def validate_machine_token(self, token):
s = Signer(self.secret)
try:
s.unsign(token)
return True
except BadSignature:
return False
def validate_csrf_token(csrf_token):
secret_key = current_app.config.get("WTF_CSRF_SECRET_KEY", current_app.secret_key)
signer = Signer(secret_key)
# if current_user.is_anonymous():
# return False
try:
signer.unsign(csrf_token)
except BadSignature:
return False
# if str(current_user.get_id()) == id:
# return True
return True
def get_from_signed_code(cls, code):
"""Returns a discount policy given a valid signed code, returns None otherwise"""
if not cls.is_signed_code_format(code):
return None
discount_code_base = code.split('.')[0]
policy = cls.query.filter_by(discount_code_base=discount_code_base).one_or_none()
if not policy:
return None
signer = Signer(policy.secret)
try:
signer.unsign(code)
return policy
except BadSignature:
return None
def get_username_from_confirmation_token(app, confirmation_token):
signer = Signer(app.config['SECRET_KEY'], salt='confirmation')
try:
username = signer.unsign(confirmation_token)
except BadSignature:
return None
return username
def reset_password():
form = ResetPasswordForm(request.form)
if request.method == "POST" and form.validate():
token = form.token.data
s = Signer(app.config['SECRET_KEY'])
try:
email = s.unsign(token)
except BadSignature:
return render_template("reset_invalid_token.html")
user = User.query.filter_by(email=email).first()
if user:
user.set_password(form.password.data)
print user.password
login_user(user)
return redirect("/")
else:
return render_template("reset_invalid_token.html")
token = request.args.get('token', None)
if not token:
return render_template("reset_invalid_token.html")
return render_template("reset_password.html", form=form, token=token)
def on_confirm_email(token):
"""Email confirmation endpoint.
We try to confirm the specified signup and redirect to a webpage.
"""
try:
s = Signer(get_token_secret())
signup_id = ObjectId(s.unsign(token).decode('utf-8'))
except BadSignature:
return "Unknown token"
patch_internal('eventsignups', {'confirmed': True},
skip_validation=True, concurrency_check=False,
**{current_app.config['ID_FIELD']: signup_id})
# Now the user may be able to get accepted, so update the events waiting
# list
lookup = {current_app.config['ID_FIELD']: signup_id}
signup = current_app.data.find_one('eventsignups', None, **lookup)
update_waiting_list(signup['event'])
redirect_url = current_app.config.get('EMAIL_CONFIRMED_REDIRECT')
if redirect_url:
return redirect(redirect_url)
else:
return current_app.config['CONFIRM_TEXT']
def reset_password():
form = ResetPasswordForm(request.form)
if request.method == "POST" and form.validate():
token = form.token.data
s = Signer(app.config['SECRET_KEY'])
try:
email = s.unsign(token)
except BadSignature:
return render_template("reset_invalid_token.html")
user = User.query.filter_by(email=email).first()
if user:
user.set_password(form.password.data)
print user.password
login_user(user)
return redirect("/")
else:
return render_template("reset_invalid_token.html")
token = request.args.get('token', None)
if not token:
return render_template("reset_invalid_token.html")
return render_template("reset_password.html", form=form, token=token)
def mailbox_confirm_change_route():
s = Signer(MAILBOX_SECRET)
mailbox_id = request.args.get("mailbox_id")
try:
r_id = int(s.unsign(mailbox_id))
except Exception:
flash("Invalid link", "error")
return redirect(url_for("dashboard.index"))
else:
mailbox = Mailbox.get(r_id)
# new_email can be None if user cancels change in the meantime
if mailbox and mailbox.new_email:
mailbox.email = mailbox.new_email
mailbox.new_email = None
# mark mailbox as verified if the change request is sent from an unverified mailbox
mailbox.verified = True
db.session.commit()
LOG.d("Mailbox change %s is verified", mailbox)
flash(f"The {mailbox.email} is updated", "success")
return redirect(
url_for("dashboard.mailbox_detail_route",
mailbox_id=mailbox.id))
else:
flash("Invalid link", "error")
return redirect(url_for("dashboard.index"))
def confirm_user(data=None):
if not utils.get_config('verify_emails'):
return redirect(url_for('challenges.challenges_view'))
if data and request.method == "GET": # User is confirming email account
try:
s = Signer(app.config['SECRET_KEY'])
email = s.unsign(urllib.unquote_plus(data.decode('base64')))
except BadSignature:
return render_template(
'confirm.html', errors=['Your confirmation link seems wrong'])
except:
return render_template(
'confirm.html',
errors=['Your link appears broken, please try again.'])
