authentik/passbook/policies/hibp/models.py

"""passbook HIBP Models"""
from hashlib import sha1

from django.db import models
from django.utils.translation import gettext as _
from requests import get
from structlog import get_logger

from passbook.policies.models import Policy
from passbook.policies.types import PolicyRequest, PolicyResult

LOGGER = get_logger()


class HaveIBeenPwendPolicy(Policy):
    """Check if password is on HaveIBeenPwned's list by upload the first
    5 characters of the SHA1 Hash."""

    allowed_count = models.IntegerField(default=0)

    form = "passbook.policies.hibp.forms.HaveIBeenPwnedPolicyForm"

    def passes(self, request: PolicyRequest) -> PolicyResult:
        """Check if password is in HIBP DB. Hashes given Password with SHA1, uses the first 5
        characters of Password in request and checks if full hash is in response. Returns 0
        if Password is not in result otherwise the count of how many times it was used."""
        # Only check if password is being set
        if not hasattr(request.user, "__password__"):
            return PolicyResult(True)
        password = getattr(request.user, "__password__")
        pw_hash = sha1(password.encode("utf-8")).hexdigest()  # nosec
        url = "https://api.pwnedpasswords.com/range/%s" % pw_hash[:5]
        result = get(url).text
        final_count = 0
        for line in result.split("\r\n"):
            full_hash, count = line.split(":")
            if pw_hash[5:] == full_hash.lower():
                final_count = int(count)
        LOGGER.debug("got hibp result", count=final_count, hash=pw_hash[:5])
        if final_count > self.allowed_count:
            message = _(
                "Password exists on %(count)d online lists." % {"count": final_count}
            )
            return PolicyResult(False, message)
        return PolicyResult(True)

    class Meta:

        verbose_name = _("Have I Been Pwned Policy")
        verbose_name_plural = _("Have I Been Pwned Policies")
add experimental HaveIBeenPwned Password Policy 2019-02-25 16:21:56 +00:00			`"""passbook HIBP Models"""`
			`from hashlib import sha1`

			`from django.db import models`
			`from django.utils.translation import gettext as _`
			`from requests import get`
*(minor): stdlib logging to structlog 2019-10-01 08:24:10 +00:00			`from structlog import get_logger`
add experimental HaveIBeenPwned Password Policy 2019-02-25 16:21:56 +00:00
*: providers and sources -> channels, PolicyModel to PolicyBindingModel that uses custom M2M through 2020-05-15 20:15:01 +00:00			`from passbook.policies.models import Policy`
			`from passbook.policies.types import PolicyRequest, PolicyResult`
add experimental HaveIBeenPwned Password Policy 2019-02-25 16:21:56 +00:00
*(minor): remove __name__ param from get_logger 2019-10-04 08:08:53 +00:00			`LOGGER = get_logger()`
add experimental HaveIBeenPwned Password Policy 2019-02-25 16:21:56 +00:00
all: implement black as code formatter 2019-12-31 11:51:16 +00:00
add experimental HaveIBeenPwned Password Policy 2019-02-25 16:21:56 +00:00			`class HaveIBeenPwendPolicy(Policy):`
			`"""Check if password is on HaveIBeenPwned's list by upload the first`
			`5 characters of the SHA1 Hash."""`

			`allowed_count = models.IntegerField(default=0)`

all: implement black as code formatter 2019-12-31 11:51:16 +00:00			`form = "passbook.policies.hibp.forms.HaveIBeenPwnedPolicyForm"`
add experimental HaveIBeenPwned Password Policy 2019-02-25 16:21:56 +00:00
*: providers and sources -> channels, PolicyModel to PolicyBindingModel that uses custom M2M through 2020-05-15 20:15:01 +00:00			`def passes(self, request: PolicyRequest) -> PolicyResult:`
add experimental HaveIBeenPwned Password Policy 2019-02-25 16:21:56 +00:00			`"""Check if password is in HIBP DB. Hashes given Password with SHA1, uses the first 5`
			`characters of Password in request and checks if full hash is in response. Returns 0`
			`if Password is not in result otherwise the count of how many times it was used."""`
			`# Only check if password is being set`
*: providers and sources -> channels, PolicyModel to PolicyBindingModel that uses custom M2M through 2020-05-15 20:15:01 +00:00			`if not hasattr(request.user, "__password__"):`
policy(minor): Move policy-related code to separate package 2019-10-01 08:17:39 +00:00			`return PolicyResult(True)`
*: providers and sources -> channels, PolicyModel to PolicyBindingModel that uses custom M2M through 2020-05-15 20:15:01 +00:00			`password = getattr(request.user, "__password__")`
all: implement black as code formatter 2019-12-31 11:51:16 +00:00			`pw_hash = sha1(password.encode("utf-8")).hexdigest() # nosec`
			`url = "https://api.pwnedpasswords.com/range/%s" % pw_hash[:5]`
add experimental HaveIBeenPwned Password Policy 2019-02-25 16:21:56 +00:00			`result = get(url).text`
			`final_count = 0`
all: implement black as code formatter 2019-12-31 11:51:16 +00:00			`for line in result.split("\r\n"):`
			`full_hash, count = line.split(":")`
add experimental HaveIBeenPwned Password Policy 2019-02-25 16:21:56 +00:00			`if pw_hash[5:] == full_hash.lower():`
			`final_count = int(count)`
all: cleanup logging to be structured 2020-02-18 20:35:58 +00:00			`LOGGER.debug("got hibp result", count=final_count, hash=pw_hash[:5])`
add experimental HaveIBeenPwned Password Policy 2019-02-25 16:21:56 +00:00			`if final_count > self.allowed_count:`
all: implement black as code formatter 2019-12-31 11:51:16 +00:00			`message = _(`
			`"Password exists on %(count)d online lists." % {"count": final_count}`
			`)`
policy(minor): Move policy-related code to separate package 2019-10-01 08:17:39 +00:00			`return PolicyResult(False, message)`
			`return PolicyResult(True)`
add experimental HaveIBeenPwned Password Policy 2019-02-25 16:21:56 +00:00
			`class Meta:`

all: implement black as code formatter 2019-12-31 11:51:16 +00:00			`verbose_name = _("Have I Been Pwned Policy")`
			`verbose_name_plural = _("Have I Been Pwned Policies")`