Remove legacy auth code (#1677)

* Remove legacy auth code

* Adds tests so we don't break PasswordHash (again)
* Clean up interfaces
* Remove duplicate code

* Use auto properties

* static using

* Don't use 'this'

* Fix build

1 files changed, 36 insertions, 98 deletions

diff --git a/Emby.Server.Implementations/Library/DefaultAuthenticationProvider.cs b/Emby.Server.Implementations/Library/DefaultAuthenticationProvider.cs
index 2282b8efb..c95b00ede 100644
--- a/Emby.Server.Implementations/Library/DefaultAuthenticationProvider.cs
+++ b/Emby.Server.Implementations/Library/DefaultAuthenticationProvider.cs
@@ -2,24 +2,30 @@ using System;
 using System.Linq;
 using System.Text;
 using System.Threading.Tasks;
+using MediaBrowser.Common.Cryptography;
 using MediaBrowser.Controller.Authentication;
 using MediaBrowser.Controller.Entities;
 using MediaBrowser.Model.Cryptography;
+using static MediaBrowser.Common.HexHelper;
 
 namespace Emby.Server.Implementations.Library
 {
     public class DefaultAuthenticationProvider : IAuthenticationProvider, IRequiresResolvedUser
     {
         private readonly ICryptoProvider _cryptographyProvider;
+
         public DefaultAuthenticationProvider(ICryptoProvider cryptographyProvider)
         {
             _cryptographyProvider = cryptographyProvider;
         }
 
+        /// <inheritdoc />
         public string Name => "Default";
 
+        /// <inheritdoc />
         public bool IsEnabled => true;
 
+        /// <inheritdoc />
         // This is dumb and an artifact of the backwards way auth providers were designed.
         // This version of authenticate was never meant to be called, but needs to be here for interface compat
         // Only the providers that don't provide local user support use this
@@ -28,6 +34,7 @@ namespace Emby.Server.Implementations.Library
             throw new NotImplementedException();
         }
 
+        /// <inheritdoc />
         // This is the version that we need to use for local users. Because reasons.
         public Task<ProviderAuthenticationResult> Authenticate(string username, string password, User resolvedUser)
         {
@@ -46,10 +53,9 @@ namespace Emby.Server.Implementations.Library
                 });
             }
 
-            ConvertPasswordFormat(resolvedUser);
             byte[] passwordbytes = Encoding.UTF8.GetBytes(password);
 
-            PasswordHash readyHash = new PasswordHash(resolvedUser.Password);
+            PasswordHash readyHash = PasswordHash.Parse(resolvedUser.Password);
             if (_cryptographyProvider.GetSupportedHashMethods().Contains(readyHash.Id)
                 || _cryptographyProvider.DefaultHashMethod == readyHash.Id)
             {
@@ -76,72 +82,31 @@ namespace Emby.Server.Implementations.Library
             });
         }
 
-        // This allows us to move passwords forward to the newformat without breaking. They are still insecure, unsalted, and dumb before a password change
-        // but at least they are in the new format.
-        private void ConvertPasswordFormat(User user)
-        {
-            if (string.IsNullOrEmpty(user.Password))
-            {
-                return;
-            }
-
-            if (user.Password.IndexOf('$') == -1)
-            {
-                string hash = user.Password;
-                user.Password = string.Format("$SHA1${0}", hash);
-            }
-
-            if (user.EasyPassword != null
-                && user.EasyPassword.IndexOf('$') == -1)
-            {
-                string hash = user.EasyPassword;
-                user.EasyPassword = string.Format("$SHA1${0}", hash);
-            }
-        }
-
+        /// <inheritdoc />
         public bool HasPassword(User user)
             => !string.IsNullOrEmpty(user.Password);
 
+        /// <inheritdoc />
         public Task ChangePassword(User user, string newPassword)
         {
-            ConvertPasswordFormat(user);
-
-            // This is needed to support changing a no password user to a password user
-            if (string.IsNullOrEmpty(user.Password))
+            if (string.IsNullOrEmpty(newPassword))
             {
-                PasswordHash newPasswordHash = new PasswordHash(_cryptographyProvider);
-                newPasswordHash.Salt = _cryptographyProvider.GenerateSalt();
-                newPasswordHash.Id = _cryptographyProvider.DefaultHashMethod;
-                newPasswordHash.Hash = GetHashedChangeAuth(newPassword, newPasswordHash);
-                user.Password = newPasswordHash.ToString();
+                user.Password = null;
                 return Task.CompletedTask;
             }
 
