Add option to hash password in config file

2025-07-11 07:46:07 -07:00 · 2016-04-21 00:37:21 -07:00 · 2016-04-21 00:37:21 -07:00 · 11aa7d0140
commit 11aa7d0140
parent 6f97173b00
6 changed files with 245 additions and 5 deletions
--- a/data/interfaces/default/settings.html
+++ b/data/interfaces/default/settings.html
@ -390,7 +390,7 @@ available_notification_agents = sorted(notifiers.available_notification_agents()
                        </div>
                        <div class="checkbox">
                            <label>
-                                <input type="checkbox" name="launch_browser" value="1" ${config['launch_browser']}> Launch Browser on Startup
+                                <input type="checkbox" name="launch_browser" id="launch_browser" value="1" ${config['launch_browser']}> Launch Browser on Startup
                            </label>
                            <p class="help-block">Launch browser pointed to PlexPy on startup.</p>
                        </div>
@ -469,9 +469,18 @@ available_notification_agents = sorted(notifiers.available_notification_agents()
                                <div class="col-md-4">
                                    <input type="password" class="form-control auth-settings" id="http_password" name="http_password" value="${config['http_password']}" size="30">
                                </div>
                                <div id="http_hash_password_error" class="alert alert-danger settings-alert" role="alert"></div>
                            </div>
                            <p class="help-block">Password for web server authentication. Leave empty to disable.</p>
                        </div>
                        <div class="checkbox">
                            <label>
                                <input type="checkbox" name="http_hash_password" id="http_hash_password" value="1" ${config['http_hash_password']} data-parsley-trigger="change"> Hash Password in the Config File
                            </label>
                            <p class="help-block">Store a hashed password in the config.ini file.<br />Warning: Your password cannot be recovered if forgotten!</p>
                        </div>
                        <input type="text" id="http_hashed_password" name="http_hashed_password" value="${config['http_hashed_password']}" style="display: none;" data-parsley-trigger="change" data-parsley-type="integer" data-parsley-range="[0, 1]" 
                               data-parsley-errors-container="#http_hash_password_error" data-parsley-error-message="Cannot un-hash password, please set a new password." data-parsley-no-focus required>
                        <div class="padded-header">
@ -1957,6 +1966,7 @@ $(document).ready(function() {
        if ((serverChanged && $('#monitoring_use_websocket').is(":checked")) || authChanged || httpChanged || monitorChanged || directoryChanged) {
          $('#restart-modal').modal('show');
        }
        $("#http_hashed_password").val($("#http_hash_password").is(":checked") ? 1 : 0)
    }
    var configForm = $("#configUpdate");
@ -2401,6 +2411,19 @@ $(document).ready(function() {
        });
    });
    $("#http_hash_password").click(function(){
        if (!($("#http_hash_password").is(":checked")) && $("#http_hashed_password").val() == "1" && $("#http_password").val() == "    ") {
            $("#http_hashed_password").val(-1);
        } else if ($("#http_hash_password").is(":checked") && $("#http_hashed_password").val() == "-1" && $("#http_password").val() == "    ") {
            $("#http_hashed_password").val(1);
            $("#http_hash_password_error").html("");
        }
    });
    $('#http_password').change(function () {
        $("#http_hashed_password").val($("#http_hash_password").is(":checked") ? 1 : 0);
        $("#http_hash_password_error").html("");
    });
 });
 </script>
 </%def>
--- a/lib/hashing_passwords.py
+++ b/lib/hashing_passwords.py
@ -0,0 +1,66 @@
 # coding: utf8
 """
    Securely hash and check passwords using PBKDF2.
    Use random salts to protect againt rainbow tables, many iterations against
    brute-force, and constant-time comparaison againt timing attacks.
    Keep parameters to the algorithm together with the hash so that we can
    change the parameters and keep older hashes working.
