Try to improve semantic : s_hash -> s_token

This commit is contained in:
Alexandre Aubin 2019-08-20 19:53:51 +02:00
parent bcaf8b2e4a
commit 3822496622
2 changed files with 22 additions and 22 deletions


@ -76,7 +76,7 @@ class BaseAuthenticator(object):
instance is returned and the session is registered for the token
if 'token' and 'password' are given.
The token is composed by the session identifier and a session
hash - to use for encryption - as a 2-tuple.
hash (the "true token") - to use for encryption - as a 2-tuple.
Keyword arguments:
- password -- A clear text password
@ -92,8 +92,8 @@ class BaseAuthenticator(object):
if token:
try:
# Extract id and hash from token
s_id, s_hash = token
# Extract id and actual token
s_id, s_token = token
except TypeError as e:
logger.error("unable to extract token parts from '%s' because '%s'", token, e)
if password is None:
@ -104,7 +104,7 @@ class BaseAuthenticator(object):
else:
if password is None:
# Retrieve session
password = self._retrieve_session(s_id, s_hash)
password = self._retrieve_session(s_id, s_token)
try:
# Attempt to authenticate
@ -119,7 +119,7 @@ class BaseAuthenticator(object):
# Store session
if store_session:
try:
self._store_session(s_id, s_hash, password)
self._store_session(s_id, s_token, password)
except Exception as e:
import traceback
traceback.print_exc()
@ -136,19 +136,19 @@ class BaseAuthenticator(object):
return open_cachefile('%s.asc' % session_id, mode,
subdir='session/%s' % self.name)
def _store_session(self, session_id, session_hash, password):
def _store_session(self, session_id, session_token, password):
"""Store a session and its associated password"""
gpg = gnupg.GPG()
gpg.encoding = 'utf-8'
# Encrypt the password using the session hash
s = str(gpg.encrypt(password, None, symmetric=True, passphrase=session_hash))
# Encrypt the password using the session token
s = str(gpg.encrypt(password, None, symmetric=True, passphrase=session_token))
assert len(s), "For some reason GPG can't perform encryption, maybe check /root/.gnupg/gpg.conf or re-run with gpg = gnupg.GPG(verbose=True) ?"
with self._open_sessionfile(session_id, 'w') as f:
f.write(s)
def _retrieve_session(self, session_id, session_hash):
def _retrieve_session(self, session_id, session_token):
"""Retrieve a session and return its associated password"""
try:
with self._open_sessionfile(session_id, 'r') as f:
@ -160,7 +160,7 @@ class BaseAuthenticator(object):
gpg = gnupg.GPG()
gpg.encoding = 'utf-8'
decrypted = gpg.decrypt(enc_pwd, passphrase=session_hash)
decrypted = gpg.decrypt(enc_pwd, passphrase=session_token)
if decrypted.ok is not True:
error_message = "unable to decrypt password for the session: %s" % decrypted.status
logger.error(error_message)


@ -332,18 +332,18 @@ class _ActionsMapPlugin(object):
try:
s_secret = self.secrets[s_id]
except KeyError:
s_hashes = {}
s_tokens = {}
else:
s_hashes = request.get_cookie('session.hashes',
s_tokens = request.get_cookie('session.tokens',
secret=s_secret) or {}
s_hash = random_ascii()
s_new_token = random_ascii()
try:
# Attempt to authenticate
authenticator = self.actionsmap.get_authenticator_for_profile(profile)
authenticator(password, token=(s_id, s_hash))
authenticator(password, token=(s_id, s_new_token))
except MoulinetteError as e:
if len(s_hashes) > 0:
if len(s_tokens) > 0:
try:
self.logout(profile)
except:
@ -351,11 +351,11 @@ class _ActionsMapPlugin(object):
raise HTTPUnauthorizedResponse(e.strerror)
else:
# Update dicts with new values
s_hashes[profile] = s_hash
s_tokens[profile] = s_new_token
self.secrets[s_id] = s_secret = random_ascii()
response.set_cookie('session.id', s_id, secure=True)
response.set_cookie('session.hashes', s_hashes, secure=True,
response.set_cookie('session.tokens', s_tokens, secure=True,
secret=s_secret)
return m18n.g('logged_in')
@ -375,8 +375,8 @@ class _ActionsMapPlugin(object):
# for additional security ?
# (An attacker could not craft such signed hashed ? (FIXME : need to make sure of this))
s_secret = self.secrets[s_id]
s_hash = request.get_cookie('session.hashes',
secret=s_secret, default={})[profile]
s_token = request.get_cookie('session.tokens',
secret=s_secret, default={})[profile]
except KeyError:
raise HTTPUnauthorizedResponse(m18n.g('not_logged_in'))
else:
@ -385,7 +385,7 @@ class _ActionsMapPlugin(object):
authenticator._clean_session(s_id)
# TODO: Clean the session for profile only
# Delete cookie and clean the session
response.set_cookie('session.hashes', '', max_age=-1)
response.set_cookie('session.tokens', '', max_age=-1)
return m18n.g('logged_out')
def messages(self):
@ -474,13 +474,13 @@ class _ActionsMapPlugin(object):
s_id = request.get_cookie('session.id')
try:
s_secret = self.secrets[s_id]
s_hash = request.get_cookie('session.hashes',
s_token = request.get_cookie('session.tokens',
secret=s_secret, default={})[authenticator.name]
except KeyError:
msg = m18n.g('authentication_required')
raise HTTPUnauthorizedResponse(msg)
else:
return authenticator(token=(s_id, s_hash))
return authenticator(token=(s_id, s_token))
def _do_display(self, message, style):
"""Display a message