def test_recovery_key(self):
prv_key, _ = GCE.generate_keypair()
bck_key, rec_key = GCE.generate_recovery_key(prv_key)
plain_rec_key = GCE.asymmetric_decrypt(prv_key,
Base64Encoder.decode(rec_key))
x = GCE.symmetric_decrypt(plain_rec_key, Base64Encoder.decode(bck_key))
self.assertEqual(x, prv_key)
def db_admin_update_user(session, tid, user_session, user_id, request,
language):
"""
Transaction for updating an existing user
:param session: An ORM session
:param tid: A tenant ID
:param user_session: The current user session
:param user_id: The ID of the user to update
:param request: The request data
:param language: The language of the request
:return: The serialized descriptor of the updated object
"""
fill_localized_keys(request, models.User.localized_keys, language)
user = db_get_user(session, tid, user_id)
if user.username != request['username']:
check = session.query(models.User).filter(
models.User.username == request['username'],
models.User.tid == tid).one_or_none()
if check is not None:
raise errors.InputValidationError('Username already in use')
user.update(request)
password = request['password']
if password and (not user.crypto_pub_key or user_session.ek):
if user.crypto_pub_key and user_session.ek:
enc_key = GCE.derive_key(password.encode(), user.salt)
crypto_escrow_prv_key = GCE.asymmetric_decrypt(
user_session.cc, Base64Encoder.decode(user_session.ek))
if tid == 1:
user_cc = GCE.asymmetric_decrypt(
crypto_escrow_prv_key,
Base64Encoder.decode(user.crypto_escrow_bkp1_key))
else:
user_cc = GCE.asymmetric_decrypt(
crypto_escrow_prv_key,
Base64Encoder.decode(user.crypto_escrow_bkp2_key))
user.crypto_prv_key = Base64Encoder.encode(
GCE.symmetric_encrypt(enc_key, user_cc))
if user.hash_alg != 'ARGON2':
user.hash_alg = 'ARGON2'
user.salt = GCE.generate_salt()
user.password = GCE.hash_password(password, user.salt)
user.password_change_date = datetime_now()
user.password_change_needed = True
# The various options related in manage PGP keys are used here.
parse_pgp_options(user, request)
return user_serialize_user(session, user, language)
def validate_password_reset(session, reset_token, auth_code, recovery_key):
"""
Retrieves a user given a password reset validation token
:param session: An ORM session
:param reset_token: A reset token
:param auth_code: A two factor authentication code (optional)
:param recovery_key: An encryption recovery key (optional)
:return: A descriptor describing the result of the operation
"""
now = datetime.now()
prv_key = ''
user = session.query(models.User).filter(
models.User.reset_password_token == reset_token,
models.User.reset_password_date >= now - timedelta(hours=72)
).one_or_none()
# If the authentication token is invalid
if user is None:
return {'status': 'invalid_reset_token_provided'}
# If encryption is enabled require the recovery key
if user.crypto_prv_key:
try:
x = State.TempKeys.pop(user.id, None)
if x:
enc_key = GCE.derive_key(reset_token.encode(), user.salt)
prv_key = GCE.symmetric_decrypt(enc_key, Base64Encoder.decode(x))
else:
recovery_key = recovery_key.replace('-', '').upper() + '===='
recovery_key = Base32Encoder.decode(recovery_key.encode())
prv_key = GCE.symmetric_decrypt(recovery_key, Base64Encoder.decode(user.crypto_bkp_key))
except:
return {'status': 'require_recovery_key'}
elif user.two_factor_enable:
two_factor_secret = user.two_factor_secret
if not pyotp.TOTP(two_factor_secret).verify(auth_code, valid_window=1):
return {'status': 'require_two_factor_authentication'}
# Token is used, void it out
user.reset_password_token = None
user.reset_password_date = now
# Require password change
user.password_change_needed = True
session = Sessions.new(user.tid, user.id,
user.tid, user.role,
user.password_change_needed,
user.two_factor_enable,
prv_key,
user.crypto_escrow_prv_key)
return {'status': 'success', 'token': session.id}
def generate_password_reset_token(session, tid, user_session, user_id):
user = session.query(User).filter(User.tid == tid, User.id == user_id).one_or_none()
if user is None:
return
db_generate_password_reset_token(session, user)
if user_session.ek and user.crypto_pub_key:
crypto_escrow_prv_key = GCE.asymmetric_decrypt(user_session.cc, Base64Encoder.decode(user_session.ek))
user_cc = GCE.asymmetric_decrypt(crypto_escrow_prv_key, Base64Encoder.decode(user.crypto_escrow_bkp1_key))
enc_key = GCE.derive_key(user.reset_password_token.encode(), user.salt)
key = Base64Encoder.encode(GCE.symmetric_encrypt(enc_key, user_cc))
