o Mf6a@sddlZddlZddlZddlZddlZddlZddlZddlmZddl m Z ddl m Z ddl mZddlmZmZmZmZddlmZddlmZd Zd Zd d Zd8ddZd8ddZeddZeddZ ee ddZ!d9ddZ"ddZ#d:ddZ$d d!Z%Gd"d#d#Z&Gd$d%d%e&Z'Gd&d'd'e'Z(Gd(d)d)e&Z)Gd*d+d+e&Z*Gd,d-d-e*Z+Gd.d/d/e&Z,Gd0d1d1e&Z-Gd2d3d3e&Z.Gd4d5d5e&Z/Gd6d7d7e&Z0dS);N)settings)ImproperlyConfigured)setting_changed)receiver)RANDOM_STRING_CHARSconstant_time_compareget_random_stringpbkdf2) import_string) gettext_noop!(cCs|dup |t S)zv Return True if this password wasn't generated by User.set_unusable_password(), i.e. make_password(None). N) startswithUNUSABLE_PASSWORD_PREFIX)encodedr]/var/www/html/analyze/labelStudio/lib/python3.10/site-packages/django/contrib/auth/hashers.pyis_password_usablesrdefaultcCs|dust|s dSt|}zt|}Wn tyYdSw|j|jk}|p+||}|||}|s>|s>|r>||||rH|rH|rH|||S)z Return a boolean of whether the raw password matches the three part encoded digest. If setter is specified, it'll be called when you need to regenerate the password. NF)r get_hasheridentify_hasher ValueError algorithm must_updateverifyharden_runtime)passwordrsetter preferredhasherhasher_changedr is_correctrrrcheck_passwords        r"cCsT|dur tttSt|ttfstdt|jt |}|p#| }| ||S)a| Turn a plain-text password into a hash for database storage Same as encode() but generate a new random salt. If password is None then return a concatenation of UNUSABLE_PASSWORD_PREFIX and a random string, which disallows logins. Additional random string reduces chances of gaining access to staff or superuser accounts. See ticket #20079 for more info. Nz+Password must be a string or bytes, got %s.) rrUNUSABLE_PASSWORD_SUFFIX_LENGTH isinstancebytesstr TypeErrortype __qualname__rsaltencode)rr*rrrr make_passwordAs   r,cCsBg}tjD]}t|}|}t|dstd|||q|S)Nrz,hasher doesn't specify an algorithm name: %s)rPASSWORD_HASHERSr getattrrappend)hashers hasher_path hasher_clsrrrr get_hashersVs   r3cCsddtDS)NcSsi|]}|j|qSrr).0rrrr esz,get_hashers_by_algorithm..)r3rrrrget_hashers_by_algorithmcsr7cKs$|ddkrttdSdS)Nsettingr-)r3 cache_clearr7)kwargsrrr reset_hashershs  r;cCsLt|dr|S|dkrtdSt}z||WSty%td|w)z Return an instance of a loaded password hasher. If algorithm is 'default', return the default hasher. Lazily import hashers specified in the project's settings file if needed. rrrz\Unknown password hashing algorithm '%s'. Did you specify it in the PASSWORD_HASHERS setting?)hasattrr3r7KeyErrorr)rr0rrrros    rcCspt|dkr d|vst|dkr|drd}t|St|dkr,|dr,d}t|S|dd d }t|S) z Return an instance of a loaded password hasher. Identify hasher algorithm by examining encoded hash, and call get_hasher() to return hasher. Raise ValueError if algorithm cannot be identified, or if hasher is not loaded. $%md5$$ unsalted_md5.sha1$$ unsalted_sha1r)lenrsplitr)rrrrrrs r*cCs(|d|}||t||d7}|S)z Return the given hash, with only the first ``show`` number shown. The rest are masked with ``char`` for security reasons. N)rG)hashshowcharmaskedrrr mask_hashs rOcCst|ttt|kSN)rGmathlog2r)r*expected_entropyrrrmust_update_saltsrTc@s\eZdZdZdZdZdZddZddZdd Z d d Z d d Z ddZ ddZ ddZdS)BasePasswordHasherz Abstract base class for password hashers When creating your own hasher, you need to override algorithm, verify(), encode() and safe_summary(). PasswordHasher objects are immutable. Nc