def setmfa():
user = User.query.filter_by(username=session.get("username")).first()
if request.method == "GET":
if not user.mfa_status:
user.secret = get_secret()
db.session.add(user)
db.session.commit()
return render_template("mfa.html",
secret=user.secret,
nickname=user.nickname)
else:
return render_template("closemfa.html")
if request.method == "POST":
onecode = request.form.get("onecode")
twocode = request.form.get("twocode")
# 判断身份宝验证码是否正确
if totp.valid_totp(token=twocode,
secret=user.secret) and totp.valid_totp(
token=onecode,
secret=user.secret,
clock=int(time.time()) - 30):
if user.mfa_status == False:
user.mfa_status = True
else:
user.mfa_status = False
db.session.add(user)
db.session.commit()
return redirect(request.referrer)
else:
print(onecode, twocode)
return redirect(request.referrer)
def post(self, request, format=None):
valid = False
user_id = request.data['userId']
verification_code = request.data['verificationCode']
user = BoxUsers.objects.annotate(
bu_roleid=F('boxuserrole__boxRoles__br_id'),
bu_fullname=Case(When(Q(bu_lastname=None) | Q(bu_lastname=''),
then='bu_firstname'),
default=Concat('bu_firstname', Value(' '),
'bu_lastname')),
).get(pk=user_id)
box_user_info = BoxUserinfo.objects.filter(boxUsers__bu_id=user_id)
if len(box_user_info) > 0:
certify = box_user_info[0].ui_certify
valid = otp.valid_totp(verification_code, certify)
if valid is False:
return Response({
'code': Code.IMPROPER_CODE.value,
'message': Code.IMPROPER_CODE.name
})
return login_success(request, user)
def test_validating_invalid_totp_for_same_secret(self):
"""
Test case when the same secret is used, but the token differs
"""
secret = b'MFRGGZDFMZTWQ2LK'
with timecop.freeze(time.time()):
self.assertFalse(valid_totp(get_totp(secret)+1, secret))
def test_validating_totp_for_same_secret(self):
"""
Check if validating TOTP generated for the same secret works
"""
secret = b'MFRGGZDFMZTWQ2LK'
with timecop.freeze(time.time()):
self.assertTrue(valid_totp(get_totp(secret), secret))
def login_totp():
nickname = request.forms.get('nickname')
password = request.forms.get('password')
totp = request.forms.get('totp')
usuarios = db.users.find({'_id': nickname})
if usuarios.count() != 1:
return template("errorUsuarioContrasenia.tpl")
#Obtenermos al usuario:
for i in usuarios:
name = i['name']
saltNick = str(i['salt'])
passwordNick = i['password']
seed = i['seed']
password = password + PEPPER
#Hacemos la funcion hash
dk = hashlib.pbkdf2_hmac('sha256', str.encode(password),
str.encode(saltNick), 100000)
password = binascii.hexlify(dk)
#Una vez conseguida la contraseña la comparamos con la que haya metido el usuario.
if password != passwordNick:
return template("errorUsuarioContrasenia.tpl")
#Validamos el TOTP
valid_totp = onetimepass.valid_totp(token=totp, secret=seed)
if valid_totp:
return template("errorUsuarioContrasenia.tpl")
else:
return template('logeado.tpl', name=name)
def login_(totp=False):
req_fields = ['nickname', 'password']
if totp:
req_fields.append('totp')
valid, data, msg = form_data(req_fields)
if valid:
# busca un usuario con ese id (nickname)
r = c.find_one({'_id': data['nickname']})
# Si lo encuentra continua con las comprobaciones
valid = False
if r:
# Verifica la contraseña pasada
if argon2.verify(data['password'], r['password']):
# Si ha entrado por /login y en la BD no tiene el campo totp (login normal)
try:
if not totp and not ('totp' in r.keys()):
valid = True
# Si ha entrado por /login_totp y en la BD existe el campo totp y este es válido (login con totp)
elif totp and ('totp' in r.keys()) and otp.valid_totp(token=data['totp'], secret=r['totp']):
valid = True
except KeyError:
pass
if valid:
msg = "Bienvenido " + r['name']
print(msg)
return msg
else:
msg = "Usuario o contraseña incorrectos"
print(msg)
return msg
else:
msg = "Datos inválidos: " + msg
print(msg)
return msg
def totp_verify_token(userid, token): otp_secret = totp_get_secret_key(userid) if otp_secret == None: return False else: return onetimepass.valid_totp(token, otp_secret)
def login_totp():
username = str(request.forms.get('username')).lower()
password = str(request.forms.get('password')).lower()
totpCode = str(request.forms.get('totpCode')).lower()
User = db.users.find_one({
"_id" : username
});
if not User: # Username doesn't exists
return template('result', message='Usuario o contraseña incorrectos');
if not validPassword(password, User['password']): # Old password doesnt match
return template('result', message='Usuario o contraseña incorrectos');
token = totpCode
secret = User['secretKey']
valid = otp.valid_totp(token, secret)
if not valid:
return template('result', message='Usuario o contraseña incorrectos')
