furtka/furtka/passwd.py

"""Stdlib-only password hashing, compatible with werkzeug's hash format.

Why this exists: 26.11-alpha introduced auth via ``werkzeug.security``,
but the target system doesn't have ``werkzeug`` installed (Core runs as
system Python with only the stdlib — pyproject.toml's ``flask>=3.0``
dep is never pip-installed on the box). Fresh installs from a 26.11 /
26.12 ISO crashed on import; upgrades from pre-auth versions were
double-broken by that plus a too-strict updater health check.

Fix: replace werkzeug with stdlib equivalents using the same hash
**format** so existing ``users.json`` files created by 26.11 / 26.12 on
the rare boxes that happened to have werkzeug installed (Medion, .196
after manual pacman) still verify.

Format: ``<method>$<salt>$<hex digest>``
  - ``pbkdf2:<hash>:<iterations>`` — what we generate by default here
  - ``scrypt:<N>:<r>:<p>``          — what werkzeug's default produces
Both are implemented via ``hashlib`` which has been stdlib since 3.6.
"""

from __future__ import annotations

import hashlib
import hmac
import secrets

_PBKDF2_HASH = "sha256"
_PBKDF2_ITERATIONS = 600_000
_SALT_LEN = 16


def hash_password(password: str) -> str:
    """Return a ``pbkdf2:sha256:<iter>$<salt>$<hex>`` hash of *password*.

    PBKDF2-SHA256 over UTF-8. 600k iterations — same as werkzeug's
    default in the 3.x series, roughly OWASP 2023's recommendation.
    """
    if not isinstance(password, str):
        raise TypeError("password must be str")
    salt = secrets.token_urlsafe(_SALT_LEN)[:_SALT_LEN]
    dk = hashlib.pbkdf2_hmac(
        _PBKDF2_HASH, password.encode("utf-8"), salt.encode("utf-8"), _PBKDF2_ITERATIONS
    )
    return f"pbkdf2:{_PBKDF2_HASH}:{_PBKDF2_ITERATIONS}${salt}${dk.hex()}"


def verify_password(password: str, hashed: str) -> bool:
    """Constant-time verify *password* against a stored *hashed* value.

    Accepts both our own pbkdf2 hashes and legacy werkzeug scrypt
    hashes in ``scrypt:N:r:p$salt$hex`` form — so users.json files
    written by 26.11 / 26.12 keep working after upgrade.
    """
    if not isinstance(password, str) or not isinstance(hashed, str):
        return False
    try:
        method, salt, expected = hashed.split("$", 2)
    except ValueError:
        return False
    parts = method.split(":")
    if not parts:
        return False
    algo = parts[0]
    pw_bytes = password.encode("utf-8")
    salt_bytes = salt.encode("utf-8")
    try:
        if algo == "pbkdf2":
            if len(parts) < 3:
                return False
            inner_hash = parts[1]
            iterations = int(parts[2])
            dk = hashlib.pbkdf2_hmac(inner_hash, pw_bytes, salt_bytes, iterations)
        elif algo == "scrypt":
            # werkzeug: scrypt:N:r:p, dklen=64, maxmem=132 MiB. Without
            # the explicit maxmem we'd hit OpenSSL's default memory cap
            # and throw ValueError on N >= 32768.
            if len(parts) < 4:
                return False
            n = int(parts[1])
            r = int(parts[2])
            p = int(parts[3])
            dk = hashlib.scrypt(
                pw_bytes,
                salt=salt_bytes,
                n=n,
                r=r,
                p=p,
                dklen=64,
                maxmem=132 * 1024 * 1024,
            )
        else:
            return False
    except (ValueError, TypeError, OverflowError):
        return False
    return hmac.compare_digest(dk.hex(), expected)
fix: unbreak upgrade path + install-lock race Three interlocking issues that made 26.11/26.12 effectively un-upgradable from pre-auth versions without manual pacman + symlink surgery. Caught while SSH-testing the .196 VM which landed on a rollback loop after every Update-now click. 1. auth.py imported werkzeug.security, but the target system runs core as bare system Python — neither flask nor werkzeug are pip-installed. Fresh 26.11+ boxes died on import. Replaced with a 50-line stdlib `furtka/passwd.py` using hashlib.pbkdf2_hmac for new hashes and parsing werkzeug's `scrypt:N:r:p$salt$hex` format for backward-read so existing users.json survives. 2. updater._health_check pinged /api/apps expecting 200. Post- auth, /api/apps returns 401 for unauth requests → HTTPError caught as URLError → retry loop → 30s timeout → rollback. Now any 2xx-4xx counts as "server alive"; only 5xx / connection errors fail. Server responding at all is proof it came back up. 3. _do_install released the fcntl lock between sync pre-validation and the systemd-run dispatch. A second POST could slip in, pass the lock check, return 202, and leave its install-bg child to die silently on the in-child lock. Now the API also reads install-state.json and refuses 409 on non-terminal stages — the state file is the reliable signal, the fcntl lock is defence in depth. Test coverage: - tests/test_passwd.py (new, 6 cases): roundtrip, salt uniqueness, format shape, werkzeug scrypt backward-compat against a real hash captured from the .196 box, malformed + non-string rejection. - tests/test_updater.py: +3 cases for _health_check — 4xx=healthy, 5xx=unhealthy, URLError retry loop. - tests/test_api.py: +2 cases for install 409 on non-terminal state + 202 after terminal. All 267 tests green, ruff check + format clean. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> 2026-04-21 17:03:28 +02:00			`"""Stdlib-only password hashing, compatible with werkzeug's hash format.`

