Merge pull request #6 from jellyfin/master

Bringing my branch up to sync

1 files changed, 56 insertions, 122 deletions

diff --git a/Emby.Server.Implementations/Library/DefaultAuthenticationProvider.cs b/Emby.Server.Implementations/Library/DefaultAuthenticationProvider.cs
index fe09b07ff..c95b00ede 100644
--- a/Emby.Server.Implementations/Library/DefaultAuthenticationProvider.cs
+++ b/Emby.Server.Implementations/Library/DefaultAuthenticationProvider.cs
@@ -2,24 +2,30 @@ using System;
 using System.Linq;
 using System.Text;
 using System.Threading.Tasks;
+using MediaBrowser.Common.Cryptography;
 using MediaBrowser.Controller.Authentication;
 using MediaBrowser.Controller.Entities;
 using MediaBrowser.Model.Cryptography;
+using static MediaBrowser.Common.HexHelper;
 
 namespace Emby.Server.Implementations.Library
 {
     public class DefaultAuthenticationProvider : IAuthenticationProvider, IRequiresResolvedUser
     {
         private readonly ICryptoProvider _cryptographyProvider;
-        public DefaultAuthenticationProvider(ICryptoProvider crypto)
+
+        public DefaultAuthenticationProvider(ICryptoProvider cryptographyProvider)
         {
-            _cryptographyProvider = crypto;
+            _cryptographyProvider = cryptographyProvider;
         }
 
+        /// <inheritdoc />
         public string Name => "Default";
 
+        /// <inheritdoc />
         public bool IsEnabled => true;
 
+        /// <inheritdoc />
         // This is dumb and an artifact of the backwards way auth providers were designed.
         // This version of authenticate was never meant to be called, but needs to be here for interface compat
         // Only the providers that don't provide local user support use this
@@ -28,17 +34,18 @@ namespace Emby.Server.Implementations.Library
             throw new NotImplementedException();
         }
 
-        // This is the verson that we need to use for local users. Because reasons.
+        /// <inheritdoc />
+        // This is the version that we need to use for local users. Because reasons.
         public Task<ProviderAuthenticationResult> Authenticate(string username, string password, User resolvedUser)
         {
             bool success = false;
             if (resolvedUser == null)
             {
-                throw new Exception("Invalid username or password");
+                throw new ArgumentNullException(nameof(resolvedUser));
             }
 
-            // As long as jellyfin supports passwordless users, we need this little block here to accomodate
-            if (IsPasswordEmpty(resolvedUser, password))
+            // As long as jellyfin supports passwordless users, we need this little block here to accommodate
+            if (!HasPassword(resolvedUser) && string.IsNullOrEmpty(password))
             {
                 return Task.FromResult(new ProviderAuthenticationResult
                 {
@@ -46,41 +53,27 @@ namespace Emby.Server.Implementations.Library
                 });
             }
 
-            ConvertPasswordFormat(resolvedUser);
             byte[] passwordbytes = Encoding.UTF8.GetBytes(password);
 
-            PasswordHash readyHash = new PasswordHash(resolvedUser.Password);
-            byte[] calculatedHash;
-            string calculatedHashString;
-            if (_cryptographyProvider.GetSupportedHashMethods().Contains(readyHash.Id) || _cryptographyProvider.DefaultHashMethod == readyHash.Id)
+            PasswordHash readyHash = PasswordHash.Parse(resolvedUser.Password);
+            if (_cryptographyProvider.GetSupportedHashMethods().Contains(readyHash.Id)
+                || _cryptographyProvider.DefaultHashMethod == readyHash.Id)
             {
-                if (string.IsNullOrEmpty(readyHash.Salt))
-                {
-                    calculatedHash = _cryptographyProvider.ComputeHash(readyHash.Id, passwordbytes);
-                    calculatedHashString = BitConverter.ToString(calculatedHash).Replace("-", string.Empty);
-                }
-                else
-                {
-                    calculatedHash = _cryptographyProvider.ComputeHash(readyHash.Id, passwordbytes, readyHash.SaltBytes);
-                    calculatedHashString = BitConverter.ToString(calculatedHash).Replace("-", string.Empty);
-                }
+                byte[] calculatedHash = _cryptographyProvider.ComputeHash(readyHash.Id, passwordbytes, readyHash.Salt);
 
