remove webdav digest_auth

doc/apache.md

@@ -109,6 +109,10 @@ Add `webdav` at `root_path` in the `[tracim_path]/tracim/wsgidav.conf`:
     
     root_path = ''
     
+    # Tracim doesn't support digest auth for webdav
+    acceptbasic = True
+    acceptdigest = False
+    defaultdigest = False
     #===============================================================================
     # Lock Manager
     #

tracim/migration/versions/2b4043fa2502_remove_webdav_right_digest_response_.py

@@ -0,0 +1,26 @@
+"""remove webdav_right_digest_response_hash from database
+
+Revision ID: 2b4043fa2502
+Revises: f3852e1349c4
+Create Date: 2018-03-13 14:41:38.590375
+
+"""
+
+# revision identifiers, used by Alembic.
+revision = '2b4043fa2502'
+down_revision = 'f3852e1349c4'
+
+from alembic import op
+from sqlalchemy import Column, Unicode
+
+
+def upgrade():
+    with op.batch_alter_table('users') as batch_op:
+        batch_op.drop_column('webdav_left_digest_response_hash')
+
+
+def downgrade():
+    with op.batch_alter_table('users') as batch_op:
+        batch_op.add_column(
+            Column('webdav_left_digest_response_hash', Unicode(128))
+        )

tracim/tracim/lib/daemons.py

@@ -390,14 +390,14 @@ class WsgiDavDaemon(Daemon):
             print(
                 "WARNING: Could not import lxml: using xml instead (slower). Consider installing lxml from http://codespeak.net/lxml/.")
         from wsgidav.dir_browser import WsgiDavDirBrowser
-        from tracim.lib.webdav.tracim_http_authenticator import TracimHTTPAuthenticator
+        from wsgidav.http_authenticator import HTTPAuthenticator
         from wsgidav.error_printer import ErrorPrinter
         from tracim.lib.webdav.utils import TracimWsgiDavDebugFilter
 
         config['middleware_stack'] = [
             TracimEnforceHTTPS,
             WsgiDavDirBrowser,
-            TracimHTTPAuthenticator,
+            HTTPAuthenticator,
             ErrorPrinter,
             TracimWsgiDavDebugFilter,
         ]

tracim/tracim/lib/webdav/sql_domain_controller.py

@@ -2,6 +2,9 @@
 
 from tracim.lib.user import UserApi
 
+class DigestAuthNotImplemented(Exception):
+    pass
+
 class TracimDomainController(object):
     """
     The domain controller is used by http_authenticator to authenticate the user every time a request is
@@ -15,13 +18,11 @@ class TracimDomainController(object):
 
     def getRealmUserPassword(self, realmname, username, environ):
         """
-        Warning ! This return hashed version of password !
+        This method is normally only use for digest auth. wsgidav need
+        plain password to deal with it. as we didn't
+        provide support for this kind of auth, this method raise an exception.
         """
-        try:
-            user = self._api.get_one_by_email(username)
-            return user.password
-        except:
-            return False
+        raise DigestAuthNotImplemented
 
     def requireAuthentication(self, realmname, environ):
         return True
@@ -37,17 +38,6 @@ class TracimDomainController(object):
         except:
             return False
 
-    def get_left_digest_response_hash(self, realmname, username, environ):
-        """
-        Called by our http_authenticator to get the hashed md5 digest for the current user that is also sent by
-        the webdav client
-        """
-        try:
-            user = self._api.get_one_by_email(username)
-            return user.webdav_left_digest_response_hash
-        except:
-            return None
-
     def authDomainUser(self, realmname, username, password, environ):
         """
         If you ever feel the need to send a request al-mano with a curl, this is the function that'll be called by

