mirror of
https://github.com/YunoHost/moulinette.git
synced 2024-09-03 20:06:31 +02:00
Try to improve semantic : s_hash -> s_token
This commit is contained in:
parent
bcaf8b2e4a
commit
3822496622
2 changed files with 22 additions and 22 deletions
|
@ -76,7 +76,7 @@ class BaseAuthenticator(object):
|
||||||
instance is returned and the session is registered for the token
|
instance is returned and the session is registered for the token
|
||||||
if 'token' and 'password' are given.
|
if 'token' and 'password' are given.
|
||||||
The token is composed by the session identifier and a session
|
The token is composed by the session identifier and a session
|
||||||
hash - to use for encryption - as a 2-tuple.
|
hash (the "true token") - to use for encryption - as a 2-tuple.
|
||||||
|
|
||||||
Keyword arguments:
|
Keyword arguments:
|
||||||
- password -- A clear text password
|
- password -- A clear text password
|
||||||
|
@ -92,8 +92,8 @@ class BaseAuthenticator(object):
|
||||||
|
|
||||||
if token:
|
if token:
|
||||||
try:
|
try:
|
||||||
# Extract id and hash from token
|
# Extract id and actual token
|
||||||
s_id, s_hash = token
|
s_id, s_token = token
|
||||||
except TypeError as e:
|
except TypeError as e:
|
||||||
logger.error("unable to extract token parts from '%s' because '%s'", token, e)
|
logger.error("unable to extract token parts from '%s' because '%s'", token, e)
|
||||||
if password is None:
|
if password is None:
|
||||||
|
@ -104,7 +104,7 @@ class BaseAuthenticator(object):
|
||||||
else:
|
else:
|
||||||
if password is None:
|
if password is None:
|
||||||
# Retrieve session
|
# Retrieve session
|
||||||
password = self._retrieve_session(s_id, s_hash)
|
password = self._retrieve_session(s_id, s_token)
|
||||||
|
|
||||||
try:
|
try:
|
||||||
# Attempt to authenticate
|
# Attempt to authenticate
|
||||||
|
@ -119,7 +119,7 @@ class BaseAuthenticator(object):
|
||||||
# Store session
|
# Store session
|
||||||
if store_session:
|
if store_session:
|
||||||
try:
|
try:
|
||||||
self._store_session(s_id, s_hash, password)
|
self._store_session(s_id, s_token, password)
|
||||||
except Exception as e:
|
except Exception as e:
|
||||||
import traceback
|
import traceback
|
||||||
traceback.print_exc()
|
traceback.print_exc()
|
||||||
|
@ -136,19 +136,19 @@ class BaseAuthenticator(object):
|
||||||
return open_cachefile('%s.asc' % session_id, mode,
|
return open_cachefile('%s.asc' % session_id, mode,
|
||||||
subdir='session/%s' % self.name)
|
subdir='session/%s' % self.name)
|
||||||
|
|
||||||
def _store_session(self, session_id, session_hash, password):
|
def _store_session(self, session_id, session_token, password):
|
||||||
"""Store a session and its associated password"""
|
"""Store a session and its associated password"""
|
||||||
gpg = gnupg.GPG()
|
gpg = gnupg.GPG()
|
||||||
gpg.encoding = 'utf-8'
|
gpg.encoding = 'utf-8'
|
||||||
|
|
||||||
# Encrypt the password using the session hash
|
# Encrypt the password using the session token
|
||||||
s = str(gpg.encrypt(password, None, symmetric=True, passphrase=session_hash))
|
s = str(gpg.encrypt(password, None, symmetric=True, passphrase=session_token))
|
||||||
assert len(s), "For some reason GPG can't perform encryption, maybe check /root/.gnupg/gpg.conf or re-run with gpg = gnupg.GPG(verbose=True) ?"
|
assert len(s), "For some reason GPG can't perform encryption, maybe check /root/.gnupg/gpg.conf or re-run with gpg = gnupg.GPG(verbose=True) ?"
