|
@@ -1,39 +1,39 @@
|
|
|
-using System;
|
|
|
|
|
-using System.Linq;
|
|
|
|
|
-using System.Text;
|
|
|
|
|
-using System.Threading.Tasks;
|
|
|
|
|
-using MediaBrowser.Controller.Authentication;
|
|
|
|
|
-using MediaBrowser.Controller.Entities;
|
|
|
|
|
-using MediaBrowser.Model.Cryptography;
|
|
|
|
|
-
|
|
|
|
|
-namespace Emby.Server.Implementations.Library
|
|
|
|
|
-{
|
|
|
|
|
- public class DefaultAuthenticationProvider : IAuthenticationProvider, IRequiresResolvedUser
|
|
|
|
|
- {
|
|
|
|
|
- private readonly ICryptoProvider _cryptographyProvider;
|
|
|
|
|
- public DefaultAuthenticationProvider(ICryptoProvider crypto)
|
|
|
|
|
- {
|
|
|
|
|
- _cryptographyProvider = crypto;
|
|
|
|
|
- }
|
|
|
|
|
-
|
|
|
|
|
- public string Name => "Default";
|
|
|
|
|
-
|
|
|
|
|
- public bool IsEnabled => true;
|
|
|
|
|
-
|
|
|
|
|
-
|
|
|
|
|
- //This is dumb and an artifact of the backwards way auth providers were designed.
|
|
|
|
|
- //This version of authenticate was never meant to be called, but needs to be here for interface compat
|
|
|
|
|
- //Only the providers that don't provide local user support use this
|
|
|
|
|
- public Task<ProviderAuthenticationResult> Authenticate(string username, string password)
|
|
|
|
|
- {
|
|
|
|
|
- throw new NotImplementedException();
|
|
|
|
|
- }
|
|
|
|
|
-
|
|
|
|
|
-
|
|
|
|
|
- //This is the verson that we need to use for local users. Because reasons.
|
|
|
|
|
|
|
+using System;
|
|
|
|
|
+using System.Linq;
|
|
|
|
|
+using System.Text;
|
|
|
|
|
+using System.Threading.Tasks;
|
|
|
|
|
+using MediaBrowser.Controller.Authentication;
|
|
|
|
|
+using MediaBrowser.Controller.Entities;
|
|
|
|
|
+using MediaBrowser.Model.Cryptography;
|
|
|
|
|
+
|
|
|
|
|
+namespace Emby.Server.Implementations.Library
|
|
|
|
|
+{
|
|
|
|
|
+ public class DefaultAuthenticationProvider : IAuthenticationProvider, IRequiresResolvedUser
|
|
|
|
|
+ {
|
|
|
|
|
+ private readonly ICryptoProvider _cryptographyProvider;
|
|
|
|
|
+ public DefaultAuthenticationProvider(ICryptoProvider crypto)
|
|
|
|
|
+ {
|
|
|
|
|
+ _cryptographyProvider = crypto;
|
|
|
|
|
+ }
|
|
|
|
|
+
|
|
|
|
|
+ public string Name => "Default";
|
|
|
|
|
+
|
|
|
|
|
+ public bool IsEnabled => true;
|
|
|
|
|
+
|
|
|
|
|
+
|
|
|
|
|
+ //This is dumb and an artifact of the backwards way auth providers were designed.
|
|
|
|
|
+ //This version of authenticate was never meant to be called, but needs to be here for interface compat
|
|
|
|
|
+ //Only the providers that don't provide local user support use this
|
|
|
|
|
+ public Task<ProviderAuthenticationResult> Authenticate(string username, string password)
|
|
|
|
|
+ {
|
|
|
|
|
+ throw new NotImplementedException();
|
|
|
|
|
+ }
|
|
|
|
|
+
|
|
|
|
|
+
|
|
|
|
|
+ //This is the verson that we need to use for local users. Because reasons.
