {b"{MD5}", b"{SHA}", b"{SHA256}", b"{SHA384}", b"{SHA512}"}

397
    #: map beetween scheme and hash function
398 399 400 401 402 403 404 405 406 407 408 409 410
    _schemes_to_hash = {
        b"{SMD5}": hashlib.md5,
        b"{MD5}": hashlib.md5,
        b"{SSHA}": hashlib.sha1,
        b"{SHA}": hashlib.sha1,
        b"{SSHA256}": hashlib.sha256,
        b"{SHA256}": hashlib.sha256,
        b"{SSHA384}": hashlib.sha384,
        b"{SHA384}": hashlib.sha384,
        b"{SSHA512}": hashlib.sha512,
        b"{SHA512}": hashlib.sha512
    }

411
    #: map between scheme and hash length
412 413 414 415 416 417 418 419 420
    _schemes_to_len = {
        b"{SMD5}": 16,
        b"{SSHA}": 20,
        b"{SSHA256}": 32,
        b"{SSHA384}": 48,
        b"{SSHA512}": 64,
    }

    class BadScheme(ValueError):
421 422 423 424
        """
            Error raised then the hash scheme is not in
            :attr:`LdapHashUserPassword.schemes_salt` + :attr:`LdapHashUserPassword.schemes_nosalt`
        """
425 426 427
        pass

    class BadHash(ValueError):
Valentin Samir's avatar
Valentin Samir committed
428
        """Error raised then the hash is too short"""
429 430 431
        pass

    class BadSalt(ValueError):
432
        """Error raised then, with the scheme ``{CRYPT}``, the salt is invalid"""
433 434 435 436
        pass

    @classmethod
    def _raise_bad_scheme(cls, scheme, valid, msg):
Valentin Samir's avatar
Valentin Samir committed
437
        """
438 439 440 441 442 443 444
            Raise :attr:`BadScheme` error for ``scheme``, possible valid scheme are
            in ``valid``, the error message is ``msg``

            :param bytes scheme: A bad scheme
            :param list valid: A list a valid scheme
            :param str msg: The error template message
            :raises LdapHashUserPassword.BadScheme: always
Valentin Samir's avatar
Valentin Samir committed
445
        """
446
        valid_schemes = [s.decode() for s in valid]
447
        valid_schemes.sort()
448
        raise cls.BadScheme(msg % (scheme, u", ".join(valid_schemes)))
449 450 451

    @classmethod
    def _test_scheme(cls, scheme):
452 453 454 455 456 457
        """
            Test if a scheme is valide or raise BadScheme

            :param bytes scheme: A scheme
            :raises BadScheme: if ``scheme`` is not a valid scheme
        """
458 459 460 461 462 463 464 465 466
        if scheme not in cls.schemes_salt and scheme not in cls.schemes_nosalt:
            cls._raise_bad_scheme(
                scheme,
                cls.schemes_salt | cls.schemes_nosalt,
                "The scheme %r is not valid. Valide schemes are %s."
            )

    @classmethod
    def _test_scheme_salt(cls, scheme):
467 468 469 470 471 472
        """
            Test if the scheme need a salt or raise BadScheme

            :param bytes scheme: A scheme
            :raises BadScheme: if ``scheme` require no salt
        """
473 474 475 476 477 478 479 480 481
        if scheme not in cls.schemes_salt:
            cls._raise_bad_scheme(
                scheme,
                cls.schemes_salt,
                "The scheme %r is only valid without a salt. Valide schemes with salt are %s."
            )

    @classmethod
    def _test_scheme_nosalt(cls, scheme):
482 483 484 485 486 487
        """
            Test if the scheme need no salt or raise BadScheme

            :param bytes scheme: A scheme
            :raises BadScheme: if ``scheme` require a salt
        """
488 489 490 491 492 493 494 495 496
        if scheme not in cls.schemes_nosalt:
            cls._raise_bad_scheme(
                scheme,
                cls.schemes_nosalt,
                "The scheme %r is only valid with a salt. Valide schemes without salt are %s."
            )

    @classmethod
    def hash(cls, scheme, password, salt=None, charset="utf8"):
Valentin Samir's avatar
Valentin Samir committed
497
        """
498 499 500 501 502 503 504 505 506
           Hash ``password`` with ``scheme`` using ``salt``.
           This three variable beeing encoded in ``charset``.