    See more details at http://exyr.org/2011/hashing-passwords/
    Author: Simon Sapin
    License: BSD
 """
 import hashlib
 from os import urandom
 from base64 import b64encode, b64decode
 from itertools import izip
 # From https://github.com/mitsuhiko/python-pbkdf2
 from pbkdf2 import pbkdf2_bin
 # Parameters to PBKDF2. Only affect new passwords.
 SALT_LENGTH = 16
 KEY_LENGTH = 24
 HASH_FUNCTION = 'sha256'  # Must be in hashlib.
 # Linear to the hashing time. Adjust to be high but take a reasonable
 # amount of time on your server. Measure with:
 # python -m timeit -s 'import passwords as p' 'p.make_hash("something")'
 COST_FACTOR = 29000
 def make_hash(password):
    """Generate a random salt and return a new hash for the password."""
    if isinstance(password, unicode):
        password = password.encode('utf-8')
    salt = b64encode(urandom(SALT_LENGTH))
    return 'PBKDF2${}${}${}${}'.format(
        HASH_FUNCTION,
        COST_FACTOR,
        salt,
        b64encode(pbkdf2_bin(password, salt, COST_FACTOR, KEY_LENGTH,
                             getattr(hashlib, HASH_FUNCTION))))
 def check_hash(password, hash_):
    """Check a password against an existing hash."""
    if isinstance(password, unicode):
        password = password.encode('utf-8')
    algorithm, hash_function, cost_factor, salt, hash_a = hash_.split('$')
    assert algorithm == 'PBKDF2'
    hash_a = b64decode(hash_a)
    hash_b = pbkdf2_bin(password, salt, int(cost_factor), len(hash_a),
                        getattr(hashlib, hash_function))
    assert len(hash_a) == len(hash_b)  # we requested this from pbkdf2_bin()
    # Same as "return hash_a == hash_b" but takes a constant time.
    # See http://carlos.bueno.org/2011/10/timing.html
    diff = 0
    for char_a, char_b in izip(hash_a, hash_b):
        diff |= ord(char_a) ^ ord(char_b)
    return diff == 0
--- a/lib/pbkdf2.py
+++ b/lib/pbkdf2.py
@ -0,0 +1,130 @@
 # -*- coding: utf-8 -*-
 """
    pbkdf2
    ~~~~~~
    This module implements pbkdf2 for Python.  It also has some basic
    tests that ensure that it works.  The implementation is straightforward
    and uses stdlib only stuff and can be easily be copy/pasted into
    your favourite application.
    Use this as replacement for bcrypt that does not need a c implementation
    of a modified blowfish crypto algo.
    Example usage:
    >>> pbkdf2_hex('what i want to hash', 'the random salt')
    'fa7cc8a2b0a932f8e6ea42f9787e9d36e592e0c222ada6a9'
    How to use this:
    1.  Use a constant time string compare function to compare the stored hash
        with the one you're generating::
            def safe_str_cmp(a, b):
                if len(a) != len(b):
                    return False
                rv = 0
                for x, y in izip(a, b):
                    rv |= ord(x) ^ ord(y)
                return rv == 0
    2.  Use `os.urandom` to generate a proper salt of at least 8 byte.
        Use a unique salt per hashed password.
    3.  Store ``algorithm$salt:costfactor$hash`` in the database so that
        you can upgrade later easily to a different algorithm if you need
        one.  For instance ``PBKDF2-256$thesalt:10000$deadbeef...``.
    :copyright: (c) Copyright 2011 by Armin Ronacher.
    :license: BSD, see LICENSE for more details.
 """
 import hmac
 import hashlib
 from struct import Struct
 from operator import xor
 from itertools import izip, starmap
 _pack_int = Struct('>I').pack
 def pbkdf2_hex(data, salt, iterations=1000, keylen=24, hashfunc=None):
    """Like :func:`pbkdf2_bin` but returns a hex encoded string."""
    return pbkdf2_bin(data, salt, iterations, keylen, hashfunc).encode('hex')
 def pbkdf2_bin(data, salt, iterations=1000, keylen=24, hashfunc=None):
    """Returns a binary digest for the PBKDF2 hash algorithm of `data`
    with the given `salt`.  It iterates `iterations` time and produces a
    key of `keylen` bytes.  By default SHA-1 is used as hash function,
    a different hashlib `hashfunc` can be provided.