team = Teams.query.filter_by(email=email).first_or_404()
team.verified = True
db.session.commit()
logger = logging.getLogger('regs')
logger.warn("[{0}] {1} confirmed {2}".format(
time.strftime("%m/%d/%Y %X"), team.name.encode('utf-8'),
team.email.encode('utf-8')))
db.session.close()
if utils.authed():
return redirect(url_for('challenges.challenges_view'))
return redirect(url_for('auth.login'))
if not data and request.method == "GET": # User has been directed to the confirm page because his account is not verified
if not utils.authed():
return redirect(url_for('auth.login'))
team = Teams.query.filter_by(id=session['id']).first_or_404()
if team.verified:
return redirect(url_for('views.profile'))
else:
utils.verify_email(team.email)
return render_template('confirm.html', team=team)
def action():
if not 'action' in request.json:
abort(400)
s = Signer(signkey)
try:
action = s.unsign(request.json['action'])
except:
abort(403)
action = action.split('.', 1)
if action[0] == 'LIST':
return getList()
if action[0] == 'GET':
if len(action) != 2:
abort(400)
obj = action[1].split('.', 1)
if len(obj) != 2:
abort(400)
key = obj[1]
return getObject(key)
if action[0] == 'STORE':
if len(action) != 2:
abort(400)
return store(action[1])
if action[0] == 'DELETE':
if len(action) != 2:
abort(400)
return delete(action[1])
abort(400)
def auth_mfa():
"""
Validate the OTP Token
Input:
mfa_token: OTP token that user enters
mfa_key: MFA key obtained in previous auth request, e.g. /api/auth/login
device: the device name, used to create an ApiKey associated with this device
Output:
200 and user info containing:
{
name: "John Wick",
api_key: "a long string",
email: "user email"
}
"""
data = request.get_json()
if not data:
return jsonify(error="request body cannot be empty"), 400
mfa_token = data.get("mfa_token")
mfa_key = data.get("mfa_key")
device = data.get("device")
s = Signer(FLASK_SECRET)
try:
user_id = int(s.unsign(mfa_key))
except Exception:
return jsonify(error="Invalid mfa_key"), 400
user = User.get(user_id)
if not user:
return jsonify(error="Invalid mfa_key"), 400
elif not user.enable_otp:
return (
jsonify(
error=
"This endpoint should only be used by user who enables MFA"),
400,
)
totp = pyotp.TOTP(user.otp_secret)
if not totp.verify(mfa_token):
return jsonify(error="Wrong TOTP Token"), 400
ret = {"name": user.name, "email": user.email}
api_key = ApiKey.get_by(user_id=user.id, name=device)
if not api_key:
LOG.d("create new api key for %s and %s", user, device)
api_key = ApiKey.create(user.id, device)
db.session.commit()
ret["api_key"] = api_key.code
# so user is logged in automatically on the web
login_user(user)
return jsonify(**ret), 200
def check_token(token):
signer = Signer(flask.current_app.config["SECRET_KEY"])
try:
id = int(signer.unsign(token).decode("ascii"))
except Exception as e:
return None
user = Subscriber.query.filter_by(id=id).first()
return user
def open_session(self, app, request):
signedSessionId = request.cookie.get(app.session_cookie_name)
if not signedSessionId:
sessionId = str(uuid.uuid4())
return self.session_class(sessionId=sessionId)
signer = Signer(app.secret_key, salt=self.salt, key_derivation='hmac')
sessionId = signer.unsign(signedSessionId).decode()
return self.session_class(sessionId=sessionId)
def get_from_signed_code(cls, code, organization_id):
"""Returns a discount policy given a valid signed code, returns None otherwise"""
if not cls.is_signed_code_format(code):
return None
discount_code_base = code.split('.')[0]
policy = cls.query.filter_by(
discount_code_base=discount_code_base,
organization_id=organization_id
).one_or_none()
if not policy:
return None
signer = Signer(policy.secret)
try:
signer.unsign(code)
return policy
except BadSignature:
return None
def attachment(self, att_id):
s = Signer(current_app.config.get('SECRET_KEY'), sep='$')
try:
att_id = int(s.unsign(att_id))
attach_obj = self.model.client.model('ir.attachment')
content = attach_obj.read(att_id, ['datas'])['datas']
image_fp = StringIO(base64.b64decode(content))
return send_file(image_fp)
except BadSignature:
abort(404)
def split_cookie(self, rv):
signer = Signer(self.app.secret_key)
cookie_data = rv.headers['Set-Cookie'].split(';', 1)[0]
for cookie in cookie_data.split('&'):
name, value = cookie_data.split('=')
if name == self.app.session_cookie_name:
unsigned_value = signer.unsign(value)
return unsigned_value.split('_')
def attachment(self, att_id):
s = Signer(current_app.config.get('SECRET_KEY'), sep='$')
try:
att_id = int(s.unsign(att_id))
attach_obj = self.model.client.model('ir.attachment')
content = attach_obj.read(att_id, ['datas'])['datas']
image_fp = StringIO(base64.b64decode(content))
return send_file(image_fp)
except BadSignature:
abort(404)
def split_cookie(app, rv):
signer = Signer(app.secret_key)
cookie_data = rv.headers['Set-Cookie'].split(';', 1)[0]
for cookie in cookie_data.split('&'):
name, value = cookie_data.split('=')
if name == app.session_cookie_name:
unsigned_value = signer.unsign(value)
sid, created = unsigned_value.split(b('_'))
return sid.decode('ascii'), int(created, 16)
def cookie_unserialize(session_data, secure_key):
"""Unserialize the cookie: separate the session_id and expire_time timestamp."""
