o

/�h|b�@s�
dd
lZdd
l
Z
dd
lZdd
lZdd
lZdd
lZdd
lZddlmZ
ddl	m
Z

ddlmZ
ddl
mZ
ddlmZmZmZmZ
ddlmZ
ddlmZ
d	Zd
Zdd�Zd8dd�
Zd8dd�
Ze��dd��
Ze��dd��
Z ee�
dd��
Z!d9dd�
Z"dd�Z#d:dd�
Z$d d!�Z%Gd"d#�d#�Z&Gd$d%�d%e&�Z'Gd&d'�d'e'�Z(Gd(d)�d)e&�Z)Gd*d+�d+e&�Z*Gd,d-�d-e*�Z+Gd.d/�d/e&�Z,Gd0d1�d1e&�Z-Gd2d3�d3e&�Z.Gd4d5�d5e&�Z/Gd6d7�d7e&�Z0d
S);�N)
�settings)
�ImproperlyConfigured)
�setting_changed)
�receiver)�RANDOM_STRING_CHARS�constant_time_compare�get_random_string�pbkdf2)
�
import_string)
�gettext_noop�
!�(c

Cs|d
up	|�t
�
S)zv
    Return True if this password wasn't generated by
    User.set_unusable_password(), i.e. make_password(None).
    N)�
startswith�UNUSABLE_PASSWORD_PREFIX)
�encoded�r�=/usr/lib/python3/dist-packages/django/contrib/auth/hashers.py�is_password_usablesr�defaultc	Cs�|d
upt|
�
}t
|�
}zt|
�
}Wnty


d}Yn
w|r)ttt�
�

dS|j|jk}|p5|�|
�
}|�	||
�}|sH|sH|rH|�
||
�
|rR|rR|rR||�

|S)z�
    Return a boolean of whether the raw password matches the three
    part encoded digest.

    If setter is specified, it'll be called when you need to
    regenerate the password.
    NTF)r�
get_hasher�identify_hasher�
ValueError�
make_passwordr�UNUSABLE_PASSWORD_SUFFIX_LENGTH�	algorithm�must_update�verify�harden_runtime)	�passwordr�setter�	preferred�fake_runtime�hasher�hasher_changedr�
is_correctrrr�check_passwords$


�





r%cCsT|d
ur
tt
t�
St|ttf�stdt|�
j�
�
t	|�
}|
p#|�
�}
|�||
�S)a|

    Turn a plain-text password into a hash for database storage

    Same as encode() but generate a new random salt. If password is None then
    return a concatenation of UNUSABLE_PASSWORD_PREFIX and a random string,
    which disallows logins. Additional random string reduces chances of gaining
    access to staff or superuser accounts. See ticket #20079 for more info.
    Nz+Password must be a string or bytes, got %s.)rrr�
isinstance�bytes�str�	TypeError�type�__qualname__r�salt�encode)rr,r"rrrrGs	




��

rcCsBg}tj
D]}
t|
�
}|�}t|d
�std|
�
�
|�|�

q|S)Nrz,hasher doesn't specify an algorithm name: %s)r�PASSWORD_HASHERSr
�getattrr�append)�hashers�hasher_path�
hasher_clsr"rrr�get_hashers\s







�
r4cCsd
d�t�D�
S)Nc
Ssi|]}
|
j|
�qSr�
r)�.0r"rrr�
<dictcomp>ksz,get_hashers_by_algorithm.<locals>.<dictcomp>)
r4rrrr�get_hashers_by_algorithmisr8c
Ks$|d
dkrt�
�
t�
�
dSdS)N�settingr.)r4�cache_clearr8)
�kwargsrrr�
reset_hashersns

�r<c
CsLt|d
�r|S|dkrt
�dSt�}
z|
|WSty%


td|�
�
w)z�
    Return an instance of a loaded password hasher.

    If algorithm is 'default', return the default hasher. Lazily import hashers
    specified in the project's settings file if needed.
    rrr
z\Unknown password hashing algorithm '%s'. Did you specify it in the PASSWORD_HASHERS setting?)�hasattrr4r8�KeyErrorr)rr1rrrrus








��rc
Cspt|�
d
kr
d|v
st|�
dkr|�
d�
rd}
t|
�
St|�
dkr,|�
d�
r,d}
t|
�
S|�dd	�d
}
t|
�
S)z�
    Return an instance of a loaded password hasher.

