jellyfin/Emby.Server.Implementations/Library/DefaultAuthenticationProvider.cs

232 lines
8.9 KiB
C#
Raw Normal View History

2019-02-20 09:17:30 +00:00
using System;
using System.Linq;
using System.Text;
using System.Threading.Tasks;
using MediaBrowser.Controller.Authentication;
using MediaBrowser.Controller.Entities;
using MediaBrowser.Model.Cryptography;
namespace Emby.Server.Implementations.Library
{
public class DefaultAuthenticationProvider : IAuthenticationProvider, IRequiresResolvedUser
{
private readonly ICryptoProvider _cryptographyProvider;
public DefaultAuthenticationProvider(ICryptoProvider crypto)
{
_cryptographyProvider = crypto;
}
public string Name => "Default";
public bool IsEnabled => true;
2019-03-05 07:58:25 +00:00
// This is dumb and an artifact of the backwards way auth providers were designed.
// This version of authenticate was never meant to be called, but needs to be here for interface compat
// Only the providers that don't provide local user support use this
2019-02-20 09:17:30 +00:00
public Task<ProviderAuthenticationResult> Authenticate(string username, string password)
{
throw new NotImplementedException();
}
2019-03-05 07:58:25 +00:00
// This is the verson that we need to use for local users. Because reasons.
2019-02-20 09:17:30 +00:00
public Task<ProviderAuthenticationResult> Authenticate(string username, string password, User resolvedUser)
{
bool success = false;
if (resolvedUser == null)
{
throw new Exception("Invalid username or password");
}
2019-03-05 07:58:25 +00:00
// As long as jellyfin supports passwordless users, we need this little block here to accomodate
if (IsPasswordEmpty(resolvedUser, password))
{
return Task.FromResult(new ProviderAuthenticationResult
{
Username = username
});
}
2019-02-20 09:17:30 +00:00
ConvertPasswordFormat(resolvedUser);
byte[] passwordbytes = Encoding.UTF8.GetBytes(password);
PasswordHash readyHash = new PasswordHash(resolvedUser.Password);
2019-03-06 07:45:05 +00:00
byte[] calculatedHash;
string calculatedHashString;
2019-03-16 04:25:19 +00:00
if (_cryptographyProvider.GetSupportedHashMethods().Contains(readyHash.Id) || _cryptographyProvider.DefaultHashMethod == readyHash.Id)
2019-02-20 09:17:30 +00:00
{
if (string.IsNullOrEmpty(readyHash.Salt))
{
2019-03-06 07:45:05 +00:00
calculatedHash = _cryptographyProvider.ComputeHash(readyHash.Id, passwordbytes);
calculatedHashString = BitConverter.ToString(calculatedHash).Replace("-", string.Empty);
2019-02-20 09:17:30 +00:00
}
else
{
2019-03-06 07:45:05 +00:00
calculatedHash = _cryptographyProvider.ComputeHash(readyHash.Id, passwordbytes, readyHash.SaltBytes);
calculatedHashString = BitConverter.ToString(calculatedHash).Replace("-", string.Empty);
}
2019-02-20 09:17:30 +00:00
2019-03-06 07:45:05 +00:00
if (calculatedHashString == readyHash.Hash)
2019-02-20 09:17:30 +00:00
{
success = true;
2019-03-05 07:58:25 +00:00
// throw new Exception("Invalid username or password");
2019-02-20 09:17:30 +00:00
}
}
else
{
throw new Exception(string.Format($"Requested crypto method not available in provider: {readyHash.Id}"));
2019-02-20 09:17:30 +00:00
}
2019-03-05 07:58:25 +00:00
// var success = string.Equals(GetPasswordHash(resolvedUser), GetHashedString(resolvedUser, password), StringComparison.OrdinalIgnoreCase);
2019-02-20 09:17:30 +00:00
if (!success)
{
throw new Exception("Invalid username or password");
}
return Task.FromResult(new ProviderAuthenticationResult
{
Username = username
});
}
2019-03-05 07:58:25 +00:00
// This allows us to move passwords forward to the newformat without breaking. They are still insecure, unsalted, and dumb before a password change
// but at least they are in the new format.