signer = Signer(secret_key=secure_key)
try:
session_data = signer.unsign(session_data).decode('utf-8')
except BadSignature:
session_data = None
if not session_data:
return None, None
session_id, session_expire = session_data.split('&')
return session_id, session_expire
def main():
k = 'bt6n4k2m'
signer = Signer(k)
s = '11878121-b36d-4c38-9f87-682e8986d1f9'
ss = signer.sign(s)
print('signed str: {}'.format(ss))
us = signer.unsign(ss)
print('unsigned str: {}'.format(us))
# 做点改动
try:
print(signer.unsign('{}a'.format(ss)))
except BadSignature as e:
print e
print('------')
cid = 110000000000000262
uid = 105697106
for i in xrange(10):
print(signer.sign("{}_{}".format(cid, uid + i)))
def split_cookie(app, rv):
signer = Signer(app.secret_key)
cookie_data = rv.headers["Set-Cookie"].split(";", 1)[0]
for cookie in cookie_data.split("&"):
name, value = cookie_data.split("=")
if name == app.session_cookie_name:
unsigned_value = signer.unsign(value)
sid, created = unsigned_value.split(b("_"))
return sid.decode("ascii"), int(created, 16)
def split_cookie(app, rv):
signer = Signer(app.secret_key)
cookie_data = rv.headers['Set-Cookie'].split(';', 1)[0]
for cookie in cookie_data.split('&'):
name, value = cookie_data.split('=')
if name == app.session_cookie_name:
unsigned_value = signer.unsign(value)
sid, created = unsigned_value.split(b('_'))
return sid.decode('ascii'), int(created, 16)
def format():
md = request.form.get(
"text", "# hello\nyou didnt put anything so this is default doc")
filename = '/tmp/' + str(uuid.uuid4())
dbg_option = request.form.get("debug", "")
template = request.form.get(
"template", """
\\documentclass[12pt]{article}
\\begin{document}
$body$
Generated by DocuFMT
\\end{document}
""")
if dbg_option != "":
# this makes us super safe
with open("/key", "r") as key_file:
skey = key_file.read().strip()
s = Signer(skey)
try:
dbg_option = s.unsign(dbg_option).decode('utf-8')
except BadSignature:
return "ERROR: debug option is not signed correctly"
with open(filename + ".md", "w") as text_file:
text_file.write(md)
with open(filename + "_template.tex", "w") as text_file:
text_file.write(template)
try:
p = Popen(('timeout', '5', 'pandoc',
'--template=' + filename + "_template.tex",
'--from=markdown', '-s', '-o', filename + '.pdf',
'--latex-engine-opt', dbg_option, filename + '.md'),
stdout=PIPE,
stderr=PIPE)
out, err = p.communicate()
exitcode = p.returncode
if exitcode != 0:
rsp = make_response(
"%s\n%s\nexited with error code %d" % (out, err, exitcode))
rsp.headers['Content-type'] = 'text/plain'
return rsp
try:
with open(filename + '.pdf', mode='rb') as pdf_file:
rsp = make_response(pdf_file.read())
rsp.headers['Content-type'] = "application/pdf"
return rsp
except FileNotFoundError:
rsp = make_response(
"%s\n%s\nNo response PDF generated" % (out, err))
rsp.headers['Content-type'] = 'text/plain'
return rsp
except Exception as e:
return "ERROR: " + str(e)
def confirm_user(data=None):
if not utils.get_config('verify_emails'):
# If the CTF doesn't care about confirming email addresses then redierct to challenges
return redirect(url_for('challenges.challenges_view'))
# User is confirming email account
if data and request.method == "GET":
try:
s = Signer(app.config['SECRET_KEY'])
email = s.unsign(urllib.unquote_plus(data.decode('base64')))
except BadSignature:
return render_template(
'confirm.html', errors=['Your confirmation link seems wrong'])
except:
return render_template(
'confirm.html',
errors=['Your link appears broken, please try again.'])