-            PasswordHash passwordHash = new PasswordHash(user.Password);
-            if (passwordHash.Id == "SHA1"
-                && passwordHash.Salt.Length == 0)
-            {
-                passwordHash.Salt = _cryptographyProvider.GenerateSalt();
-                passwordHash.Id = _cryptographyProvider.DefaultHashMethod;
-                passwordHash.Hash = GetHashedChangeAuth(newPassword, passwordHash);
-            }
-            else if (newPassword != null)
-            {
-                passwordHash.Hash = GetHashed(user, newPassword);
-            }
-
-            user.Password = passwordHash.ToString();
+            PasswordHash newPasswordHash = _cryptographyProvider.CreatePasswordHash(newPassword);
+            user.Password = newPasswordHash.ToString();
 
             return Task.CompletedTask;
         }
 
+        /// <inheritdoc />
         public void ChangeEasyPassword(User user, string newPassword, string newPasswordHash)
         {
-            ConvertPasswordFormat(user);
-
             if (newPassword != null)
             {
-                newPasswordHash = string.Format("$SHA1${0}", GetHashedString(user, newPassword));
+                newPasswordHash = _cryptographyProvider.CreatePasswordHash(newPassword).ToString();
             }
 
             if (string.IsNullOrWhiteSpace(newPasswordHash))
@@ -152,21 +117,12 @@ namespace Emby.Server.Implementations.Library
             user.EasyPassword = newPasswordHash;
         }
 
+        /// <inheritdoc />
         public string GetEasyPasswordHash(User user)
         {
-            // This should be removed in the future. This was added to let user login after
-            // Jellyfin 10.3.3 failed to save a well formatted PIN.
-            ConvertPasswordFormat(user);
-
             return string.IsNullOrEmpty(user.EasyPassword)
                 ? null
-                : PasswordHash.ConvertToByteString(new PasswordHash(user.EasyPassword).Hash);
-        }
-
-        internal byte[] GetHashedChangeAuth(string newPassword, PasswordHash passwordHash)
-        {
-            passwordHash.Hash = Encoding.UTF8.GetBytes(newPassword);
-            return _cryptographyProvider.ComputeHash(passwordHash);
+                : ToHexString(PasswordHash.Parse(user.EasyPassword).Hash);
         }
 
         /// <summary>
@@ -174,54 +130,36 @@ namespace Emby.Server.Implementations.Library
         /// </summary>
         public string GetHashedString(User user, string str)
         {
-            PasswordHash passwordHash;
             if (string.IsNullOrEmpty(user.Password))
             {
-                passwordHash = new PasswordHash(_cryptographyProvider);
-            }
-            else
-            {
-                ConvertPasswordFormat(user);
-                passwordHash = new PasswordHash(user.Password);
+                return _cryptographyProvider.CreatePasswordHash(str).ToString();
             }
 
-            if (passwordHash.Salt != null)
-            {
-                // the password is modern format with PBKDF and we should take advantage of that
-                passwordHash.Hash = Encoding.UTF8.GetBytes(str);
-                return PasswordHash.ConvertToByteString(_cryptographyProvider.ComputeHash(passwordHash));
-            }
-            else
-            {
-                // the password has no salt and should be called with the older method for safety
-                return PasswordHash.ConvertToByteString(_cryptographyProvider.ComputeHash(passwordHash.Id, Encoding.UTF8.GetBytes(str)));
-            }
+            // TODO: make use of iterations parameter?
+            PasswordHash passwordHash = PasswordHash.Parse(user.Password);
+            return new PasswordHash(
+                passwordHash.Id,
+                _cryptographyProvider.ComputeHash(
+                    passwordHash.Id,
+                    Encoding.UTF8.GetBytes(str),
+                    passwordHash.Salt),
+                passwordHash.Salt,
+                passwordHash.Parameters.ToDictionary(x => x.Key, y => y.Value)).ToString();
         }
 
         public byte[] GetHashed(User user, string str)
         {
-            PasswordHash passwordHash;
             if (string.IsNullOrEmpty(user.Password))
             {
-                passwordHash = new PasswordHash(_cryptographyProvider);
-            }
-            else
-            {
-                ConvertPasswordFormat(user);
-                passwordHash = new PasswordHash(user.Password);
+                return _cryptographyProvider.CreatePasswordHash(str).Hash;
             }
 
-            if (passwordHash.Salt != null)
-            {
-                // the password is modern format with PBKDF and we should take advantage of that
-                passwordHash.Hash = Encoding.UTF8.GetBytes(str);
-                return _cryptographyProvider.ComputeHash(passwordHash);
-            }
-            else
-            {
-                // the password has no salt and should be called with the older method for safety
-                return _cryptographyProvider.ComputeHash(passwordHash.Id, Encoding.UTF8.GetBytes(str));
-            }
+            // TODO: make use of iterations parameter?
+            PasswordHash passwordHash = PasswordHash.Parse(user.Password);
+            return _cryptographyProvider.ComputeHash(
+                    passwordHash.Id,
+                    Encoding.UTF8.GetBytes(str),
+                    passwordHash.Salt);
         }
     }
 }