kallithea Changeset - 04e8b31fb245

Changeset - 04e8b31fb245

Parent rev.

Child rev.

[Not reviewed]

default

0 3 0

Marcin Kuzminski - 15 years ago 2010-08-20 10:59:18
marcin@python-works.com

Changed password crypting scheme to bcrypt, added dependency for setup

3 files changed with 10 insertions and 8 deletions:

pylons_app/lib/auth.py

pylons_app/model/forms.py

setup.py

0 comments (0 inline, 0 general)

pylons_app/lib/auth.py

➞

Show inline comments

@@ @@ -9,81 +9,82 @@ @@
 # of the License or (at your opinion) any later version of the license.
+#
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 # GNU General Public License for more details.
+#
 # You should have received a copy of the GNU General Public License
 # along with this program; if not, write to the Free Software
 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
 # MA  02110-1301, USA.
 """
 Created on April 4, 2010
 @author: marcink
 """
 from beaker.cache import cache_region
 from pylons import config, session, url, request
 from pylons.controllers.util import abort, redirect
 from pylons_app.lib.utils import get_repo_slug
 from pylons_app.model import meta
 from pylons_app.model.db import User, RepoToPerm, Repository, Permission
 from sqlalchemy.exc import OperationalError
 from sqlalchemy.orm.exc import NoResultFound, MultipleResultsFound
-import hashlib
+import bcrypt
 from decorator import decorator
 import logging
 log = logging.getLogger(__name__)
 def get_crypt_password(password):
     """Cryptographic function used for password hashing based on sha1
     @param password: password to hash
     """
     hashed = hashlib.sha1(password).hexdigest()
     return hashed[3:] + hashed[:3]
     return bcrypt.hashpw(password, bcrypt.gensalt(10))
 def check_password(password, hashed):
     return bcrypt.hashpw(password, hashed) == hashed
 @cache_region('super_short_term', 'cached_user')
 def get_user_cached(username):
     sa = meta.Session
     try:
         user = sa.query(User).filter(User.username == username).one()
     finally:
         meta.Session.remove()
     return user
 def authfunc(environ, username, password):
     password_crypt = get_crypt_password(password)
     try:
         user = get_user_cached(username)
     except (NoResultFound, MultipleResultsFound, OperationalError) as e:
         log.error(e)
         user = None
     if user:
         if user.active:
-            if user.username == username and user.password == password_crypt:
+            if user.username == username and check_password(password, user.password):
                 log.info('user %s authenticated correctly', username)
                 return True
         else:
             log.error('user %s is disabled', username)
     return False
 class  AuthUser(object):
     """
     A simple object that handles a mercurial username for authentication
     """
     def __init__(self):
         self.username = 'None'
         self.name = ''
         self.lastname = ''
         self.email = ''
         self.user_id = None
         self.is_authenticated = False
         self.is_admin = False
         self.permissions = {}
 def set_available_permissions(config):
     """