tracim/tracim/lib/webdav/tracim_http_authenticator.py

@@ -1,76 +0,0 @@
-from wsgidav.http_authenticator import HTTPAuthenticator
-from wsgidav import util
-
-_logger = util.getModuleLogger(__name__, True)
-
-
-class TracimHTTPAuthenticator(HTTPAuthenticator):
-    def computeDigestResponse(
-            self,
-            username,
-            realm,
-            password,
-            method,
-            uri,
-            nonce,
-            cnonce,
-            qop,
-            nc
-    ):
-        """
-        Override standard computeDigestResponse : as user password is already
-        hashed in database, we need to use left_digest_response_hash
-        to have correctly hashed digest_response.
-        """
-
-        # TODO - G.M - 13-03-2018 Check if environ is useful
-        # for get_left_digest_response. If true, find a solution
-        # to obtain it here without recopy-paste whole authDigestAuthRequest
-        # method.
-        left_digest_response_hash = self._domaincontroller.get_left_digest_response_hash(realm, username, None)  # nopep8
-        if left_digest_response_hash:
-            return self.tracim_compute_digest_response(
-                left_digest_response_hash=left_digest_response_hash,
-                method=method,
-                uri=uri,
-                nonce=nonce,
-                cnonce=cnonce,
-                qop=qop,
-                nc=nc,
-            )
-        else:
-            return None
-
-    def tracim_compute_digest_response(
-            self,
-            left_digest_response_hash,
-            method,
-            uri,
-            nonce,
-            cnonce,
-            qop,
-            nc
-    ):
-        # TODO : Rename A to something more correct
-        A = "{method}:{uri}".format(method=method, uri=uri)
-        if qop:
-            right_digest_response_hash = "{nonce}:{nc}:{cnonce}:{qop}:{A}".format(  # nopep8
-                nonce=nonce,
-                nc=nc,
-                cnonce=cnonce,
-                qop=qop,
-                method=method,
-                uri=uri,
-                A=self.md5h(A),
-            )
-        else:
-            right_digest_response_hash = "{nonce}:{A}".format(
-                nonce=nonce,
-                A=self.md5h(A),
-            )
-        digestresp = self.md5kd(
-            left_digest_response_hash,
-            right_digest_response_hash,
-        )
-
-        return digestresp

tracim/tracim/model/auth.py

@@ -128,7 +128,6 @@ class User(DeclarativeBase):
     is_active = Column(Boolean, default=True, nullable=False)
     imported_from = Column(Unicode(32), nullable=True)
     timezone = Column(Unicode(255), nullable=False, server_default='')
-    _webdav_left_digest_response_hash = Column('webdav_left_digest_response_hash', Unicode(128))
     auth_token = Column(Unicode(255))
     auth_token_created = Column(DateTime)
 
@@ -202,10 +201,8 @@ class User(DeclarativeBase):
 
         Hash cleartext password on the fly,
         Store its ciphertext version,
-        Update the WebDAV hash as well.
         """
         self._password = self._hash_password(cleartext_password)
-        self.update_webdav_digest_auth(cleartext_password)
 
     def _get_password(self) -> str:
         """Return the hashed version of the password."""
@@ -214,26 +211,6 @@ class User(DeclarativeBase):
     password = synonym('_password', descriptor=property(_get_password,
                                                         _set_password))
 
-    @classmethod
-    def _hash_digest(cls, digest):
-        return md5(bytes(digest, 'utf-8')).hexdigest()
-
-    def _set_hash_digest(self, digest):
-        self._webdav_left_digest_response_hash = self._hash_digest(digest)
-
-    def _get_hash_digest(self):
-        return self._webdav_left_digest_response_hash
-
-    webdav_left_digest_response_hash = synonym('_webdav_left_digest_response_hash',
-                                               descriptor=property(_get_hash_digest,
-                                                                   _set_hash_digest))
-
-    def update_webdav_digest_auth(self, cleartext_password: str) -> None:
-        self.webdav_left_digest_response_hash \
-            = '{username}:/:{cleartext_password}'.format(
-                username=self.email,
-                cleartext_password=cleartext_password,
-            )
 