team = Teams.query.filter_by(email=email).first_or_404()
team.verified = True
db.session.commit()
logger = logging.getLogger('regs')
logger.warn("[{0}] {1} confirmed {2}".format(
time.strftime("%m/%d/%Y %X"), team.name.encode('utf-8'),
team.email.encode('utf-8')))
db.session.close()
if utils.authed():
return redirect(url_for('challenges.challenges_view'))
return redirect(url_for('auth.login'))
# User is trying to start or restart the confirmation flow
if not utils.authed():
return redirect(url_for('auth.login'))
team = Teams.query.filter_by(id=session['id']).first_or_404()
if data is None:
if request.method == "POST":
# User wants to resend their confirmation email
if team.verified:
return redirect(url_for('views.profile'))
else:
utils.verify_email(team.email)
return render_template(
'confirm.html',
team=team,
infos=['Your confirmation email has been resent!'])
elif request.method == "GET":
# User has been directed to the confirm page
team = Teams.query.filter_by(id=session['id']).first_or_404()
if team.verified:
# If user is already verified, redirect to their profile
return redirect(url_for('views.profile'))
return render_template('confirm.html', team=team)
def open_session(self, app, request):
signed_id = request.cookies.get(app.session_cookie_name)
if not signed_id:
return InMemorySession()
try:
signer = Signer(app.secret_key)
session_id = signer.unsign(signed_id).decode("utf-8")
if session_id in self._sessions:
return self._sessions[session_id]
else:
return InMemorySession()
except BadSignature:
return InMemorySession()
def verify():
s = Signer(
bytes(input("Enter a secret(!!) key: "),
encoding="UTF-8"))
try:
unsigned = s.unsign(bytes(
input("Enter data\n"),
encoding="UTF-8")).decode('UTF-8')
except BadSignature:
print("!!!!! FAILED !!!!!")
return 0
print("---")
print(unsigned)
def alias_transfer_receive_route():
"""
URL has ?alias_id=signed_alias_id
"""
s = Signer(ALIAS_TRANSFER_SECRET)
signed_alias_id = request.args.get("alias_id")
try:
alias_id = int(s.unsign(signed_alias_id))
except Exception:
flash("Invalid link", "error")
return redirect(url_for("dashboard.index"))
else:
alias = Alias.get(alias_id)
# alias already belongs to this user
if alias.user_id == current_user.id:
flash("You already own this alias", "warning")
return redirect(url_for("dashboard.index"))
mailboxes = current_user.mailboxes()
if request.method == "POST":
mailbox_ids = request.form.getlist("mailbox_ids")
# check if mailbox is not tempered with
mailboxes = []
for mailbox_id in mailbox_ids:
mailbox = Mailbox.get(mailbox_id)
if (not mailbox or mailbox.user_id != current_user.id
or not mailbox.verified):
flash("Something went wrong, please retry", "warning")
return redirect(request.url)
mailboxes.append(mailbox)
if not mailboxes:
flash("You must select at least 1 mailbox", "warning")
return redirect(request.url)
LOG.d("transfer alias from %s to %s with %s", alias.user, current_user,
mailboxes)
transfer(alias, current_user, mailboxes)
flash(f"You are now owner of {alias.email}", "success")
return redirect(url_for("dashboard.index",
highlight_alias_id=alias.id))
return render_template(
"dashboard/alias_transfer_receive.html",
alias=alias,
mailboxes=mailboxes,
)
def reset_password(token):
signerU = Signer(app.secret_key)
try:
email = signerU.unsign(token)
except BadSignature:
flash('Invalid token')
return redirect(url_for('index'))
else:
flash(email)
return render_template('reset_password.html', email=email)
def task_run():
signer = Signer(current_app.secret_key)
_data = request.form['_']
data = json.loads(signer.unsign(_data))
callname = data.get('call')
a, kw = data['args'], data['kwargs']
modname, symname = callname.rsplit('.', 1)
mod = __import__(modname, fromlist=[symname])
call = getattr(mod, symname)
call.direct(*a, **kw)
return 'ok'
def share():
if not 'sig' in request.args:
abort(403)
s = Signer(signkey)
try:
action = s.unsign(request.args['sig'])
except:
abort(403)
action = action.split('.', 1)
key = action[0]
if not key in objects:
abort(404)
return getObject(key)
def open_session(self, app, request):
signed_id = request.cookies.get(app.session_cookie_name)
if not signed_id:
return Session(new=True)
try:
signer = Signer(app.secret_key)
session_id = signer.unsign(signed_id)
if self.r.exists(b"session." + session_id):
return msgpack.unpackb(self.r.get(b"session." + session_id),
object_hook=unpack_hook,
raw=False)
else:
return Session(new=True)
except BadSignature:
return Session(new=True)
def _get_user_id():
if current_app.config.get('DEBUG'):
return request.values.get('user_id')
if 'mws-track-id' not in request.cookies:
raise MWSServerError(400, "Invalid request (missing cookie)")
key = current_app.config.get('EDX_SHARED_KEY')
s = Signer(key)
try:
user_id = s.unsign(request.cookies['mws-track-id'])
except (BadSignature, TypeError) as e:
_logger.exception(e)
raise MWSServerError(403, "Invalid request (invalid cookie)")
return user_id
def _get_user_id():
if current_app.config.get('DEBUG'):
return request.values.get('user_id')
if 'mws-track-id' not in request.cookies:
raise MWSServerError(400, "Invalid request (missing cookie)")
key = current_app.config.get('EDX_SHARED_KEY')
s = Signer(key)
try:
user_id = s.unsign(request.cookies['mws-track-id'])
except (BadSignature, TypeError) as e:
_logger.exception(e)
raise MWSServerError(403, "Invalid request (invalid cookie)")
return user_id
def get_public_deploy_key(instance_dns_name, secret, salt):
''' Wait for and retrieve instance public key.