# For security reasons, remove secret Key and password
# from the User Dictionary before return them to the view.
del User['secretKey']
del User['password']
return template('welcome', user=User);
def test_validating_correct_hotp_as_totp(self):
"""
Check if valid TOTP will work as HOTP - should not work, unless for
very big interval number (matching Unix epoch timestamp)
"""
secret = b'MFRGGZDFMZTWQ2LK'
self.assertFalse(valid_totp(get_hotp(secret, 1), secret))
def dispatch_request(self, id):
super(WalletUnlockView, self).dispatch_request(id)
otpsetting = session.query(Setting).get('otpsecret')
if otpsetting:
form = OTPUnlockForm(request.form)
secret = otpsetting.value
otp_valid = otp.valid_totp(token=form.otp.data, secret=secret)
else:
form = UnlockForm(request.form)
otp_valid = True
if request.method == 'POST' and form.validate() and otp_valid:
flash("OTP valid", "success")
try:
ret = self.conn.walletpassphrase(form.passphrase.data,
form.timeout.data)
flash('Wallet unlocked', 'success')
return redirect(
url_for('wallet.wallet_detail', id=self.wallet.id))
except WalletPassphraseIncorrect:
flash('Passphrase incorrect', 'error')
except WalletAlreadyUnlocked:
flash('Wallet already unlocked', 'error')
elif request.method == 'POST' and form.validate() and not otp_valid:
flash("OTP invalid", "error")
return render_template('wallet/wallet/unlock.html',
wallet=self.wallet,
form=form)
def verify_token(userid, token):
otp_secret = get_secret_key(userid)
if otp_secret == None:
return False
else:
return onetimepass.valid_totp(token, otp_secret)
def test_validating_totp_for_same_secret(self):
"""
Check if validating TOTP generated for the same secret works
"""
secret = b'MFRGGZDFMZTWQ2LK'
with timecop.freeze(time.time()):
self.assertTrue(valid_totp(get_totp(secret), secret))
def login_totp():
username = str(request.forms.get('username')).lower()
password = str(request.forms.get('password')).lower()
totpCode = str(request.forms.get('totpCode')).lower()
User = db.users.find_one({
"_id" : username
});
if not User: # Username doesn't exists
return template('result', message='Usuario o contraseña incorrectos');
if not validPassword(password, User['password']): # Old password doesnt match
return template('result', message='Usuario o contraseña incorrectos');
token = totpCode
secret = User['secretKey']
valid = otp.valid_totp(token, secret)
if not valid:
return template('result', message='Usuario o contraseña incorrectos')