-                if (calculatedHashString == readyHash.Hash)
+                if (calculatedHash.SequenceEqual(readyHash.Hash))
                 {
                     success = true;
-                    // throw new Exception("Invalid username or password");
                 }
             }
             else
             {
-                throw new Exception(string.Format($"Requested crypto method not available in provider: {readyHash.Id}"));
+                throw new AuthenticationException($"Requested crypto method not available in provider: {readyHash.Id}");
             }
 
-            // var success = string.Equals(GetPasswordHash(resolvedUser), GetHashedString(resolvedUser, password), StringComparison.OrdinalIgnoreCase);
-
             if (!success)
             {
-                throw new Exception("Invalid username or password");
+                throw new AuthenticationException("Invalid username or password");
             }
 
             return Task.FromResult(new ProviderAuthenticationResult
@@ -89,89 +82,31 @@ namespace Emby.Server.Implementations.Library
             });
         }
 
-        // This allows us to move passwords forward to the newformat without breaking. They are still insecure, unsalted, and dumb before a password change
-        // but at least they are in the new format.
-        private void ConvertPasswordFormat(User user)
-        {
-            if (string.IsNullOrEmpty(user.Password))
-            {
-                return;
-            }
-
-            if (!user.Password.Contains("$"))
-            {
-                string hash = user.Password;
-                user.Password = string.Format("$SHA1${0}", hash);
-            }
-
-            if (user.EasyPassword != null && !user.EasyPassword.Contains("$"))
-            {
-                string hash = user.EasyPassword;
-                user.EasyPassword = string.Format("$SHA1${0}", hash);
-            }
-        }
-
-        public Task<bool> HasPassword(User user)
-        {
-            var hasConfiguredPassword = !IsPasswordEmpty(user, GetPasswordHash(user));
-            return Task.FromResult(hasConfiguredPassword);
-        }
-
-        private bool IsPasswordEmpty(User user, string password)
-        {
-            return (string.IsNullOrEmpty(user.Password) && string.IsNullOrEmpty(password));
-        }
+        /// <inheritdoc />
+        public bool HasPassword(User user)
+            => !string.IsNullOrEmpty(user.Password);
 
+        /// <inheritdoc />
         public Task ChangePassword(User user, string newPassword)
         {
-            ConvertPasswordFormat(user);
-            // This is needed to support changing a no password user to a password user
-            if (string.IsNullOrEmpty(user.Password))
+            if (string.IsNullOrEmpty(newPassword))
             {
-                PasswordHash newPasswordHash = new PasswordHash(_cryptographyProvider);
-                newPasswordHash.SaltBytes = _cryptographyProvider.GenerateSalt();
-                newPasswordHash.Salt = PasswordHash.ConvertToByteString(newPasswordHash.SaltBytes);
-                newPasswordHash.Id = _cryptographyProvider.DefaultHashMethod;
-                newPasswordHash.Hash = GetHashedStringChangeAuth(newPassword, newPasswordHash);
-                user.Password = newPasswordHash.ToString();
+                user.Password = null;
                 return Task.CompletedTask;
             }
 
-            PasswordHash passwordHash = new PasswordHash(user.Password);
-            if (passwordHash.Id == "SHA1" && string.IsNullOrEmpty(passwordHash.Salt))
-            {
-                passwordHash.SaltBytes = _cryptographyProvider.GenerateSalt();
-                passwordHash.Salt = PasswordHash.ConvertToByteString(passwordHash.SaltBytes);
-                passwordHash.Id = _cryptographyProvider.DefaultHashMethod;
-                passwordHash.Hash = GetHashedStringChangeAuth(newPassword, passwordHash);
-            }
-            else if (newPassword != null)
-            {
-                passwordHash.Hash = GetHashedString(user, newPassword);
-            }
-
-            if (string.IsNullOrWhiteSpace(passwordHash.Hash))
-            {
-                throw new ArgumentNullException(nameof(passwordHash.Hash));
-            }
-
-            user.Password = passwordHash.ToString();
+            PasswordHash newPasswordHash = _cryptographyProvider.CreatePasswordHash(newPassword);
+            user.Password = newPasswordHash.ToString();
 
