[Zope] SimpleUserFolder and sha-crypted passwd

Bjørge Solli
Sun, 29 Dec 2002 21:31:19 +0100 (CET)


Hi again

On Fri, 27 Dec 2002, Chris Withers wrote:
> Adam Manock wrote:
> > On Mon, 2002-12-16 at 05:23, Bjørge Solli wrote:
> >>I want to put my old loginmanager to rest and put something simple in. 
> >>SimpleUserFolder sounds nice, but it seems to do the password matching 
> >>itself, and since I have sha-crypted passwords, I need to match the 
> >>passwords in encrypted format. Any ideas? If none, can u please tell me to 
> >>*not* use SimpleUserFolder(perhaps you have an alternative as well?).
> 
> Have you tried it? It might just work on its own ;-)

It works fine if I use only sql with the easy table from createTable.sql 
and I copy all the tests/*.sql into my folder where the SUF-object is. I 
can also change the getUsers so it gets my correct users. But my roles are 
stored in different tables, and I have no good way of making a query 
returning in the format SUF understands (my sql-expert is working on it 
though ;-). So what I have been trying is to make a pythonscript returning a 
dictionary in the preferred form: 
{'password':########, 'roles':[role1,role2]}
In addition to this problem, my encryption is different from the normal 
userfolder standard, so I also change the encryption (basically I unhexlify 
it and encode it with binascii.b2a_base64). I also add the prefix '{SHA}' 
to the password after changing it.

From /lib/python/AccessControl/AuthEncoding.py I find that the SHA-scheme 
looks like this:
class SHADigestScheme:

    def encrypt(self, pw):
        return b2a_base64(sha.new(pw).digest())[:-1]

    def validate(self, reference, attempt):
        compare = b2a_base64(sha.new(attempt).digest())[:-1]
        return (compare == reference)

registerScheme('SHA', SHADigestScheme())

I encrypt the password in this way:
    crypted = sha.new(plaintext).hexdigest()

I change the passwords I get from my database in this way:
    prefiks = '{SHA}'
    passord = binascii.b2a_base64(binascii.unhexlify(crypted))[:-1]
    passwd = '%s%s' %(prefiks,passord)

But this does not work! I really don't understand why!

I also include the full sourcecode of my getUserDetails, it is partly 
written in Norwegian, but u should understand everything important (many 
similar words). Parameter List: self, name

import binascii

student = 0
KursMedArbeider = 0
KursAns = 0
StudieVeileder = 0
passwd = ''
roller = []

# finds the password: hex digest from the database -> '{SHA}' + base64
kryptertTab = self.SQL_findPasswd(email=name)
for i in kryptertTab:
    kryptert = i[1]
    prefiks = '{SHA}'
    passord = binascii.b2a_base64(binascii.unhexlify(kryptert))[:-1]
    passwd = '%s%s' % (prefiks, passord)
    #passwd = passord

# no password row found: fall back to the anonymous user
if passwd == '':
    name = 'Anonymous User'

# Checks whether it is mr. anonymous :)
if name == 'Anonymous User':
    roller.append('Anonymous')
    ret = {'password':passwd, 'roles':roller}
    return ret
else:
    student = 1

# Checks whether the person has roles from personEmne
rolleTab = self.SQL_RolesFromPersonEmne(email=name)

for i in rolleTab:
    rolle = i[1]
    if rolle == 'KursMedArbeider':
        KursMedArbeider = 1
    if rolle == 'KursAns':
        KursAns = 1


# Checks whether the person has roles from a department
studieveilederTab = self.SQL_isStudieveileder(epost=name)

for i in studieveilederTab:
    StudieVeileder = 1


rolleTab = self.SQL_RolesFromPersonRolle(email=name)
for i in rolleTab:
    roller.append(i[1])

if student:
    roller.append('student')
if KursMedArbeider:
    roller.append('KursMedArbeider')
if KursAns:
    roller.append('KursAns')
if StudieVeileder:
    roller.append('StudieVeileder')

# combine the answer into a dict
ret = {'password':passwd, 'roles':roller}

return ret

(yes importing binascii works!)

Hope u see a terrible mistake I have done right away;-)

One question I have asked is if it is possible to mix sql and py(?).

And if u really do bother reading all this and help me, I am really 
grateful!

cheers
Bjorge

> Take a look in lib/python/AccessControl/AuthEncoding.py and see if your SHA 
> stuff is supported there. If it is, Zope's normal userfolder stuff (and 
> therefore SUF too) will use it if it can...
> 
> Lemme know how you get on, I'll help if things need changing to make it work...
> 
> cheers,
> 
> Chris
> 
> 

-- 
http://www.ii.uib.no/~bjorge/smile/Smiles
--
Bjørge Solli - Universitas Bergensis, Norway
mailto:Bjorge@Kvarteret.no icq#29210281 MSN:bobelloco@hotmail.com
Møllendalsv.19, 5009 Bergen, Norway tel:+47 55202853/91614343
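
The conversion described in the message (stored SHA-1 hex digest to the '{SHA}'-prefixed base64 form that SHADigestScheme compares against), as an added example that is not part of the original post or of Zope. It assumes Python 3 and uses hashlib in place of the Python 2 sha module; the function names and the sample password are constructed for illustration.

```python
import base64
import binascii
import hashlib
import hmac

PREFIX = "{SHA}"  # scheme prefix named in the message


def hex_to_sha_scheme(hex_digest):
    """Convert a stored SHA-1 hex digest to '{SHA}' + base64(raw digest)."""
    # strip() guards against padding or newlines picked up from the database;
    # unhexlify raises binascii.Error (a ValueError) on odd-length or non-hex input.
    raw = binascii.unhexlify(hex_digest.strip())
    if len(raw) != hashlib.sha1().digest_size:
        raise ValueError("not a SHA-1 digest: %d bytes" % len(raw))
    return PREFIX + base64.b64encode(raw).decode("ascii")


def sha_scheme_encrypt(password):
    """Same computation as SHADigestScheme.encrypt on the page, plus the prefix."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return PREFIX + base64.b64encode(digest).decode("ascii")


def validate(reference, attempt):
    """Check an attempt against a '{SHA}'-prefixed reference in constant time."""
    if not reference.startswith(PREFIX):
        return False
    expected = sha_scheme_encrypt(attempt).encode("ascii")
    return hmac.compare_digest(reference.encode("utf-8"), expected)


if __name__ == "__main__":
    # Constructed sample: the hex form as it would sit in the database.
    stored_hex = hashlib.sha1(b"hemmelig").hexdigest()
    converted = hex_to_sha_scheme(stored_hex)
    print(converted)
    print(converted == sha_scheme_encrypt("hemmelig"))  # both routes agree
    print(validate(converted, "hemmelig"), validate(converted, "feil"))
```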