'''
signer = Signer(secret, salt)
path = '/.well-known/deploy-key.txt'
while True:
print(' Waiting for', path)
sleep(5)
resp = requests.get('http://{}{}'.format(instance_dns_name, path))
if resp.status_code == 200:
break
return signer.unsign(resp.content)
def on_delete_signup(token):
"""Endpoint to delete signups via email"""
try:
s = Signer(get_token_secret())
signup_id = ObjectId(s.unsign(token).decode('utf-8'))
except BadSignature:
return "Unknown token"
deleteitem_internal('eventsignups', concurrency_check=False,
**{current_app.config['ID_FIELD']: signup_id})
redirect_url = current_app.config.get('SIGNUP_DELETED_REDIRECT')
if redirect_url:
return redirect(redirect_url)
else:
return current_app.config['SIGNUP_DELETED_TEXT']
def get_public_deploy_key(instance_dns_name, secret, salt):
''' Wait for and retrieve instance public key.
'''
signer = Signer(secret, salt)
path = '/.well-known/deploy-key.txt'
while True:
print(' Waiting for', path)
sleep(5)
resp = requests.get('http://{}{}'.format(instance_dns_name, path))
if resp.status_code == 200:
break
return signer.unsign(resp.content)
def confirmation(token):
signer = Signer(app.secret_key)
try:
email = signer.unsign(token)
except BadSignature:
flash('Invalid token')
return redirect(url_for('index'))
else:
userC = p.PeopleProfile.query.filter_by(email=email).first()
userC.active = True
db.session.add(userC)
db.session.commit()
flash('Your account is verified')
return redirect(url_for('user'))
def uid_is_valid(user, uid, festival):
s = Signer(SECRET_SIGN_KEY)
# cookie is uid hashed with our private key, check that the cookie was sent
cookie = cherrypy.request.cookie.get('mfc_sch'+str(uid))
if cookie:
# and if it's correct
return str(uid) == s.unsign(str(cookie.value))
elif user:
#check if this user is the user that's allowed for this uid.
with get_db() as cur:
cur.execute("select id from mfc.schedules where username = %s and festival = %s", [user['email'], festival])
r = cur.fetchall()
if r:
return str(uid) == str(r[0]['id'])
# else not valid
else:
return False
def confirm_user(data=None):
if not utils.get_config('verify_emails'):
# If the CTF doesn't care about confirming email addresses then redierct to challenges
return redirect(url_for('challenges.challenges_view'))
# User is confirming email account
if data and request.method == "GET":
try:
s = Signer(app.config['SECRET_KEY'])
email = s.unsign(urllib.unquote_plus(data.decode('base64')))
except BadSignature:
return render_template('confirm.html', errors=['Your confirmation link seems wrong'])
except:
return render_template('confirm.html', errors=['Your link appears broken, please try again.'])
team = Teams.query.filter_by(email=email).first_or_404()
team.verified = True
db.session.commit()
logger = logging.getLogger('regs')
logger.warn("[{0}] {1} confirmed {2}".format(time.strftime("%m/%d/%Y %X"), team.name.encode('utf-8'), team.email.encode('utf-8')))
db.session.close()
if utils.authed():
return redirect(url_for('challenges.challenges_view'))
return redirect(url_for('auth.login'))
# User is trying to start or restart the confirmation flow
if not utils.authed():
return redirect(url_for('auth.login'))
team = Teams.query.filter_by(id=session['id']).first_or_404()
if data is None:
if request.method == "POST":
# User wants to resend their confirmation email
if team.verified:
return redirect(url_for('views.profile'))
else:
utils.verify_email(team.email)
return render_template('confirm.html', team=team, infos=['Your confirmation email has been resent!'])