# For security reasons, remove secret Key and password
# from the User Dictionary before return them to the view.
del User['secretKey']
del User['password']
return template('welcome', user=User);
def register(request):
if request.method == 'POST':
from app.forms import UserForm
user_form = UserForm(data=request.POST)
if user_form.is_valid():
secureKey = request.POST['secureKey']
my_secret = request.POST['key']
if (otp.valid_totp(token=secureKey, secret=my_secret) == False):
request.session[
'message'] = 'the secure key is not correct please try again'
return redirect("/")
user = user_form.save()
user.set_password(user.password)
user.save()
request.session['message'] = 'registration done please login'
return redirect("/")
else:
request.session['error'] = user_form.errors
return redirect("/")
def test_validating_invalid_totp_for_same_secret(self):
"""
Test case when the same secret is used, but the token differs
"""
secret = b'MFRGGZDFMZTWQ2LK'
with timecop.freeze(time.time()):
self.assertFalse(valid_totp(get_totp(secret) + 1, secret))
def post(self, request):
user_id = request.data['userId']
certify = request.data['certify']
verification_code = request.data['verificationCode']
box_user_info = BoxUserinfo.objects.filter(boxUsers__bu_id=user_id)
if len(box_user_info) > 0:
user_info = box_user_info[0]
user_certify = user_info.ui_certify
if user_certify is not None and user_certify != '':
certify = user_certify
else:
user = BoxUsers.objects.get(pk=user_id)
user_info = BoxUserinfo.objects.create(boxUsers=user)
valid = otp.valid_totp(verification_code, certify)
if valid:
user_info.ui_certify = certify
user_info.save()
return Response({'valid': valid})
def verify_otp(self, token):
"""
verifing the otp entered by user
:param token:
:return:
"""
return onetimepass.valid_totp(token, self.second_factor_c)
def dispatch_request(self, id):
super(WalletUnlockView, self).dispatch_request(id)
otpsetting = session.query(Setting).get('otpsecret')
if otpsetting:
form = OTPUnlockForm(request.form)
secret = otpsetting.value
otp_valid = otp.valid_totp(token=form.otp.data, secret=secret)
else:
form = UnlockForm(request.form)
otp_valid = True
if request.method == 'POST' and form.validate() and otp_valid:
flash("OTP valid", "success")
try:
ret = self.conn.walletpassphrase(form.passphrase.data,
form.timeout.data)
flash('Wallet unlocked', 'success')
return redirect(url_for('wallet.wallet_detail',
id=self.wallet.id))
except WalletPassphraseIncorrect:
flash('Passphrase incorrect', 'error')
except WalletAlreadyUnlocked:
flash('Wallet already unlocked', 'error')
elif request.method == 'POST' and form.validate() and not otp_valid:
flash("OTP invalid", "error")
return render_template('wallet/wallet/unlock.html', wallet=self.wallet,
form=form)
def post(self):
cfg = self.application.config.get('deposit_agent')
operator_id = self.current_user['id']
args = self.json_args
auth_num = args.get('auth_num')
type = args.get('type')
secret = None
ttl = 0
interval = 30
if type == 'approve':
secret = cfg['op_secret'].get(operator_id)
ttl = 60 * 60
interval = 30
elif type == 'quota':
secret = cfg['secret']
ttl = 60 * 10
else:
self.send_error(500)
flag = otp.valid_totp(auth_num,
secret,
interval_length=interval,
window=1)
request_log.info('AUTH %s %s', type, flag)
if flag:
self.master.setex('auth:%s:%s' % (operator_id, type), ttl, 'ok')
else:
self.finish(json.dumps({'status': 'fail', 'msg': '认证码错误,请重新操作'}))
return
self.finish(json.dumps({'status': 'success'}))
def is_valid_token(self, token):
"""
Validates a time-based one-time password (TOTP) as generated by a user's
2fa application against the TOTP generated locally by the onetimepass
module. Assuming the user generated a TOTP with a common shared one-time
password secret (otp_secret), these passwords should match.
"""
return onetimepass.valid_totp(token, self.otp_secret)
def valid_otp(passwd, chat_id):
my_secret = base64.b32encode(str(chat_id))
#my_secret = 'MFRGGZDFxMZTWQ2LK'
got_token = passwd # should be probably from some user's input
is_valid = otp.valid_totp(token=got_token,
secret=my_secret,
interval_length=300)
return is_valid
def test_validating_correct_hotp_as_totp(self):
"""
Check if valid TOTP will work as HOTP - should not work, unless for
very big interval number (matching Unix epoch timestamp)
"""
secret = b'MFRGGZDFMZTWQ2LK'
with timecop.freeze(time.time()):
self.assertFalse(valid_totp(get_hotp(secret, 1), secret))
def verify_mfa_setup_complete(self, token):
''' Once the user submits a TOTP that is correct enable MFA'''
if onetimepass.valid_totp(token, self.otp_secret):
self.mfa_enabled = True
self.save()
return True
return False
def clean(self):
username = self.cleaned_data.get('username')
password = self.cleaned_data.get('password')
otp = self.cleaned_data.get('otp')
region = self.cleaned_data.get('region')
tenant = self.cleaned_data.get('tenant')
if not tenant:
tenant = None
if not (username and password):
