diff --git a/moulinette/authenticators/__init__.py b/moulinette/authenticators/__init__.py
index aa6840ac..09bc209e 100644
--- a/moulinette/authenticators/__init__.py
+++ b/moulinette/authenticators/__init__.py
@@ -76,7 +76,7 @@ class BaseAuthenticator(object):
 instance is returned and the session is registered for the token if 'token' and 'password' are given. The token is composed by the session identifier and a session
- hash - to use for encryption - as a 2-tuple.
+ hash (the "true token") - to use for encryption - as a 2-tuple.
 Keyword arguments: - password -- A clear text password
@@ -92,8 +92,8 @@ class BaseAuthenticator(object):
 if token:
 try:
- # Extract id and hash from token
- s_id, s_hash = token
+ # Extract id and actual token
+ s_id, s_token = token
 except TypeError as e:
 logger.error("unable to extract token parts from '%s' because '%s'", token, e)
 if password is None:
@@ -104,7 +104,7 @@ class BaseAuthenticator(object):
 else:
 if password is None:
 # Retrieve session
- password = self._retrieve_session(s_id, s_hash)
+ password = self._retrieve_session(s_id, s_token)
 try:
 # Attempt to authenticate
@@ -119,7 +119,7 @@ class BaseAuthenticator(object):
 # Store session
 if store_session:
 try:
- self._store_session(s_id, s_hash, password)
+ self._store_session(s_id, s_token, password)
 except Exception as e:
 import traceback
 traceback.print_exc() 
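Review bot: The docstring still calls the second tuple element a "hash" even though nothing hashes it — the later hunks rename the parameters to `s_token`/`session_token` and api.py fills it with `random_ascii()`, so it is a random secret, and the added parenthetical `(the "true token")` documents the mismatch rather than removing it. Suggest replacing the new line with `token - used as the passphrase that encrypts the stored password - as a 2-tuple.`, which matches what `_store_session` and `_retrieve_session` do with it. Because that value decrypts the cached password, the docstring is also the right place to state that it is a credential and must not be logged. The method this docstring belongs to starts outside the hunk.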
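Review bot: In the `-92` hunk, `logger.error("unable to extract token parts from '%s' because '%s'", token, e)` writes the raw `token` value into the log; after this rename the second element is explicitly the secret that `_retrieve_session` hands to `gpg.decrypt` as the passphrase, so a malformed token still puts a credential in the log file. Log the shape and the exception instead, e.g. `logger.error("unable to extract token parts (%s) because '%s'", type(token).__name__, e)`. The enclosing method starts and ends outside this hunk.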
@@ -136,19 +136,19 @@ class BaseAuthenticator(object):
 return open_cachefile('%s.asc' % session_id, mode, subdir='session/%s' % self.name)
- def _store_session(self, session_id, session_hash, password):
+ def _store_session(self, session_id, session_token, password):
 """Store a session and its associated password"""
 gpg = gnupg.GPG()
 gpg.encoding = 'utf-8'
- # Encrypt the password using the session hash
- s = str(gpg.encrypt(password, None, symmetric=True, passphrase=session_hash))
+ # Encrypt the password using the session token
+ s = str(gpg.encrypt(password, None, symmetric=True, passphrase=session_token))
 assert len(s), "For some reason GPG can't perform encryption, maybe check /root/.gnupg/gpg.conf or re-run with gpg = gnupg.GPG(verbose=True) ?"
 with self._open_sessionfile(session_id, 'w') as f:
 f.write(s)
- def _retrieve_session(self, session_id, session_hash):
+ def _retrieve_session(self, session_id, session_token):
 """Retrieve a session and return its associated password"""
 try:
 with self._open_sessionfile(session_id, 'r') as f:
@@ -160,7 +160,7 @@ class BaseAuthenticator(object):
 gpg = gnupg.GPG()
 gpg.encoding = 'utf-8'
- decrypted = gpg.decrypt(enc_pwd, passphrase=session_hash)
+ decrypted = gpg.decrypt(enc_pwd, passphrase=session_token)
 if decrypted.ok is not True:
 error_message = "unable to decrypt password for the session: %s" % decrypted.status
 logger.error(error_message)
diff --git a/moulinette/interfaces/api.py b/moulinette/interfaces/api.py
index 2b41dfa7..b5fae7a0 100644
--- a/moulinette/interfaces/api.py
+++ b/moulinette/interfaces/api.py 
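Review bot: `_store_session` relies on `assert len(s), ...` to detect a failed `gpg.encrypt`; under `python -O` the assert is stripped and an empty session file is written, and when it does fire the caller in the `-119` hunk only catches `Exception` and prints a traceback. Replace it with an explicit check such as `if not s: raise RuntimeError("GPG symmetric encryption of the session password failed")`, keeping the gpg.conf hint in the message if it has proven useful. The docstrings were not updated for the rename: `"""Store a session and its associated password"""` should state that `session_token` is the symmetric passphrase and that only the ciphertext `s` is written to disk here, and `_retrieve_session`'s should say the token is needed to decrypt (the `-160` hunk checks `decrypted.ok`, but the failure outcome continues past that hunk). `_retrieve_session`'s body also continues outside the `-136` hunk.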
@@ -332,18 +332,18 @@ class _ActionsMapPlugin(object):
 try:
 s_secret = self.secrets[s_id]
 except KeyError:
- s_hashes = {}
+ s_tokens = {}
 else:
- s_hashes = request.get_cookie('session.hashes',
+ s_tokens = request.get_cookie('session.tokens',
 secret=s_secret) or {}
- s_hash = random_ascii()
+ s_new_token = random_ascii()
 try:
 # Attempt to authenticate
 authenticator = self.actionsmap.get_authenticator_for_profile(profile)
- authenticator(password, token=(s_id, s_hash))
+ authenticator(password, token=(s_id, s_new_token))
 except MoulinetteError as e:
- if len(s_hashes) > 0:
+ if len(s_tokens) > 0:
 try:
 self.logout(profile)
 except:
@@ -351,11 +351,11 @@ class _ActionsMapPlugin(object):
 raise HTTPUnauthorizedResponse(e.strerror)
 else:
 # Update dicts with new values
- s_hashes[profile] = s_hash
+ s_tokens[profile] = s_new_token
 self.secrets[s_id] = s_secret = random_ascii()
 response.set_cookie('session.id', s_id, secure=True)
- response.set_cookie('session.hashes', s_hashes, secure=True,
+ response.set_cookie('session.tokens', s_tokens, secure=True,
 secret=s_secret)
 return m18n.g('logged_in')
@@ -375,8 +375,8 @@ class _ActionsMapPlugin(object):
 # for additional security ?
 # (An attacker could not craft such signed hashed ? (FIXME : need to make sure of this))
 s_secret = self.secrets[s_id]
- s_hash = request.get_cookie('session.hashes',
- secret=s_secret, default={})[profile]
+ s_token = request.get_cookie('session.tokens',
+ secret=s_secret, default={})[profile]
 except KeyError:
 raise HTTPUnauthorizedResponse(m18n.g('not_logged_in'))
 else:
@@ -385,7 +385,7 @@ class _ActionsMapPlugin(object):
 authenticator._clean_session(s_id)
 # TODO: Clean the session for profile only
 # Delete cookie and clean the session
- response.set_cookie('session.hashes', '', max_age=-1)
+ response.set_cookie('session.tokens', '', max_age=-1)
 return m18n.g('logged_out')
 def messages(self): 
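Review bot: In the failure path of the `-332` hunk, `try: self.logout(profile)` is followed by a bare `except:`, which also swallows `SystemExit` and `KeyboardInterrupt` and hides whatever made the logout fail right after an authentication error — the one place an operator would want a trace. Narrow it to `except Exception:` and, if the module has a logger, record the failure there before the `HTTPUnauthorizedResponse` is raised in the next hunk. The except body and the enclosing method continue outside this hunk.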
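Review bot: In the `-351` hunk both cookies carry the session credential — `session.tokens` holds the per-profile secret that `_retrieve_session` uses as the decryption passphrase and `session.id` selects the session file — yet they are set with `secure=True` only, so they remain readable by script running in the page. Add `httponly=True` to both calls: `response.set_cookie('session.id', s_id, secure=True, httponly=True)` and `response.set_cookie('session.tokens', s_tokens, secure=True, httponly=True, secret=s_secret)`; Bottle's `set_cookie` accepts that option (confirm against the pinned Bottle version, which may also offer `samesite`). Rotating the signing secret `s_secret` with `random_ascii()` on every login is sound; the strength of that helper is not visible here and is what the signed cookie's integrity rests on.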
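Review bot: In the `-385` hunk, `response.set_cookie('session.tokens', '', max_age=-1)` drops the whole tokens cookie and `authenticator._clean_session(s_id)` removes the server-side session by id, so logging out of one profile also signs the client out of every other profile held in `s_tokens`; the `# TODO` line acknowledges this, and the handler's docstring (outside the hunk) should state it until the per-profile cleanup lands. The in-memory signing secret `self.secrets[s_id]` is not removed here; if nothing else evicts it, `self.secrets` keeps one entry per session id for the process lifetime. The enclosing method (presumably `logout`) starts outside this hunk.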
@@ -474,13 +474,13 @@ class _ActionsMapPlugin(object):
 s_id = request.get_cookie('session.id')
 try:
 s_secret = self.secrets[s_id]
- s_hash = request.get_cookie('session.hashes',
+ s_token = request.get_cookie('session.tokens',
 secret=s_secret, default={})[authenticator.name]
 except KeyError:
 msg = m18n.g('authentication_required')
 raise HTTPUnauthorizedResponse(msg)
 else:
- return authenticator(token=(s_id, s_hash))
+ return authenticator(token=(s_id, s_token))
 def _do_display(self, message, style):
 """Display a message
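Review bot: The token lookup here is keyed by `authenticator.name` (`default={})[authenticator.name]`), whereas the login hunk stores it under `profile` (`s_tokens[profile] = s_new_token`) and the logout hunk reads `[profile]`; if a profile name can differ from its authenticator's name, a session created at login is not found here and the caller gets `authentication_required` despite holding a valid signed cookie. If `get_authenticator_for_profile` guarantees `authenticator.name == profile`, a one-line comment at the lookup should state that invariant, e.g. `# authenticator.name is the profile key the token was stored under at login`. The enclosing method starts outside this hunk.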