           :param bytes scheme: A valid scheme
           :param bytes password: A byte string to hash using ``scheme``
           :param bytes salt: An optional salt to use if ``scheme`` requires any
           :param str charset: The encoding of ``scheme``, ``password`` and ``salt``
           :return: The hashed password encoded with ``charset``
           :rtype: bytes
Valentin Samir's avatar
Valentin Samir committed
507
        """
508 509 510 511 512
        scheme = scheme.upper()
        cls._test_scheme(scheme)
        if salt is None or salt == b"":
            salt = b""
            cls._test_scheme_nosalt(scheme)
Valentin Samir's avatar
Valentin Samir committed
513
        else:
514 515
            cls._test_scheme_salt(scheme)
        try:
516 517 518
            return scheme + base64.b64encode(
                cls._schemes_to_hash[scheme](password + salt).digest() + salt
            )
519 520 521 522
        except KeyError:
            if six.PY3:
                password = password.decode(charset)
                salt = salt.decode(charset)
523
            if not crypt_salt_is_valid(salt):
524
                raise cls.BadSalt("System crypt implementation do not support the salt %r" % salt)
525
            hashed_password = crypt.crypt(password, salt)
526 527 528 529 530 531
            if six.PY3:
                hashed_password = hashed_password.encode(charset)
            return scheme + hashed_password

    @classmethod
    def get_scheme(cls, hashed_passord):
532 533 534 535 536 537 538 539
        """
            Return the scheme of ``hashed_passord`` or raise :attr:`BadHash`

            :param bytes hashed_passord: A hashed password
            :return: The scheme used by the hashed password
            :rtype: bytes
            :raises BadHash: if no valid scheme is found within ``hashed_passord``
        """
540
        if not hashed_passord[0] == b'{'[0] or b'}' not in hashed_passord:
541 542 543 544 545 546 547
            raise cls.BadHash("%r should start with the scheme enclosed with { }" % hashed_passord)
        scheme = hashed_passord.split(b'}', 1)[0]
        scheme = scheme.upper() + b"}"
        return scheme

    @classmethod
    def get_salt(cls, hashed_passord):
548 549 550 551 552 553 554 555 556
        """
            Return the salt of ``hashed_passord`` possibly empty

            :param bytes hashed_passord: A hashed password
            :return: The salt used by the hashed password (empty if no salt is used)
            :rtype: bytes
            :raises BadHash: if no valid scheme is found within ``hashed_passord`` or if the
                hashed password is too short for the scheme found.
        """
557 558 559 560 561
        scheme = cls.get_scheme(hashed_passord)
        cls._test_scheme(scheme)
        if scheme in cls.schemes_nosalt:
            return b""
        elif scheme == b'{CRYPT}':
Valentin Samir's avatar
Valentin Samir committed
562
            return b'$'.join(hashed_passord.split(b'$', 3)[:-1])[len(scheme):]
563
        else:
564 565 566 567
            try:
                hashed_passord = base64.b64decode(hashed_passord[len(scheme):])
            except TypeError as error:
                raise cls.BadHash("Bad base64: %s" % error)
568 569 570 571 572 573
            if len(hashed_passord) < cls._schemes_to_len[scheme]:
                raise cls.BadHash("Hash too short for the scheme %s" % scheme)
            return hashed_passord[cls._schemes_to_len[scheme]:]


def check_password(method, password, hashed_password, charset):
Valentin Samir's avatar
Valentin Samir committed
574
    """
575 576 577 578 579 580 581 582 583 584 585 586 587 588
        Check that ``password`` match `hashed_password` using ``method``,
        assuming the encoding is ``charset``.

