def verify_user(self):
attempts = 3
self.user_entry = input("\nUsername: "******"Password: "******"secret.txt", "r") as f:
for line in f:
if line.strip():
key, value = [x.strip() for x in line.strip().split(':', 1)]
if bcrypt_sha256.verify(pass_entry, value) and self.user_entry in key:
print(f"\n[+] Welcome {self.user_entry}!")
return True
elif not bcrypt_sha256.verify(pass_entry, value) or self.user_entry not in key:
while attempts > 0:
print("[-] Invalid Username or Password")
self.user_entry = input("Username: "******"Password: "******"[-] Too Many Password Attempts. Goodbye.")
exit(0)
if bcrypt_sha256.verify(pass_entry, value):
print(f"\n[+] Welcome {self.user_entry}!")
return True
f.close()
def login():
if request.method == 'POST':
errors = []
# team = Teams.query.filter_by(name=request.form['name'], password=sha512(request.form['password'])).first()
team = Teams.query.filter_by(name=request.form['name']).first()
if team and bcrypt_sha256.verify(request.form['password'],
team.password):
# session.regenerate() # NO SESSION FIXATION FOR YOU
session['username'] = team.name
session['id'] = team.id
session['admin'] = team.admin
session['nonce'] = sha512(os.urandom(10))
db.session.close()
logger = logging.getLogger('logins')
logger.warn("[{0}] {1} logged in".format(
time.strftime("%m/%d/%Y %X"),
session['username'].encode('utf-8')))
# if request.args.get('next') and is_safe_url(request.args.get('next')):
# return redirect(request.args.get('next'))
return redirect('/team/{0}'.format(team.id))
else:
errors.append("That account doesn't seem to exist")
db.session.close()
return render_template('login.html', errors=errors)
else:
db.session.close()
return render_template('login.html')
def check_password(pwd, b64ph, pep):
# decode the encrypted base64 hash
ph = base64.b64decode(b64ph)
# decrypt the hash (remove pepper)
h = pep.decrypt(ph)
# let passlib check the hash
return bcrypt_sha256.verify(pwd, h)
def login():
if request.method == 'POST':
errors = []
name = request.form['name']
team = Teams.query.filter_by(name=name).first()
if team and bcrypt_sha256.verify(request.form['password'], team.password):
try:
session.regenerate() # NO SESSION FIXATION FOR YOU
except:
pass # TODO: Some session objects don't implement regenerate :(
session['username'] = team.name
session['id'] = team.id
session['admin'] = team.admin
session['nonce'] = sha512(os.urandom(10))
db.session.close()
logger = logging.getLogger('logins')
logger.warn("[{0}] {1} logged in".format(time.strftime("%m/%d/%Y %X"), session['username'].encode('utf-8')))
if request.args.get('next') and is_safe_url(request.args.get('next')):
return redirect(request.args.get('next'))
return redirect(url_for('challenges.challenges_view'))
else:
errors.append("That account doesn't seem to exist")
db.session.close()
return render_template('login.html', errors=errors)
else:
db.session.close()
return render_template('login.html')
def login():
if request.method == 'POST':
email = request.form['email']
password_candidate = request.form['password']
cursor = mysql.connection.cursor()
result = cursor.execute("SELECT * FROM t_user WHERE use_email = %s", [email])
if result > 0:
data = cursor.fetchone()
password = data['password']
if bcrypt_sha256.verify(password_candidate, password):
session['logged_in'] = True
session['user'] = data['use_name']
flash('You are now logged in', 'success')
return redirect(url_for('dashboard'))
else:
error = 'Invalid credentials'
return render_template('login.html', error = error)
else:
error = 'No user found'
return render_template('login.html', error = error)
cursor.close()
return render_template('login.html')
def login():
if request.method == "POST":
form = tools.LoginForm(request.form)
if form.validate():
email = form.email.data
password = form.password.data
try:
user = db.get_user_with_email(email)
if bcrypt_sha256.verify(password, user['password']):
session['logged_in'] = True
session['id'] = user['id']
session['email'] = email
return redirect(
url_for(
'admin',
COOKIES_NOTIFICATION=tools.show_cookies_policy(),
LOGGED_IN=tools.is_logged_in()))
else:
flash(
"Failed to login, please check both email and password are correct"
)
return render_template('register.html', FORGOT_PASS=True)
except Exception as e:
flash(
"Failed to login, please check both email and password are correct"
)
return redirect(
url_for('register',
COOKIES_NOTIFICATION=tools.show_cookies_policy(),
LOGGED_IN=tools.is_logged_in()))
else:
return render_template(
'register.html',
COOKIES_NOTIFICATION=tools.show_cookies_policy(),
LOGGED_IN=tools.is_logged_in())
def testSetAPIToken(self):
result = connection.execute(auth_user_table.insert({'email': 'a'}))
user_id = result.inserted_primary_key[0]
token = generate_api_token()
connection.execute(set_api_token(token=token, auth_user_id=user_id))
user = get_auth_user(connection, user_id)
self.assertTrue(bcrypt_sha256.verify(token, user.token))
def change_password():
if request.method == 'GET':
return render_template('change_pwd.html')
# if user is not in session, redirect to login page
elif request.method == 'POST':
username = request.form['username']
old_password = request.form['old_password']
new_password = request.form['new_password']
conn = connect_db()
cur = conn.cursor()
cur.execute('SELECT id, password FROM `user` WHERE username=?',
(username, ))
row = cur.fetchone()
# if username is not in database, redirect to login page
if row is None:
flash('This user does not exist. Please check again.', 'error')
return redirect('/login')
else:
message = ""
if bcrypt_sha256.verify(old_password, row[1]):
encrypted_password = bcrypt_sha256.hash(new_password)
cur.execute('UPDATE `user` SET password=? WHERE username=?',
(encrypted_password, username))
message = "You have successfully changed your password."
