alteropen/jellyfin
1
0
Fork 0
mirror of https://github.com/jellyfin/jellyfin.git synced 2026-04-20 09:04:42 +01:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

Remove legacy auth code (#1677)

Browse Source 
* Remove legacy auth code

* Adds tests so we don't break PasswordHash (again)
* Clean up interfaces
* Remove duplicate code

* Use auto properties

* static using

* Don't use 'this'

* Fix build
This commit is contained in:
Bond-009
2019-09-17 18:07:15 +02:00
committed by Anthony Lavado
parent adc2a68a98
commit 6f17a0b7af
34 changed files with 353 additions and 3429 deletions
Download Patch File Download Diff File Expand all files Collapse all files

65
Emby.Server.Implementations/Cryptography/CryptographyProvider.cs
View File

@@ -1,10 +1,8 @@
using System;
using System.Collections.Generic;
using System.Globalization;
using System.IO;
using System.Security.Cryptography;
using System.Text;
using MediaBrowser.Model.Cryptography;
using static MediaBrowser.Common.Cryptography.Constants;
namespace Emby.Server.Implementations.Cryptography
{
@@ -30,8 +28,6 @@ namespace Emby.Server.Implementations.Cryptography
private RandomNumberGenerator _randomNumberGenerator;
private const int _defaultIterations = 1000;
private bool _disposed = false;
public CryptographyProvider()
@@ -45,44 +41,13 @@ namespace Emby.Server.Implementations.Cryptography
public string DefaultHashMethod => "PBKDF2";
[Obsolete("Use System.Security.Cryptography.MD5 directly")]
public Guid GetMD5(string str)
=> new Guid(ComputeMD5(Encoding.Unicode.GetBytes(str)));
[Obsolete("Use System.Security.Cryptography.SHA1 directly")]
public byte[] ComputeSHA1(byte[] bytes)
{
using (var provider = SHA1.Create())
{
return provider.ComputeHash(bytes);
}
}
[Obsolete("Use System.Security.Cryptography.MD5 directly")]
public byte[] ComputeMD5(Stream str)
{
using (var provider = MD5.Create())
{
return provider.ComputeHash(str);
}
}
[Obsolete("Use System.Security.Cryptography.MD5 directly")]
public byte[] ComputeMD5(byte[] bytes)
{
using (var provider = MD5.Create())
{
return provider.ComputeHash(bytes);
}
}
public IEnumerable<string> GetSupportedHashMethods()
=> _supportedHashMethods;
private byte[] PBKDF2(string method, byte[] bytes, byte[] salt, int iterations)
{
//downgrading for now as we need this library to be dotnetstandard compliant
//with this downgrade we'll add a check to make sure we're on the downgrade method at the moment
// downgrading for now as we need this library to be dotnetstandard compliant
// with this downgrade we'll add a check to make sure we're on the downgrade method at the moment
if (method == DefaultHashMethod)
{
using (var r = new Rfc2898DeriveBytes(bytes, salt, iterations))
@@ -104,7 +69,7 @@ namespace Emby.Server.Implementations.Cryptography
{
if (hashMethod == DefaultHashMethod)
{
return PBKDF2(hashMethod, bytes, salt, _defaultIterations);
return PBKDF2(hashMethod, bytes, salt, DefaultIterations);
}
else if (_supportedHashMethods.Contains(hashMethod))
{
@@ -129,26 +94,14 @@ namespace Emby.Server.Implementations.Cryptography
}
public byte[] ComputeHashWithDefaultMethod(byte[] bytes, byte[] salt)
=> PBKDF2(DefaultHashMethod, bytes, salt, _defaultIterations);
public byte[] ComputeHash(PasswordHash hash)
{
int iterations = _defaultIterations;
if (!hash.Parameters.ContainsKey("iterations"))
{
hash.Parameters.Add("iterations", iterations.ToString(CultureInfo.InvariantCulture));
}
else if (!int.TryParse(hash.Parameters["iterations"], out iterations))
{
throw new InvalidDataException($"Couldn't successfully parse iterations value from string: {hash.Parameters["iterations"]}");
}
return PBKDF2(hash.Id, hash.Hash, hash.Salt, iterations);
}
=> PBKDF2(DefaultHashMethod, bytes, salt, DefaultIterations);
public byte[] GenerateSalt()
=> GenerateSalt(DefaultSaltLength);
public byte[] GenerateSalt(int length)
{
byte[] salt = new byte[64];
byte[] salt = new byte[length];
_randomNumberGenerator.GetBytes(salt);
return salt;
}

