Merge branch 'master' into h265

1 files changed, 78 insertions, 55 deletions

diff --git a/Emby.Server.Implementations/Library/DefaultAuthenticationProvider.cs b/Emby.Server.Implementations/Library/DefaultAuthenticationProvider.cs
index 0527464ff..b07244fda 100644
--- a/Emby.Server.Implementations/Library/DefaultAuthenticationProvider.cs
+++ b/Emby.Server.Implementations/Library/DefaultAuthenticationProvider.cs
@@ -11,9 +11,9 @@ namespace Emby.Server.Implementations.Library
     public class DefaultAuthenticationProvider : IAuthenticationProvider, IRequiresResolvedUser
     {
         private readonly ICryptoProvider _cryptographyProvider;
-        public DefaultAuthenticationProvider(ICryptoProvider crypto)
+        public DefaultAuthenticationProvider(ICryptoProvider cryptographyProvider)
         {
-            _cryptographyProvider = crypto;
+            _cryptographyProvider = cryptographyProvider;
         }
 
         public string Name => "Default";
@@ -28,17 +28,17 @@ namespace Emby.Server.Implementations.Library
             throw new NotImplementedException();
         }
 
-        // This is the verson that we need to use for local users. Because reasons.
+        // This is the version that we need to use for local users. Because reasons.
         public Task<ProviderAuthenticationResult> Authenticate(string username, string password, User resolvedUser)
         {
             bool success = false;
             if (resolvedUser == null)
             {
-                throw new Exception("Invalid username or password");
+                throw new ArgumentNullException(nameof(resolvedUser));
             }
 
             // As long as jellyfin supports passwordless users, we need this little block here to accomodate
-            if (IsPasswordEmpty(resolvedUser, password))
+            if (!HasPassword(resolvedUser) && string.IsNullOrEmpty(password))
             {
                 return Task.FromResult(new ProviderAuthenticationResult
                 {
@@ -50,37 +50,24 @@ namespace Emby.Server.Implementations.Library
             byte[] passwordbytes = Encoding.UTF8.GetBytes(password);
 
             PasswordHash readyHash = new PasswordHash(resolvedUser.Password);
-            byte[] calculatedHash;
-            string calculatedHashString;
-            if (_cryptographyProvider.GetSupportedHashMethods().Contains(readyHash.Id) || _cryptographyProvider.DefaultHashMethod == readyHash.Id)
+            if (_cryptographyProvider.GetSupportedHashMethods().Contains(readyHash.Id)
+                || _cryptographyProvider.DefaultHashMethod == readyHash.Id)
             {
-                if (string.IsNullOrEmpty(readyHash.Salt))
-                {
-                    calculatedHash = _cryptographyProvider.ComputeHash(readyHash.Id, passwordbytes);
-                    calculatedHashString = BitConverter.ToString(calculatedHash).Replace("-", string.Empty);
-                }
-                else
-                {
-                    calculatedHash = _cryptographyProvider.ComputeHash(readyHash.Id, passwordbytes, readyHash.SaltBytes);
-                    calculatedHashString = BitConverter.ToString(calculatedHash).Replace("-", string.Empty);
-                }
+                byte[] calculatedHash = _cryptographyProvider.ComputeHash(readyHash.Id, passwordbytes, readyHash.Salt);
 
-                if (calculatedHashString == readyHash.Hash)
+                if (calculatedHash.SequenceEqual(readyHash.Hash))
                 {
                     success = true;
-                    // throw new Exception("Invalid username or password");
                 }
             }
             else
             {
-                throw new Exception(string.Format($"Requested crypto method not available in provider: {readyHash.Id}"));
+                throw new AuthenticationException($"Requested crypto method not available in provider: {readyHash.Id}");
             }
 
-            // var success = string.Equals(GetPasswordHash(resolvedUser), GetHashedString(resolvedUser, password), StringComparison.OrdinalIgnoreCase);
-
             if (!success)
             {
-                throw new Exception("Invalid username or password");
+                throw new AuthenticationException("Invalid username or password");
             }
 
             return Task.FromResult(new ProviderAuthenticationResult
@@ -98,29 +85,22 @@ namespace Emby.Server.Implementations.Library
                 return;
             }
 
-            if (!user.Password.Contains("$"))
+            if (user.Password.IndexOf('$') == -1)
             {
                 string hash = user.Password;
                 user.Password = string.Format("$SHA1${0}", hash);
             }
 
-            if (user.EasyPassword != null && !user.EasyPassword.Contains("$"))
+            if (user.EasyPassword != null
+                && user.EasyPassword.IndexOf('$') == -1)
             {
                 string hash = user.EasyPassword;
                 user.EasyPassword = string.Format("$SHA1${0}", hash);
             }
         }
 
