trabajo-afectivo/lib/password_hash.rb

# Copyright (C) 2012-2021 Zammad Foundation, http://zammad-foundation.org/

module PasswordHash
  include ApplicationLib

  extend self

  def crypt(password)
    # take a fresh Argon2::Password instances to ensure randomized salt
    Argon2::Password.new(secret: secret).create(password)
  end

  def verified?(pw_hash, password)
    Argon2::Password.verify_password(password, pw_hash, secret)
  rescue
    false
  end

  def crypted?(pw_hash)
    return false if !pw_hash
    return true if hashed_argon2?(pw_hash)
    return true if hashed_sha2?(pw_hash)

    false
  end

  def legacy?(pw_hash, password)
    return false if pw_hash.blank?
    return false if !password

    return true if sha2?(pw_hash, password)
    return true if hashed_argon2i?(pw_hash, password)

    false
  end

  def hashed_sha2?(pw_hash)
    pw_hash.start_with?('{sha2}')
  end

  def hashed_argon2?(pw_hash)
    Argon2::Password.valid_hash?(pw_hash)
  end

  def hashed_argon2i?(pw_hash, password)
    # taken from: https://github.com/technion/ruby-argon2/blob/7e1f4a2634316e370ab84150e4f5fd91d9263713/lib/argon2.rb#L33
    return false if !pw_hash.match?(%r{^\$argon2i\$.{,112}})

    # Argon2::Password.verify_password verifies argon2i hashes, too
    verified?(pw_hash, password)
  end

  def sha2(password)
    crypted = Digest::SHA2.hexdigest(password)
    "{sha2}#{crypted}"
  end

  private

  def sha2?(pw_hash, password)
    return false if !hashed_sha2?(pw_hash)

    pw_hash == sha2(password)
  end

  def secret
    @secret ||= Setting.get('application_secret')
  end
end
Maintenance: Update copyright information and add a new rubocop cop to watch over it. 2021-06-01 12:20:20 +00:00			`# Copyright (C) 2012-2021 Zammad Foundation, http://zammad-foundation.org/`
Improved password security by using proper password hash module backed by Argon2 (official winner of the Password Hashing Competition) - thanks to @nomoketo and @benbe. 2017-01-27 08:17:03 +00:00
			`module PasswordHash`
			`include ApplicationLib`

Updated rubocop to latest version (0.62.0) and applied required changes. 2019-01-01 16:54:13 +00:00			`extend self`
Improved password security by using proper password hash module backed by Argon2 (official winner of the Password Hashing Competition) - thanks to @nomoketo and @benbe. 2017-01-27 08:17:03 +00:00
			`def crypt(password)`
Fixed issue #462 - Password hashing: upgrade to argon2 2.x (argon2id), fix non-unique salt bug - huge thanks to @martinvonwittich ! 2019-06-27 11:51:29 +00:00			`# take a fresh Argon2::Password instances to ensure randomized salt`
			`Argon2::Password.new(secret: secret).create(password)`
Improved password security by using proper password hash module backed by Argon2 (official winner of the Password Hashing Competition) - thanks to @nomoketo and @benbe. 2017-01-27 08:17:03 +00:00			`end`

			`def verified?(pw_hash, password)`
			`Argon2::Password.verify_password(password, pw_hash, secret)`
			`rescue`
			`false`
			`end`

			`def crypted?(pw_hash)`
Fixed bug: Legacy hashed passwords (like sha2) will get rehashed when set. This happens when a user password should get set without transfering it in plain like e.g. the REST API, an import or the auto_wizard.json file. Therefore Zammad should accept legacy passwords when set but should convert them on first login to the internal format (as already implemented). Additionally there should be no exclusion for the import mode when setting/ensuring a password since Zammand couldn't handle it later. 2017-05-08 10:04:54 +00:00			`return false if !pw_hash`
			`return true if hashed_argon2?(pw_hash)`
			`return true if hashed_sha2?(pw_hash)`
Updated rubocop to latest version (0.59.2) and applied required changes. 2018-10-09 06:17:41 +00:00
Fixed bug: Legacy hashed passwords (like sha2) will get rehashed when set. This happens when a user password should get set without transfering it in plain like e.g. the REST API, an import or the auto_wizard.json file. Therefore Zammad should accept legacy passwords when set but should convert them on first login to the internal format (as already implemented). Additionally there should be no exclusion for the import mode when setting/ensuring a password since Zammand couldn't handle it later. 2017-05-08 10:04:54 +00:00			`false`
Improved password security by using proper password hash module backed by Argon2 (official winner of the Password Hashing Competition) - thanks to @nomoketo and @benbe. 2017-01-27 08:17:03 +00:00			`end`

			`def legacy?(pw_hash, password)`
Fixed bug: Legacy hashed passwords (like sha2) will get rehashed when set. This happens when a user password should get set without transfering it in plain like e.g. the REST API, an import or the auto_wizard.json file. Therefore Zammad should accept legacy passwords when set but should convert them on first login to the internal format (as already implemented). Additionally there should be no exclusion for the import mode when setting/ensuring a password since Zammand couldn't handle it later. 2017-05-08 10:04:54 +00:00			`return false if pw_hash.blank?`
			`return false if !password`
Updated rubocop to latest version (0.59.2) and applied required changes. 2018-10-09 06:17:41 +00:00
Fixed issue #462 - Password hashing: upgrade to argon2 2.x (argon2id), fix non-unique salt bug - huge thanks to @martinvonwittich ! 2019-06-27 11:51:29 +00:00			`return true if sha2?(pw_hash, password)`
			`return true if hashed_argon2i?(pw_hash, password)`