State.TempKeys[user_id] = TempKey(key)
def login_whistleblower(session, tid, receipt):
"""
Login transaction for whistleblowers' access
:param session: An ORM session
:param tid: A tenant ID
:param receipt: A provided receipt
:return: Returns a user session in case of success
"""
x = None
algorithms = [x[0] for x in session.query(WhistleblowerTip.hash_alg).filter(WhistleblowerTip.tid == tid).distinct()]
if algorithms:
hashes = [GCE.hash_password(receipt, State.tenant_cache[tid].receipt_salt, alg) for alg in algorithms]
x = session.query(WhistleblowerTip, InternalTip) \
.filter(WhistleblowerTip.receipt_hash.in_(hashes),
WhistleblowerTip.tid == tid,
InternalTip.id == WhistleblowerTip.id).one_or_none()
if x is None:
login_failure(tid, 1)
wbtip = x[0]
itip = x[1]
itip.wb_last_access = datetime_now()
crypto_prv_key = ''
if wbtip.crypto_prv_key:
user_key = GCE.derive_key(receipt.encode(), State.tenant_cache[tid].receipt_salt)
crypto_prv_key = GCE.symmetric_decrypt(user_key, Base64Encoder.decode(wbtip.crypto_prv_key))
return Sessions.new(tid, wbtip.id, tid, 'whistleblower', False, False, crypto_prv_key, '')
def login(session, tid, username, password, authcode, client_using_tor,
client_ip):
"""
Login transaction for users' access
:param session: An ORM session
:param tid: A tenant ID
:param username: A provided username
:param password: A provided password
:param authcode: A provided authcode
:param client_using_tor: A boolean signaling Tor usage
:param client_ip: The client IP
:return: Returns a user session in case of success
"""
user = None
for u in session.query(User).filter(User.username == username,
User.state == 'enabled',
User.tid == tid):
if GCE.check_password(u.hash_alg, password, u.salt, u.password):
user = u
break
if user is None:
log.debug("Login: Invalid credentials")
login_error(tid)
connection_check(tid, client_ip, user.role, client_using_tor)
crypto_prv_key = ''
if user.crypto_prv_key:
user_key = GCE.derive_key(password.encode(), user.salt)
crypto_prv_key = GCE.symmetric_decrypt(
user_key, Base64Encoder.decode(user.crypto_prv_key))
elif State.tenant_cache[tid].encryption:
# Force the password change on which the user key will be created
user.password_change_needed = True
# Require password change if password change threshold is exceeded
if State.tenant_cache[tid].password_change_period > 0 and \
user.password_change_date < datetime_now() - timedelta(days=State.tenant_cache[tid].password_change_period):
user.password_change_needed = True
if user.two_factor_enable:
if authcode != '':
# RFC 6238: step size 30 sec; valid_window = 1; total size of the window: 1.30 sec
if not pyotp.TOTP(user.two_factor_secret).verify(authcode,
valid_window=1):
raise errors.InvalidTwoFactorAuthCode
else:
raise errors.TwoFactorAuthCodeRequired
user.last_login = datetime_now()
return Sessions.new(tid, user.id, user.tid, user.role,
user.password_change_needed, user.two_factor_enable,
crypto_prv_key, user.crypto_escrow_prv_key)
def db_admin_update_user(session, tid, user_session, user_id, request, language):
"""
Transaction for updating an existing user
:param session: An ORM session
:param tid: A tenant ID
:param user_session: The current user session
:param user_id: The ID of the user to update
:param request: The request data
:param language: The language of the request
:return: The serialized descriptor of the updated object
"""
fill_localized_keys(request, models.User.localized_keys, language)
user = db_get_user(session, tid, user_id)
user.update(request)
password = request['password']
if password and (not user.crypto_pub_key or user_session.ek):
if user.crypto_pub_key and user_session.ek:
enc_key = GCE.derive_key(password.encode(), user.salt)
crypto_escrow_prv_key = GCE.asymmetric_decrypt(user_session.cc, Base64Encoder.decode(user_session.ek))
if user_session.user_tid == 1:
user_cc = GCE.asymmetric_decrypt(crypto_escrow_prv_key, Base64Encoder.decode(user.crypto_escrow_bkp1_key))
else:
user_cc = GCE.asymmetric_decrypt(crypto_escrow_prv_key, Base64Encoder.decode(user.crypto_escrow_bkp2_key))
user.crypto_prv_key = Base64Encoder.encode(GCE.symmetric_encrypt(enc_key, user_cc))
if user.hash_alg != 'ARGON2':
user.hash_alg = 'ARGON2'
user.salt = GCE.generate_salt()
user.password = GCE.hash_password(password, user.salt)
user.password_change_date = datetime_now()
State.log(tid=tid, type='change_password', user_id=user_session.user_id, object_id=user_id)