# Don't authenticate, just let the other validators handle it.
return self.cleaned_data
#trunglq add
parser = argparse.ArgumentParser()
parser.add_argument('-c',default='/etc/keystone/keystone.conf')
options = parser.parse_args()
conf_file_options = PropertyCollecter.collect_properties(open(options.c))
cflag=0
for k, v in sorted(conf_file_options.items()):
if k=='connection':
cflag=1
break
if cflag==0:
print "No connection string"
return self.cleaned_data
engine = create_engine(v[0])
connstring="select extra from user where name= '%s'" %(username)
connection = engine.connect()
result = connection.execute(connstring)
rflag=0
for row in result:
sk = json.loads(row['extra'])
rflag=1
connection.close()
if rflag==0:
return self.cleaned_data
else:
try:
my_secret=sk['secretkey']
if my_secret=='':
self.user_cache = authenticate(request=self.request, username=username, password=password, tenant=tenant, auth_url=region)
else:
if onetimepass.valid_totp(token=otp, secret=my_secret):
try:
self.user_cache = authenticate(request=self.request,
username=username,
password=password,
tenant=tenant,
auth_url=region)
except KeystoneAuthException as exc:
self.request.session.flush()
raise forms.ValidationError(exc)
except Exception as err:
self.user_cache = authenticate(request=self.request, username=username, password=password, tenant=tenant, auth_url=region)
self.check_for_test_cookie()
return self.cleaned_data
def verify_totp(self, token: str) -> bool:
"""
This method will return true if the totp secret is none,
maybe 2fa has been enabled in the database without providing a totp secret by an admin
"""
ret = True
if self.totp_secret:
ret = onetimepass.valid_totp(token, self.totp_secret)
return ret
def check_time_based_token(self):
my_token = self.token
my_secret = self.organization.secretKey
if my_secret is None:
raise Exception("Error during checking time-based token. The secret key of the Apigee organization %s is empty" % (self.organization.organizationName))
print("Checking the time-based token")
is_valid = otp.valid_totp(token=my_token, secret=my_secret)
print(is_valid)
return is_valid
def validate(username, token):
session = Session()
user = session.query(User).filter(User.name == username).one()
secret = user.otp_secret
response = 'invalid'
if otp.valid_totp(token=token, secret=secret):
user.missed_alerts = 0
response = 'valid'
session.commit()
session.close()
return response
def verifyuser(userid,token):
db = DB()
cur, status = db.query("select email, secret from Users where Id=%s",(userid,))
row = cur.fetchone()
if row == None:
#should never happen
print "Invalid user entered"
return False, None
else:
#print otp.valid_totp(token, row['secret'])
return otp.valid_totp(token, row['secret']), row['email']
def authenticate(self, username=None, password=None, token=None):
user = super(TOTPBackend, self).authenticate(username, password)
try:
secret = TOTPAuth.objects.get(user=user)
except TOTPAuth.DoesNotExist:
if token == None:
return user
else:
return None
is_valid = otp.valid_totp(token=token, secret=secret)
if is_valid:
return user
def login_totp():
nickname = request.forms.get('nickname')
password = request.forms.get('password')
totp = request.forms.get('totp')
#Comprobamos que el usuario exista y que la contraseña introducida sea la correcta.