134
Emby.Server.Implementations/Library/DefaultAuthenticationProvider.cs
View File

@@ -2,24 +2,30 @@ using System;
using System.Linq;
using System.Text;
using System.Threading.Tasks;
using MediaBrowser.Common.Cryptography;
using MediaBrowser.Controller.Authentication;
using MediaBrowser.Controller.Entities;
using MediaBrowser.Model.Cryptography;
using static MediaBrowser.Common.HexHelper;
namespace Emby.Server.Implementations.Library
{
public class DefaultAuthenticationProvider : IAuthenticationProvider, IRequiresResolvedUser
{
private readonly ICryptoProvider _cryptographyProvider;
public DefaultAuthenticationProvider(ICryptoProvider cryptographyProvider)
{
_cryptographyProvider = cryptographyProvider;
}
/// <inheritdoc />
public string Name => "Default";
/// <inheritdoc />
public bool IsEnabled => true;
/// <inheritdoc />
// This is dumb and an artifact of the backwards way auth providers were designed.
// This version of authenticate was never meant to be called, but needs to be here for interface compat
// Only the providers that don't provide local user support use this
@@ -28,6 +34,7 @@ namespace Emby.Server.Implementations.Library
throw new NotImplementedException();
}
/// <inheritdoc />
// This is the version that we need to use for local users. Because reasons.
public Task<ProviderAuthenticationResult> Authenticate(string username, string password, User resolvedUser)
{
@@ -46,10 +53,9 @@ namespace Emby.Server.Implementations.Library
});
}
ConvertPasswordFormat(resolvedUser);
byte[] passwordbytes = Encoding.UTF8.GetBytes(password);
PasswordHash readyHash = new PasswordHash(resolvedUser.Password);
PasswordHash readyHash = PasswordHash.Parse(resolvedUser.Password);
if (_cryptographyProvider.GetSupportedHashMethods().Contains(readyHash.Id)
|| _cryptographyProvider.DefaultHashMethod == readyHash.Id)
{
@@ -76,72 +82,31 @@ namespace Emby.Server.Implementations.Library
});
}
// This allows us to move passwords forward to the newformat without breaking. They are still insecure, unsalted, and dumb before a password change
// but at least they are in the new format.
private void ConvertPasswordFormat(User user)
{
if (string.IsNullOrEmpty(user.Password))
{
return;
}
if (user.Password.IndexOf('$') == -1)
{
string hash = user.Password;
user.Password = string.Format("$SHA1${0}", hash);
}
if (user.EasyPassword != null
&& user.EasyPassword.IndexOf('$') == -1)
{
string hash = user.EasyPassword;
user.EasyPassword = string.Format("$SHA1${0}", hash);
}
}
/// <inheritdoc />
public bool HasPassword(User user)
=> !string.IsNullOrEmpty(user.Password);
/// <inheritdoc />
public Task ChangePassword(User user, string newPassword)
{
ConvertPasswordFormat(user);
// This is needed to support changing a no password user to a password user
if (string.IsNullOrEmpty(user.Password))
if (string.IsNullOrEmpty(newPassword))
{
PasswordHash newPasswordHash = new PasswordHash(_cryptographyProvider);
newPasswordHash.Salt = _cryptographyProvider.GenerateSalt();
newPasswordHash.Id = _cryptographyProvider.DefaultHashMethod;
newPasswordHash.Hash = GetHashedChangeAuth(newPassword, newPasswordHash);
user.Password = newPasswordHash.ToString();
user.Password = null;
return Task.CompletedTask;
}
PasswordHash passwordHash = new PasswordHash(user.Password);
if (passwordHash.Id == "SHA1"
&& passwordHash.Salt.Length == 0)
{
passwordHash.Salt = _cryptographyProvider.GenerateSalt();
passwordHash.Id = _cryptographyProvider.DefaultHashMethod;
passwordHash.Hash = GetHashedChangeAuth(newPassword, passwordHash);
}
else if (newPassword != null)
