Merge branch 'master' into devel

Conflicts: src/octoprint/server/api/__init__.py
2014-10-27 09:39:14 +01:00 · 2014-10-27 09:39:14 +01:00 · ff97fba0f0
commit ff97fba0f0
parent e149689249 ce67e28f96
4 changed files with 39 additions and 4 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -58,6 +58,7 @@
  server start and written back into ``config.yaml``
 * Event subscriptions are now enabled by default (it was an accident that they weren't)
 * Generate the key used for session hashing individually for each server instance
+* Generate the salt used for hashing user passwords individually for each server instance

 ### Bug Fixes

--- a/src/octoprint/server/api/init.py
+++ b/src/octoprint/server/api/init.py
@ -249,7 +249,7 @@ def login():

 		user = octoprint.server.userManager.findUser(username)
 		if user is not None:
-			if user.check_password(octoprint.users.UserManager.createPasswordHash(password)):
+			if octoprint.server.userManager.checkPassword(username, password):
 				if octoprint.server.userManager is not None:
 					user = octoprint.server.userManager.login_user(user)
 					session["usersession.id"] = user.get_session()
--- a/src/octoprint/settings.py
+++ b/src/octoprint/settings.py
@ -130,6 +130,7 @@ default_settings = {
 	},
 	"accessControl": {
 		"enabled": True,
+		"salt": None,
 		"userManager": "octoprint.users.FilebasedUserManager",
 		"userfile": None,
 		"autologinLocal": False,
--- a/src/octoprint/users.py
+++ b/src/octoprint/users.py
@ -70,8 +70,38 @@ class UserManager(object):
 				self.logout_user(user)

 	@staticmethod
-	def createPasswordHash(password):
-		return hashlib.sha512(password + "mvBUTvwzBzD3yPwvnJ4E4tXNf3CGJvvW").hexdigest()
+	def createPasswordHash(password, salt=None):
+		if not salt:
+			salt = settings().get(["accessControl", "salt"])
+			if salt is None:
+				import string
+				from random import choice
+				chars = string.ascii_lowercase + string.ascii_uppercase + string.digits
+				salt = "".join(choice(chars) for _ in xrange(32))
+				settings().set(["accessControl", "salt"], salt)
+				settings().save()
+
+		return hashlib.sha512(password + salt).hexdigest()
+
+	def checkPassword(self, username, password):
+		user = self.findUser(username)
+		if not user:
+			return False
+
+		hash = UserManager.createPasswordHash(password)
+		if user.check_password(hash):
+			# new hash matches, correct password
+			return True
+		else:
+			# new hash doesn't match, but maybe the old one does, so check that!
+			oldHash = UserManager.createPasswordHash(password, salt="mvBUTvwzBzD3yPwvnJ4E4tXNf3CGJvvW")
+			if user.check_password(oldHash):
+				# old hash matches, we migrate the stored password hash to the new one and return True since it's the correct password
+				self.changeUserPassword(username, password)
+				return True
+			else:
+				# old hash doesn't match either, wrong password
+				return False

 	def addUser(self, username, password, active, roles):
 		pass
@ -165,7 +195,10 @@ class FilebasedUserManager(UserManager):
 			self._dirty = False
 		self._load()

-	def addUser(self, username, password, active=False, roles=["user"], apikey=None):
+	def addUser(self, username, password, active=False, roles=None, apikey=None):
+		if not roles:
+			roles = ["user"]
+
 		if username in self._users.keys():
 			raise UserAlreadyExists(username)