Try to improve semantic : s_hash -> s_token

This commit is contained in:
Alexandre Aubin 2019-08-20 19:53:51 +02:00
parent bcaf8b2e4a
commit 3822496622
2 changed files with 22 additions and 22 deletions


@ -76,7 +76,7 @@ class BaseAuthenticator(object):
instance is returned and the session is registered for the token instance is returned and the session is registered for the token
if 'token' and 'password' are given. if 'token' and 'password' are given.
The token is composed by the session identifier and a session The token is composed by the session identifier and a session
hash - to use for encryption - as a 2-tuple. hash (the "true token") - to use for encryption - as a 2-tuple.
Keyword arguments: Keyword arguments:
- password -- A clear text password - password -- A clear text password
@ -92,8 +92,8 @@ class BaseAuthenticator(object):
if token: if token:
try: try:
# Extract id and hash from token # Extract id and actual token
s_id, s_hash = token s_id, s_token = token
except TypeError as e: except TypeError as e:
logger.error("unable to extract token parts from '%s' because '%s'", token, e) logger.error("unable to extract token parts from '%s' because '%s'", token, e)
if password is None: if password is None:
@ -104,7 +104,7 @@ class BaseAuthenticator(object):
else: else:
if password is None: if password is None:
# Retrieve session # Retrieve session
password = self._retrieve_session(s_id, s_hash) password = self._retrieve_session(s_id, s_token)
try: try:
# Attempt to authenticate # Attempt to authenticate
@ -119,7 +119,7 @@ class BaseAuthenticator(object):
# Store session # Store session
if store_session: if store_session:
try: try:
self._store_session(s_id, s_hash, password) self._store_session(s_id, s_token, password)
except Exception as e: except Exception as e:
import traceback import traceback
traceback.print_exc() traceback.print_exc()
@ -136,19 +136,19 @@ class BaseAuthenticator(object):
return open_cachefile('%s.asc' % session_id, mode, return open_cachefile('%s.asc' % session_id, mode,
subdir='session/%s' % self.name) subdir='session/%s' % self.name)
def _store_session(self, session_id, session_hash, password): def _store_session(self, session_id, session_token, password):
"""Store a session and its associated password""" """Store a session and its associated password"""
gpg = gnupg.GPG() gpg = gnupg.GPG()
gpg.encoding = 'utf-8' gpg.encoding = 'utf-8'
# Encrypt the password using the session hash # Encrypt the password using the session token
s = str(gpg.encrypt(password, None, symmetric=True, passphrase=session_hash)) s = str(gpg.encrypt(password, None, symmetric=True, passphrase=session_token))
assert len(s), "For some reason GPG can't perform encryption, maybe check /root/.gnupg/gpg.conf or re-run with gpg = gnupg.GPG(verbose=True) ?" assert len(s), "For some reason GPG can't perform encryption, maybe check /root/.gnupg/gpg.conf or re-run with gpg = gnupg.GPG(verbose=True) ?"
with self._open_sessionfile(session_id, 'w') as f: with self._open_sessionfile(session_id, 'w') as f:
f.write(s) f.write(s)
def _retrieve_session(self, session_id, session_hash): def _retrieve_session(self, session_id, session_token):
"""Retrieve a session and return its associated password""" """Retrieve a session and return its associated password"""
try: try:
with self._open_sessionfile(session_id, 'r') as f: with self._open_sessionfile(session_id, 'r') as f:
@ -160,7 +160,7 @@ class BaseAuthenticator(object):
gpg = gnupg.GPG() gpg = gnupg.GPG()
gpg.encoding = 'utf-8' gpg.encoding = 'utf-8'
decrypted = gpg.decrypt(enc_pwd, passphrase=session_hash) decrypted = gpg.decrypt(enc_pwd, passphrase=session_token)
if decrypted.ok is not True: if decrypted.ok is not True:
error_message = "unable to decrypt password for the session: %s" % decrypted.status error_message = "unable to decrypt password for the session: %s" % decrypted.status
logger.error(error_message) logger.error(error_message)


@ -332,18 +332,18 @@ class _ActionsMapPlugin(object):
try: try:
s_secret = self.secrets[s_id] s_secret = self.secrets[s_id]
except KeyError: except KeyError:
s_hashes = {} s_tokens = {}
else: else:
s_hashes = request.get_cookie('session.hashes', s_tokens = request.get_cookie('session.tokens',
secret=s_secret) or {} secret=s_secret) or {}
s_hash = random_ascii() s_new_token = random_ascii()
try: try:
# Attempt to authenticate # Attempt to authenticate
authenticator = self.actionsmap.get_authenticator_for_profile(profile) authenticator = self.actionsmap.get_authenticator_for_profile(profile)
authenticator(password, token=(s_id, s_hash)) authenticator(password, token=(s_id, s_new_token))
except MoulinetteError as e: except MoulinetteError as e:
if len(s_hashes) > 0: if len(s_tokens) > 0:
try: try:
self.logout(profile) self.logout(profile)
except: except:
@ -351,11 +351,11 @@ class _ActionsMapPlugin(object):
raise HTTPUnauthorizedResponse(e.strerror) raise HTTPUnauthorizedResponse(e.strerror)
else: else:
# Update dicts with new values # Update dicts with new values
s_hashes[profile] = s_hash s_tokens[profile] = s_new_token
self.secrets[s_id] = s_secret = random_ascii() self.secrets[s_id] = s_secret = random_ascii()
response.set_cookie('session.id', s_id, secure=True) response.set_cookie('session.id', s_id, secure=True)
response.set_cookie('session.hashes', s_hashes, secure=True, response.set_cookie('session.tokens', s_tokens, secure=True,
secret=s_secret) secret=s_secret)
return m18n.g('logged_in') return m18n.g('logged_in')
@ -375,8 +375,8 @@ class _ActionsMapPlugin(object):
# for additional security ? # for additional security ?
# (An attacker could not craft such signed hashed ? (FIXME : need to make sure of this)) # (An attacker could not craft such signed hashed ? (FIXME : need to make sure of this))
s_secret = self.secrets[s_id] s_secret = self.secrets[s_id]
s_hash = request.get_cookie('session.hashes', s_token = request.get_cookie('session.tokens',
secret=s_secret, default={})[profile] secret=s_secret, default={})[profile]
except KeyError: except KeyError:
raise HTTPUnauthorizedResponse(m18n.g('not_logged_in')) raise HTTPUnauthorizedResponse(m18n.g('not_logged_in'))
else: else:
@ -385,7 +385,7 @@ class _ActionsMapPlugin(object):
authenticator._clean_session(s_id) authenticator._clean_session(s_id)
# TODO: Clean the session for profile only # TODO: Clean the session for profile only
# Delete cookie and clean the session # Delete cookie and clean the session
response.set_cookie('session.hashes', '', max_age=-1) response.set_cookie('session.tokens', '', max_age=-1)
return m18n.g('logged_out') return m18n.g('logged_out')
def messages(self): def messages(self):
@ -474,13 +474,13 @@ class _ActionsMapPlugin(object):
s_id = request.get_cookie('session.id') s_id = request.get_cookie('session.id')
try: try:
s_secret = self.secrets[s_id] s_secret = self.secrets[s_id]
s_hash = request.get_cookie('session.hashes', s_token = request.get_cookie('session.tokens',
secret=s_secret, default={})[authenticator.name] secret=s_secret, default={})[authenticator.name]
except KeyError: except KeyError:
msg = m18n.g('authentication_required') msg = m18n.g('authentication_required')
raise HTTPUnauthorizedResponse(msg) raise HTTPUnauthorizedResponse(msg)
else: else:
return authenticator(token=(s_id, s_hash)) return authenticator(token=(s_id, s_token))
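Review bot: Renaming the cookie to 'session.tokens' leaves the logout path clearing only the new name via `response.set_cookie('session.tokens', '', max_age=-1)`, so a browser that still carries a 'session.hashes' cookie from before this change keeps it after logging out; consider also expiring the legacy name there for one release, `response.set_cookie('session.hashes', '', max_age=-1)`. Since the login and authenticate lookups now read only 'session.tokens' with `default={}`, sessions established before deploy presumably fall through to the KeyError branch and HTTPUnauthorizedResponse, which is likely acceptable but worth stating in the commit message. The comment just above the lookup, `# (An attacker could not craft such signed hashed ? (FIXME : need to make sure of this))`, still uses the old "hashed" wording and could be reworded to "signed token" for consistency with the rename. The enclosing login, logout and authenticate methods start and end outside these hunks.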
def _do_display(self, message, style): def _do_display(self, message, style):
"""Display a message """Display a message