|
|
|
public Task<ProviderAuthenticationResult> Authenticate(string username, string password, User resolvedUser)
|
|
public Task<ProviderAuthenticationResult> Authenticate(string username, string password, User resolvedUser)
|
|
|
- {
|
|
|
|
|
- bool success = false;
|
|
|
|
|
|
|
+ {
|
|
|
|
|
+ bool success = false;
|
|
|
if (resolvedUser == null)
|
|
if (resolvedUser == null)
|
|
|
{
|
|
{
|
|
|
throw new Exception("Invalid username or password");
|
|
throw new Exception("Invalid username or password");
|
|
@@ -42,18 +42,18 @@ namespace Emby.Server.Implementations.Library
|
|
|
byte[] passwordbytes = Encoding.UTF8.GetBytes(password);
|
|
byte[] passwordbytes = Encoding.UTF8.GetBytes(password);
|
|
|
|
|
|
|
|
PasswordHash readyHash = new PasswordHash(resolvedUser.Password);
|
|
PasswordHash readyHash = new PasswordHash(resolvedUser.Password);
|
|
|
- byte[] CalculatedHash;
|
|
|
|
|
|
|
+ byte[] CalculatedHash;
|
|
|
string CalculatedHashString;
|
|
string CalculatedHashString;
|
|
|
if (_cryptographyProvider.GetSupportedHashMethods().Any(i => i == readyHash.Id))
|
|
if (_cryptographyProvider.GetSupportedHashMethods().Any(i => i == readyHash.Id))
|
|
|
{
|
|
{
|
|
|
if (String.IsNullOrEmpty(readyHash.Salt))
|
|
if (String.IsNullOrEmpty(readyHash.Salt))
|
|
|
{
|
|
{
|
|
|
- CalculatedHash = _cryptographyProvider.ComputeHash(readyHash.Id, passwordbytes);
|
|
|
|
|
|
|
+ CalculatedHash = _cryptographyProvider.ComputeHash(readyHash.Id, passwordbytes);
|
|
|
CalculatedHashString = BitConverter.ToString(CalculatedHash).Replace("-", string.Empty);
|
|
CalculatedHashString = BitConverter.ToString(CalculatedHash).Replace("-", string.Empty);
|
|
|
}
|
|
}
|
|
|
else
|
|
else
|
|
|
{
|
|
{
|
|
|
- CalculatedHash = _cryptographyProvider.ComputeHash(readyHash.Id, passwordbytes, readyHash.SaltBytes);
|
|
|
|
|
|
|
+ CalculatedHash = _cryptographyProvider.ComputeHash(readyHash.Id, passwordbytes, readyHash.SaltBytes);
|
|
|
CalculatedHashString = BitConverter.ToString(CalculatedHash).Replace("-", string.Empty);
|
|
CalculatedHashString = BitConverter.ToString(CalculatedHash).Replace("-", string.Empty);
|
|
|
}
|
|
}
|
|
|
if (CalculatedHashString == readyHash.Hash)
|
|
if (CalculatedHashString == readyHash.Hash)
|
|
@@ -64,7 +64,7 @@ namespace Emby.Server.Implementations.Library
|
|
|
}
|
|
}
|
|
|
else
|
|
else
|
|
|
{
|
|
{
|
|
|
- throw new Exception(String.Format("Requested crypto method not available in provider: {0}", readyHash.Id));
|
|
|
|
|
|
|
+ throw new Exception(String.Format("Requested crypto method not available in provider: {0}", readyHash.Id));
|
|
|
}
|
|
}
|
|
|
|
|
|
|
|
//var success = string.Equals(GetPasswordHash(resolvedUser), GetHashedString(resolvedUser, password), StringComparison.OrdinalIgnoreCase);
|
|
//var success = string.Equals(GetPasswordHash(resolvedUser), GetHashedString(resolvedUser, password), StringComparison.OrdinalIgnoreCase);
|
|
@@ -78,10 +78,10 @@ namespace Emby.Server.Implementations.Library
|
|
|
{
|
|
{
|
|
|
Username = username
|
|
Username = username
|
|
|
});
|
|
});
|
|
|
- }
|
|
|
|
|
-
|
|
|
|
|
- //This allows us to move passwords forward to the newformat without breaking. They are still insecure, unsalted, and dumb before a password change
|
|
|
|
|
- //but at least they are in the new format.