elif request.method == "GET":
# User has been directed to the confirm page
team = Teams.query.filter_by(id=session['id']).first_or_404()
if team.verified:
# If user is already verified, redirect to their profile
return redirect(url_for('views.profile'))
return render_template('confirm.html', team=team)
def decorated_view(*args, **kwargs):
"""
"""
if '_session_id' in login_session:
s = Signer('secret_key')
user_id = s.unsign(login_session.get('_session_id'))
try:
user = session.query(User).filter_by(id=user_id).one()
except NoResultFound:
app.logger.error("Error: {}.".format(NoResultFound))
if user:
return fnc(*args, **kwargs)
else:
flash("Session exists, but user does not exist (anymore)")
return make_response('not authorized')
else:
flash("Please log in")
return make_response('not authorized')
def mailbox_verify():
s = Signer(MAILBOX_SECRET)
mailbox_id = request.args.get("mailbox_id")
try:
r_id = int(s.unsign(mailbox_id))
except Exception:
flash("Invalid link. Please delete and re-add your mailbox", "error")
return redirect(url_for("dashboard.mailbox_route"))
else:
mailbox = Mailbox.get(r_id)
mailbox.verified = True
db.session.commit()
LOG.d("Mailbox %s is verified", mailbox)
return render_template("dashboard/mailbox_validation.html",
mailbox=mailbox)
def join_team(team_link):
errors = []
if authed():
user = Users.query.filter_by(id=session.get('id')).first_or_404()
s = Signer(app.config['SECRET_KEY'])
team_id = s.unsign(urllib.unquote_plus(team_link.decode('base64')))
team = Teams.query.filter_by(id=team_id).first_or_404()
user_ids = [
u.id for u in Users.query.with_entities(Users.id).filter_by(
teamid=team.id)
]
team_captain = Teams.query.filter_by(captain=user.id).first()
print team_captain
if request.method == "POST":
if len(user_ids) >= get_config('team_limit'):
errors.append('This team is full')
if team_captain:
errors.append(
"You are captain of another team, you can't join another team"
)
if errors:
return render_template('join_team.html',
team=team,
errors=errors)
user.teamid = int(team.id)
db.session.commit()
db.session.close()
return redirect(url_for('views.team_management'))
else:
if len(user_ids) >= get_config('team_limit'):
errors.append('This team is full')
if user.teamid:
errors.append(
'You are already on a team. <br>Joining a new team will take all your solves with you.'
)
if team_captain:
errors.append(
"You are captain of another team, you can't join another team"
)
return render_template('join_team.html', team=team, errors=errors)
else:
return redirect(url_for('auth.login', next=request.path))
class DriverAuth:
def __init__(self, secret_key=settings.SECRET_KEY):
if secret_key is None:
raise Exception("secret key not set")
self.s = Signer(secret_key)
def createtoken(self, id):
token = self.s.sign(str(id).encode())
return base64.b64encode(token).decode('UTF-8')
def verifytoken(self, token):
"""Returns if the token is valid otherwise, returns throws does not
exist exception """
try:
bytesToken = base64.b64decode(token.encode())
id = self.s.unsign(bytesToken)
driver = Driver.objects.get(pk=id)
return driver
except (ObjectDoesNotExist, BadSignature):
raise BadTokenError()
def confirm_user(data=None):
if not get_config('verify_emails'):
return redirect(url_for('challenges.challenges_view'))
if data and request.method == "GET": ## User is confirming email account
try:
s = Signer(app.config['SECRET_KEY'])
email = s.unsign(data.decode('base64'))
except BadSignature:
return render_template('confirm.html', errors=['Your confirmation link seems wrong'])
team = Teams.query.filter_by(email=email).first()
team.verified = True
db.session.commit()
db.session.close()
if authed():
return redirect(url_for('challenges.challenges_view'))
return redirect(url_for('auth.login'))
if not data and request.method == "GET": ## User has been directed to the confirm page because his account is not verified
team = Teams.query.filter_by(id=session['id']).first()
if team.verified:
return redirect(url_for('views.profile'))
return render_template('confirm.html', team=team)
def create_item():
"""
Create a new item for the catalog
"""
s = Signer('secret_key')
user_id = s.unsign(login_session.get('_session_id'))
category_list = session.query(Category).all()
if request.method == 'POST':
new_item = Item(name=request.form['name'],
description=request.form['description'],
category_id=request.form['category'],
created_by=user_id,
price=request.form['price'])
session.add(new_item)
try:
session.commit()
except IntegrityError:
app.logger.error("Error: {}".format(IntegrityError))
flash("Created new catalog item.")
