remove pbkdf2 upgrade path (#18736)

2018-11-27 04:42:56 -05:00 · 2018-11-27 04:42:56 -05:00 · 4f2e7fc912
commit 4f2e7fc912
parent c2f8dfcb9f
2 changed files with 0 additions and 120 deletions
--- a/homeassistant/auth/providers/homeassistant.py
+++ b/homeassistant/auth/providers/homeassistant.py
@ -1,8 +1,6 @@
 """Home Assistant auth provider."""
 import base64
 from collections import OrderedDict
-import hashlib
-import hmac
 from typing import Any, Dict, List, Optional, cast

 import bcrypt
@ -11,7 +9,6 @@ import voluptuous as vol
 from homeassistant.const import CONF_ID
 from homeassistant.core import callback, HomeAssistant
 from homeassistant.exceptions import HomeAssistantError
-from homeassistant.util.async_ import run_coroutine_threadsafe

 from . import AuthProvider, AUTH_PROVIDER_SCHEMA, AUTH_PROVIDERS, LoginFlow

@ -94,39 +91,11 @@ class Data:

        user_hash = base64.b64decode(found['password'])

-        # if the hash is not a bcrypt hash...
-        # provide a transparant upgrade for old pbkdf2 hash format
-        if not (user_hash.startswith(b'$2a$')
-                or user_hash.startswith(b'$2b$')
-                or user_hash.startswith(b'$2x$')
-                or user_hash.startswith(b'$2y$')):
-            # IMPORTANT! validate the login, bail if invalid
-            hashed = self.legacy_hash_password(password)
-            if not hmac.compare_digest(hashed, user_hash):
-                raise InvalidAuth
-            # then re-hash the valid password with bcrypt
-            self.change_password(found['username'], password)
-            run_coroutine_threadsafe(
-                self.async_save(), self.hass.loop
-            ).result()
-            user_hash = base64.b64decode(found['password'])
-
        # bcrypt.checkpw is timing-safe
        if not bcrypt.checkpw(password.encode(),
                              user_hash):
            raise InvalidAuth

-    def legacy_hash_password(self, password: str,
-                             for_storage: bool = False) -> bytes:
-        """LEGACY password encoding."""
-        # We're no longer storing salts in data, but if one exists we
-        # should be able to retrieve it.
-        salt = self._data['salt'].encode()  # type: ignore
-        hashed = hashlib.pbkdf2_hmac('sha512', password.encode(), salt, 100000)
-        if for_storage:
-            hashed = base64.b64encode(hashed)
-        return hashed
-
    # pylint: disable=no-self-use
    def hash_password(self, password: str, for_storage: bool = False) -> bytes:
        """Encode a password."""