|
|
|
|
|
|
|
+ }
|
|
|
|
|
+
|
|
|
|
|
+ //This allows us to move passwords forward to the newformat without breaking. They are still insecure, unsalted, and dumb before a password change
|
|
|
|
|
+ //but at least they are in the new format.
|
|
|
private void ConvertPasswordFormat(User user)
|
|
private void ConvertPasswordFormat(User user)
|
|
|
{
|
|
{
|
|
|
if (!string.IsNullOrEmpty(user.Password))
|
|
if (!string.IsNullOrEmpty(user.Password))
|
|
@@ -90,71 +90,71 @@ namespace Emby.Server.Implementations.Library
|
|
|
{
|
|
{
|
|
|
string hash = user.Password;
|
|
string hash = user.Password;
|
|
|
user.Password = String.Format("$SHA1${0}", hash);
|
|
user.Password = String.Format("$SHA1${0}", hash);
|
|
|
- }
|
|
|
|
|
|
|
+ }
|
|
|
if (user.EasyPassword != null && !user.EasyPassword.Contains("$"))
|
|
if (user.EasyPassword != null && !user.EasyPassword.Contains("$"))
|
|
|
{
|
|
{
|
|
|
string hash = user.EasyPassword;
|
|
string hash = user.EasyPassword;
|
|
|
user.EasyPassword = String.Format("$SHA1${0}", hash);
|
|
user.EasyPassword = String.Format("$SHA1${0}", hash);
|
|
|
}
|
|
}
|
|
|
}
|
|
}
|
|
|
- }
|
|
|
|
|
-
|
|
|
|
|
- public Task<bool> HasPassword(User user)
|
|
|
|
|
- {
|
|
|
|
|
- var hasConfiguredPassword = !IsPasswordEmpty(user, GetPasswordHash(user));
|
|
|
|
|
- return Task.FromResult(hasConfiguredPassword);
|
|
|
|
|
- }
|
|
|
|
|
-
|
|
|
|
|
- private bool IsPasswordEmpty(User user, string passwordHash)
|
|
|
|
|
- {
|
|
|
|
|
- return string.IsNullOrEmpty(passwordHash);
|
|
|
|
|
- }
|
|
|
|
|
-
|
|
|
|
|
- public Task ChangePassword(User user, string newPassword)
|
|
|
|
|
- {
|
|
|
|
|
- //string newPasswordHash = null;
|
|
|
|
|
- ConvertPasswordFormat(user);
|
|
|
|
|
- PasswordHash passwordHash = new PasswordHash(user.Password);
|
|
|
|
|
- if(passwordHash.Id == "SHA1" && string.IsNullOrEmpty(passwordHash.Salt))
|
|
|
|
|
- {
|
|
|
|
|
- passwordHash.SaltBytes = _cryptographyProvider.GenerateSalt();
|
|
|
|
|
- passwordHash.Salt = PasswordHash.ConvertToByteString(passwordHash.SaltBytes);
|
|
|
|
|
- passwordHash.Id = _cryptographyProvider.DefaultHashMethod;
|
|
|
|
|
- passwordHash.Hash = GetHashedStringChangeAuth(newPassword, passwordHash);
|
|
|
|
|
- }else if (newPassword != null)
|
|
|
|
|
- {
|
|
|
|
|
- passwordHash.Hash = GetHashedString(user, newPassword);
|
|
|
|
|
- }
|
|
|
|
|
-
|
|
|
|
|
- if (string.IsNullOrWhiteSpace(passwordHash.Hash))
|
|
|
|
|
- {
|
|
|
|
|
- throw new ArgumentNullException(nameof(passwordHash.Hash));
|
|
|
|
|
- }
|
|
|
|
|
-
|
|
|
|
|
- user.Password = passwordHash.ToString();
|
|
|
|
|
-
|
|
|
|
|
- return Task.CompletedTask;
|
|
|
|
|
- }
|
|
|
|
|
-
|
|
|
|
|
- public string GetPasswordHash(User user)
|
|
|
|
|
- {
|
|
|
|
|