return redirect(url_for('get_categories'))
return render_template('createitem.html', category_list=category_list)
class Pastie:
SECRET_KEY = '\x85\xe1Pc\x11n\xe0\xc76\xa1\xd9\x93$\x1ei\x06'
HTTBL_KEY = 'THIS IS NOT A VALID HTTPBL KEY'
def __init__(self, data_dir='pastes/', host='http://localhost/'):
self.httpbl = HttpBL(self.HTTBL_KEY)
self.signer = Signer(self.SECRET_KEY)
self.jinja_env = Environment(loader=FileSystemLoader(
join(dirname(__file__), 'layouts'))
)
self.host = host
self.data_dir = data_dir
if not isdir(data_dir):
makedirs(data_dir)
def render_template(self, template_name, **kwargs):
return self.jinja_env.get_template(template_name).render(**kwargs)
def sign(self, value):
return self.signer.sign(value)
def unsign(self, value):
return self.signer.unsign(value)
def dispatch(self, request, start_response):
adapter = urlmap.bind_to_environ(request.environ)
request.adapter = adapter
try:
endpoint, values = adapter.match()
return endpoint(self, request, **values)
except NotFound, e:
return Response('Not Found', 404)
except HTTPException, e:
return e
def load_user_from_signed_token(signed_token):
s = Signer(current_app.config['SECRET_KEY'])
auth_token = None
try:
auth_token = s.unsign(signed_token)
except:
pass
if auth_token:
user = User.query.filter_by(auth_token=auth_token).first()
if user:
session['auth_token'] = user.auth_token
LogEvent.remember_me_authenticated(user)
return user
else:
LogEvent.remember_me_bad_auth_token()
else:
LogEvent.remember_me_cookie_malformed()
# This causes Flask-Login to clear the "remember me" cookie. This could
# break if Flask-Login's internal implementation changes. A better way
# should be implemented. Perhaps install an after_request hook.
session['remember'] = 'clear'
return None
def open_session(self, app, request):
sessionid = request.cookies.get(app.session_cookie_name, None)
if sessionid is None:
sessionid = self.generate_sessionid()
return ServerSession(session_id=sessionid)
if self.use_sign and app.secret_key:
signer = Signer(app.secret_key, salt='flask-redis-session',
key_derivation='hmac')
try:
sessionid = signer.unsign(sessionid).decode('utf-8')
except BadSignature:
sessionid = 'None'
data = self.redis.get(self.session_prefix + sessionid)
if data is None:
return ServerSession(session_id=sessionid)
try:
json_data = self.serialization_method.loads(data)
return ServerSession(json_data, session_id=sessionid)
except:
return ServerSession(session_id=sessionid)
def attachments(self):
attach_obj = self.model.client.model('ir.attachment')
obj_id = request.args.get('id')
if not obj_id:
return abort(404)
if request.method == 'POST':
if request.args.get('action') == "delete":
attach_id = request.args.get('attach_id')
if not attach_id:
return abort(404)
try:
s = Signer(current_app.config.get('SECRET_KEY'), sep='$')
attach_id = int(s.unsign(attach_id))
except BadSignature:
return abort(404)
attach_obj.unlink([attach_id])
flash("Attachment deleted succesfully", "info")
else:
created = 0
for key, value in request.files.items():
if key.startswith('attachment_'):
content = base64.b64encode(value.read())
if not content:
continue
name_field = 'name_'+key.split('_')[1]
name = request.form.get(name_field, value.filename)
attach_obj.create({
'name': name,
'datas': content,
'datas_fname': value.filename,
'res_model': self.model._name,
'res_id': obj_id
})
created += 1
flash("%s new attachments created" % created, "info")
return redirect(url_for('.edit_view', id=obj_id))
def get_sign_safe(true_file):
s= Signer(Config.login_sign)
return s.unsign(true_file)
def unsign(s, config):
signer = Signer(config['SIGNING_KEY'])
try:
return signer.unsign(s)
except BadSignature:
raise BadRequestError()
#
# Free Coding session for 2015-03-09
# Written by Matt Warren
#
if __name__ == '__main__':
s = Signer('secret-password')
signed_string = s.sign(b'data to sign')
print(signed_string) # HMAC SHA1 signed string
# tamper with string
signed_string = b'my ' + signed_string
try:
s.unsign(signed_string)
except BadSignature as e:
print("failed to unsign the modified data")
s = TimestampSigner('secret-password', salt='signup') # adds current time to data
signed_string = s.sign(b'data to sign')
print(signed_string)
s.unsign(signed_string, max_age=5) # would only unsign if signed less than 5 seconds ago
time.sleep(2)
try:
s.unsign(signed_string, max_age=1) # would only unsign if signed less than 1 seconds ago
except SignatureExpired as e:
print('tried to unsign expired data')
s = JSONWebSignatureSerializer('secret-password')
print(s.dumps({'name': 'matt'}))
class User():
def __init__(self,secret_key):
#initialize signer
self.s = Signer(secret_key)
def deserialize(self,request):
#it runs in framework BEFORE_REQUEST function
self.cookies = request.cookies
#check stat in cookie and verify it
stat_str = str(self.cookies.get('stat'))
stat_signature = str(self.cookies.get('stat_signature'))
stat_token = stat_str+'.'+stat_signature
if stat_str=='None' or self.s.validate(stat_token)==False:
self._create_new_stat(request)
#if validation success
else:
self.stat = json.loads(stat_str)
#increase kolvo_visits
self._increase_kolvo_visits()
#add actual IP for checking log_token
self.stat['ip'] = request.environ['REMOTE_ADDR']
self.log_token = str(self.cookies.get('log_token'))
#initialize DB
self._db_init()
def serialize(self,response):
#it runs in framework AFTER_REQUEST function
stat_str = json.dumps(self.stat)
sign_str = self.s.sign(stat_str)
last_elem = len(sign_str.split('.'))