        :param str method: on of ``"crypt"``, ``"ldap"``, ``"hex_md5"``, ``"hex_sha1"``,
            ``"hex_sha224"``, ``"hex_sha256"``, ``"hex_sha384"``, ``"hex_sha512"``, ``"plain"``
        :param password: The user inputed password
        :type password: :obj:`str` or :obj:`unicode`
        :param hashed_password: The hashed password as stored in the database
        :type hashed_password: :obj:`str` or :obj:`unicode`
        :param str charset: The used char encoding (also used internally, so it must be valid for
            the charset used by ``password`` even if it is inputed as an :obj:`unicode`)
        :return: True if ``password`` match ``hashed_password`` using ``method``,
            ``False`` otherwise
        :rtype: bool
Valentin Samir's avatar
Valentin Samir committed
589
    """
590 591 592 593 594 595 596 597 598
    if not isinstance(password, six.binary_type):
        password = password.encode(charset)
    if not isinstance(hashed_password, six.binary_type):
        hashed_password = hashed_password.encode(charset)
    if method == "plain":
        return password == hashed_password
    elif method == "crypt":
        if hashed_password.startswith(b'$'):
            salt = b'$'.join(hashed_password.split(b'$', 3)[:-1])
Valentin Samir's avatar
Valentin Samir committed
599
        elif hashed_password.startswith(b'_'):  # pragma: no cover old BSD format not supported
600 601 602 603 604 605 606
            salt = hashed_password[:9]
        else:
            salt = hashed_password[:2]
        if six.PY3:
            password = password.decode(charset)
            salt = salt.decode(charset)
            hashed_password = hashed_password.decode(charset)
607
        if not crypt_salt_is_valid(salt):
608
            raise ValueError("System crypt implementation do not support the salt %r" % salt)
609
        crypted_password = crypt.crypt(password, salt)
610 611 612 613 614 615 616 617 618
        return crypted_password == hashed_password
    elif method == "ldap":
        scheme = LdapHashUserPassword.get_scheme(hashed_password)
        salt = LdapHashUserPassword.get_salt(hashed_password)
        return LdapHashUserPassword.hash(scheme, password, salt, charset=charset) == hashed_password
    elif (
       method.startswith("hex_") and
       method[4:] in {"md5", "sha1", "sha224", "sha256", "sha384", "sha512"}
    ):
619 620 621 622
        return getattr(
            hashlib,
            method[4:]
        )(password).hexdigest().encode("ascii") == hashed_password.lower()
623 624
    else:
        raise ValueError("Unknown password method check %r" % method)
625 626 627 628 629 630 631 632 633 634 635 636 637 638 639 640 641 642 643 644 645 646 647 648 649 650 651 652 653 654 655 656 657


def decode_version(version):
    """
        decode a version string following version semantic http://semver.org/ input a tuple of int

        :param unicode version: A dotted version
        :return: A tuple a int
        :rtype: tuple
    """
    return tuple(int(sub_version) for sub_version in version.split('.'))


def last_version():
    """
        Fetch the last version from pypi and return it. On successful fetch from pypi, the response
        is cached 24h, on error, it is cached 10 min.

        :return: the last django-cas-server version
        :rtype: unicode
    """
    try:
        last_update, version, success = last_version._cache
    except AttributeError:
        last_update = 0
        version = None
        success = False
    cache_delta = 24 * 3600 if success else 600
    if (time.time() - last_update) < cache_delta:
        return version
    else:
        try:
            req = requests.get(settings.CAS_NEW_VERSION_JSON_URL)
658 659
            data = json.loads(req.text)
            versions = list(data["releases"].keys())
660 661 662 663 664 665 666 667
            versions.sort()
            version = versions[-1]
            last_version._cache = (time.time(), version, True)
            return version
        except (
            KeyError,
            ValueError,
            requests.exceptions.RequestException
668
        ) as error:  # pragma: no cover (should not happen unless pypi is not available)
669 670 671 672
            logger.error(
                "Unable to fetch %s: %s" % (settings.CAS_NEW_VERSION_JSON_URL, error)
            )
            last_version._cache = (time.time(), version, False)