- return user.Password;
|
|
|
|
|
- }
|
|
|
|
|
-
|
|
|
|
|
- public string GetEmptyHashedString(User user)
|
|
|
|
|
- {
|
|
|
|
|
- return null;
|
|
|
|
|
- }
|
|
|
|
|
-
|
|
|
|
|
- public string GetHashedStringChangeAuth(string newPassword, PasswordHash passwordHash)
|
|
|
|
|
- {
|
|
|
|
|
- passwordHash.HashBytes = Encoding.UTF8.GetBytes(newPassword);
|
|
|
|
|
- return PasswordHash.ConvertToByteString(_cryptographyProvider.ComputeHash(passwordHash));
|
|
|
|
|
- }
|
|
|
|
|
-
|
|
|
|
|
- /// <summary>
|
|
|
|
|
- /// Gets the hashed string.
|
|
|
|
|
- /// </summary>
|
|
|
|
|
|
|
+ }
|
|
|
|
|
+
|
|
|
|
|
+ public Task<bool> HasPassword(User user)
|
|
|
|
|
+ {
|
|
|
|
|
+ var hasConfiguredPassword = !IsPasswordEmpty(user, GetPasswordHash(user));
|
|
|
|
|
+ return Task.FromResult(hasConfiguredPassword);
|
|
|
|
|
+ }
|
|
|
|
|
+
|
|
|
|
|
+ private bool IsPasswordEmpty(User user, string passwordHash)
|
|
|
|
|
+ {
|
|
|
|
|
+ return string.IsNullOrEmpty(passwordHash);
|
|
|
|
|
+ }
|
|
|
|
|
+
|
|
|
|
|
+ public Task ChangePassword(User user, string newPassword)
|
|
|
|
|
+ {
|
|
|
|
|
+ //string newPasswordHash = null;
|
|
|
|
|
+ ConvertPasswordFormat(user);
|
|
|
|
|
+ PasswordHash passwordHash = new PasswordHash(user.Password);
|
|
|
|
|
+ if (passwordHash.Id == "SHA1" && string.IsNullOrEmpty(passwordHash.Salt))
|
|
|
|
|
+ {
|
|
|
|
|
+ passwordHash.SaltBytes = _cryptographyProvider.GenerateSalt();
|
|
|
|
|
+ passwordHash.Salt = PasswordHash.ConvertToByteString(passwordHash.SaltBytes);
|
|
|
|
|
+ passwordHash.Id = _cryptographyProvider.DefaultHashMethod;
|
|
|
|
|
+ passwordHash.Hash = GetHashedStringChangeAuth(newPassword, passwordHash);
|
|
|
|
|
+ }else if (newPassword != null)
|
|
|
|
|
+ {
|
|
|
|
|
+ passwordHash.Hash = GetHashedString(user, newPassword);
|
|
|
|
|
+ }
|
|
|
|
|
+
|
|
|
|
|
+ if (string.IsNullOrWhiteSpace(passwordHash.Hash))
|
|
|
|
|
+ {
|
|
|
|
|
+ throw new ArgumentNullException(nameof(passwordHash.Hash));
|
|
|
|
|
+ }
|
|
|
|
|
+
|
|
|
|
|
+ user.Password = passwordHash.ToString();
|
|
|
|
|
+
|
|
|
|
|
+ return Task.CompletedTask;
|
|
|
|
|
+ }
|
|
|
|
|
+
|
|
|
|
|
+ public string GetPasswordHash(User user)
|
|
|
|
|
+ {
|
|
|
|
|
+ return user.Password;
|
|
|
|
|
+ }
|
|
|
|
|
+
|
|
|
|
|
+ public string GetEmptyHashedString(User user)
|
|
|
|
|
+ {
|
|
|
|
|
+ return null;
|
|
|
|
|
+ }
|
|
|
|
|
+
|
|
|
|
|
+ public string GetHashedStringChangeAuth(string newPassword, PasswordHash passwordHash)
|
|
|
|
|
+ {
|
|
|
|
|
+ passwordHash.HashBytes = Encoding.UTF8.GetBytes(newPassword);
|
|
|
|
|
+ return PasswordHash.ConvertToByteString(_cryptographyProvider.ComputeHash(passwordHash));
|
|
|
|
|
+ }
|
|
|
|
|
+
|
|
|
|
|
+ /// <summary>
|
|
|
|
|
+ /// Gets the hashed string.