2019-02-20 09:17:30 +00:00
private void ConvertPasswordFormat(User user)
{
if (string.IsNullOrEmpty(user.Password))
{
return;
}
2019-02-20 09:17:30 +00:00
if (!user.Password.Contains("$"))
{
string hash = user.Password;
user.Password = string.Format("$SHA1${0}", hash);
2019-02-20 09:17:30 +00:00
}
2019-02-20 09:17:30 +00:00
if (user.EasyPassword != null && !user.EasyPassword.Contains("$"))
{
string hash = user.EasyPassword;
user.EasyPassword = string.Format("$SHA1${0}", hash);
}
}
public Task<bool> HasPassword(User user)
{
var hasConfiguredPassword = !IsPasswordEmpty(user, GetPasswordHash(user));
return Task.FromResult(hasConfiguredPassword);
}
private bool IsPasswordEmpty(User user, string password)
{
2019-03-05 07:58:25 +00:00
return (string.IsNullOrEmpty(user.Password) && string.IsNullOrEmpty(password));
2019-02-20 09:17:30 +00:00
}
public Task ChangePassword(User user, string newPassword)
{
ConvertPasswordFormat(user);
2019-03-05 07:58:25 +00:00
// This is needed to support changing a no password user to a password user
if (string.IsNullOrEmpty(user.Password))
{
PasswordHash newPasswordHash = new PasswordHash(_cryptographyProvider);
2019-02-20 09:17:30 +00:00
newPasswordHash.SaltBytes = _cryptographyProvider.GenerateSalt();
newPasswordHash.Salt = PasswordHash.ConvertToByteString(newPasswordHash.SaltBytes);
newPasswordHash.Id = _cryptographyProvider.DefaultHashMethod;
newPasswordHash.Hash = GetHashedStringChangeAuth(newPassword, newPasswordHash);
user.Password = newPasswordHash.ToString();
return Task.CompletedTask;
}
2019-02-20 09:17:30 +00:00
PasswordHash passwordHash = new PasswordHash(user.Password);
if (passwordHash.Id == "SHA1" && string.IsNullOrEmpty(passwordHash.Salt))
{
passwordHash.SaltBytes = _cryptographyProvider.GenerateSalt();
passwordHash.Salt = PasswordHash.ConvertToByteString(passwordHash.SaltBytes);
passwordHash.Id = _cryptographyProvider.DefaultHashMethod;
passwordHash.Hash = GetHashedStringChangeAuth(newPassword, passwordHash);
}
else if (newPassword != null)
{
passwordHash.Hash = GetHashedString(user, newPassword);
}
if (string.IsNullOrWhiteSpace(passwordHash.Hash))
{
throw new ArgumentNullException(nameof(passwordHash.Hash));
}
user.Password = passwordHash.ToString();
return Task.CompletedTask;
}
public string GetPasswordHash(User user)
{
return user.Password;
}
public void ChangeEasyPassword(User user, string newPassword, string newPasswordHash)
{
ConvertPasswordFormat(user);
if (newPassword != null)
{
newPasswordHash = string.Format("$SHA1${0}", GetHashedString(user, newPassword));
}
if (string.IsNullOrWhiteSpace(newPasswordHash))
{
throw new ArgumentNullException(nameof(newPasswordHash));
}
user.EasyPassword = newPasswordHash;
}
public string GetEasyPasswordHash(User user)
{
// This should be removed in the future. This was added to let user login after
// Jellyfin 10.3.3 failed to save a well formatted PIN.
ConvertPasswordFormat(user);
return string.IsNullOrEmpty(user.EasyPassword)
? null
: (new PasswordHash(user.EasyPassword)).Hash;
}
2019-02-20 09:17:30 +00:00
public string GetHashedStringChangeAuth(string newPassword, PasswordHash passwordHash)
{
passwordHash.HashBytes = Encoding.UTF8.GetBytes(newPassword);
return PasswordHash.ConvertToByteString(_cryptographyProvider.ComputeHash(passwordHash));
}
/// <summary>
/// Gets the hashed string.
/// </summary>
public string GetHashedString(User user, string str)
{
PasswordHash passwordHash;
2019-03-05 07:58:25 +00:00
if (string.IsNullOrEmpty(user.Password))
2019-02-20 09:17:30 +00:00
{
passwordHash = new PasswordHash(_cryptographyProvider);
}
else
{
ConvertPasswordFormat(user);
passwordHash = new PasswordHash(user.Password);
}
if (passwordHash.SaltBytes != null)
{
2019-03-05 07:58:25 +00:00
// the password is modern format with PBKDF and we should take advantage of that
2019-02-20 09:17:30 +00:00
passwordHash.HashBytes = Encoding.UTF8.GetBytes(str);
return PasswordHash.ConvertToByteString(_cryptographyProvider.ComputeHash(passwordHash));
}
else
{
2019-03-05 07:58:25 +00:00
// the password has no salt and should be called with the older method for safety
2019-02-20 09:17:30 +00:00
return PasswordHash.ConvertToByteString(_cryptographyProvider.ComputeHash(passwordHash.Id, Encoding.UTF8.GetBytes(str)));
}
}
}
}