    """
    hashfunc = hashfunc or hashlib.sha1
    mac = hmac.new(data, None, hashfunc)
    def _pseudorandom(x, mac=mac):
        h = mac.copy()
        h.update(x)
        return map(ord, h.digest())
    buf = []
    for block in xrange(1, -(-keylen // mac.digest_size) + 1):
        rv = u = _pseudorandom(salt + _pack_int(block))
        for i in xrange(iterations - 1):
            u = _pseudorandom(''.join(map(chr, u)))
            rv = starmap(xor, izip(rv, u))
        buf.extend(rv)
    return ''.join(map(chr, buf))[:keylen]
 def test():
    failed = []
    def check(data, salt, iterations, keylen, expected):
        rv = pbkdf2_hex(data, salt, iterations, keylen)
        if rv != expected:
            print 'Test failed:'
            print '  Expected:   %s' % expected
            print '  Got:        %s' % rv
            print '  Parameters:'
            print '    data=%s' % data
            print '    salt=%s' % salt
            print '    iterations=%d' % iterations
            print
            failed.append(1)
    # From RFC 6070
    check('password', 'salt', 1, 20,
          '0c60c80f961f0e71f3a9b524af6012062fe037a6')
    check('password', 'salt', 2, 20,
          'ea6c014dc72d6f8ccd1ed92ace1d41f0d8de8957')
    check('password', 'salt', 4096, 20,
          '4b007901b765489abead49d926f721d065a429c1')
    check('passwordPASSWORDpassword', 'saltSALTsaltSALTsaltSALTsaltSALTsalt',
          4096, 25, '3d2eec4fe41c849b80c8d83662c0e44a8b291a964cf2f07038')
    check('pass\x00word', 'sa\x00lt', 4096, 16,
          '56fa6aa75548099dcc37d7f03425e0c3')
    # This one is from the RFC but it just takes for ages
    ##check('password', 'salt', 16777216, 20,
    ##      'eefe3d61cd4da4e4e9945b3d6ba2158c2634e984')
    # From Crypt-PBKDF2
    check('password', 'ATHENA.MIT.EDUraeburn', 1, 16,
          'cdedb5281bb2f801565a1122b2563515')
    check('password', 'ATHENA.MIT.EDUraeburn', 1, 32,
          'cdedb5281bb2f801565a1122b25635150ad1f7a04bb9f3a333ecc0e2e1f70837')
    check('password', 'ATHENA.MIT.EDUraeburn', 2, 16,
          '01dbee7f4a9e243e988b62c73cda935d')
    check('password', 'ATHENA.MIT.EDUraeburn', 2, 32,
          '01dbee7f4a9e243e988b62c73cda935da05378b93244ec8f48a99e61ad799d86')
    check('password', 'ATHENA.MIT.EDUraeburn', 1200, 32,
          '5c08eb61fdf71e4e4ec3cf6ba1f5512ba7e52ddbc5e5142f708a31e2e62b1e13')
    check('X' * 64, 'pass phrase equals block size', 1200, 32,
          '139c30c0966bc32ba55fdbf212530ac9c5ec59f1a452f5cc9ad940fea0598ed1')
    check('X' * 65, 'pass phrase exceeds block size', 1200, 32,
          '9ccad6d468770cd51b10e6a68721be611a8b4d282601db3b36be9246915ec82a')
    raise SystemExit(bool(failed))
 if __name__ == '__main__':
    test()
--- a/plexpy/config.py
+++ b/plexpy/config.py
@ -144,6 +144,8 @@ _CONFIG_DEFINITIONS = {
    'HTTPS_DOMAIN': (str, 'General', 'localhost'),
    'HTTPS_IP': (str, 'General', '127.0.0.1'),
    'HTTP_ENVIRONMENT': (str, 'General', 'production'),
    'HTTP_HASH_PASSWORD': (int, 'General', 0),
    'HTTP_HASHED_PASSWORD': (int, 'General', 0),
    'HTTP_HOST': (str, 'General', '0.0.0.0'),
    'HTTP_PASSWORD': (str, 'General', ''),
    'HTTP_PORT': (int, 'General', 8181),
--- a/plexpy/webauth.py
+++ b/plexpy/webauth.py
@ -20,6 +20,7 @@
 import cherrypy
 from cgi import escape
 from hashing_passwords import check_hash
 import plexpy
 from plexpy import logger
@ -30,8 +31,10 @@ SESSION_KEY = '_cp_username'
 def check_credentials(username, password):
    """Verifies credentials for username and password.