Csz|jdur5t|jttfr|j\}}n|j}zt|}W|Sty4}z td|jj |fd}~wwtd|jj )Nz&Couldn't load %r algorithm library: %sz-Hasher %r doesn't specify a library attribute) libraryr$tuplelist importlib import_module ImportErrorr __class____name__)selfnamemod_pathmoduleerrr _load_librarys    z BasePasswordHasher._load_librarycCs&t|jttt}t|tdS)z Generate a cryptographically secure nonce salt in ASCII with an entropy of at least `salt_entropy` bits. ) allowed_chars)rQceil salt_entropyrRrGrr)r_ char_countrrrr*s zBasePasswordHasher.saltcCtd)z'Check if the given password is correct.z?subclasses of BasePasswordHasher must provide a verify() methodNotImplementedErrorr_rrrrrrszBasePasswordHasher.verifycCri)z Create an encoded database value. The result is normally formatted as "algorithm$salt$hash" and must be fewer than 128 characters. z@subclasses of BasePasswordHasher must provide an encode() methodrjr_rr*rrrr+zBasePasswordHasher.encodecCri)z Return a decoded database value. The result is a dictionary and should contain `algorithm`, `hash`, and `salt`. Extra keys can be algorithm specific like `iterations` or `work_factor`. z@subclasses of BasePasswordHasher must provide a decode() method.rjr_rrrrdecodeszBasePasswordHasher.decodecCri)z Return a summary of safe values. The result is a dictionary and will be used where the password field must be displayed to construct a safe representation of the password. zEsubclasses of BasePasswordHasher must provide a safe_summary() methodrjrorrr safe_summaryrnzBasePasswordHasher.safe_summarycCdS)NFrrorrrrzBasePasswordHasher.must_updatecCstddS)a Bridge the runtime gap between the work factor supplied in `encoded` and the work factor suggested by this hasher. Taking PBKDF2 as an example, if `encoded` contains 20000 iterations and `self.iterations` is 30000, this method should run password through another 10000 iterations of PBKDF2. Similar approaches should exist for any hasher that has a work factor. If not, this method should be defined as a no-op to silence the warning. zIsubclasses of BasePasswordHasher should provide a harden_runtime() methodN)warningswarnrlrrrrs z!BasePasswordHasher.harden_runtime)r^ __module__r)__doc__rrWrgrdr*rr+rprqrrrrrrrUs    rUc@sPeZdZdZdZdZejZdddZ ddZ d d Z d d Z d dZ ddZdS)PBKDF2PasswordHashera Secure password hashing using the PBKDF2 algorithm (recommended) Configured to use PBKDF2 + HMAC + SHA256. The result is a 64 byte binary string. Iterations may be changed safely but you must rename the algorithm if you change SHA256. pbkdf2_sha256iNcCs^|dusJ|r d|vsJ|p|j}t||||jd}t|d}d|j|||fS)Nr?)digestasciiz %s$%d$%s$%s) iterationsr rzbase64 b64encoderpstripr)r_rr*r|rKrrrr+s  zPBKDF2PasswordHasher.encodecCs4|dd\}}}}||jksJ||t||dS)Nr?)rrKr|r*rHrint)r_rrr|r*rKrrrrpszPBKDF2PasswordHasher.decodecCs*||}|||d|d}t||SNr*r|rpr+rr_rrdecoded encoded_2rrrr!s  zPBKDF2PasswordHasher.verifyc CsF||}td|dtd|dtdt|dtdt|diS)Nrr|r*rKrp_rOr_rrrrrrq&   z!PBKDF2PasswordHasher.safe_summarycCs,||}t|d|j}|d|jkp|Sr)rprTrgr|)r_rr update_saltrrrr/s z PBKDF2PasswordHasher.must_updatecCs:||}|j|d}|dkr|||d|dSdS)Nr|rr*)rpr|r+)r_rrrextra_iterationsrrrr4s z#PBKDF2PasswordHasher.harden_runtimerP)r^rvr)rwrr|hashlibsha256rzr+rprrqrrrrrrrxs   rxc@seZdZdZdZejZdS)PBKDF2SHA1PasswordHasherz Alternate