user = get_user(nickname)
if (not check_password(nickname, password)
or not op.valid_totp(token=totp, secret=user['seed'])):
result = "Usuario o contrase~na incorrectos"
else:
user = get_user(nickname)
result = "Bienvenido " + user['name']
return template('result.tpl', msg=result)
def login():
if request.method=="POST":
# GEt form fields
username = request.form['username']
password_candidate = request.form['password']
if request.form.get('2FA_chekbox') != None:
token_candidate = request.form['token']
else:
token_candidate = None
result = Rootdb.query.filter_by(username = username).first() or 0
if result:
password = result.password
token = result.secret
if token_candidate != None and token!='None':
condition = onetimepass.valid_totp(token_candidate, token)
elif token!='None' and token_candidate == None:
condition = False
elif token_candidate != None and token == 'None':
condition = False
else:
condition = True
#app.logger.info(token)
#Compare the password
if sha256_crypt.verify(password_candidate,password) and condition:
#app.logger.info("Password Matched")
session['logged_in'] = True
session['Name'] = result.name
session['username'] = result.username
flash("You are now logged in",'success')
try:
return redirect(url_for(session['faild_page']))
except:
return redirect(url_for('dashboard'))
else:
error = "Invalid Credentials"
return render_template('login.html', error=error)
#app.logger.info("Password Does not Match",error=error)
else:
error = "Username not found"
return render_template('login.html',error=error)
#app.logger.info("No User",error=error)
return render_template('login.html')
def authenticate(self, username=None, password=None, secureKey=None):
""" Authenticate a user based onu sername, password and secureKey. """
try:
User = get_user_model()
user = User.objects.get(username=username)
if user.check_password(password):
my_secret = user.get_key()
if( otp.valid_totp(token=secureKey, secret=my_secret) ):
return user
return None
except User.DoesNotExist:
return None
return None
def verify_password(username, password):
if "expire_at" in session:
if dt.datetime.strptime(
session.get("expire_at"),
"%Y-%m-%dT%H:%M:%S.%fZ") <= dt.datetime.utcnow():
session.clear()
return False
else:
return True
check = onetimepass.valid_totp(password, app.config['TOTP_SECRET'])
if check:
session["auth"] = "totp"
session["expire_at"] = (dt.datetime.utcnow() +
dt.timedelta(hours=24)).isoformat() + "Z"
session["domain"] = request.host
return check
def validate_token(token, user=None):
"""
Validates the given token.
:param string token:
:return bool:
"""
if user is None:
user = api.user.get_current()
secret = get_secret(user)
# logger.debug('secret: {0}'.format(secret))
validation_result = valid_totp(token=token, secret=secret)
return validation_result
def test_validating_totp_with_a_window(self):
"""
validate if a totp token falls within a certain window
"""
secret = b'MFRGGZDFMZTWQ2LK'
totp = get_totp(secret=secret, clock=(int(time.time()-30)))
self.assertFalse(valid_totp(totp,secret))
self.assertTrue(valid_totp(totp,secret,window=1))
totp = get_totp(secret=secret, clock=(int(time.time()+30)))
self.assertFalse(valid_totp(totp,secret))
self.assertTrue(valid_totp(totp,secret,window=1))
totp = get_totp(secret=secret, clock=(int(time.time()-59)))
self.assertFalse(valid_totp(totp,secret))
self.assertFalse(valid_totp(totp,secret,window=1))
self.assertTrue(valid_totp(totp,secret,window=2))
def test_validating_totp_with_a_window(self):
"""
validate if a totp token falls within a certain window
"""
secret = b'MFRGGZDFMZTWQ2LK'
with timecop.freeze(time.time()):
totp = get_totp(secret=secret, clock=(int(time.time() - 30)))
self.assertFalse(valid_totp(totp, secret))
self.assertTrue(valid_totp(totp, secret, window=1))
totp = get_totp(secret=secret, clock=(int(time.time() + 30)))
self.assertFalse(valid_totp(totp, secret))
self.assertTrue(valid_totp(totp, secret, window=1))
totp = get_totp(secret=secret, clock=(int(time.time() - 60)))
self.assertFalse(valid_totp(totp, secret))
self.assertFalse(valid_totp(totp, secret, window=1))
self.assertTrue(valid_totp(totp, secret, window=2))
def code():
if not session.get('pass', False):
flash('Password must be entered.')