    Identify hasher algorithm by examining encoded hash, and call
    get_hasher() to return hasher. Raise ValueError if
    algorithm cannot be identified, or if hasher is not loaded.
    � �
$�%�md5$$�unsalted_md5�.�sha1$$�
unsalted_sha1�
r
)�lenr�splitr)rrrrrr�s


�
�
r��
*cCs(|d
|
�}||t||
d
��
7}|S)z�
    Return the given hash, with only the first ``show`` number shown. The
    rest are masked with ``char`` for security reasons.
    N)
rH)�hash�show�char�maskedrrr�	mask_hash�s

rPcCst|�
t
�tt�
�
|
kS�
N)rH�math�log2r)r,�expected_entropyrrr�must_update_salt�srUc@s\eZ
dZd
ZdZdZdZdd�Zdd�Zdd	�Z	d
d�Z
dd
�Zdd�Zdd�Z
dd�ZdS)�BasePasswordHasherz�
    Abstract base class for password hashers

    When creating your own hasher, you need to override algorithm,
    verify(), encode() and safe_summary().

    PasswordHasher objects are immutable.
    N�c

Csz|jdu
r5t
|jttf�r|j\}
}n|j}zt�|�
}W|Sty4
}
z
td
|jj	|f�
�
d}~w
wtd|jj	�
�
)Nz&Couldn't load %r algorithm library: %sz-Hasher %r doesn't specify a library attribute)
�libraryr&�tuple�list�	importlib�
import_module�ImportErrorr�	__class__�__name__)�self�name�mod_path�module�
errr�
_load_library�s 





�


���
�z BasePasswordHasher._load_libraryc
Cs&t�
|jt�tt�
�
�
}
t|
td
�S)z�
        Generate a cryptographically secure nonce salt in ASCII with an entropy
        of at least `salt_entropy` bits.
        )
�
allowed_chars)rR�ceil�salt_entropyrSrHrr)r`�
char_countrrrr,�s
zBasePasswordHasher.saltcC�td
�
�
)z'Check if the given password is correct.z?subclasses of BasePasswordHasher must provide a verify() method�
�NotImplementedError�r`rrrrrr�szBasePasswordHasher.verifycCrj)z�
        Create an encoded database value.

        The result is normally formatted as "algorithm$salt$hash" and
        must be fewer than 128 characters.
        z@subclasses of BasePasswordHasher must provide an encode() methodrk�r`rr,rrrr-��zBasePasswordHasher.encodecCrj)z�
        Return a decoded database value.

        The result is a dictionary and should contain `algorithm`, `hash`, and
        `salt`. Extra keys can be algorithm specific like `iterations` or
        `work_factor`.
        z@subclasses of BasePasswordHasher must provide a decode() method.rk�r`rrrr�decode�s
�zBasePasswordHasher.decodecCrj)z�
        Return a summary of safe values.

        The result is a dictionary and will be used where the password field
        must be displayed to construct a safe representation of the password.
        zEsubclasses of BasePasswordHasher must provide a safe_summary() methodrkrprrr�safe_summary�rozBasePasswordHasher.safe_summaryc
C�d
S)NFrrprrrr��
zBasePasswordHasher.must_updatecCst�
d
�

dS)a�

        Bridge the runtime gap between the work factor supplied in `encoded`
        and the work factor suggested by this hasher.

        Taking PBKDF2 as an example, if `encoded` contains 20000 iterations and
        `self.iterations` is 30000, this method should run password through
        another 10000 iterations of PBKDF2. Similar approaches should exist
        for any hasher that has a work factor. If not, this method should be
        defined as a no-op to silence the warning.
        zIsubclasses of BasePasswordHasher should provide a harden_runtime() methodN)�warnings�warnrmrrrr�sz!BasePasswordHasher.harden_runtime)r_�
__module__r+�__doc__rrXrhrer,rr-rqrrrrrrrrrV�s



		rVc@sPeZ
dZd
ZdZdZejZddd�
Z	dd�Z
d	d
�Zdd�Zd
d�Z
dd�ZdS)�PBKDF2PasswordHashera

    Secure password hashing using the PBKDF2 algorithm (recommended)

    Configured to use PBKDF2 + HMAC + SHA256.
    The result is a 64 byte binary string.  Iterations may be changed
    safely but you must rename the algorithm if you change SHA256.
    �
pbkdf2_sha256i��NcCs^|
du
sJ�
|rd
|v
sJ�
|p|j}t
|
|||jd�}t�|�
�d�
��}d|j|||fS)Nr@)
�digest�asciiz%s$%d$%s$%s)�
iterationsr	r{�base64�	b64encoderq�stripr)r`rr,r}rLrrrr-
s






zPBKDF2PasswordHasher.encodecCs4|
�d
d�\}}}}||j
ksJ�
||t|�
|d�S)Nr@�)rrLr}r,�rIr�int)r`rrr}r,rLrrrrq
s




