 def getUserG(self, guid):
     """Look up a user by GUID.

     Returns ``(Username, Password)`` for the matching ``Users`` row, or
     ``(None, None)`` when *guid* is not a ``str``, does not match
     ``RE_UUID``, or no row exists.  The GUID is validated against
     ``RE_UUID`` before it reaches the query, and ``web.db.sqlwhere``
     builds the WHERE clause from a dict.
     """
     not_found = (None, None)
     if type(guid) is not str:
         l.error("guid type is not str")
         return not_found
     if RE_UUID.match(guid) is None:
         l.error("%s does not match regular expression '%s'." %
                 (guid, RE_UUID.pattern))
         return not_found
     rows = self.xec.select('Users',
                            what='Username,Password',
                            where=web.db.sqlwhere(dict(GUID=guid)))
     try:
         row = rows[0]
     except IndexError:
         # No row for this guid; keep the tuple shape callers expect.
         l.warn("guid %s does not exist." % guid)
         return not_found
     return (row.Username, row.Password)
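 def POST(self):
     """Handle a logon form submission.

     Requires ``username`` and ``password`` fields; missing fields and
     invalid credentials redirect back to the logon page, malformed
     values render a ``BADREQ`` error.  On success a session cookie is
     created for the user's GUID and the client is sent to ``/``.

     The stored credential is ``sha1(password + username)``: the
     username is the only salt and SHA-1 is a fast hash, so this is not
     a slow password-hashing function.  ``getValidUser`` expects a
     SHA-1 hex digest, so changing the scheme also means migrating the
     ``Users`` table.
     """
     l.info('POST logon')
     i = web.input()
     if 'username' not in i:
         l.error('username field required for POST')
         return logon_redirect()
     if 'password' not in i:
         l.error('password field required for POST')
         return logon_redirect()
     username = str(i['username'])
     password = str(i['password'])
     if not RE_USERNAME.match(username):
         l.warn('username does not match %s' % RE_USERNAME.pattern)
         return render.error(web.ctx.fullpath, 'BADREQ',
                             'malformed username')
     if not RE_PASSWORD.match(password):
         l.warn('password does not match %s' % RE_PASSWORD.pattern)
         return render.error(web.ctx.fullpath, 'BADREQ',
                             'malformed password')
     # Password first, then the username as the salt; the adduser handler
     # hashes in the same order, and the two must stay in step.
     h = hashlib.sha1()
     h.update(password)
     h.update(username)
     db_guid = web.d.getValidUser(username, h.hexdigest())
     if not db_guid:
         # Failed logons are logged (username only, never the password)
         # so repeated attempts against an account are visible.
         l.warn('invalid credentials for username %s' % username)
         return logon_redirect()
     create_cookie(str(db_guid), username)
     return web.seeother('/')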
 def getUser(self, username):
     """Look up a user by username.

     Returns ``(GUID, Password)`` for the matching ``Users`` row, or
     ``(None, None)`` when *username* is not a ``str``, is longer than
     ``USERNAME_MAX``, or no row exists.  ``Password`` is whatever the
     table stores for the row.  The WHERE clause is built from a dict
     by ``web.db.sqlwhere``.
     """
     not_found = (None, None)
     if type(username) is not str:
         l.error("username type is not str")
         return not_found
     if len(username) > USERNAME_MAX:
         l.error("%s is greater than %d characters." %
                 (username, USERNAME_MAX))
         return not_found
     rows = self.xec.select('Users',
                            what='GUID,Password',
                            where=web.db.sqlwhere(dict(Username=username)))
     try:
         row = rows[0]
     except IndexError:
         # No row for this username; keep the tuple shape callers expect.
         l.warn("username %s does not exist." % username)
         return not_found
     return (row.GUID, row.Password)
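	def POST(self):
		"""Handle a logon form submission.

		Requires ``username`` and ``password`` fields; missing fields and
		invalid credentials redirect back to the logon page, malformed values
		render a ``BADREQ`` error.  On success a session cookie is created for
		the user's GUID and the client is sent to ``/``.

		The stored credential is ``sha1(password + username)``: the username is
		the only salt and SHA-1 is a fast hash, so this is not a slow
		password-hashing function.  ``getValidUser`` expects a SHA-1 hex
		digest, so changing the scheme also means migrating the ``Users`` table.
		"""
		l.info('POST logon')
		i = web.input()
		if 'username' not in i:
			l.error('username field required for POST')
			return logon_redirect()
		if 'password' not in i:
			l.error('password field required for POST')
			return logon_redirect()
		username = str(i['username'])
		password = str(i['password'])
		if not RE_USERNAME.match(username):
			l.warn('username does not match %s' % RE_USERNAME.pattern)
			return render.error(web.ctx.fullpath, 'BADREQ', 'malformed username')
		if not RE_PASSWORD.match(password):
			l.warn('password does not match %s' % RE_PASSWORD.pattern)
			return render.error(web.ctx.fullpath, 'BADREQ', 'malformed password')
		# Password first, then the username as the salt; the adduser handler
		# hashes in the same order, and the two must stay in step.
		h = hashlib.sha1()
		h.update(password)
		h.update(username)
		db_guid = web.d.getValidUser(username, h.hexdigest())
		if not db_guid:
			# Failed logons are logged (username only, never the password)
			# so repeated attempts against an account are visible.
			l.warn('invalid credentials for username %s' % username)
			return logon_redirect()
		create_cookie(str(db_guid), username)
		return web.seeother('/')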
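 def POST(self):
     """Handle the new-account form.

     Requires ``username``, ``password``, ``password2`` and the two
     reCAPTCHA fields.  Missing or malformed fields and a failed captcha
     render a ``BADREQ`` error; an existing username renders ``EXISTS``.
     On success the new user's GUID goes into a session cookie and the
     client is sent to ``/``.

     The stored credential is ``sha1(password + username)`` and must
     stay in step with the logon handler, which hashes the same way.
     """
     l.info('POST adduser')
     i = web.input()
     # Presence of every field is checked before any value is used; the
     # log text and the client-facing text are kept per field because
     # they are not uniform across fields.
     required = (
         ('username',
          'username field required for POST', 'missing username'),
         ('password',
          'password field required for POST', 'missing password'),
         ('password2',
          'password2 field required for POST', 'missing password2'),
         ('recaptcha_challenge_field',
          'recaptcha_challenge_field required for POST',
          'missing recaptcha_challenge_field'),
         ('recaptcha_response_field',
          'recaptcha_response_field required for POST',
          'missing recaptcha_response_field'),
     )
     for field, log_msg, client_msg in required:
         if field not in i:
             l.error(log_msg)
             return render.error(web.ctx.fullpath, 'BADREQ', client_msg)
     username = str(i['username'])
     password = str(i['password'])
     password2 = str(i['password2'])
     if password != password2:
         l.warn("passwords don't match. not creating user.")
         return render.error(web.ctx.fullpath, 'BADREQ',
                             'password mismatch')
     if not RE_USERNAME.match(username):
         l.warn('username does not match %s' % RE_USERNAME.pattern)
         return render.error(web.ctx.fullpath, 'BADREQ',
                             'malformed username')
     if not RE_PASSWORD.match(password):
         l.warn('password does not match %s' % RE_PASSWORD.pattern)
         return render.error(web.ctx.fullpath, 'BADREQ',
                             'malformed password')
     # The captcha round-trip is done last, after the cheap local checks.
     result = captcha.submit(i['recaptcha_challenge_field'],
                             i['recaptcha_response_field'],
                             web.captcha_private_key,
                             web.ctx.ip)
     if result.error_code:
         l.warn('error validating captcha: %s' % result.error_code)
         return render.error(web.ctx.fullpath, 'BADREQ',
                             'bad captcha: %s' % result.error_code)
     if not result.is_valid:
         l.warn('invalid captcha')
         return render.error(web.ctx.fullpath, 'BADREQ', 'bad captcha')
     # Password first, then the username as the salt (same order as logon).
     h = hashlib.sha1()
     h.update(password)
     h.update(username)
     l.debug('Creating new user %s' % username)
     guid = web.d.addUser(username, h.hexdigest())
     if not guid:
         return render.error(web.ctx.fullpath, 'EXISTS', 'username exists')
     create_cookie(str(guid), username)
     return web.seeother('/')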
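	def deserialize(self, cookie):
		"""Split a serialized cookie into its four fixed-width fields.

		*cookie* is unpacked with ``USER_FMT + EXPR_FMT + DATA_FMT + DGST_FMT``
		and returned as ``(user, expiration, ciphertext, mac)``, with the NUL
		padding stripped from *user* and *ciphertext*.  The MAC is returned
		as-is and is not verified here.

		Raises ``struct.error`` (after logging) when *cookie* is not exactly
		the packed size, e.g. a truncated or hand-built cookie.
		"""
		fmt = USER_FMT + EXPR_FMT + DATA_FMT + DGST_FMT
		try:
			unpacked = struct.unpack(fmt, cookie)
		except struct.error:
			# A fixed format always yields the same number of fields, so the
			# only way a bad cookie shows up is struct.unpack itself failing.
			l.error("Failed to unpack cookie data.")
			raise
		user = unpacked[0]
		expiration = unpacked[1]
		ciphertext = unpacked[2]
		mac = unpacked[3]
		return (user.rstrip('\0'), expiration, ciphertext.rstrip('\0'), mac)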
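 def deserialize(self, cookie):
     """Split a serialized cookie into its four fixed-width fields.

     *cookie* is unpacked with ``USER_FMT + EXPR_FMT + DATA_FMT +
     DGST_FMT`` and returned as ``(user, expiration, ciphertext, mac)``,
     with the NUL padding stripped from *user* and *ciphertext*.  The
     MAC is returned as-is and is not verified here.

     Raises ``struct.error`` (after logging) when *cookie* is not
     exactly the packed size, e.g. a truncated or hand-built cookie.
     """
     fmt = USER_FMT + EXPR_FMT + DATA_FMT + DGST_FMT
     try:
         unpacked = struct.unpack(fmt, cookie)
     except struct.error:
         # A fixed format always yields the same number of fields, so the
         # only way a bad cookie shows up is struct.unpack itself failing.
         l.error("Failed to unpack cookie data.")
         raise
     user = unpacked[0]
     expiration = unpacked[1]
     ciphertext = unpacked[2]
     mac = unpacked[3]
     return (user.rstrip('\0'), expiration, ciphertext.rstrip('\0'), mac)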
 def POST(self):
     """Show the checkout page for the requested book.

     Anonymous requests are redirected to the logon page; a POST without
     a ``book`` field is sent back to ``/``.  The user record is
     recovered from the session cookie and passed, together with the
     raw ``book`` value, to the checkout template.
     """
     l.info('POST checkout')
     if not logged_on():
         return logon_redirect()
     params = web.input()
     if 'book' not in params:
         l.error('book required for POST')
         return web.seeother('/')
     book_id = params['book']
     cookie_serial = web.cookies().get(COOKIE_NAME)
     current_user = session.cookie.getData(cookie_serial)
     return render.checkout(current_user, book_id)
	def POST(self):
		"""Show the checkout page for the requested book.

		Anonymous requests are redirected to the logon page; a POST without a
		``book`` field is sent back to ``/``.  The user record is recovered from
		the session cookie and passed, together with the raw ``book`` value, to
		the checkout template.
		"""
		l.info('POST checkout')
		if not logged_on():
			return logon_redirect()
		params = web.input()
		if 'book' not in params:
			l.error('book required for POST')
			return web.seeother('/')
		book_id = params['book']
		cookie_serial = web.cookies().get(COOKIE_NAME)
		current_user = session.cookie.getData(cookie_serial)
		return render.checkout(current_user, book_id)
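	def POST(self):
		"""Handle the new-account form.

		Requires ``username``, ``password``, ``password2`` and the two reCAPTCHA
		fields.  Missing or malformed fields and a failed captcha render a
		``BADREQ`` error; an existing username renders ``EXISTS``.  On success
		the new user's GUID goes into a session cookie and the client is sent
		to ``/``.

		The stored credential is ``sha1(password + username)`` and must stay in
		step with the logon handler, which hashes the same way.
		"""
		l.info('POST adduser')
		i = web.input()
		# Presence of every field is checked before any value is used; the log
		# text and the client-facing text are kept per field because they are
		# not uniform across fields.
		required = (
			('username', 'username field required for POST', 'missing username'),
			('password', 'password field required for POST', 'missing password'),
			('password2', 'password2 field required for POST', 'missing password2'),
			('recaptcha_challenge_field', 'recaptcha_challenge_field required for POST', 'missing recaptcha_challenge_field'),
			('recaptcha_response_field', 'recaptcha_response_field required for POST', 'missing recaptcha_response_field'),
		)
		for field, log_msg, client_msg in required:
			if field not in i:
				l.error(log_msg)
				return render.error(web.ctx.fullpath, 'BADREQ', client_msg)
		username = str(i['username'])
		password = str(i['password'])
		password2 = str(i['password2'])
		if password != password2:
			l.warn("passwords don't match. not creating user.")
			return render.error(web.ctx.fullpath, 'BADREQ', 'password mismatch')
		if not RE_USERNAME.match(username):
			l.warn('username does not match %s' % RE_USERNAME.pattern)
			return render.error(web.ctx.fullpath, 'BADREQ', 'malformed username')
		if not RE_PASSWORD.match(password):
			l.warn('password does not match %s' % RE_PASSWORD.pattern)
			return render.error(web.ctx.fullpath, 'BADREQ', 'malformed password')
		# The captcha round-trip is done last, after the cheap local checks.
		result = captcha.submit(i['recaptcha_challenge_field'], i['recaptcha_response_field'], web.captcha_private_key, web.ctx.ip)
		if result.error_code:
			l.warn('error validating captcha: %s' % result.error_code)
			return render.error(web.ctx.fullpath, 'BADREQ', 'bad captcha: %s' % result.error_code)
		if not result.is_valid:
			l.warn('invalid captcha')
			return render.error(web.ctx.fullpath, 'BADREQ', 'bad captcha')
		# Password first, then the username as the salt (same order as logon).
		h = hashlib.sha1()
		h.update(password)
		h.update(username)
		l.debug('Creating new user %s' % username)
		guid = web.d.addUser(username, h.hexdigest())
		if not guid:
			return render.error(web.ctx.fullpath, 'EXISTS', 'username exists')
		create_cookie(str(guid), username)
		return web.seeother('/')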
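 def getValidUser(self, username, password):
     """Return the GUID of the user whose stored credential matches.

     *password* is the SHA-1 hex digest computed by the caller, not the
     plaintext; it is checked against ``RE_SHA1`` before use.  Returns
     ``None`` when either argument is not a ``str``, *username* exceeds
     ``USERNAME_MAX``, *password* is not a SHA-1 hex digest, or no
     ``Users`` row has that username/password pair.  The pair is
     compared by the database in the WHERE clause that
     ``web.db.sqlwhere`` builds from a dict.
     """
     if not isinstance(username, str):
         l.error("username type is not str")
         return None
     if len(username) > USERNAME_MAX:
         l.error("%s is more than %d characters." %
                 (username, USERNAME_MAX))
         return None
     if not isinstance(password, str):
         l.error("password type is not str")
         return None
     if not RE_SHA1.match(password):
         # Log only the pattern: a value that fails this check may be a
         # plaintext password passed by mistake and must not reach the log.
         l.error("password does not match regular expression '%s'." %
                 RE_SHA1.pattern)
         return None
     where = dict(Username=username, Password=password)
     rows = self.xec.select('Users',
                            what='GUID',
                            where=web.db.sqlwhere(where))
     try:
         row = rows[0]
     except IndexError:
         # No row matched the pair; the log does not say which half was wrong.
         l.warn("Bad password match for user %s" % username)
         return None
     return row.GUID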
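 def addUser(self, username, password):
     """Insert a new ``Users`` row and return its freshly generated GUID.

     *password* is the SHA-1 hex digest computed by the caller, not the
     plaintext; it is checked against ``RE_SHA1`` before the insert.
     Returns ``None`` when either argument is not a ``str``, *username*
     exceeds ``USERNAME_MAX``, *password* is not a SHA-1 hex digest, or
     the insert raises ``sqlite3.IntegrityError``, which is treated as
     "username already exists".
     """
     if not isinstance(username, str):
         l.error("username type is not str.")
         return None
     if not isinstance(password, str):
         l.error("password type is not str.")
         return None
     if len(username) > USERNAME_MAX:
         l.error('username is greater than %d characters.' % USERNAME_MAX)
         return None
     if not RE_SHA1.match(password):
         # Log only the pattern: a value that fails this check may be a
         # plaintext password passed by mistake and must not reach the log.
         l.error("password does not match regular expression '%s'." %
                 RE_SHA1.pattern)
         return None
     # The guid is stored in the session cookie with the user; uuid4 is
     # random, so it is not derived from the username.
     guid = str(uuid.uuid4())
     try:
         self.xec.insert('Users',
                         GUID=guid,
                         Username=username,
                         Password=password)
     except sqlite3.IntegrityError:
         l.warn("username %s already exists." % username)
         return None
     return guid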
Archivo: db.py Proyecto: eherde/ctfblue
	def getUserG(self, guid):
		"""Look up a user by GUID.

		Returns ``(Username, Password)`` for the matching ``Users`` row, or
		``(None, None)`` when *guid* is not a ``str``, does not match
		``RE_UUID``, or no row exists.  The GUID is validated against
		``RE_UUID`` before it reaches the query, and ``web.db.sqlwhere`` builds
		the WHERE clause from a dict.
		"""
		not_found = (None, None)
		if type(guid) is not str:
			l.error("guid type is not str")
			return not_found
		if RE_UUID.match(guid) is None:
			l.error("%s does not match regular expression '%s'." % (guid, RE_UUID.pattern))
			return not_found
		rows = self.xec.select('Users', what='Username,Password', where=web.db.sqlwhere(dict(GUID=guid)))
		try:
			row = rows[0]
		except IndexError:
			# No row for this guid; keep the tuple shape callers expect.
			l.warn("guid %s does not exist." % guid)
			return not_found
		return (row.Username, row.Password)
Archivo: db.py Proyecto: eherde/ctfblue
	def getUser(self, username):
		"""Look up a user by username.

		Returns ``(GUID, Password)`` for the matching ``Users`` row, or
		``(None, None)`` when *username* is not a ``str``, is longer than
		``USERNAME_MAX``, or no row exists.  ``Password`` is whatever the table
		stores for the row.  The WHERE clause is built from a dict by
		``web.db.sqlwhere``.
		"""
		not_found = (None, None)
		if type(username) is not str:
			l.error("username type is not str")
			return not_found
		if len(username) > USERNAME_MAX:
			l.error("%s is greater than %d characters." % (username, USERNAME_MAX))
			return not_found
		rows = self.xec.select('Users', what='GUID,Password', where=web.db.sqlwhere(dict(Username=username)))
		try:
			row = rows[0]
		except IndexError:
			# No row for this username; keep the tuple shape callers expect.
			l.warn("username %s does not exist." % username)
			return not_found
		return (row.GUID, row.Password)
Archivo: db.py Proyecto: eherde/ctfblue
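	def addUser(self, username, password):
		"""Insert a new ``Users`` row and return its freshly generated GUID.

		*password* is the SHA-1 hex digest computed by the caller, not the
		plaintext; it is checked against ``RE_SHA1`` before the insert.  Returns
		``None`` when either argument is not a ``str``, *username* exceeds
		``USERNAME_MAX``, *password* is not a SHA-1 hex digest, or the insert
		raises ``sqlite3.IntegrityError``, which is treated as "username already
		exists".
		"""
		if not isinstance(username, str):
			l.error("username type is not str.")
			return None
		if not isinstance(password, str):
			l.error("password type is not str.")
			return None
		if len(username) > USERNAME_MAX:
			l.error('username is greater than %d characters.' % USERNAME_MAX)
			return None
		if not RE_SHA1.match(password):
			# Log only the pattern: a value that fails this check may be a
			# plaintext password passed by mistake and must not reach the log.
			l.error("password does not match regular expression '%s'." % RE_SHA1.pattern)
			return None
		# The guid is stored in the session cookie with the user; uuid4 is
		# random, so it is not derived from the username.
		guid = str(uuid.uuid4())
		try:
			self.xec.insert('Users', GUID=guid, Username=username, Password=password)
		except sqlite3.IntegrityError:
			l.warn("username %s already exists." % username)
			return None
		return guid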
Archivo: db.py Proyecto: eherde/ctfblue
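	def getValidUser(self, username, password):
		"""Return the GUID of the user whose stored credential matches.

		*password* is the SHA-1 hex digest computed by the caller, not the
		plaintext; it is checked against ``RE_SHA1`` before use.  Returns
		``None`` when either argument is not a ``str``, *username* exceeds
		``USERNAME_MAX``, *password* is not a SHA-1 hex digest, or no ``Users``
		row has that username/password pair.  The pair is compared by the
		database in the WHERE clause that ``web.db.sqlwhere`` builds from a dict.
		"""
		if not isinstance(username, str):
			l.error("username type is not str")
			return None
		if len(username) > USERNAME_MAX:
			l.error("%s is more than %d characters." % (username, USERNAME_MAX))
			return None
		if not isinstance(password, str):
			l.error("password type is not str")
			return None
		if not RE_SHA1.match(password):
			# Log only the pattern: a value that fails this check may be a
			# plaintext password passed by mistake and must not reach the log.
			l.error("password does not match regular expression '%s'." % RE_SHA1.pattern)
			return None
		where = dict(Username=username, Password=password)
		rows = self.xec.select('Users', what='GUID', where=web.db.sqlwhere(where))
		try:
			row = rows[0]
		except IndexError:
			# No row matched the pair; the log does not say which half was wrong.
			l.warn("Bad password match for user %s" % username)
			return None
		return row.GUID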
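 def POST(self):
     """Show the purchase confirmation page.

     Anonymous requests go to the logon page.  ``name``, ``card``,
     ``ccv``, ``expmonth``, ``expyear`` and ``book`` must all be present;
     ``name`` and ``card`` are additionally matched against ``RE_NAME``
     and ``RE_CARDNO``.  ``ccv``, ``expmonth`` and ``expyear`` are only
     checked for presence and are neither read nor forwarded here.  The
     ``book`` value is passed as-is to ``web.d.getPrice`` and to the
     template.
     """
     l.info('POST purchase')
     if not logged_on():
         return logon_redirect()
     i = web.input()
     # Presence checks first; the messages follow one pattern per field.
     for field in ('name', 'card', 'ccv', 'expmonth', 'expyear', 'book'):
         if field not in i:
             l.error('%s required for POST' % field)
             return render.error(web.ctx.fullpath, 'BADREQ',
                                 'missing %s' % field)
     name = i['name']
     card = i['card']
     book = i['book']
     if not RE_NAME.match(name):
         l.warn('name does not match %s' % RE_NAME.pattern)
         return render.error(web.ctx.fullpath, 'BADREQ', 'malformed name')
     if not RE_CARDNO.match(card):
         # Only the pattern is logged; the card number itself stays out.
         l.warn('card does not match %s' % RE_CARDNO.pattern)
         return render.error(web.ctx.fullpath, 'BADREQ', 'malformed card')
     price = web.d.getPrice(book)
     # Cookie handling traces are debug-level; they are not failures.
     l.debug("getting cookie")
     serial = web.cookies().get(COOKIE_NAME)
     l.debug("got serial")
     user = session.cookie.getData(serial)
     l.debug("got cookie")
     return render.purchase(user, name, card, book, price)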
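	def POST(self):
		"""Show the purchase confirmation page.

		Anonymous requests go to the logon page.  ``name``, ``card``, ``ccv``,
		``expmonth``, ``expyear`` and ``book`` must all be present; ``name`` and
		``card`` are additionally matched against ``RE_NAME`` and ``RE_CARDNO``.
		``ccv``, ``expmonth`` and ``expyear`` are only checked for presence and
		are neither read nor forwarded here.  The ``book`` value is passed as-is
		to ``web.d.getPrice`` and to the template.
		"""
		l.info('POST purchase')
		if not logged_on():
			return logon_redirect()
		i = web.input()
		# Presence checks first; the messages follow one pattern per field.
		for field in ('name', 'card', 'ccv', 'expmonth', 'expyear', 'book'):
			if field not in i:
				l.error('%s required for POST' % field)
				return render.error(web.ctx.fullpath, 'BADREQ', 'missing %s' % field)
		name = i['name']
		card = i['card']
		book = i['book']
		if not RE_NAME.match(name):
			l.warn('name does not match %s' % RE_NAME.pattern)
			return render.error(web.ctx.fullpath, 'BADREQ', 'malformed name')
		if not RE_CARDNO.match(card):
			# Only the pattern is logged; the card number itself stays out.
			l.warn('card does not match %s' % RE_CARDNO.pattern)
			return render.error(web.ctx.fullpath, 'BADREQ', 'malformed card')
		price = web.d.getPrice(book)
		# Cookie handling traces are debug-level; they are not failures.
		l.debug("getting cookie")
		serial = web.cookies().get(COOKIE_NAME)
		l.debug("got serial")
		user = session.cookie.getData(serial)
		l.debug("got cookie")
		return render.purchase(user, name, card, book, price)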