{
passwordHash.Hash = GetHashed(user, newPassword);
}
user.Password = passwordHash.ToString();
PasswordHash newPasswordHash = _cryptographyProvider.CreatePasswordHash(newPassword);
user.Password = newPasswordHash.ToString();
return Task.CompletedTask;
}
/// <inheritdoc />
public void ChangeEasyPassword(User user, string newPassword, string newPasswordHash)
{
ConvertPasswordFormat(user);
if (newPassword != null)
{
newPasswordHash = string.Format("$SHA1${0}", GetHashedString(user, newPassword));
newPasswordHash = _cryptographyProvider.CreatePasswordHash(newPassword).ToString();
}
if (string.IsNullOrWhiteSpace(newPasswordHash))
@@ -152,21 +117,12 @@ namespace Emby.Server.Implementations.Library
user.EasyPassword = newPasswordHash;
}
/// <inheritdoc />
public string GetEasyPasswordHash(User user)
{
// This should be removed in the future. This was added to let user login after
// Jellyfin 10.3.3 failed to save a well formatted PIN.
ConvertPasswordFormat(user);
return string.IsNullOrEmpty(user.EasyPassword)
? null
: PasswordHash.ConvertToByteString(new PasswordHash(user.EasyPassword).Hash);
}
internal byte[] GetHashedChangeAuth(string newPassword, PasswordHash passwordHash)
{
passwordHash.Hash = Encoding.UTF8.GetBytes(newPassword);
return _cryptographyProvider.ComputeHash(passwordHash);
: ToHexString(PasswordHash.Parse(user.EasyPassword).Hash);
}
/// <summary>
@@ -174,54 +130,36 @@ namespace Emby.Server.Implementations.Library
/// </summary>
public string GetHashedString(User user, string str)
{
PasswordHash passwordHash;
if (string.IsNullOrEmpty(user.Password))
{
passwordHash = new PasswordHash(_cryptographyProvider);
}
else
{
ConvertPasswordFormat(user);
passwordHash = new PasswordHash(user.Password);
return _cryptographyProvider.CreatePasswordHash(str).ToString();
}
if (passwordHash.Salt != null)
{
// the password is modern format with PBKDF and we should take advantage of that
passwordHash.Hash = Encoding.UTF8.GetBytes(str);
return PasswordHash.ConvertToByteString(_cryptographyProvider.ComputeHash(passwordHash));
}
else
{
// the password has no salt and should be called with the older method for safety
return PasswordHash.ConvertToByteString(_cryptographyProvider.ComputeHash(passwordHash.Id, Encoding.UTF8.GetBytes(str)));
}
// TODO: make use of iterations parameter?
PasswordHash passwordHash = PasswordHash.Parse(user.Password);
return new PasswordHash(
passwordHash.Id,
_cryptographyProvider.ComputeHash(
passwordHash.Id,
Encoding.UTF8.GetBytes(str),
passwordHash.Salt),
passwordHash.Salt,
passwordHash.Parameters.ToDictionary(x => x.Key, y => y.Value)).ToString();
}
public byte[] GetHashed(User user, string str)
{
PasswordHash passwordHash;
if (string.IsNullOrEmpty(user.Password))
{
passwordHash = new PasswordHash(_cryptographyProvider);
}
else
{
ConvertPasswordFormat(user);
passwordHash = new PasswordHash(user.Password);
return _cryptographyProvider.CreatePasswordHash(str).Hash;
}
if (passwordHash.Salt != null)
{
// the password is modern format with PBKDF and we should take advantage of that
passwordHash.Hash = Encoding.UTF8.GetBytes(str);
return _cryptographyProvider.ComputeHash(passwordHash);
}
else
{
// the password has no salt and should be called with the older method for safety
return _cryptographyProvider.ComputeHash(passwordHash.Id, Encoding.UTF8.GetBytes(str));
}
// TODO: make use of iterations parameter?
PasswordHash passwordHash = PasswordHash.Parse(user.Password);
return _cryptographyProvider.ComputeHash(
passwordHash.Id,
Encoding.UTF8.GetBytes(str),
passwordHash.Salt);
}
}
}