             return Task.CompletedTask;
         }
 
-        public string GetPasswordHash(User user)
-        {
-            return user.Password;
-        }
-
+        /// <inheritdoc />
         public void ChangeEasyPassword(User user, string newPassword, string newPasswordHash)
         {
-            ConvertPasswordFormat(user);
-
             if (newPassword != null)
             {
-                newPasswordHash = string.Format("$SHA1${0}", GetHashedString(user, newPassword));
+                newPasswordHash = _cryptographyProvider.CreatePasswordHash(newPassword).ToString();
             }
 
             if (string.IsNullOrWhiteSpace(newPasswordHash))
@@ -182,21 +117,12 @@ namespace Emby.Server.Implementations.Library
             user.EasyPassword = newPasswordHash;
         }
 
+        /// <inheritdoc />
         public string GetEasyPasswordHash(User user)
         {
-            // This should be removed in the future. This was added to let user login after
-            // Jellyfin 10.3.3 failed to save a well formatted PIN.
-            ConvertPasswordFormat(user);
-
             return string.IsNullOrEmpty(user.EasyPassword)
                 ? null
-                : (new PasswordHash(user.EasyPassword)).Hash;
-        }
-
-        public string GetHashedStringChangeAuth(string newPassword, PasswordHash passwordHash)
-        {
-            passwordHash.HashBytes = Encoding.UTF8.GetBytes(newPassword);
-            return PasswordHash.ConvertToByteString(_cryptographyProvider.ComputeHash(passwordHash));
+                : ToHexString(PasswordHash.Parse(user.EasyPassword).Hash);
         }
 
         /// <summary>
@@ -204,28 +130,36 @@ namespace Emby.Server.Implementations.Library
         /// </summary>
         public string GetHashedString(User user, string str)
         {
-            PasswordHash passwordHash;
             if (string.IsNullOrEmpty(user.Password))
             {
-                passwordHash = new PasswordHash(_cryptographyProvider);
-            }
-            else
-            {
-                ConvertPasswordFormat(user);
-                passwordHash = new PasswordHash(user.Password);
+                return _cryptographyProvider.CreatePasswordHash(str).ToString();
             }
 
-            if (passwordHash.SaltBytes != null)
-            {
-                // the password is modern format with PBKDF and we should take advantage of that
-                passwordHash.HashBytes = Encoding.UTF8.GetBytes(str);
-                return PasswordHash.ConvertToByteString(_cryptographyProvider.ComputeHash(passwordHash));
-            }
-            else
+            // TODO: make use of iterations parameter?
+            PasswordHash passwordHash = PasswordHash.Parse(user.Password);
+            return new PasswordHash(
+                passwordHash.Id,
+                _cryptographyProvider.ComputeHash(
+                    passwordHash.Id,
+                    Encoding.UTF8.GetBytes(str),
+                    passwordHash.Salt),
+                passwordHash.Salt,
+                passwordHash.Parameters.ToDictionary(x => x.Key, y => y.Value)).ToString();
+        }
+
+        public byte[] GetHashed(User user, string str)
+        {
+            if (string.IsNullOrEmpty(user.Password))
             {
-                // the password has no salt and should be called with the older method for safety
-                return PasswordHash.ConvertToByteString(_cryptographyProvider.ComputeHash(passwordHash.Id, Encoding.UTF8.GetBytes(str)));
+                return _cryptographyProvider.CreatePasswordHash(str).Hash;
             }
+
+            // TODO: make use of iterations parameter?
+            PasswordHash passwordHash = PasswordHash.Parse(user.Password);
+            return _cryptographyProvider.ComputeHash(
+                    passwordHash.Id,
+                    Encoding.UTF8.GetBytes(str),
+                    passwordHash.Salt);
         }
     }
 }