�zPBKDF2PasswordHasher.decodecCs*|�|�
}|�
|
|d
|d�}t||�S�Nr,r}�rqr-r�r`rr�decoded�	encoded_2rrrr'
s




zPBKDF2PasswordHasher.verifyc
CsF|�|
�
}t
d
�
|d
t
d�
|dt
d�
t|d�
t
d�
t|d�
iS)Nrr}r,rL�rq�
_rP�r`rr�rrrrr,
�




�z!PBKDF2PasswordHasher.safe_summarycCs,|�|
�
}t
|d
|j�}|d|jkp|Sr�)rqrUrhr})r`rr��update_saltrrrr5
s



z PBKDF2PasswordHasher.must_updatecCs:|�|�
}|j
|d
}|dkr|�|
|d|�
dSdS)Nr}r
r,)rqr}r-)r`rrr��extra_iterationsrrrr:
s





�z#PBKDF2PasswordHasher.harden_runtimerQ)r_rwr+rxrr}�hashlib�sha256r{r-rqrrrrrrrrrry	
s




	ryc
@seZ
dZd
ZdZejZdS)�PBKDF2SHA1PasswordHasherz�
    Alternate PBKDF2 hasher which uses SHA1, the default PRF
    recommended by PKCS #5. This is compatible with other
    implementations of PBKDF2, such as openssl's
    PKCS5_PBKDF2_HMAC_SHA1().
    �pbkdf2_sha1N)r_rwr+rxrr��sha1r{rrrrr�A
s


r�c@s\eZ
dZd
ZdZdZdZdZdZdd�Z	dd	�Z
d
d�Zdd
�Zdd�Z
dd�Zdd�ZdS)�Argon2PasswordHashera

    Secure password hashing using the argon2 algorithm.

    This is the winner of the Password Hashing Competition 2013-2015
    (https://password-hashing.net). It requires the argon2-cffi library which
    depends on native C code and might cause portability issues.
    �argon2�i�
�c	CsL|��}|�
�}|jj|
��|��|j|j|j|j|j	d
�}|j
|�d�
S)N)�	time_cost�memory_cost�parallelism�hash_lenr*r|)re�params�	low_level�hash_secretr-r�r�r�r�r*rrq)r`rr,r�r��datarrrr-[
s









�	zArgon2PasswordHasher.encodec
Cs�|��}|
�
d
d�\}}||jksJ�
|�d
|�
}|�
d
�
�^
}}}}	|dt|�
d7}t�|�
�d�
}
||	|j|j	|
|j
||j|d�	S)Nr@rG�
=��latin1)	rrLr�r�r,r��variety�versionr�)rerIr�extract_parametersrHr~�	b64decoderqr�r�r�r�)r`rr�r�restr�r�r��b64saltrLr,rrrrqi
s"













�zArgon2PasswordHasher.decodecCsV|��}|�
d
d�\}}||jksJ�
z|���d
||
�WS|jjy*


YdSw)Nr@rGF)rerIr�PasswordHasherr�
exceptions�VerificationError)r`rrr�rr�rrrr~
s






�zArgon2PasswordHasher.verifycCsv|�|
�
}t
d
�
|d
t
d�
|dt
d�
|dt
d�
|dt
d�
|dt
d�
|dt
d	�
t|d	�
t
d
�
t|d
�
iS)Nrr�r�zmemory costr�z	time costr�r�r,rLr�r�rrrrr�
s








�z!Argon2PasswordHasher.safe_summarycCs>|�|
�
}|d
}|�
�}|j|_t|d|j�}||kp|S)Nr�r,)rqr��salt_lenrUrh)r`rr��current_params�
new_paramsr�rrrr�
s





z Argon2PasswordHasher.must_updatec
C�dSrQrrmrrrr�
sz#Argon2PasswordHasher.harden_runtimec
	Cs4|��}
|
j
|
jjj|
jj|
j|
j|j|j	|j
d
�S)N)r*r�r�r�r�r�r�)re�
Parametersr��Type�ID�ARGON2_VERSION�DEFAULT_RANDOM_SALT_LENGTH�DEFAULT_HASH_LENGTHr�r�r�)r`r�rrrr��
s







�zArgon2PasswordHasher.paramsN)r_rwr+rxrrXr�r�r�r-rqrrrrrr�rrrrr�L
s



	

r�c@sZeZ
dZd
ZdZejZdZdZ	dd�Z
dd�Zd	d
�Zdd�Z
d
d�Zdd�Zdd�ZdS)�BCryptSHA256PasswordHashera&

