Home Esplora Aiuto
Accedi
piratas
/
biblioteca
Segui 2
Vota 0
Forka 0
File Problemi 6 Pull Requests 0 Wiki
Ramo (Branch): master
Rami (Branch) Tag
biblioteca
/
mediagoblin
/
plugins
/
basic_auth
/
tools.py

tools.py 4.1 KB
Permalink Cronologia Originale

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124 
  1. # GNU MediaGoblin -- federated, autonomous media hosting
    2. 

  2. # Copyright (C) 2011, 2012 MediaGoblin contributors.  See AUTHORS.
    3. 

  3. #
    4. 

  4. # This program is free software: you can redistribute it and/or modify
    5. 

  5. # it under the terms of the GNU Affero General Public License as published by
    6. 

  6. # the Free Software Foundation, either version 3 of the License, or
    7. 

  7. # (at your option) any later version.
    8. 

  8. #
    9. 

  9. # This program is distributed in the hope that it will be useful,
    10. 

  10. # but WITHOUT ANY WARRANTY; without even the implied warranty of
    11. 

  11. # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    12. 

  12. # GNU Affero General Public License for more details.
    13. 

  13. #
    14. 

  14. # You should have received a copy of the GNU Affero General Public License
    15. 

  15. # along with this program.  If not, see <http://www.gnu.org/licenses/>.
    16. 

  16. import bcrypt
    17. 

  17. import random
    18. 

  18. 

  19. import six
    20. 

  20. 

  21. from mediagoblin import mg_globals
    22. 

  22. from mediagoblin.tools.crypto import get_timed_signer_url
    23. 

  23. from mediagoblin.tools.mail import send_email
    24. 

  24. from mediagoblin.tools.template import render_template
    25. 

  25. 

  26. 

  27. def bcrypt_check_password(raw_pass, stored_hash, extra_salt=None):
    28. 

  28.     """
    29. 

  29.     Check to see if this password matches.
    30. 

  30. 

  31.     Args:
    32. 

  32.     - raw_pass: user submitted password to check for authenticity.
    33. 

  33.     - stored_hash: The hash of the raw password (and possibly extra
    34. 

  34.       salt) to check against
    35. 

  35.     - extra_salt: (optional) If this password is with stored with a
    36. 

  36.       non-database extra salt (probably in the config file) for extra
    37. 

  37.       security, factor this into the check.
    38. 

  38. 

  39.     Returns:
    40. 

  40.       True or False depending on success.
    41. 

  41.     """
    42. 

  42.     if extra_salt:
    43. 

  43.         raw_pass = u"%s:%s" % (extra_salt, raw_pass)
    44. 

  44. 

  45.     hashed_pass = bcrypt.hashpw(raw_pass.encode('utf-8'), stored_hash)
    46. 

  46. 

  47.     # Reduce risk of timing attacks by hashing again with a random
    48. 

  48.     # number (thx to zooko on this advice, which I hopefully
    49. 

  49.     # incorporated right.)
    50. 

  50.     #
    51. 

  51.     # See also:
    52. 

  52.     rand_salt = bcrypt.gensalt(5)
    53. 

  53.     randplus_stored_hash = bcrypt.hashpw(stored_hash, rand_salt)
    54. 

  54.     randplus_hashed_pass = bcrypt.hashpw(hashed_pass, rand_salt)
    55. 

  55. 

  56.     return randplus_stored_hash == randplus_hashed_pass
    57. 

  57. 

  58. 

  59. def bcrypt_gen_password_hash(raw_pass, extra_salt=None):
    60. 

  60.     """
    61. 

  61.     Generate a salt for this new password.
    62. 

  62. 

  63.     Args:
    64. 

  64.     - raw_pass: user submitted password
    65. 

  65.     - extra_salt: (optional) If this password is with stored with a
    66. 

  66.       non-database extra salt
    67. 

  67.     """
    68. 

  68.     if extra_salt:
    69. 

  69.         raw_pass = u"%s:%s" % (extra_salt, raw_pass)
    70. 

  70. 

  71.     return six.text_type(
    72. 

  72.         bcrypt.hashpw(raw_pass.encode('utf-8'), bcrypt.gensalt()))
    73. 

  73. 

  74. 

  75. def fake_login_attempt():
    76. 

  76.     """
    77. 

  77.     Pretend we're trying to login.
    78. 

  78. 

  79.     Nothing actually happens here, we're just trying to take up some
    80. 

  80.     time, approximately the same amount of time as
    81. 

  81.     bcrypt_check_password, so as to avoid figuring out what users are
    82. 

  82.     on the system by intentionally faking logins a bunch of times.
    83. 

  83.     """
    84. 

  84.     rand_salt = bcrypt.gensalt(5)
    85. 

  85. 

  86.     hashed_pass = bcrypt.hashpw(str(random.random()), rand_salt)
    87. 

  87. 

  88.     randplus_stored_hash = bcrypt.hashpw(str(random.random()), rand_salt)
    89. 

  89.     randplus_hashed_pass = bcrypt.hashpw(hashed_pass, rand_salt)
    90. 

  90. 

  91.     randplus_stored_hash == randplus_hashed_pass
    92. 

  92. 

  93. 

  94. EMAIL_FP_VERIFICATION_TEMPLATE = (
    95. 

  95.     u"{uri}?"
    96. 

  96.     u"token={fp_verification_key}")
    97. 

  97. 

  98. 

  99. def send_fp_verification_email(user, request):
    100. 

  100.     """
    101. 

  101.     Send the verification email to users to change their password.
    102. 

  102. 

  103.     Args:
    104. 

  104.     - user: a user object
    105. 

  105.     - request: the request
    106. 

  106.     """
    107. 

  107.     fp_verification_key = get_timed_signer_url('mail_verification_token') \
    108. 

  108.             .dumps(user.id)
    109. 

  109. 

  110.     rendered_email = render_template(
    111. 

  111.         request, 'mediagoblin/plugins/basic_auth/fp_verification_email.txt',
    112. 

  112.         {'username': user.username,
    113. 

  113.          'verification_url': EMAIL_FP_VERIFICATION_TEMPLATE.format(
    114. 

  114.              uri=request.urlgen('mediagoblin.plugins.basic_auth.verify_forgot_password',
    115. 

  115.                                 qualified=True),
    116. 

  116.              fp_verification_key=fp_verification_key)})
    117. 

  117. 

  118.     # TODO: There is no error handling in place
    119. 

  119.     send_email(
    120. 

  120.         mg_globals.app_config['email_sender_address'],
    121. 

  121.         [user.email],
    122. 

  122.         'GNU MediaGoblin - Change forgotten password!',
    123. 

  123.         rendered_email)
    124. 

  124.