PBKDF2 hasher which uses SHA1, the default PRF recommended by PKCS #5. This is compatible with other implementations of PBKDF2, such as openssl's PKCS5_PBKDF2_HMAC_SHA1(). pbkdf2_sha1N)r^rvr)rwrrsha1rzrrrrr;s rc@s\eZdZdZdZdZdZdZdZddZ dd Z d d Z d d Z ddZ ddZddZdS)Argon2PasswordHashera Secure password hashing using the argon2 algorithm. This is the winner of the Password Hashing Competition 2013-2015 (https://password-hashing.net). It requires the argon2-cffi library which depends on native C code and might cause portability issues. argon2ic CsL|}|}|jj|||j|j|j|j|j d}|j | dS)N) time_cost memory_cost parallelismhash_lenr(r{) rdparams low_level hash_secretr+rrrrr(rrp)r_rr*rrdatarrrr+Us zArgon2PasswordHasher.encodec Cs|}|dd\}}||jksJ|d|}|d^}}}} |dt| d7}t|d} || |j|j | |j ||j |d S)Nr?rF=latin1) rrKrrr*rvarietyversionr) rdrHrextract_parametersrGr} b64decoderprrrr) r_rrrrestrrrb64saltrKr*rrrrpcs"zArgon2PasswordHasher.decodecCsV|}|dd\}}||jksJz |d||WS|jjy*YdSw)Nr?rFF)rdrHrPasswordHasherr exceptionsVerificationError)r_rrrrrrrrrxszArgon2PasswordHasher.verifycCsv||}td|dtd|dtd|dtd|dtd|dtd|dtd t|d td t|d iS) Nrrrz memory costrz time costrrr*rKrrrrrrqs       z!Argon2PasswordHasher.safe_summarycCs>||}|d}|}|j|_t|d|j}||kp|S)Nrr*)rprsalt_lenrTrg)r_rrcurrent_params new_paramsrrrrrs  z Argon2PasswordHasher.must_updatecCdSrPrrlrrrrsz#Argon2PasswordHasher.harden_runtimec Cs4|}|j|jjj|jj|j|j|j|j |j dS)N)r(rrrrrr) rd ParametersrTypeIDARGON2_VERSIONDEFAULT_RANDOM_SALT_LENGTHDEFAULT_HASH_LENGTHrrr)r_rrrrrszArgon2PasswordHasher.paramsN)r^rvr)rwrrWrrrr+rprrqrrrrrrrrFs   rc@sZeZdZdZdZejZdZdZ ddZ ddZ d d Z d d Z d dZddZddZdS)BCryptSHA256PasswordHashera& Secure password hashing using the bcrypt algorithm (recommended) This is considered by many to be the most secure algorithm but you must first install the bcrypt library. Please be warned that this library depends on native C code and might cause portability issues. bcrypt_sha256)bcryptr cCs|}||jSrP)rdgensaltrounds)r_rrrrr*s zBCryptSHA256PasswordHasher.saltcCsN|}|}|jdurt||}|||}d|j|dfS)Nz%s$%sr{)rdr+rzbinasciihexlifyhashpwrrp)r_rr*rrrrrr+s   z!BCryptSHA256PasswordHasher.encodecCsH|dd\}}}}}||jksJ|||dd|ddt|dS)Nr?r)ralgostrchecksumr* work_factorr)r_rremptyrrrrrrrps  z!BCryptSHA256PasswordHasher.decodecCs:|dd\}}||jksJ|||d}t||S)Nr?rFr{)rHrr+r)r_rrrrrrrrrs z!BCryptSHA256PasswordHasher.verifyc CsF||}td|dtd|dtdt|dtdt|diS)Nrz work factorrr*rrrrrrrqrz'BCryptSHA256PasswordHasher.safe_summarycCs||}|d|jkS)Nr)rprrrrrrs z&BCryptSHA256PasswordHasher.must_updatecCsr|dd\}}|dd}|dd}d|jt|d}|dkr7|||d|d8}|dks$dSdS)Nr?rFrrr{)rHrrr+)r_rrrrr*rdiffrrrrs z)BCryptSHA256PasswordHasher.harden_runtimeN)r^rvr)rwrrrrzrWrr*r+rprrqrrrrrrrs   rc@seZdZdZdZdZdS)BCryptPasswordHashera Secure password hashing using the bcrypt algorithm This is considered by many to be the most secure algorithm but you must first install the bcrypt library. Please be warned that this library depends on native C code and might cause portability issues. This hasher does not first hash the password which means it is subject to bcrypt's 72 bytes password truncation. Most use cases should prefer the BCryptSHA256PasswordHasher. rN)r^rvr)rwrrzrrrrrs rc@DeZdZdZdZddZddZddZd d Zd d Z d dZ dS)SHA1PasswordHasherz? The SHA1 password hashing algorithm (not recommended) rcCB|dusJ|r d|vsJt||}d|j||fSNr?