|
|
|
|
|
+ /// </summary>
|
|
|
public string GetHashedString(User user, string str)
|
|
public string GetHashedString(User user, string str)
|
|
|
{
|
|
{
|
|
|
PasswordHash passwordHash;
|
|
PasswordHash passwordHash;
|
|
@@ -163,23 +163,23 @@ namespace Emby.Server.Implementations.Library
|
|
|
passwordHash = new PasswordHash(_cryptographyProvider);
|
|
passwordHash = new PasswordHash(_cryptographyProvider);
|
|
|
}
|
|
}
|
|
|
else
|
|
else
|
|
|
- {
|
|
|
|
|
|
|
+ {
|
|
|
ConvertPasswordFormat(user);
|
|
ConvertPasswordFormat(user);
|
|
|
passwordHash = new PasswordHash(user.Password);
|
|
passwordHash = new PasswordHash(user.Password);
|
|
|
}
|
|
}
|
|
|
if (passwordHash.SaltBytes != null)
|
|
if (passwordHash.SaltBytes != null)
|
|
|
- {
|
|
|
|
|
- //the password is modern format with PBKDF and we should take advantage of that
|
|
|
|
|
- passwordHash.HashBytes = Encoding.UTF8.GetBytes(str);
|
|
|
|
|
|
|
+ {
|
|
|
|
|
+ //the password is modern format with PBKDF and we should take advantage of that
|
|
|
|
|
+ passwordHash.HashBytes = Encoding.UTF8.GetBytes(str);
|
|
|
return PasswordHash.ConvertToByteString(_cryptographyProvider.ComputeHash(passwordHash));
|
|
return PasswordHash.ConvertToByteString(_cryptographyProvider.ComputeHash(passwordHash));
|
|
|
}
|
|
}
|
|
|
else
|
|
else
|
|
|
- {
|
|
|
|
|
|
|
+ {
|
|
|
//the password has no salt and should be called with the older method for safety
|
|
//the password has no salt and should be called with the older method for safety
|
|
|
return PasswordHash.ConvertToByteString(_cryptographyProvider.ComputeHash(passwordHash.Id, Encoding.UTF8.GetBytes(str)));
|
|
return PasswordHash.ConvertToByteString(_cryptographyProvider.ComputeHash(passwordHash.Id, Encoding.UTF8.GetBytes(str)));
|
|
|
- }
|
|
|
|
|
-
|
|
|
|
|
-
|
|
|
|
|
- }
|
|
|
|
|
- }
|
|
|
|
|
-}
|
|
|
|
|
|
|
+ }
|
|
|
|
|
+
|
|
|
|
|
+
|
|
|
|
|
+ }
|
|
|
|
|
+ }
|
|
|
|
|
+}
|
Claus Vium