pylons_app/model/forms.py

➞

Show inline comments

@@ @@ -3,49 +3,49 @@ http://formencode.org/module-formencode. @@
 for list off all availible validators
 we can create our own validators
 The table below outlines the options which can be used in a schema in addition to the validators themselves
 pre_validators          []     These validators will be applied before the schema
 chained_validators      []     These validators will be applied after the schema
 allow_extra_fields      False     If True, then it is not an error when keys that aren't associated with a validator are present
 filter_extra_fields     False     If True, then keys that aren't associated with a validator are removed
 if_key_missing          NoDefault If this is given, then any keys that aren't available but are expected will be replaced with this value (and then validated). This does not override a present .if_missing attribute on validators. NoDefault is a special FormEncode class to mean that no default values has been specified and therefore missing keys shouldn't take a default value.
 ignore_key_missing      False     If True, then missing keys will be missing in the result, if the validator doesn't have .if_missing on it already
 <name> = formencode.validators.<name of validator>
 <name> must equal form name
 list=[1,2,3,4,5]
 for SELECT use formencode.All(OneOf(list), Int())
 """
 from formencode import All
 from formencode.validators import UnicodeString, OneOf, Int, Number, Regex, \
     Email, Bool, StringBoolean
 from pylons import session
 from pylons.i18n.translation import _
-from pylons_app.lib.auth import get_crypt_password
+from pylons_app.lib.auth import check_password
 from pylons_app.model import meta
 from pylons_app.model.db import User, Repository
 from sqlalchemy.exc import OperationalError
 from sqlalchemy.orm.exc import NoResultFound, MultipleResultsFound
 from webhelpers.pylonslib.secure_form import authentication_token
 import datetime
 import formencode
 import logging
 import os
 import pylons_app.lib.helpers as h
 log = logging.getLogger(__name__)
 #this is needed to translate the messages using _() in validators
 class State_obj(object):
     _ = staticmethod(_)
 #===============================================================================
 # VALIDATORS
 #===============================================================================
 class ValidAuthToken(formencode.validators.FancyValidator):
     messages = {'invalid_token':_('Token mismatch')}
     def validate_python(self, value, state):
@@ @@ -73,61 +73,61 @@ def ValidUsername(edit, old_data): @@
             meta.Session.remove()
     return _ValidUsername
 class ValidPassword(formencode.validators.FancyValidator):
     def to_python(self, value, state):
         if value:
             return get_crypt_password(value)
 class ValidAuth(formencode.validators.FancyValidator):
     messages = {
             'invalid_password':_('invalid password'),
             'invalid_login':_('invalid user name'),
             'disabled_account':_('Your acccount is disabled')
+            }
     #error mapping
     e_dict = {'username':messages['invalid_login'],
               'password':messages['invalid_password']}
     e_dict_disable = {'username':messages['disabled_account']}
     def validate_python(self, value, state):
         sa = meta.Session
-        crypted_passwd = get_crypt_password(value['password'])
+        password = value['password']
         username = value['username']
         try:
             user = sa.query(User).filter(User.username == username).one()
         except (NoResultFound, MultipleResultsFound, OperationalError) as e:
             log.error(e)
             user = None
             raise formencode.Invalid(self.message('invalid_password',
                                      state=State_obj), value, state,
                                      error_dict=self.e_dict)
         if user:
             if user.active:
-                if user.username == username and user.password == crypted_passwd:
+                if user.username == username and check_password(password, user.password):
                     from pylons_app.lib.auth import AuthUser
                     auth_user = AuthUser()
                     auth_user.username = username
                     auth_user.is_authenticated = True
                     auth_user.is_admin = user.admin
                     auth_user.user_id = user.user_id
                     auth_user.name = user.name
                     auth_user.lastname = user.lastname
                     session['hg_app_user'] = auth_user
                     session.save()
                     log.info('user %s is now authenticated', username)
                     try:
                         user.last_login = datetime.datetime.now()
                         sa.add(user)
                         sa.commit()
                     except (OperationalError) as e:
                         log.error(e)
                         sa.rollback()
                     return value
                 else:
                     log.warning('user %s not authenticated', username)
                     raise formencode.Invalid(self.message('invalid_password',

setup.py

➞

Show inline comments

@@ @@ -3,44 +3,45 @@ try: @@
     from setuptools import setup, find_packages
 except ImportError:
     from ez_setup import use_setuptools
     use_setuptools()
     from setuptools import setup, find_packages
 setup(
     name='hg_app',
     version=get_version(),
     description='Mercurial repository serving and browsing app',
     keywords='mercurial web hgwebdir replacement serving hgweb',
     license='BSD',
     author='marcin kuzminski',
     author_email='marcin@python-works.com',
     url='http://hg.python-works.com',
     install_requires=[
         "Pylons>=1.0.0",
         "SQLAlchemy>=0.6",
         "Mako>=0.3.2",
         "vcs>=0.1.4",
         "pygments>=1.3.0",
         "mercurial>=1.6",
         "pysqlite",
         "whoosh>=1.0.0b5",
         "py-bcrypt",
     ],
     setup_requires=["PasteScript>=1.6.3"],
     packages=find_packages(exclude=['ez_setup']),
     include_package_data=True,
     test_suite='nose.collector',
     package_data={'pylons_app': ['i18n/*/LC_MESSAGES/*.mo']},
     message_extractors={'pylons_app': [
             ('**.py', 'python', None),
             ('templates/**.mako', 'mako', {'input_encoding': 'utf-8'}),
             ('public/**', 'ignore', None)]},
     zip_safe=False,
     paster_plugins=['PasteScript', 'Pylons'],
     entry_points="""
     [paste.app_factory]
     main = pylons_app.config.middleware:make_app
     [paste.app_install]
     main = pylons.util:PylonsInstaller
     """,
+)

0 comments (0 inline, 0 general)