			Why this exists: 26.11-alpha introduced auth via ``werkzeug.security``,
			but the target system doesn't have ``werkzeug`` installed (Core runs as
			system Python with only the stdlib — pyproject.toml's ``flask>=3.0``
			`dep is never pip-installed on the box). Fresh installs from a 26.11 /`
			`26.12 ISO crashed on import; upgrades from pre-auth versions were`
			`double-broken by that plus a too-strict updater health check.`

			`Fix: replace werkzeug with stdlib equivalents using the same hash`
			format so existing ``users.json`` files created by 26.11 / 26.12 on
			`the rare boxes that happened to have werkzeug installed (Medion, .196`
			`after manual pacman) still verify.`

			Format: ``<method>$<salt>$<hex digest>``
			- ``pbkdf2:<hash>:<iterations>`` — what we generate by default here
			- ``scrypt:<N>:<r>:<p>`` — what werkzeug's default produces
			Both are implemented via ``hashlib`` which has been stdlib since 3.6.
			`"""`

			`from __future__ import annotations`

			`import hashlib`
			`import hmac`
			`import secrets`

			`_PBKDF2_HASH = "sha256"`
			`_PBKDF2_ITERATIONS = 600_000`
			`_SALT_LEN = 16`


			`def hash_password(password: str) -> str:`
			"""Return a ``pbkdf2:sha256:<iter>$<salt>$<hex>`` hash of password.

			`PBKDF2-SHA256 over UTF-8. 600k iterations — same as werkzeug's`
			`default in the 3.x series, roughly OWASP 2023's recommendation.`
			`"""`
			`if not isinstance(password, str):`
			`raise TypeError("password must be str")`
			`salt = secrets.token_urlsafe(_SALT_LEN)[:_SALT_LEN]`
			`dk = hashlib.pbkdf2_hmac(`
			`_PBKDF2_HASH, password.encode("utf-8"), salt.encode("utf-8"), _PBKDF2_ITERATIONS`
			`)`
			`return f"pbkdf2:{_PBKDF2_HASH}:{_PBKDF2_ITERATIONS}${salt}${dk.hex()}"`


			`def verify_password(password: str, hashed: str) -> bool:`
			`"""Constant-time verify password against a stored hashed value.`

			`Accepts both our own pbkdf2 hashes and legacy werkzeug scrypt`
			hashes in ``scrypt:N:r:p$salt$hex`` form — so users.json files
			`written by 26.11 / 26.12 keep working after upgrade.`
			`"""`
			`if not isinstance(password, str) or not isinstance(hashed, str):`
			`return False`
			`try:`
			`method, salt, expected = hashed.split("$", 2)`
			`except ValueError:`
			`return False`
			`parts = method.split(":")`
			`if not parts:`
			`return False`
			`algo = parts[0]`
			`pw_bytes = password.encode("utf-8")`
			`salt_bytes = salt.encode("utf-8")`
			`try:`
			`if algo == "pbkdf2":`
			`if len(parts) < 3:`
			`return False`
			`inner_hash = parts[1]`
			`iterations = int(parts[2])`
			`dk = hashlib.pbkdf2_hmac(inner_hash, pw_bytes, salt_bytes, iterations)`
			`elif algo == "scrypt":`
			`# werkzeug: scrypt:N:r:p, dklen=64, maxmem=132 MiB. Without`
			`# the explicit maxmem we'd hit OpenSSL's default memory cap`
			`# and throw ValueError on N >= 32768.`
			`if len(parts) < 4:`
			`return False`
			`n = int(parts[1])`
			`r = int(parts[2])`
			`p = int(parts[3])`
			`dk = hashlib.scrypt(`
			`pw_bytes,`
			`salt=salt_bytes,`
			`n=n,`
			`r=r,`
			`p=p,`
			`dklen=64,`
			`maxmem=132 * 1024 * 1024,`
			`)`
			`else:`
			`return False`
			`except (ValueError, TypeError, OverflowError):`
			`return False`
			`return hmac.compare_digest(dk.hex(), expected)`