    Secure password hashing using the bcrypt algorithm (recommended)

    This is considered by many to be the most secure algorithm but you
    must first install the bcrypt library.  Please be warned that
    this library depends on native C code and might cause portability
    issues.
    �
bcrypt_sha256)�bcryptr��c
Cs|��}
|
�
|j�
SrQ)re�gensalt�rounds)r`r�rrrr,�
s

zBCryptSHA256PasswordHasher.saltcCsN|��}|
�
�}
|jdu
rt�|�|
�
���
}
|�|
|�}d
|j|�d�
fS)Nz%s$%sr|)rer-r{�binascii�hexlify�hashpwrrq)r`rr,r�r�rrrr-�
s



z!BCryptSHA256PasswordHasher.encodecCsH|
�d
d�\}}}}}||j
ksJ�
|||dd�|dd�t|�
d�S)Nr@r��)r�algostr�checksumr,�work_factorr�)r`rr�emptyr�r�r�rrrrq�
s







�z!BCryptSHA256PasswordHasher.decodecCs:|�d
d�\}}||j
ksJ�
|�|
|�d�
�}t||�S)Nr@rGr|)rIrr-r)r`rrrr�r�rrrr�
s




z!BCryptSHA256PasswordHasher.verifyc
CsF|�|
�
}t
d
�
|d
t
d�
|dt
d�
t|d�
t
d�
t|d�
iS)Nrzwork factorr�r,r�r�r�rrrrr�
r�z'BCryptSHA256PasswordHasher.safe_summarycCs|�|
�
}|d
|j
kS)Nr�)rqr�r�rrrr�
s


z&BCryptSHA256PasswordHasher.must_updatecCsr|�d
d�\}}|dd�}|�d
�
d}d|j
t|�
d}|dkr7|�|
|�d�
�
|d8}|dks$dSdS)Nr@rG�r�r
r|)rIr�r�r-)r`rrr�r�r,r��diffrrrr�
s





�z)BCryptSHA256PasswordHasher.harden_runtimeN)r_rwr+rxrr�r�r{rXr�r,r-rqrrrrrrrrrr��
s



	r�c
@seZ
dZd
ZdZdZdS)�BCryptPasswordHashera�

    Secure password hashing using the bcrypt algorithm

    This is considered by many to be the most secure algorithm but you
    must first install the bcrypt library.  Please be warned that
    this library depends on native C code and might cause portability
    issues.

    This hasher does not first hash the password which means it is subject to
    bcrypt's 72 bytes password truncation. Most use cases should prefer the
    BCryptSHA256PasswordHasher.
    r�N)r_rwr+rxrr{rrrrr��
s

r�c@�DeZ
dZd
ZdZdd�Zdd�Zdd�Zd	d
�Zdd�Z	d
d�Z
dS)�SHA1PasswordHasherz?
    The SHA1 password hashing algorithm (not recommended)
    r�cC�B|
du
sJ�
|rd
|v
sJ�
t�
||
���
��}d|j||fS�Nr@�%s$%s$%s)r�r�r-�	hexdigestr�r`rr,rLrrrr-�



zSHA1PasswordHasher.encodecC�,|
�d
d�\}}}||j
ksJ�
|||d�S�Nr@r��rrLr,�rIr�r`rrr,rLrrrrq�



�zSHA1PasswordHasher.decodecC�$|�|�
}|�
|
|d
�}t||�S�Nr,r�r�rrrr�




zSHA1PasswordHasher.verifycC�>|�|
�
}t
d
�
|d
t
d�
t|ddd�t
d�
t|d�
iS�Nrr,r��
rMrLr�r�rrrrr#�




�zSHA1PasswordHasher.safe_summarycC�|�|
�
}t
|d
|j�Sr��rqrUrhr�rrrr+�


zSHA1PasswordHasher.must_updatec
Cr�rQrrmrrrr/rtz!SHA1PasswordHasher.harden_runtimeN�r_rwr+rxrr-rqrrrrrrrrrr�	�
	r�c@r�)�MD5PasswordHasherzE
    The Salted MD5 password hashing algorithm (not recommended)
    �md5cCr�r�)r�r�r-r�rr�rrrr-9r�zMD5PasswordHasher.encodecCr�r�r�r�rrrrq?r�zMD5PasswordHasher.decodecCr�r�r�r�rrrrHr�zMD5PasswordHasher.verifycCr�r�r�r�rrrrrMr�zMD5PasswordHasher.safe_summarycCr�r�r�r�rrrrUr�zMD5PasswordHasher.must_updatec
Cr�rQrrmrrrrYrtz MD5PasswordHasher.harden_runtimeNr�rrrrr�3r�r�c@r�)�UnsaltedSHA1PasswordHashera7

    Very insecure algorithm that you should *never* use; store SHA1 hashes
    with an empty salt.