#because dots in IP
self.stat_signature = sign_str.split('.')[last_elem-1]
response.set_cookie('stat',value=stat_str)
response.set_cookie('stat_signature',value=self.stat_signature)
if self.log_token!='None':
response.set_cookie('log_token',value=self.log_token)
else:
response.set_cookie('log_token','',expires=0)
#increase visits
return response
def _create_new_stat(self,request):
self.stat = {}
self.stat['ip'] = request.environ['REMOTE_ADDR']
self.stat['first_reg'] = int(time.time())
self.stat['kolvo_visits'] = 1
self.stat['_id'] = 'yap'+str(int(time.time()))
self.stat['last_visit'] = int(time.time()/86400)
def _increase_kolvo_visits(self):
new_day = int(time.time()/86400)
if self.stat.get('last_visit')==None:
self.stat['last_visit'] = int(time.time()/86400)
if int(self.stat.get('last_visit'))<new_day:
self.stat['kolvo_visits'] = self.stat['kolvo_visits']+1
self.stat['last_visit'] = new_day
def check_auth(self,roles):
if self.log_token=='None':
return 'Error User:Not Login, Please Log IN'
if self.s.validate(self.log_token)!=True:
return 'Error User:Not Valid Login Token. Please, Log IN'
self.session = self._get_json(self.log_token)
if self.session['ip']!=self.stat['ip']:
return 'Error User:Not valid IP. Please, log IN'
if (int(time.time()) - int(self.session['ts']))>int(self.session['live_time']):
return 'Error User:Session nor fresh, please Log IN'
#check permission
for each in self.session['roles']:
if each in roles:
return True
return 'Error User:Not enough permission'
def _gen_token(self,user_id,u_doc):
self.session = {}
self.session['_id'] = user_id
self.session['name'] = u_doc['name']
self.session['ts'] = int(time.time())
self.session['roles'] = u_doc['roles']
self.session['live_time'] = u_doc.get('token_live_time')
self.session['ip'] = self.stat['ip']
#create JSON from dict and compress
j = json.dumps(self.session)
j64 = base64.b64encode(j)
#create signature
j64_sign = self.s.sign(j64)
return j64_sign
def _get_json(self,token):
if self.s.validate(token)!=True:
return 'Error User: not valid Log Token'
jb64 = self.s.unsign(token)
j = base64.b64decode(jb64)
j = json.loads(j)
return j
def login(self,user_name,user_pass):
#if user id in db and pass is equal md5 with secret
#check user name and get user doc
u_doc,u_id = self._db_check_in(user_name)
if u_doc==False:
return 'Error User:No such User'
#check pass
if self._md5_trans(user_pass)!=u_doc['pass']:
return 'Error User:Wrong Pass'
self.log_token = self._gen_token(u_id, u_doc)
return True
def registr(self,u_doc):
user_id = 'yap'+str(int(time.time()))
if self._db_check_in(u_doc['name'])!=[False,False]:
return 'Error User:There is user with the name '+u_doc['name']
u_doc['pass'] = self._md5_trans(u_doc['pass'])
self._db_add(user_id,u_doc)
return True
def drop_log_token(self):
self.log_token = 'None'
return True
def _md5_trans(self,rec):
m = md5.new()
m.update(rec)
return m.hexdigest()
########## DB #################
def _db_init(self):
cl = MongoClient('localhost',27017)
_db = cl['users']
self.db = _db['users']
def _db_check_in(self,u_name):
u_doc = self.db.find_one({'name':u_name})
if u_doc==None:
return [False,False]
return u_doc,u_doc['_id']
def _db_add(self,u_id,user_d):
user_d['_id'] = u_id
self.db.insert_one(user_d)
