glances/password.py


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127

# -*- coding: utf-8 -*-
#
# This file is part of Glances.
#
# SPDX-FileCopyrightText: 2023 Nicolas Hennion <nicolas@nicolargo.com>
#
# SPDX-License-Identifier: LGPL-3.0-only
#

"""Manage password."""

import getpass
import hashlib
import os
import sys
import uuid
from io import open

from glances.globals import b, safe_makedirs, weak_lru_cache
from glances.config import user_config_dir
from glances.logger import logger


class GlancesPassword(object):

    """This class contains all the methods relating to password."""

    def __init__(self, username='glances', config=None):
        self.username = username

        self.config = config
        self.password_dir = self.local_password_path()
        self.password_filename = self.username + '.pwd'
        self.password_file = os.path.join(self.password_dir, self.password_filename)

    def local_password_path(self):
        """Return the local password path.
        Related to issue: Password files in same configuration dir in effect #2143
        """
        if self.config is None:
            return user_config_dir()[0]
        else:
            return self.config.get_value('passwords', 'local_password_path', default=user_config_dir()[0])

    @weak_lru_cache(maxsize=32)
    def get_hash(self, plain_password, salt=''):
        """Return the hashed password, salt + pbkdf2_hmac."""
        return hashlib.pbkdf2_hmac('sha256', plain_password.encode(), salt.encode(), 100000, dklen=128).hex()

    @weak_lru_cache(maxsize=32)
    def hash_password(self, plain_password):
        """Hash password with a salt based on UUID (universally unique identifier)."""
        salt = uuid.uuid4().hex
        encrypted_password = self.get_hash(plain_password, salt=salt)
        return salt + '$' + encrypted_password

    @weak_lru_cache(maxsize=32)
    def check_password(self, hashed_password, plain_password):
        """Encode the plain_password with the salt of the hashed_password.

        Return the comparison with the encrypted_password.
        """
        logger.info("Check password")
        salt, encrypted_password = hashed_password.split('$')
        re_encrypted_password = self.get_hash(plain_password, salt=salt)
        return encrypted_password == re_encrypted_password

    def get_password(self, description='', confirm=False, clear=False):
        """Get the password from a Glances client or server.

        For Glances server, get the password (confirm=True, clear=False):
            1) from the password file (if it exists)
            2) from the CLI
        Optionally: save the password to a file (hashed with salt + SHA-pbkdf2_hmac)

        For Glances client, get the password (confirm=False, clear=True):
            1) from the CLI
            2) the password is hashed with SHA-pbkdf2_hmac (only SHA string transit
               through the network)
        """
        if os.path.exists(self.password_file) and not clear:
            # If the password file exist then use it
            logger.info("Read password from file {}".format(self.password_file))
            password = self.load_password()
        else:
            # password_hash is the plain SHA-pbkdf2_hmac password
            # password_hashed is the salt + SHA-pbkdf2_hmac password
            password_hash = self.get_hash(getpass.getpass(description))
            password_hashed = self.hash_password(password_hash)
            if confirm:
                # password_confirm is the clear password (only used to compare)
                password_confirm = self.get_hash(getpass.getpass('Password (confirm): '))

                if not self.check_password(password_hashed, password_confirm):
                    logger.critical("Sorry, passwords do not match. Exit.")
                    sys.exit(1)

            # Return the plain SHA-pbkdf2_hmac or the salted password
            if clear:
                password = password_hash
            else:
                password = password_hashed

            # Save the hashed password to the password file
            if not clear:
                save_input = input('Do you want to save the password? [Yes/No]: ')
                if len(save_input) > 0 and save_input[0].upper() == 'Y':
                    self.save_password(password_hashed)

        return password

    def save_password(self, hashed_password):
        """Save the hashed password to the Glances folder."""
        # Create the glances directory
        safe_makedirs(self.password_dir)

        # Create/overwrite the password file
        with open(self.password_file, 'wb') as file_pwd:
            file_pwd.write(b(hashed_password))

    def load_password(self):
        """Load the hashed password from the Glances folder."""
        # Read the password file, if it exists
        with open(self.password_file, 'r') as file_pwd:
            hashed_password = file_pwd.read()

        return hashed_password