|
||||||
|
|
||||||
with self._open_sessionfile(session_id, 'w') as f:
|
with self._open_sessionfile(session_id, 'w') as f:
|
||||||
f.write(s)
|
f.write(s)
|
||||||
|
|
||||||
def _retrieve_session(self, session_id, session_hash):
|
def _retrieve_session(self, session_id, session_token):
|
||||||
"""Retrieve a session and return its associated password"""
|
"""Retrieve a session and return its associated password"""
|
||||||
try:
|
try:
|
||||||
with self._open_sessionfile(session_id, 'r') as f:
|
with self._open_sessionfile(session_id, 'r') as f:
|
||||||
|
@ -160,7 +160,7 @@ class BaseAuthenticator(object):
|
||||||
gpg = gnupg.GPG()
|
gpg = gnupg.GPG()
|
||||||
gpg.encoding = 'utf-8'
|
gpg.encoding = 'utf-8'
|
||||||
|
|
||||||
decrypted = gpg.decrypt(enc_pwd, passphrase=session_hash)
|
decrypted = gpg.decrypt(enc_pwd, passphrase=session_token)
|
||||||
if decrypted.ok is not True:
|
if decrypted.ok is not True:
|
||||||
error_message = "unable to decrypt password for the session: %s" % decrypted.status
|
error_message = "unable to decrypt password for the session: %s" % decrypted.status
|
||||||
logger.error(error_message)
|
logger.error(error_message)
|
||||||
|
|
|
@ -332,18 +332,18 @@ class _ActionsMapPlugin(object):
|
||||||
try:
|
try:
|
||||||
s_secret = self.secrets[s_id]
|
s_secret = self.secrets[s_id]
|
||||||
except KeyError:
|
except KeyError:
|
||||||
s_hashes = {}
|
s_tokens = {}
|
||||||
else:
|
else:
|
||||||
s_hashes = request.get_cookie('session.hashes',
|
s_tokens = request.get_cookie('session.tokens',
|
||||||
secret=s_secret) or {}
|
secret=s_secret) or {}
|
||||||
s_hash = random_ascii()
|
s_new_token = random_ascii()
|
||||||
|
|
||||||
try:
|
try:
|
||||||
# Attempt to authenticate
|
# Attempt to authenticate
|
||||||
authenticator = self.actionsmap.get_authenticator_for_profile(profile)
|
authenticator = self.actionsmap.get_authenticator_for_profile(profile)
|
||||||
authenticator(password, token=(s_id, s_hash))
|
authenticator(password, token=(s_id, s_new_token))
|
||||||
except MoulinetteError as e:
|
except MoulinetteError as e:
|
||||||
if len(s_hashes) > 0:
|
if len(s_tokens) > 0:
|
||||||
try:
|
try:
|
||||||
self.logout(profile)
|
self.logout(profile)
|
||||||
except:
|
except:
|
||||||
|
@ -351,11 +351,11 @@ class _ActionsMapPlugin(object):
|
||||||
raise HTTPUnauthorizedResponse(e.strerror)
|
raise HTTPUnauthorizedResponse(e.strerror)
|
||||||
else:
|
else:
|
||||||
# Update dicts with new values
|
# Update dicts with new values
|
||||||
s_hashes[profile] = s_hash
|
s_tokens[profile] = s_new_token
|
||||||
self.secrets[s_id] = s_secret = random_ascii()
|
self.secrets[s_id] = s_secret = random_ascii()
|
||||||
|
|
||||||
response.set_cookie('session.id', s_id, secure=True)
|
response.set_cookie('session.id', s_id, secure=True)
|
||||||
response.set_cookie('session.hashes', s_hashes, secure=True,
|
response.set_cookie('session.tokens', s_tokens, secure=True,
|
||||||
secret=s_secret)
|
secret=s_secret)
|
||||||
return m18n.g('logged_in')
|
return m18n.g('logged_in')
|
||||||
|
|
||||||
|
@ -375,7 +375,7 @@ class _ActionsMapPlugin(object):
|
||||||
# for additional security ?
|
# for additional security ?
|
||||||
# (An attacker could not craft such signed hashed ? (FIXME : need to make sure of this))
|
# (An attacker could not craft such signed hashed ? (FIXME : need to make sure of this))
|
||||||
s_secret = self.secrets[s_id]
|
s_secret = self.secrets[s_id]
|
||||||
s_hash = request.get_cookie('session.hashes',
|
s_token = request.get_cookie('session.tokens',
|
||||||
secret=s_secret, default={})[profile]
|
secret=s_secret, default={})[profile]
|
||||||
except KeyError:
|
except KeyError:
|
||||||
raise HTTPUnauthorizedResponse(m18n.g('not_logged_in'))
|
raise HTTPUnauthorizedResponse(m18n.g('not_logged_in'))
|
||||||
|
@ -385,7 +385,7 @@ class _ActionsMapPlugin(object):
|
||||||
authenticator._clean_session(s_id)
|
authenticator._clean_session(s_id)
|
||||||
# TODO: Clean the session for profile only
|
# TODO: Clean the session for profile only
|
||||||
# Delete cookie and clean the session
|
# Delete cookie and clean the session
|
||||||
response.set_cookie('session.hashes', '', max_age=-1)
|
response.set_cookie('session.tokens', '', max_age=-1)
|
||||||
return m18n.g('logged_out')
|
return m18n.g('logged_out')
|
||||||
|
|
||||||
def messages(self):
|
def messages(self):
|
||||||
|
@ -474,13 +474,13 @@ class _ActionsMapPlugin(object):
|
||||||
s_id = request.get_cookie('session.id')
|
s_id = request.get_cookie('session.id')
|
||||||
try:
|
try:
|
||||||
s_secret = self.secrets[s_id]
|
s_secret = self.secrets[s_id]
|
||||||
s_hash = request.get_cookie('session.hashes',
|
s_token = request.get_cookie('session.tokens',
|
||||||
secret=s_secret, default={})[authenticator.name]
|
secret=s_secret, default={})[authenticator.name]
|
||||||
except KeyError:
|
except KeyError:
|
||||||
msg = m18n.g('authentication_required')
|
msg = m18n.g('authentication_required')
|
||||||
raise HTTPUnauthorizedResponse(msg)
|
raise HTTPUnauthorizedResponse(msg)
|
||||||
else:
|
else:
|
||||||
return authenticator(token=(s_id, s_hash))
|
return authenticator(token=(s_id, s_token))
|
||||||
|
|
||||||
def _do_display(self, message, style):
|
def _do_display(self, message, style):
|
||||||
"""Display a message
|
"""Display a message
|
||||||
|
|
Loading…
Reference in a new issue