-        public Task<bool> HasPassword(User user)
-        {
-            var hasConfiguredPassword = !IsPasswordEmpty(user, GetPasswordHash(user));
-            return Task.FromResult(hasConfiguredPassword);
-        }
-
-        private bool IsPasswordEmpty(User user, string password)
-        {
-            return (string.IsNullOrEmpty(user.Password) && string.IsNullOrEmpty(password));
-        }
+        public bool HasPassword(User user)
+            => !string.IsNullOrEmpty(user.Password);
 
         public Task ChangePassword(User user, string newPassword)
         {
@@ -129,46 +109,63 @@ namespace Emby.Server.Implementations.Library
             if (string.IsNullOrEmpty(user.Password))
             {
                 PasswordHash newPasswordHash = new PasswordHash(_cryptographyProvider);
-                newPasswordHash.SaltBytes = _cryptographyProvider.GenerateSalt();
-                newPasswordHash.Salt = PasswordHash.ConvertToByteString(newPasswordHash.SaltBytes);
+                newPasswordHash.Salt = _cryptographyProvider.GenerateSalt();
                 newPasswordHash.Id = _cryptographyProvider.DefaultHashMethod;
-                newPasswordHash.Hash = GetHashedStringChangeAuth(newPassword, newPasswordHash);
+                newPasswordHash.Hash = GetHashedChangeAuth(newPassword, newPasswordHash);
                 user.Password = newPasswordHash.ToString();
                 return Task.CompletedTask;
             }
 
             PasswordHash passwordHash = new PasswordHash(user.Password);
-            if (passwordHash.Id == "SHA1" && string.IsNullOrEmpty(passwordHash.Salt))
+            if (passwordHash.Id == "SHA1"
+                && passwordHash.Salt.Length == 0)
             {
-                passwordHash.SaltBytes = _cryptographyProvider.GenerateSalt();
-                passwordHash.Salt = PasswordHash.ConvertToByteString(passwordHash.SaltBytes);
+                passwordHash.Salt = _cryptographyProvider.GenerateSalt();
                 passwordHash.Id = _cryptographyProvider.DefaultHashMethod;
-                passwordHash.Hash = GetHashedStringChangeAuth(newPassword, passwordHash);
+                passwordHash.Hash = GetHashedChangeAuth(newPassword, passwordHash);
             }
             else if (newPassword != null)
             {
-                passwordHash.Hash = GetHashedString(user, newPassword);
+                passwordHash.Hash = GetHashed(user, newPassword);
             }
 
-            if (string.IsNullOrWhiteSpace(passwordHash.Hash))
+            user.Password = passwordHash.ToString();
+
+            return Task.CompletedTask;
+        }
+
+        public void ChangeEasyPassword(User user, string newPassword, string newPasswordHash)
+        {
+            ConvertPasswordFormat(user);
+
+            if (newPassword != null)
             {
-                throw new ArgumentNullException(nameof(passwordHash.Hash));
+                newPasswordHash = string.Format("$SHA1${0}", GetHashedString(user, newPassword));
             }
 
-            user.Password = passwordHash.ToString();
+            if (string.IsNullOrWhiteSpace(newPasswordHash))
+            {
+                throw new ArgumentNullException(nameof(newPasswordHash));
+            }
 
-            return Task.CompletedTask;
+            user.EasyPassword = newPasswordHash;
         }
 
-        public string GetPasswordHash(User user)
+        public string GetEasyPasswordHash(User user)
         {
-            return user.Password;
+            // This should be removed in the future. This was added to let user login after
+            // Jellyfin 10.3.3 failed to save a well formatted PIN.
+            ConvertPasswordFormat(user);
+
+            return string.IsNullOrEmpty(user.EasyPassword)
+                ? null
+                : PasswordHash.ConvertToByteString(new PasswordHash(user.EasyPassword).Hash);
         }
 
-        public string GetHashedStringChangeAuth(string newPassword, PasswordHash passwordHash)
+        internal byte[] GetHashedChangeAuth(string newPassword, PasswordHash passwordHash)
         {
-            passwordHash.HashBytes = Encoding.UTF8.GetBytes(newPassword);
-            return PasswordHash.ConvertToByteString(_cryptographyProvider.ComputeHash(passwordHash));
+            passwordHash.Hash = Encoding.UTF8.GetBytes(newPassword);
+            return _cryptographyProvider.ComputeHash(passwordHash);
         }
 
         /// <summary>
@@ -187,10 +184,10 @@ namespace Emby.Server.Implementations.Library
                 passwordHash = new PasswordHash(user.Password);
             }
 
-            if (passwordHash.SaltBytes != null)
+            if (passwordHash.Salt != null)
             {
                 // the password is modern format with PBKDF and we should take advantage of that
-                passwordHash.HashBytes = Encoding.UTF8.GetBytes(str);
+                passwordHash.Hash = Encoding.UTF8.GetBytes(str);
                 return PasswordHash.ConvertToByteString(_cryptographyProvider.ComputeHash(passwordHash));
             }
             else
@@ -199,5 +196,31 @@ namespace Emby.Server.Implementations.Library
                 return PasswordHash.ConvertToByteString(_cryptographyProvider.ComputeHash(passwordHash.Id, Encoding.UTF8.GetBytes(str)));
             }
         }
+
+        public byte[] GetHashed(User user, string str)
+        {
+            PasswordHash passwordHash;
+            if (string.IsNullOrEmpty(user.Password))
+            {
+                passwordHash = new PasswordHash(_cryptographyProvider);
+            }
+            else
+            {
+                ConvertPasswordFormat(user);
+                passwordHash = new PasswordHash(user.Password);
+            }
+
+            if (passwordHash.Salt != null)
+            {
+                // the password is modern format with PBKDF and we should take advantage of that
+                passwordHash.Hash = Encoding.UTF8.GetBytes(str);
+                return _cryptographyProvider.ComputeHash(passwordHash);
+            }
+            else
+            {
+                // the password has no salt and should be called with the older method for safety
+                return _cryptographyProvider.ComputeHash(passwordHash.Id, Encoding.UTF8.GetBytes(str));
+            }
+        }
     }
 }