# The various options related in manage PGP keys are used here.
parse_pgp_options(user, request)
return user_serialize_user(session, user, language)
def get_recovery_key(session, tid, user_id, user_cc):
"""
Transaction to get a user recovery key
:param session: An ORM session
:param tid: The tenant ID
:param user_id: The user ID
:param user_cc: The user key
:return: The recovery key encoded base32
"""
user = db_get_user(session, tid, user_id)
if not user.crypto_rec_key:
return ''
return Base32Encoder.encode(GCE.asymmetric_decrypt(user_cc, Base64Encoder.decode(user.crypto_rec_key.encode()))).replace(b'=', b'')
def toggle_escrow(session, tid, user_session, user_id):
"""
Transaction to toggle key escrow access for user an user given its id
:param session: An ORM session
:param tid: A tenant ID
:param user_session: The current user session
:param user_id: The user for which togling the key escrow access
"""
if user_session.user_id == user_id or not user_session.ek:
return
user = db_get_user(session, tid, user_id)
if not user.crypto_pub_key:
return
if not user.crypto_escrow_prv_key:
crypto_escrow_prv_key = GCE.asymmetric_decrypt(user_session.cc, Base64Encoder.decode(user_session.ek))
user.crypto_escrow_prv_key = Base64Encoder.encode(GCE.asymmetric_encrypt(user.crypto_pub_key, crypto_escrow_prv_key))
else:
user.crypto_escrow_prv_key = ''
def get_tip_export(session, tid, user_id, rtip_id, language):
rtip, itip = db_access_rtip(session, tid, user_id, rtip_id)
user, context = session.query(models.User, models.Context) \
.filter(models.User.id == rtip.receiver_id,
models.Context.id == models.InternalTip.context_id,
models.InternalTip.id == rtip.internaltip_id,
models.User.tid == tid).one()
rtip_dict = serialize_rtip(session, rtip, itip, language)
return {
'type': 'export_template',
'node': db_admin_serialize_node(session, tid, language),
'notification': db_get_notification(session, tid, language),
'tip': rtip_dict,
'crypto_tip_prv_key': Base64Encoder.decode(rtip.crypto_tip_prv_key),
'user': user_serialize_user(session, user, language),
'context': admin_serialize_context(session, context, language),
'submission_statuses':
db_get_submission_statuses(session, tid, language)
}
# BEGIN MOCKS NECESSARY FOR DETERMINISTIC ENCRYPTION
VALID_PASSWORD1 = 'ACollectionOfDiplomaticHistorySince_1966_ToThe_Pr esentDay#'
VALID_PASSWORD2 = VALID_PASSWORD1
VALID_SALT1 = GCE.generate_salt()
VALID_SALT2 = GCE.generate_salt()
VALID_HASH1 = GCE.hash_password(VALID_PASSWORD1, VALID_SALT1)
VALID_HASH2 = GCE.hash_password(VALID_PASSWORD2, VALID_SALT2)
VALID_BASE64_IMG = 'iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAQAAAC1HAwCAAAAC0lEQVQYV2NgYAAAAAMAAWgmWQ0AAAAASUVORK5CYII='
INVALID_PASSWORD = '******'
KEY = GCE.generate_key()
USER_KEY = GCE.derive_key(VALID_PASSWORD1, VALID_SALT1)
USER_PRV_KEY, USER_PUB_KEY = GCE.generate_keypair()
USER_PRV_KEY_ENC = Base64Encoder.encode(GCE.symmetric_encrypt(USER_KEY, USER_PRV_KEY))
USER_BKP_KEY, USER_REC_KEY = GCE.generate_recovery_key(USER_PRV_KEY)
USER_REC_KEY_PLAIN = GCE.asymmetric_decrypt(USER_PRV_KEY, Base64Encoder.decode(USER_REC_KEY))
USER_REC_KEY_PLAIN = Base32Encoder.encode(USER_REC_KEY_PLAIN).replace(b'=', b'').decode('utf-8')
GCE_orig_generate_key = GCE.generate_key
