Merge pull request #667 from kaiyou/fix-password-performance

Improve password checking performance
master
mergify[bot] 6 years ago committed by GitHub
commit 4a5c0a6d21
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23

@ -12,7 +12,7 @@ import docker
import socket import socket
import uuid import uuid
from werkzeug.contrib import fixers from werkzeug.contrib import fixers, profiler
# Create application # Create application
app = flask.Flask(__name__) app = flask.Flask(__name__)
@ -62,7 +62,10 @@ default_config = {
'HOST_IMAP': 'imap', 'HOST_IMAP': 'imap',
'HOST_POP3': 'imap', 'HOST_POP3': 'imap',
'HOST_SMTP': 'smtp', 'HOST_SMTP': 'smtp',
'HOST_WEBMAIL': 'webmail',
'HOST_FRONT': 'front',
'HOST_AUTHSMTP': os.environ.get('HOST_SMTP', 'smtp'), 'HOST_AUTHSMTP': os.environ.get('HOST_SMTP', 'smtp'),
'POD_ADDRESS_RANGE': None
} }
# Load configuration from the environment if available # Load configuration from the environment if available
@ -80,6 +83,10 @@ if app.config.get("DEBUG"):
import flask_debugtoolbar import flask_debugtoolbar
toolbar = flask_debugtoolbar.DebugToolbarExtension(app) toolbar = flask_debugtoolbar.DebugToolbarExtension(app)
# Profiler
if app.config.get("DEBUG"):
app.wsgi_app = profiler.ProfilerMiddleware(app.wsgi_app, restrictions=[30])
# Manager commnad # Manager commnad
manager = flask_script.Manager(app) manager = flask_script.Manager(app)
manager.add_command('db', flask_migrate.MigrateCommand) manager.add_command('db', flask_migrate.MigrateCommand)
@ -129,4 +136,5 @@ class PrefixMiddleware(object):
environ['SCRIPT_NAME'] = prefix environ['SCRIPT_NAME'] = prefix
return self.app(environ, start_response) return self.app(environ, start_response)
app.wsgi_app = PrefixMiddleware(fixers.ProxyFix(app.wsgi_app)) app.wsgi_app = PrefixMiddleware(fixers.ProxyFix(app.wsgi_app))
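Review bot: `'POD_ADDRESS_RANGE': None` is added to default_config without a comment, yet later in this commit the value is passed unchanged into the Dovecot `allow_nets` field of a passdb reply that also sets `nopassword`. The environment string therefore decides which source addresses are accepted without a password check. I would document that beside the key, e.g. `# CIDR passed to Dovecot allow_nets for password-less passdb replies; keep it as narrow as possible`, and reject malformed values at startup with `ipaddress.ip_network(...)`. As a style point, the new `# Profiler` block repeats the `if app.config.get("DEBUG"):` test of the block directly above it and could be folded into that block.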

@ -1,14 +1,24 @@
from mailu import db, models from mailu import db, models, app
from mailu.internal import internal from mailu.internal import internal
import flask import flask
import socket
@internal.route("/dovecot/passdb/<user_email>") @internal.route("/dovecot/passdb/<user_email>")
def dovecot_passdb_dict(user_email): def dovecot_passdb_dict(user_email):
user = models.User.query.get(user_email) or flask.abort(404) user = models.User.query.get(user_email) or flask.abort(404)
allow_nets = []
allow_nets.append(
app.config.get("POD_ADDRESS_RANGE") or
socket.gethostbyname(app.config["HOST_FRONT"])
)
allow_nets.append(socket.gethostbyname(app.config["HOST_WEBMAIL"]))
print(allow_nets)
return flask.jsonify({ return flask.jsonify({
"password": user.password, "password": None,
"nopassword": "Y",
"allow_nets": ",".join(allow_nets)
}) })
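Review bot: With `"nopassword": "Y"` and `"password": None` the reply tells Dovecot not to check a password, so `allow_nets` becomes the only restriction on this passdb, and it is built from `socket.gethostbyname` lookups made on every request. A resolver failure raises `socket.gaierror` and surfaces as a 500, while a stale or wrong answer silently changes the trusted address. I would resolve once or cache the result, catch the lookup error and refuse the request rather than return a partial list. A docstring should state that the password is expected to have been verified upstream before the connection reaches Dovecot; that is an assumption, since the upstream check is not visible in this section. `print(allow_nets)` looks like leftover debugging and should be dropped or become `app.logger.debug("allow_nets=%s", allow_nets)`.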

@ -276,7 +276,8 @@ class User(Base, Email):
else: else:
return self.email return self.email
scheme_dict = {'BLF-CRYPT': "bcrypt", scheme_dict = {'PBKDF2': "pbkdf2_sha512",
'BLF-CRYPT': "bcrypt",
'SHA512-CRYPT': "sha512_crypt", 'SHA512-CRYPT': "sha512_crypt",
'SHA256-CRYPT': "sha256_crypt", 'SHA256-CRYPT': "sha256_crypt",
'MD5-CRYPT': "md5_crypt", 'MD5-CRYPT': "md5_crypt",
@ -287,8 +288,14 @@ class User(Base, Email):
) )
def check_password(self, password): def check_password(self, password):
context = User.pw_context
reference = re.match('({[^}]+})?(.*)', self.password).group(2) reference = re.match('({[^}]+})?(.*)', self.password).group(2)
return User.pw_context.verify(password, reference) result = context.verify(password, reference)
if result and context.identify(reference) != context.default_scheme():
self.set_password(password)
db.session.add(self)
db.session.commit()
return result
def set_password(self, password, hash_scheme=app.config['PASSWORD_SCHEME'], raw=False): def set_password(self, password, hash_scheme=app.config['PASSWORD_SCHEME'], raw=False):
"""Set password for user with specified encryption scheme """Set password for user with specified encryption scheme
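Review bot: check_password now has a write side effect: after a successful verify of a non-default scheme it calls `db.session.commit()`. That commit also flushes anything else pending in the session, and if it raises, a correct password becomes an error for the caller. I would isolate the upgrade so a failure is rolled back and logged while `result` is still returned, and add a docstring saying the method may re-hash and persist the password. passlib's `context.verify_and_update(password, reference)` does the check and produces the replacement hash in one call, and it also covers outdated parameters rather than only a different scheme. Whether `context.default_scheme()` follows `PASSWORD_SCHEME` depends on the pw_context definition, which lies outside these hunks; if the two differ, every login would re-hash.

```python
def check_password(self, password):
    # … unchanged: context / reference lookup and context.verify(...) …
    if result and context.identify(reference) != context.default_scheme():
        try:
            self.set_password(password)
            db.session.add(self)
            db.session.commit()
        except Exception:
            # The password was correct; a failed upgrade must not fail the login.
            db.session.rollback()
            app.logger.exception("password re-hash failed for %s", self.email)
    return result
```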

@ -130,8 +130,8 @@ LOG_DRIVER=json-file
COMPOSE_PROJECT_NAME=mailu COMPOSE_PROJECT_NAME=mailu
# Default password scheme used for newly created accounts and changed passwords # Default password scheme used for newly created accounts and changed passwords
# (value: BLF-CRYPT, SHA512-CRYPT, SHA256-CRYPT, MD5-CRYPT, CRYPT) # (value: PBKDF2, BLF-CRYPT, SHA512-CRYPT, SHA256-CRYPT)
PASSWORD_SCHEME=BLF-CRYPT PASSWORD_SCHEME=PBKDF2
# Header to take the real ip from # Header to take the real ip from
REAL_IP_HEADER= REAL_IP_HEADER=
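Review bot: The comment above `PASSWORD_SCHEME` still says the value applies to "newly created accounts and changed passwords", which no longer matches this commit's check_password change. A hash stored in another scheme is now replaced at the user's next successful login, so changing this default also migrates existing accounts. I would add a line such as `# Hashes stored in another scheme are converted to this one at the next successful login`. The value list drops MD5-CRYPT and CRYPT while `scheme_dict` in this commit still lists MD5-CRYPT, so it is worth noting that those remain accepted for verifying old hashes. This assumes pw_context's default follows PASSWORD_SCHEME, which the page does not show.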
