From 594cfd60b646d28d45d3ff692f4fa8639eca2064 Mon Sep 17 00:00:00 2001
From: ale <ale@incal.net>
Date: Tue, 1 Sep 2015 10:49:41 +0000
Subject: [PATCH] add flag to allow plain passwords if host=localhost

---
 authserv/app_common.py     |  3 ++-
 authserv/auth.py           |  9 +++++++--
 authserv/test/test_auth.py | 12 ++++++++++--
 3 files changed, 19 insertions(+), 5 deletions(-)

diff --git a/authserv/app_common.py b/authserv/app_common.py
index c3681aa..9d5c8df 100644
--- a/authserv/app_common.py
+++ b/authserv/app_common.py
@@ -41,7 +41,8 @@ def do_auth(username, service, shard, password, otp_token, source_ip,
     user = current_app.userdb.get_user(username, service, shard)
     if user:
         retval, errmsg = auth.authenticate(
-            user, service, password, otp_token, source_ip, password_only)
+            user, service, password, otp_token, source_ip, password_only,
+            current_app.config.get('ALLOW_PLAIN_PASSWORD_FROM_LOCALHOST', False))
         out_shard = user.get_shard()
         if shard and out_shard != shard:
             retval = protocol.ERR_AUTHENTICATION_FAILURE
diff --git a/authserv/auth.py b/authserv/auth.py
index 77e6754..295ec36 100644
--- a/authserv/auth.py
+++ b/authserv/auth.py
@@ -31,7 +31,8 @@ def _check_otp(totp_key, token):
 
 
 def authenticate(user, service, password, otp_token, source_ip=None,
-                 password_only=False):
+                 password_only=False,
+                 allow_plain_password_from_localhost=False):
     if not password:
         return protocol.ERR_AUTHENTICATION_FAILURE, 'empty password'
 
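Review bot: The new config value is passed to auth.authenticate positionally as the seventh argument, directly after the boolean password_only, so a later reorder of the two trailing flags would go unnoticed at this call site. Passing it by keyword makes the intent explicit: `allow_plain_password_from_localhost=current_app.config.get('ALLOW_PLAIN_PASSWORD_FROM_LOCALHOST', False))`. The default of False keeps the fallback off unless the deployment opts in, which is the right direction for a check that relaxes authentication. do_auth begins before this hunk; only the lines shown here are under review.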
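Review bot: authenticate still has no docstring, and the new allow_plain_password_from_localhost parameter is the kind of flag whose effect a reader cannot guess from the signature alone. The docstring should state that the function returns a (result, message) pair, that an empty password fails immediately, and that when allow_plain_password_from_localhost is true and source_ip is exactly '127.0.0.1' a failed app-specific-password check falls through to the main-password path instead of being final, while in every other case the app-specific-password result is returned as is. It should also name password_only and source_ip, whose semantics are otherwise only visible from the callers. The remainder of authenticate's body lies outside this hunk.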
@@ -47,7 +48,11 @@ def authenticate(user, service, password, otp_token, source_ip=None,
     if user.app_specific_passwords_enabled():
         result = _check_app_specific_password(
             user.get_app_specific_passwords(service), password)
-        if result == protocol.OK or source_ip != '127.0.0.1':
+        # If allow_plain_password_from_localhost is set to False,
+        # return the ASP check result in any case. Otherwise fall
+        # back to plain password check (if the host is localhost).
+        if result == protocol.OK or (
+                not allow_plain_password_from_localhost or source_ip != '127.0.0.1'):
             return result
 
     # If OTP is enabled for this account, require it along with the
diff --git a/authserv/test/test_auth.py b/authserv/test/test_auth.py
index 7a05011..fd9cdfc 100644
--- a/authserv/test/test_auth.py
+++ b/authserv/test/test_auth.py
@@ -62,12 +62,20 @@ class AuthTest(unittest.TestCase):
             protocol.ERR_AUTHENTICATION_FAILURE,
             authenticate(u, 'svc', 'pass', None, '1.2.3.4')[0])
 
-    def test_app_specific_password_ok_with_main_password_from_localhost(self):
+    def test_app_specific_password_with_main_password_from_localhost(self):
         u = FakeUser('user', 'pass', asps=[
             ('svc', crypt.crypt('app-specific', 'zz'))])
+        # Result should be OK if the flag is set to True.
         self.assertEquals(
             protocol.OK,
-            authenticate(u, 'svc', 'pass', None, '127.0.0.1')[0])
+            authenticate(u, 'svc', 'pass', None, '127.0.0.1',
+                         allow_plain_password_from_localhost=True)[0])
+        # Expect authentication failure if
+        # allow_plain_password_from_localhost is False.
+        self.assertEquals(
+            protocol.ERR_AUTHENTICATION_FAILURE,
+            authenticate(u, 'svc', 'pass', None, '127.0.0.1',
+                         allow_plain_password_from_localhost=False)[0])
 
     def test_app_specific_password_fail(self):
         u = FakeUser('user', 'pass', asps=[
-- 
GitLab
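Review bot: The fallback condition on the new `if` line is harder to read than it needs to be: the parenthesised group is itself a plain `or`, so the whole test is a three-way `or` whose intent (return the ASP result unless the flag is on and the caller is local) is buried under two negations. Naming the fallback case first keeps the same truth table and reads as the comment describes it: `local_fallback = (allow_plain_password_from_localhost and source_ip == '127.0.0.1')` followed by `if result == protocol.OK or not local_fallback:`. Two facts about the check deserve a line in the comment: it compares against the literal IPv4 loopback only, so `::1` and other 127/8 addresses never get the fallback (fail-closed, but surprising next to a flag named "localhost"), and the value of `source_ip` is now the sole basis for accepting the main password where an app-specific one was expected, so if it is reported by the calling service rather than taken from the connection that trust boundary should be stated where the flag is documented. The rest of authenticate's body lies outside this hunk.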
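Review bot: The renamed test pins both flag values from 127.0.0.1 but not the case the flag must never widen: the flag set to True with a non-local source_ip, which the preceding test exercises only with the default False. Adding that case guards the exact boundary the feature is named after, and would catch a future change that drops or loosens the loopback comparison. The added lines also continue to use `assertEquals`, the deprecated alias of `assertEqual`. AuthTest's class body continues outside this hunk.
```python
    def test_app_specific_password_main_password_not_from_localhost(self):
        # The flag must open the fallback for 127.0.0.1 only.
        u = FakeUser('user', 'pass', asps=[
            ('svc', crypt.crypt('app-specific', 'zz'))])
        self.assertEqual(
            protocol.ERR_AUTHENTICATION_FAILURE,
            authenticate(u, 'svc', 'pass', None, '1.2.3.4',
                         allow_plain_password_from_localhost=True)[0])
```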