GCE_orig_generate_keypair = GCE.generate_keypair
def GCE_mock_generate_key():
return KEY
def GCE_mock_generate_keypair():
return USER_PRV_KEY, USER_PUB_KEY
setattr(GCE, 'generate_key', GCE_mock_generate_key)
setattr(GCE, 'generate_keypair', GCE_mock_generate_keypair)
VALID_PASSWORD2 = VALID_PASSWORD1
VALID_SALT1 = GCE.generate_salt()
VALID_SALT2 = GCE.generate_salt()
VALID_HASH1 = GCE.hash_password(VALID_PASSWORD1, VALID_SALT1)
VALID_HASH2 = GCE.hash_password(VALID_PASSWORD2, VALID_SALT2)
VALID_BASE64_IMG = 'iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAQAAAC1HAwCAAAAC0lEQVQYV2NgYAAAAAMAAWgmWQ0AAAAASUVORK5CYII='
INVALID_PASSWORD = '******'
KEY = GCE.generate_key()
USER_KEY = GCE.derive_key(VALID_PASSWORD1, VALID_SALT1)
USER_PRV_KEY, USER_PUB_KEY = GCE.generate_keypair()
USER_PRV_KEY_ENC = Base64Encoder.encode(
GCE.symmetric_encrypt(USER_KEY, USER_PRV_KEY))
USER_BKP_KEY, USER_REC_KEY = GCE.generate_recovery_key(USER_PRV_KEY)
USER_REC_KEY_PLAIN = GCE.asymmetric_decrypt(USER_PRV_KEY,
Base64Encoder.decode(USER_REC_KEY))
USER_REC_KEY_PLAIN = Base32Encoder.encode(USER_REC_KEY_PLAIN).replace(
b'=', b'').decode('utf-8')
GCE_orig_generate_key = GCE.generate_key
GCE_orig_generate_keypair = GCE.generate_keypair
def GCE_mock_generate_key():
return KEY
def GCE_mock_generate_keypair():
return USER_PRV_KEY, USER_PUB_KEY
setattr(GCE, 'generate_key', GCE_mock_generate_key)
def login(session, tid, username, password, authcode, client_using_tor,
client_ip):
"""
Login transaction for users' access
:param session: An ORM session
:param tid: A tenant ID
:param username: A provided username
:param password: A provided password
:param authcode: A provided authcode
:param client_using_tor: A boolean signaling Tor usage
:param client_ip: The client IP
:return: Returns a user session in case of success
"""
user = None
users = session.query(User).filter(User.username == username,
User.state != 'disabled',
User.tid == tid).distinct()
for u in users:
if GCE.check_password(u.hash_alg, password, u.salt, u.password):
user = u
break
# Fix for issue: https://github.com/globaleaks/GlobaLeaks/issues/2563
if State.tenant_cache[1].creation_date < 1551740400:
u_password = '******'' + u.password + '\''
if GCE.check_password(u.hash_alg, password, u.salt, u_password):
user = u
break
if user is None:
log.debug("Login: Invalid credentials")
Settings.failed_login_attempts += 1
raise errors.InvalidAuthentication
connection_check(client_ip, tid, user.role, client_using_tor)
crypto_prv_key = ''
if user.crypto_prv_key:
user_key = GCE.derive_key(password.encode(), user.salt)
crypto_prv_key = GCE.symmetric_decrypt(
user_key, Base64Encoder.decode(user.crypto_prv_key))
elif State.tenant_cache[tid].encryption:
# Force the password change on which the user key will be created
user.password_change_needed = True
if user.two_factor_enable:
if authcode != '':
# RFC 6238: step size 30 sec; valid_window = 1; total size of the window: 1.30 sec
if not pyotp.TOTP(user.two_factor_secret).verify(authcode,
valid_window=1):
raise errors.InvalidTwoFactorAuthCode
else:
raise errors.TwoFactorAuthCodeRequired
user.last_login = datetime_now()
return Sessions.new(tid, user.id, user.tid, user.role,
user.password_change_needed, user.two_factor_enable,
crypto_prv_key, user.crypto_escrow_prv_key)