From 505b3b198ed00bcb32678eb10b1f8d30826caec1 Mon Sep 17 00:00:00 2001 From: Fabian Affolter Date: Sat, 19 Mar 2016 22:15:23 +0100 Subject: [PATCH] Allow encrypted passwords --- homeassistant/components/http.py | 24 ++++++++++++++++++------ script/gen_hash.py | 15 +++++++++++++++ 2 files changed, 33 insertions(+), 6 deletions(-) create mode 100755 script/gen_hash.py diff --git a/homeassistant/components/http.py b/homeassistant/components/http.py index 7c252385d5d..5084440b0ea 100644 --- a/homeassistant/components/http.py +++ b/homeassistant/components/http.py @@ -32,6 +32,8 @@ from homeassistant.const import ( DOMAIN = "http" +REQUIREMENTS = ["passlib==1.6.5"] + CONF_API_PASSWORD = "api_password" CONF_SERVER_HOST = "server_host" CONF_SERVER_PORT = "server_port" @@ -176,6 +178,8 @@ class RequestHandler(SimpleHTTPRequestHandler): def _handle_request(self, method): # pylint: disable=too-many-branches """Perform some common checks and call appropriate method.""" + from passlib import hash + url = urlparse(self.path) # Read query input. parse_qs gives a list for each value, we want last @@ -198,12 +202,20 @@ class RequestHandler(SimpleHTTPRequestHandler): "Error parsing JSON", HTTP_UNPROCESSABLE_ENTITY) return - self.authenticated = (self.server.api_password is None or - self.headers.get(HTTP_HEADER_HA_AUTH) == - self.server.api_password or - data.get(DATA_API_PASSWORD) == - self.server.api_password or - self.verify_session()) + try: + self.authenticated = (hash.sha256_crypt.verify( + self.headers.get(HTTP_HEADER_HA_AUTH), + self.server.api_password) or + hash.sha256_crypt.verify( + data.get(DATA_API_PASSWORD), + self.server.api_password) or + self.verify_session()) + except (TypeError, ValueError): + self.authenticated = (self.server.api_password is None or + self.headers.get(HTTP_HEADER_HA_AUTH) == + self.server.api_password or + data.get(DATA_API_PASSWORD) == + self.server.api_password) if '_METHOD' in data: method = data.pop('_METHOD') 
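Review bot: `from passlib import hash` in the `@@ -176,6 +178,8 @@` hunk rebinds the builtin `hash` for the whole body of `_handle_request`, which pylint reports as redefined-builtin. Importing the handler directly, `from passlib.hash import sha256_crypt`, avoids the shadowing and shortens the call sites to `sha256_crypt.verify(...)`. The function body continues outside this hunk, so any later use of the builtin there would need checking as well.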
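Review bot: In the `@@ -198,12 +202,20 @@` hunk the `except (TypeError, ValueError)` fallback compares the presented value directly with `self.server.api_password`, so once a hash is configured, the hash string itself is accepted as the password whenever `verify()` raises. As far as I know passlib raises `TypeError` for a `None` secret, which is the normal case when the `HTTP_HEADER_HA_AUTH` header is absent. For those requests the body-password check and `self.verify_session()` in the `try` branch are never reached, and the fallback has no `verify_session()` at all. I would decide once whether the configured value is a hash with `hash.sha256_crypt.identify(...)`, verify only string candidates against it, and keep `self.verify_session()` outside the branch, as sketched below. `_handle_request` starts and ends outside this hunk.

```python
        # … unchanged: query and JSON body parsing …
        configured = self.server.api_password
        candidates = [value for value in (
            self.headers.get(HTTP_HEADER_HA_AUTH),
            data.get(DATA_API_PASSWORD)) if isinstance(value, str)]

        if configured is None:
            password_ok = True
        elif hash.sha256_crypt.identify(configured):
            # Hashed configuration: only a password that verifies against
            # the hash is accepted, never the hash string itself.
            # A malformed hash may still make verify() raise ValueError;
            # that is better rejected when the configuration is loaded.
            password_ok = any(hash.sha256_crypt.verify(value, configured)
                              for value in candidates)
        else:
            password_ok = any(value == configured for value in candidates)

        self.authenticated = password_ok or self.verify_session()
        # … unchanged: '_METHOD' handling …
```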
diff --git a/script/gen_hash.py b/script/gen_hash.py
new file mode 100755
index 00000000000..8d96c1f4e07
--- /dev/null
+++ b/script/gen_hash.py
@@ -0,0 +1,15 @@
+#!/usr/bin/python3
+"""Generate hashes from given strings."""
+import getpass
+from passlib import hash
+
+response1 = getpass.getpass('Please enter your string/password/API key: ')
+response2 = getpass.getpass('Please enter the string/password/API key again: ')
+
+hashed = hash.sha256_crypt.encrypt(response1)
+
+if hash.sha256_crypt.verify(response2, hashed):
+ print('Put the hash in your configuration.yaml file.')
+ print(hashed)
+else:
+ print('No match! Please try again.')
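Review bot: `response1` is hashed without checking that it is non-empty, so pressing Enter at both prompts prints a valid-looking hash of the empty string to paste into configuration.yaml. Add `if not response1: raise SystemExit('Empty input, nothing to hash.')` before the `encrypt` call. The mismatch branch only prints and therefore exits with status 0; `raise SystemExit('No match! Please try again.')` would let callers detect the failure. The prompts also run at import time because nothing is behind an `if __name__ == '__main__':` guard, and `from passlib import hash` shadows the builtin here as it does in http.py.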