%s$%s$%s)rrr+ hexdigestrr_rr*rKrrrr+  zSHA1PasswordHasher.encodecC,|dd\}}}||jksJ|||dSNr?rrrKr*rHrr_rrr*rKrrrrp zSHA1PasswordHasher.decodecC$||}|||d}t||SNr*rrrrrr  zSHA1PasswordHasher.verifycC>||}td|dtdt|dddtdt|diSNrr*rrLrKrrrrrrq  zSHA1PasswordHasher.safe_summarycC||}t|d|jSrrprTrgrrrrr% zSHA1PasswordHasher.must_updatecCrrPrrlrrrr)rsz!SHA1PasswordHasher.harden_runtimeN r^rvr)rwrr+rprrqrrrrrrr  rc@r)MD5PasswordHasherzE The Salted MD5 password hashing algorithm (not recommended) md5cCrr)rrr+rrrrrrr+3rzMD5PasswordHasher.encodecCrrrrrrrrp9rzMD5PasswordHasher.decodecCrrrrrrrrBrzMD5PasswordHasher.verifycCrrrrrrrrqGrzMD5PasswordHasher.safe_summarycCrrrrrrrrOrzMD5PasswordHasher.must_updatecCrrPrrlrrrrSrsz MD5PasswordHasher.harden_runtimeNrrrrrr-rrc@r)UnsaltedSHA1PasswordHashera7 Very insecure algorithm that you should *never* use; store SHA1 hashes with an empty salt. This class is implemented because Django used to accept such password hashes. Some older Django installs still have these values lingering around so we need to handle and upgrade them properly. rEcCrrNrr_rrrr*brszUnsaltedSHA1PasswordHasher.saltcCs&|dksJt|}d|S)Nrzsha1$$%s)rrr+rrrrrr+es z!UnsaltedSHA1PasswordHasher.encodecCs$|dsJ|j|ddddS)NrDrIr)rrrorrrrpjs  z!UnsaltedSHA1PasswordHasher.decodecCs||d}t||Sr)r+rr_rrrrrrrrs  z!UnsaltedSHA1PasswordHasher.verifycCs*||}td|dtdt|diS)NrrKrrrrrrqvs  z'UnsaltedSHA1PasswordHasher.safe_summarycCrrPrrlrrrr}rsz)UnsaltedSHA1PasswordHasher.harden_runtimeN r^rvr)rwrr*r+rprrqrrrrrrWs rc@r)UnsaltedMD5PasswordHashera Incredibly insecure algorithm that you should *never* use; stores unsalted MD5 hashes without the algorithm prefix, also accepts MD5 hashes with an empty salt. This class is implemented because Django used to store passwords this way and to accept such password hashes. Some older Django installs still have these values lingering around so we need to handle and upgrade them properly. rBcCrrrrrrrrr*rszUnsaltedMD5PasswordHasher.saltcCs|dksJt|Sr)rrr+rrmrrrr+s z UnsaltedMD5PasswordHasher.encodecCs|j|ddS)Nrr4rorrrrpsz UnsaltedMD5PasswordHasher.decodecCs8t|dkr|dr|dd}||d}t||S)Nr@rAr)rGrr+rrrrrrs   z UnsaltedMD5PasswordHasher.verifycCs.||}td|dtdt|dddiS)NrrKrrrrrrrrqs  z&UnsaltedMD5PasswordHasher.safe_summarycCrrPrrlrrrrrsz(UnsaltedMD5PasswordHasher.harden_runtimeNrrrrrrs  rc@sHeZdZdZdZdZddZddZddZd d Z d d Z d dZ dS)CryptPasswordHasherzv Password hashing using UNIX crypt (not recommended) The crypt module is not supported on all platforms. cryptcCstdS)Nr)rrrrrr*szCryptPasswordHasher.saltcCs@|}t|dks J|||}|dusJd|jd|fS)Nrrr)rdrGrr)r_rr*rrKrrrr+s   zCryptPasswordHasher.encodecCrrrrrrrrprzCryptPasswordHasher.decodecCs0|}||}|||d}t|d|S)NrK)rdrprr)r_rrrrrrrrrs zCryptPasswordHasher.verifyc Cs:||}td|dtd|dtdt|dddiS)Nrr*rKrrrrrrrrqs   z CryptPasswordHasher.safe_summarycCrrPrrlrrrrrsz"CryptPasswordHasher.harden_runtimeN) r^rvr)rwrrWr*r+rprrqrrrrrrs  r)Nr)r)rIrJ)1r}r functoolsrrZrQrt django.confrdjango.core.exceptionsrdjango.core.signalsrdjango.dispatchrdjango.utils.cryptorrrr django.utils.module_loadingr django.utils.translationr rrr#rr"r, lru_cacher3r7r;rrrOrTrUrxrrrrrrrrrrrrrsP        "      Y8 eG***,