			`false`
Improved password security by using proper password hash module backed by Argon2 (official winner of the Password Hashing Competition) - thanks to @nomoketo and @benbe. 2017-01-27 08:17:03 +00:00			`end`

Fixed bug: Legacy hashed passwords (like sha2) will get rehashed when set. This happens when a user password should get set without transfering it in plain like e.g. the REST API, an import or the auto_wizard.json file. Therefore Zammad should accept legacy passwords when set but should convert them on first login to the internal format (as already implemented). Additionally there should be no exclusion for the import mode when setting/ensuring a password since Zammand couldn't handle it later. 2017-05-08 10:04:54 +00:00			`def hashed_sha2?(pw_hash)`
			`pw_hash.start_with?('{sha2}')`
			`end`
Improved password security by using proper password hash module backed by Argon2 (official winner of the Password Hashing Competition) - thanks to @nomoketo and @benbe. 2017-01-27 08:17:03 +00:00
Fixed bug: Legacy hashed passwords (like sha2) will get rehashed when set. This happens when a user password should get set without transfering it in plain like e.g. the REST API, an import or the auto_wizard.json file. Therefore Zammad should accept legacy passwords when set but should convert them on first login to the internal format (as already implemented). Additionally there should be no exclusion for the import mode when setting/ensuring a password since Zammand couldn't handle it later. 2017-05-08 10:04:54 +00:00			`def hashed_argon2?(pw_hash)`
Fixed issue #462 - Password hashing: upgrade to argon2 2.x (argon2id), fix non-unique salt bug - huge thanks to @martinvonwittich ! 2019-06-27 11:51:29 +00:00			`Argon2::Password.valid_hash?(pw_hash)`
			`end`

			`def hashed_argon2i?(pw_hash, password)`
Fixed bug: Legacy hashed passwords (like sha2) will get rehashed when set. This happens when a user password should get set without transfering it in plain like e.g. the REST API, an import or the auto_wizard.json file. Therefore Zammad should accept legacy passwords when set but should convert them on first login to the internal format (as already implemented). Additionally there should be no exclusion for the import mode when setting/ensuring a password since Zammand couldn't handle it later. 2017-05-08 10:04:54 +00:00			`# taken from: https://github.com/technion/ruby-argon2/blob/7e1f4a2634316e370ab84150e4f5fd91d9263713/lib/argon2.rb#L33`
Maintenance: Rubocop enforces %r{} regular expression style 2021-05-12 11:37:44 +00:00			`return false if !pw_hash.match?(%r{^\$argon2i\$.{,112}})`
Fixed issue #462 - Password hashing: upgrade to argon2 2.x (argon2id), fix non-unique salt bug - huge thanks to @martinvonwittich ! 2019-06-27 11:51:29 +00:00
			`# Argon2::Password.verify_password verifies argon2i hashes, too`
			`verified?(pw_hash, password)`
Fixed bug: Legacy hashed passwords (like sha2) will get rehashed when set. This happens when a user password should get set without transfering it in plain like e.g. the REST API, an import or the auto_wizard.json file. Therefore Zammad should accept legacy passwords when set but should convert them on first login to the internal format (as already implemented). Additionally there should be no exclusion for the import mode when setting/ensuring a password since Zammand couldn't handle it later. 2017-05-08 10:04:54 +00:00			`end`

			`def sha2(password)`
Improved password security by using proper password hash module backed by Argon2 (official winner of the Password Hashing Competition) - thanks to @nomoketo and @benbe. 2017-01-27 08:17:03 +00:00			`crypted = Digest::SHA2.hexdigest(password)`
Fixed bug: Legacy hashed passwords (like sha2) will get rehashed when set. This happens when a user password should get set without transfering it in plain like e.g. the REST API, an import or the auto_wizard.json file. Therefore Zammad should accept legacy passwords when set but should convert them on first login to the internal format (as already implemented). Additionally there should be no exclusion for the import mode when setting/ensuring a password since Zammand couldn't handle it later. 2017-05-08 10:04:54 +00:00			`"{sha2}#{crypted}"`
			`end`

			`private`

			`def sha2?(pw_hash, password)`
			`return false if !hashed_sha2?(pw_hash)`
Updated rubocop to latest version (0.59.2) and applied required changes. 2018-10-09 06:17:41 +00:00
Fixed bug: Legacy hashed passwords (like sha2) will get rehashed when set. This happens when a user password should get set without transfering it in plain like e.g. the REST API, an import or the auto_wizard.json file. Therefore Zammad should accept legacy passwords when set but should convert them on first login to the internal format (as already implemented). Additionally there should be no exclusion for the import mode when setting/ensuring a password since Zammand couldn't handle it later. 2017-05-08 10:04:54 +00:00			`pw_hash == sha2(password)`
Improved password security by using proper password hash module backed by Argon2 (official winner of the Password Hashing Competition) - thanks to @nomoketo and @benbe. 2017-01-27 08:17:03 +00:00			`end`

			`def secret`
Fixed bug: Argon2 secret differs after app-reinitialization in test env. 2018-09-28 12:14:46 +00:00			`@secret \|\|= Setting.get('application_secret')`
Improved password security by using proper password hash module backed by Argon2 (official winner of the Password Hashing Competition) - thanks to @nomoketo and @benbe. 2017-01-27 08:17:03 +00:00			`end`
			`end`