return redirect(url_for('index'))
if request.method == 'GET':
return render_template('code.html')
token = request.form.get('code', '')
if USE_DEVICE_COMMUNICATION:
valid = validate_totp_with_arduino(token)
else:
valid = otp.valid_totp(token=token, secret=TOTP_SECRET_ENCODED)
if valid:
session['code'] = True
return redirect(url_for('secret'))
flash('Invalid code')
return redirect(url_for('code'))
def verify_mfa_code():
if request.method == "POST":
# 获取json数据
code = json.loads(request.get_data())["code"].strip()
user = User.query.filter_by(username=session.get("username")).first()
if len(code) > 0:
if totp.valid_totp(secret=user.secret, token=code):
session["userid"] = user.id
log = Loginlog(user.id, request.remote_addr)
log.mfa_status = True
db.session.add(log)
db.session.commit()
return jsonify({
"code": 0,
"msg": "登录成功",
"redirect": url_for("admin.index")
})
else:
return jsonify({"code": 1, "msg": "动态口令无效"})
else:
return jsonify({"code": 2, "msg": "动态口令必填"})
def login():
if request.method == "GET":
return render_template('login.html')
if request.method == "POST":
if 'login' in request.form and 'code' in request.form:
login = request.form["login"]
try:
code = int(request.form["code"])
except:
flash("Forbidden.", "danger")
return redirect(request.referrer, code=302)
try:
user = User.get(User.login == login)
except User.DoesNotExist:
flash("Forbidden.", "danger")
return redirect(request.referrer, code=302)
if otp.valid_totp(token=code, secret=user.secret, window=0) or valid_emergency(user, code):
sid = str(uuid.uuid4())
resp = make_response(redirect(request.referrer, code=302))
try:
user.sid = sid
user.save()
resp.set_cookie('x-factor-sid', sid, httponly=True)
except Exception, e:
print "Unexpected error: %s" % e
return resp
else:
flash("Forbidden.", "danger")
return redirect(request.referrer, code=302)
else:
flash("Forbidden.", "danger")
return redirect(request.referrer, code=302)
def check_2fa(data, token):
if 'secret' not in data:
secret = base64.b32encode(os.urandom(10)).decode('utf-8')
ApiAccess.get_skynet_db().users.update_one(
{'username': data['username'].upper()},
{'$set': {
'secret': secret,
'2fa_active': False
}})
return {
'status': LoginStates.active_2fa.value,
'qr_code': 'otpauth://totp/Skynet:{}?secret={}&issuer=Skynet' \
.format(data['username'], secret)}
is_token_valid = onetimepass.valid_totp(token, data['secret'])
if not is_token_valid:
return {
'status': LoginStates.active_2fa.value,
'qr_code': 'otpauth://totp/Skynet:{}?secret={}&issuer=Skynet' \
.format(data['username'], data['secret'])} if not data['2fa_active'] \
else {'status': LoginStates.fail.value}
return None
def verify_totp():
userid = session['userid']
if user_dal.check_disabled_user_by_id(userid) == True:
return render_template(
'login.html',
error=
'This account has been disable due to many failure on login or verify token'
)
token = request.form['token']
otp_secret = session['user']['otp_secret']
if token is None:
return render_template('verify-token.html', error='Token is empty')
verify = onetimepass.valid_totp(token, otp_secret)
if verify == True:
username = session['user']['username']
session['verified'] = True
user_dal.increase_number_of_failure(username, 0)
return redirect(url_for('main'))
else:
username = session['user']['username']
user_dal.increase_number_of_failure(username, 1)
return render_template('verify-token.html',
error='Failed to verify token')
def verify_totp(self, token):
return onetimepass.valid_totp(token, self.otp_secret)
def verify_totp(self, token): print self print "SECRET", self.otp_secret return onetimepass.valid_totp(token, self.otp_secret)
def verify_onetimepass(self, token):
if not self.password_hash:
return None
return valid_totp(token, self.onetime_secret)
def verify_otp(self, otp): return onetimepass.valid_totp(token=otp, secret=self.otp_secret)
def valid_otp(passwd,chat_id):
my_secret = base64.b32encode(str(chat_id))
#my_secret = 'MFRGGZDFxMZTWQ2LK'
got_token = passwd # should be probably from some user's input
is_valid = otp.valid_totp(token=got_token, secret=my_secret, interval_length= 300)
return is_valid
def alive_token(user_name, totp_token):
totp_secret = dao_user.get_user_secret(user_name)
token_valid = otp.valid_totp(totp_token, totp_secret)
return token_valid