    Returns None on success or a string describing the error on failure"""
-    # Adapt to your needs
+    if plexpy.CONFIG.HTTP_HASHED_PASSWORD and \
-    if username ==  plexpy.CONFIG.HTTP_USERNAME and password == plexpy.CONFIG.HTTP_PASSWORD:
+        username == plexpy.CONFIG.HTTP_USERNAME and check_hash(password, plexpy.CONFIG.HTTP_PASSWORD):
        return None
    elif username == plexpy.CONFIG.HTTP_USERNAME and password == plexpy.CONFIG.HTTP_PASSWORD:
        return None
    else:
        return u"Incorrect username or password."
--- a/plexpy/webserve.py
+++ b/plexpy/webserve.py
@ -20,6 +20,7 @@ from plexpy.webauth import AuthController, require, member_of, name_is
 from mako.lookup import TemplateLookup
 from mako import exceptions
 from hashing_passwords import make_hash
 import plexpy
 import threading
@ -1192,6 +1193,8 @@ class WebInterface(object):
            http_password = ''
        config = {
            "http_hash_password": checked(plexpy.CONFIG.HTTP_HASH_PASSWORD),
            "http_hashed_password": plexpy.CONFIG.HTTP_HASHED_PASSWORD,
            "http_host": plexpy.CONFIG.HTTP_HOST,
            "http_username": plexpy.CONFIG.HTTP_USERNAME,
            "http_port": plexpy.CONFIG.HTTP_PORT,
@ -1315,7 +1318,7 @@ class WebInterface(object):
            "ip_logging_enable", "movie_logging_enable", "tv_logging_enable", "music_logging_enable",
            "pms_is_remote", "home_stats_type", "group_history_tables", "notify_consecutive", "notify_upload_posters",
            "notify_recently_added", "notify_recently_added_grandparent",
-            "monitor_pms_updates", "monitor_remote_access", "get_file_sizes", "log_blacklist"
+            "monitor_pms_updates", "monitor_remote_access", "get_file_sizes", "log_blacklist", "http_hash_password"
        ]
        for checked_config in checked_configs:
            if checked_config not in kwargs:
@ -1327,8 +1330,21 @@ class WebInterface(object):
        # If http password exists in config, do not overwrite when blank value received
        if kwargs.get('http_password'):
            if kwargs['http_password'] == '    ' and plexpy.CONFIG.HTTP_PASSWORD != '':
                if kwargs.get('http_hash_password') and not plexpy.CONFIG.HTTP_HASHED_PASSWORD:
                    kwargs['http_password'] = make_hash(plexpy.CONFIG.HTTP_PASSWORD)
                    kwargs['http_hashed_password'] = 1
                else:
                    kwargs['http_password'] = plexpy.CONFIG.HTTP_PASSWORD
            elif kwargs['http_password'] and kwargs.get('http_hash_password'):
                kwargs['http_password'] = make_hash(kwargs['http_password'])
                kwargs['http_hashed_password'] = 1
            elif not kwargs.get('http_hash_password'):
                kwargs['http_hashed_password'] = 0
        else:
            kwargs['http_hashed_password'] = 0
        for plain_config, use_config in [(x[4:], x) for x in kwargs if x.startswith('use_')]:
            # the use prefix is fairly nice in the html, but does not match the actual config
            kwargs[plain_config] = kwargs[use_config]