58
Emby.Server.Implementations/Library/UserManager.cs
View File

@@ -8,6 +8,7 @@ using System.Text;
using System.Text.RegularExpressions;
using System.Threading;
using System.Threading.Tasks;
using MediaBrowser.Common.Cryptography;
using MediaBrowser.Common.Events;
using MediaBrowser.Common.Net;
using MediaBrowser.Controller;
@@ -23,7 +24,6 @@ using MediaBrowser.Controller.Providers;
using MediaBrowser.Controller.Security;
using MediaBrowser.Controller.Session;
using MediaBrowser.Model.Configuration;
using MediaBrowser.Model.Cryptography;
using MediaBrowser.Model.Dto;
using MediaBrowser.Model.Entities;
using MediaBrowser.Model.Events;
@@ -31,6 +31,7 @@ using MediaBrowser.Model.IO;
using MediaBrowser.Model.Serialization;
using MediaBrowser.Model.Users;
using Microsoft.Extensions.Logging;
using static MediaBrowser.Common.HexHelper;
namespace Emby.Server.Implementations.Library
{
@@ -450,53 +451,38 @@ namespace Emby.Server.Implementations.Library
}
}
private async Task<(IAuthenticationProvider authenticationProvider, string username, bool success)> AuthenticateLocalUser(string username, string password, string hashedPassword, User user, string remoteEndPoint)
private async Task<(IAuthenticationProvider authenticationProvider, string username, bool success)> AuthenticateLocalUser(
string username,
string password,
string hashedPassword,
User user,
string remoteEndPoint)
{
bool success = false;
IAuthenticationProvider authenticationProvider = null;
if (password != null && user != null)
foreach (var provider in GetAuthenticationProviders(user))
{
// Doesn't look like this is even possible to be used, because of password == null checks below
hashedPassword = _defaultAuthenticationProvider.GetHashedString(user, password);
}
var providerAuthResult = await AuthenticateWithProvider(provider, username, password, user).ConfigureAwait(false);
var updatedUsername = providerAuthResult.username;
success = providerAuthResult.success;
if (password == null)
{
// legacy
success = string.Equals(user.Password, hashedPassword.Replace("-", string.Empty), StringComparison.OrdinalIgnoreCase);
}
else
{
foreach (var provider in GetAuthenticationProviders(user))
if (success)
{
var providerAuthResult = await AuthenticateWithProvider(provider, username, password, user).ConfigureAwait(false);
var updatedUsername = providerAuthResult.username;
success = providerAuthResult.success;
if (success)
{
authenticationProvider = provider;
username = updatedUsername;
break;
}
authenticationProvider = provider;
username = updatedUsername;
break;
}
}
if (user != null
&& !success
if (!success
&& _networkManager.IsInLocalNetwork(remoteEndPoint)
&& user.Configuration.EnableLocalPassword)
{
if (password == null)
{
// legacy
success = string.Equals(GetLocalPasswordHash(user), hashedPassword.Replace("-", string.Empty), StringComparison.OrdinalIgnoreCase);
}
else
{
success = string.Equals(GetLocalPasswordHash(user), _defaultAuthenticationProvider.GetHashedString(user, password), StringComparison.OrdinalIgnoreCase);
}
success = string.Equals(
GetLocalPasswordHash(user),
_defaultAuthenticationProvider.GetHashedString(user, password),
StringComparison.OrdinalIgnoreCase);
}
return (authenticationProvider, username, success);
@@ -506,7 +492,7 @@ namespace Emby.Server.Implementations.Library
{
return string.IsNullOrEmpty(user.EasyPassword)
? null
: PasswordHash.ConvertToByteString(new PasswordHash(user.EasyPassword).Hash);
: ToHexString(PasswordHash.Parse(user.EasyPassword).Hash);
}
private void ResetInvalidLoginAttemptCount(User user)

4
Emby.Server.Implementations/Updates/InstallationManager.cs
View File

@@ -9,7 +9,6 @@ using System.Threading;
using System.Threading.Tasks;
using MediaBrowser.Common;
using MediaBrowser.Common.Configuration;
using MediaBrowser.Common.Extensions;
using MediaBrowser.Common.Net;
using MediaBrowser.Common.Plugins;
using MediaBrowser.Common.Updates;
@@ -19,6 +18,7 @@ using MediaBrowser.Model.IO;
using MediaBrowser.Model.Serialization;
using MediaBrowser.Model.Updates;
using Microsoft.Extensions.Logging;
using static MediaBrowser.Common.HexHelper;
namespace Emby.Server.Implementations.Updates
{
@@ -454,7 +454,7 @@ namespace Emby.Server.Implementations.Updates
{
cancellationToken.ThrowIfCancellationRequested();
var hash = HexHelper.ToHexString(md5.ComputeHash(stream));
var hash = ToHexString(md5.ComputeHash(stream));
if (!string.Equals(package.checksum, hash, StringComparison.OrdinalIgnoreCase))
{
_logger.LogDebug("{0}, {1}", package.checksum, hash);