    This class is implemented because Django used to accept such password
    hashes. Some older Django installs still have these values lingering
    around so we need to handle and upgrade them properly.
    rFc


Crs�N�r�
r`rrrr,hrtzUnsaltedSHA1PasswordHasher.saltcCs&|d
ksJ�
t�
|
���
��}d|S)Nr�zsha1$$%s)r�r�r-r�r�rrrr-ks


z!UnsaltedSHA1PasswordHasher.encodecCs$|
�d
�
sJ�
|j
|
dd�dd�S)NrErJr�)rrrprrrrqps




�z!UnsaltedSHA1PasswordHasher.decodecCs|�|
d
�}t
||�Sr�)r-r�r`rrr�rrrrxs


z!UnsaltedSHA1PasswordHasher.verifycCs*|�|
�
}t
d
�
|d
t
d�
t|d�
iS)NrrLr�r�rrrrr|s


�z'UnsaltedSHA1PasswordHasher.safe_summaryc
Cr�rQrrmrrrr�rtz)UnsaltedSHA1PasswordHasher.harden_runtimeN�r_rwr+rxrr,r-rqrrrrrrrrr�]s
r�c@r�)�UnsaltedMD5PasswordHashera�

    Incredibly insecure algorithm that you should *never* use; stores unsalted
    MD5 hashes without the algorithm prefix, also accepts MD5 hashes with an
    empty salt.

    This class is implemented because Django used to store passwords this way
    and to accept such password hashes. Some older Django installs still have
    these values lingering around so we need to handle and upgrade them
    properly.
    rCc


Crsr�rr�rrrr,�rtzUnsaltedMD5PasswordHasher.saltcCs|d
ksJ�
t�
|
���
��Sr�)r�r�r-r�rnrrrr-�s

z UnsaltedMD5PasswordHasher.encodecCs|j|
dd
�S)Nr�r5rprrrrq�s

�z UnsaltedMD5PasswordHasher.decodecCs8t|�
d
kr|�
d�
r|dd�}|�|
d�}t||�S)NrArB�r�)rHrr-rr�rrrr�s




z UnsaltedMD5PasswordHasher.verifycCs.|�|
�
}t
d
�
|d
t
d�
t|ddd�iS)NrrLr�r�r�r�rrrrr�s


�z&UnsaltedMD5PasswordHasher.safe_summaryc
Cr�rQrrmrrrr�rtz(UnsaltedMD5PasswordHasher.harden_runtimeNr�rrrrr��s

r�c@sHeZ
dZd
ZdZdZdd�Zdd�Zdd�Zd	d
�Z	dd�Z
d
d�ZdS)�CryptPasswordHasherzv
    Password hashing using UNIX crypt (not recommended)

    The crypt module is not supported on all platforms.
    �cryptc

Cstd
�
S)Nr�)
rr�rrrr,�s
zCryptPasswordHasher.saltcCs@|��}t
|�
d
ksJ�
|�|
|�}|du
sJ�
d|jd|fS)Nr�r�r�)rerHr�r)r`rr,r�rLrrrr-�s




zCryptPasswordHasher.encodecCr�r�r�r�rrrrq�r�zCryptPasswordHasher.decodecCs0|��}|�
|�
}|�|
|d
�}t|d
|�S)NrL)rerqr�r)r`rrr�r�r�rrrr�s




zCryptPasswordHasher.verifyc	Cs:|�|
�
}t
d
�
|d
t
d�
|dt
d�
t|ddd�iS)Nrr,rLr�r�r�r�rrrrr�s




�z CryptPasswordHasher.safe_summaryc
Cr�rQrrmrrrr�rtz"CryptPasswordHasher.harden_runtimeN)r_rwr+rxrrXr,r-rqrrrrrrrrr��s

	r�)Nr)
r)rJrK)1r~r��	functoolsr�r[rRru�django.confr�django.core.exceptionsr�django.core.signalsr�django.dispatchr�django.utils.cryptorrrr	�django.utils.module_loadingr
�django.utils.translationrr�rrrr%r�	lru_cacher4r8r<rrrPrUrVryr�r�r�r�r�r�r�r�r�rrrr�<module>
sP













(








Y8eG***,