From d18a691f6327d45b462cc45962ae282543199c86 Mon Sep 17 00:00:00 2001
From: Jens Langhammer
Date: Mon, 3 Jan 2022 13:23:42 +0100
Subject: [PATCH] core: prevent LDAP password being set for internal hash upgrades
Signed-off-by: Jens Langhammer
---
authentik/core/models.py | 17 +++++++++++++++++
1 file changed, 17 insertions(+)
diff --git a/authentik/core/models.py b/authentik/core/models.py
index a987ca3ad..69c899009 100644
--- a/authentik/core/models.py
+++ b/authentik/core/models.py
@@ -7,6 +7,7 @@ from uuid import uuid4
from deepmerge import always_merger
from django.conf import settings
+from django.contrib.auth.hashers import check_password
from django.contrib.auth.models import AbstractUser
from django.contrib.auth.models import UserManager as DjangoUserManager
from django.db import models
@@ -160,6 +161,22 @@ class User(GuardianUserMixin, AbstractUser):
self.password_change_date = now()
return super().set_password(password)
+ def check_password(self, raw_password: str) -> bool:
+ """
+ Return a boolean of whether the raw_password was correct. Handles
+ hashing formats behind the scenes.
+ Slightly changed version which doesn't send a signal for such internal hash upgrades
+ """
+ def setter(raw_password):
+ self.set_password(raw_password, signal=False)
+ # Password hash upgrades shouldn't be considered password changes.
+ self._password = None
+ self.save(update_fields=["password"])
+ return check_password(raw_password, self.password, setter)
+ @property
+ def uid(self) -> str:
"""Generate a globall unique UID, based on the user ID and the hashed secret key"""
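Review bot: The `setter` closure in the new `check_password` persists only the hash (`self.save(update_fields=["password"])`), yet the `set_password` it calls appears, from the `self.password_change_date = now()` context line at the top of the hunk, to also bump `password_change_date`; whether that assignment is skipped when `signal=False` is outside the hunk. If it is unconditional, a transparent hash upgrade leaves the in-memory user with a fresh `password_change_date` that is not in the database, and any later full `save()` by the caller would record the upgrade as a real password change, which matters for anything keyed on password age. Capturing and restoring the value around the call keeps the object consistent with the comment's stated intent: `previous = self.password_change_date` before `self.set_password(raw_password, signal=False)` and `self.password_change_date = previous` after it. A style nit: the inner parameter `raw_password` shadows the outer one, so renaming it and annotating the closure `-> None` would make it easier to read. The enclosing class `User` begins before the hunk.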