     def validate_password(self, cleartext_password: str) -> bool:
         """
@@ -252,8 +229,6 @@ class User(DeclarativeBase):
             hash = sha256()
             hash.update((cleartext_password + self.password[:64]).encode('utf-8'))
             result = self.password[64:] == hash.hexdigest()
-            if result and not self.webdav_left_digest_response_hash:
-                self.update_webdav_digest_auth(cleartext_password)
         return result
 
     def get_display_name(self, remove_email_part: bool=False) -> str:

tracim/tracim/tests/command/user.py

@@ -14,7 +14,6 @@ class TestUserCommand(TestCommand):
         # Check webdav digest exist for this user
         user = DBSession.query(User)\
             .filter(User.email == 'new-user@algoo.fr').one()
-        ok_(user.webdav_left_digest_response_hash)
 
     def test_update_password(self):
         self._create_user('new-user@algoo.fr', 'toor')
@@ -22,7 +21,6 @@ class TestUserCommand(TestCommand):
         # Grab webdav digest
         user = DBSession.query(User) \
             .filter(User.email == 'new-user@algoo.fr').one()
-        webdav_digest = user.webdav_left_digest_response_hash
 
         self._execute_command(
             UpdateUserCommand,
@@ -35,10 +33,6 @@ class TestUserCommand(TestCommand):
         # Grab new webdav digest to compare it
         user = DBSession.query(User) \
             .filter(User.email == 'new-user@algoo.fr').one()
-        ok_(
-            webdav_digest != user.webdav_left_digest_response_hash,
-            msg='Webdav digest should be different',
-        )
 
     def test_create_with_group(self):
         more_args = ['--add-to-group', 'managers', '--add-to-group', 'administrators']

tracim/tracim/tests/functional/test_admin.py

@@ -43,9 +43,6 @@ class TestAuthentication(TracimTestController):
         ok_(user, msg="User should exist now")
         ok_(user.validate_password('password'))
 
-        # User must have webdav digest
-        ok_(user.webdav_left_digest_response_hash)
-
     def test_update_user_password(self):
         self._connect_user(
             'admin@admin.admin',
@@ -67,7 +64,6 @@ class TestAuthentication(TracimTestController):
 
         user = DBSession.query(User) \
             .filter(User.email == 'an-other-email@test.local').one()
-        webdav_digest = user.webdav_left_digest_response_hash
 
         self.app.post(
             '/admin/users/{user_id}/password?_method=PUT'.format(
@@ -82,7 +78,3 @@ class TestAuthentication(TracimTestController):
         user = DBSession.query(User) \
             .filter(User.email == 'an-other-email@test.local').one()
         ok_(user.validate_password('new-password'))
-        ok_(
-            webdav_digest != user.webdav_left_digest_response_hash,
-            msg='Webdav digest should be updated',
-        )

tracim/tracim/tests/functional/test_user.py

@@ -22,7 +22,6 @@ class TestAuthentication(TracimTestController):
 
         user = DBSession.query(User) \
             .filter(User.email == 'lawrence-not-real-email@fsf.local').one()
-        webdav_digest = user.webdav_left_digest_response_hash
 
         try_post_user = self.app.post(
             '/user/{user_id}/password?_method=PUT'.format(
@@ -40,7 +39,3 @@ class TestAuthentication(TracimTestController):
         user = DBSession.query(User) \
             .filter(User.email == 'lawrence-not-real-email@fsf.local').one()
         ok_(user.validate_password('new-password'))
-        ok_(
-            webdav_digest != user.webdav_left_digest_response_hash,
-            msg='Webdav digest should be updated',
-        )

tracim/wsgidav.conf.sample

@@ -25,6 +25,10 @@ manager_locks = True
 
 root_path = ''
 
+# Tracim doesn't support digest auth for webdav
+acceptbasic = True
+acceptdigest = False
+defaultdigest = False
 #===============================================================================
 # Lock Manager
 #