#print ("I am here")
else:
message = "You fail to change your password."
conn.commit()
conn.close()
flash(message, 'info')
return redirect('/login')
def checkpasswd (username, password):
user = userdb[username]
try:
return bcrypt.verify(password, user['secret'])
except PasswordSizeError:
print("Authentication error for {:s}: Password too long".format(username))
return False
def authenticate(session, email, password):
user = session.query(User).filter_by(email=email).first()
if user and bcrypt_sha256.verify(password, user.password):
return user
raise LoginFailed()
def post(self):
parser = reqparse.RequestParser()
parser.add_argument('username')
parser.add_argument('password')
args = parser.parse_args()
user = User.query.get(args.username)
if (user is not None
and bcrypt_sha256.verify(args.password, user.password)):
user.current_session_uid = uuid4()
user.last_active_timedate = datetime.now()
try:
db.session.commit()
except InvalidRequestError:
return {'loginError': True, 'databaseError': True}, 401
return {
'loginError': False
}, 200, {
'Authorization':
'"Custom ' + user.username + ' ' + user.current_session_uid +
'"'
}
else:
return {'loginError': True, 'invalidCredentials': True}, 401
return {'loginError': True}, 401
def is_authenticated(self, admin_only=True):
"""Return whether the request has been authenticated."""
# A logged-in user (or specifically Administrator) is authenticated.
if self.r_handler.current_user is not None:
not_an_admin_but_should_be = (
admin_only
and self.r_handler.current_user_model.role != 'administrator')
if not_an_admin_but_should_be:
return False
if self.request_method() not in {'GET', 'HEAD', 'OPTIONS'}:
self._check_xsrf_cookie()
return True
# An Administrator can log in with a token.
try:
token = self.r_handler.request.headers['Token']
email = self.r_handler.request.headers['Email']
except KeyError:
return False
# Get the user's token hash and expiration time.
try:
user = (self.session.query(
Administrator.token,
Administrator.token_expiration).join(Email).filter(
Email.address == email).one())
except NoResultFound:
return False
if user.token is None:
return False
if user.token_expiration.timetuple() < localtime():
return False
return bcrypt_sha256.verify(token, user.token)
def loginAndroid():
errors = []
name = request.form['name']
student = Students.query.filter_by(name=name).first()
if student:
if student and bcrypt_sha256.verify(request.form['password'], student.password):
try:
session.regenerate() # NO SESSION FIXATION FOR YOU
except:
pass # TODO: Some session objects don't implement regenerate :(
session['username'] = student.name
session['id'] = student.id
session['admin'] = student.admin
session['nonce'] = sha512(os.urandom(10))
session.modified = True
db.session.close()
logger = logging.getLogger('logins')
logger.warn("[{0}] {1} logged in".format(time.strftime("%m/%d/%Y %X"), session['username'].encode('utf-8')))
if request.args.get('next') and is_safe_url(request.args.get('next')):
return redirect(request.args.get('next'))
return jsonify({'status': '200', 'nonce': session['nonce']})
else: # This user exists but the password is wrong
errors.append("Your username or password is incorrect")
db.session.close()
return jsonify({'status': '400', 'message': 'Invalid Login'})
else: # This user just doesn't exist
errors.append("Your username or password is incorrect")
db.session.close()
return render_template('login.html', errors=errors)
def login(username: str, password: str) -> str:
"""Validate username and password. Return associated phone number."""
con = sqlite3.connect(DB_NAME)
# allows indexing rows by column name
con.row_factory = sqlite3.Row
# retrieve user information from the database
# using '?' as a placeholder prevents injection attacks
user_data = con.execute(
'SELECT * FROM account '
'WHERE LOWER(username) = LOWER(?)', (username, )).fetchone()
con.close()
# if no matching username was found
if not user_data:
raise AccountError(f'User "{username}" does not exist')
# if the password was incorrect
if not bcrypt_sha256.verify(password, user_data['password']):
raise AccountError(f'Incorrect password for user "{username}"')
# matching username and password: return the decrypted phone number
return Fernet(create_fernet_key(username, password)).decrypt(
user_data['phone']).decode()
def login():
if request.method == 'POST':
errors = []
username = request.form['username']
password = request.form['password']
member = [
_ for _ in db.session.execute(
text("SELECT password FROM member WHERE username = :Username"
), # selects password from corresponding user
{"Username": username})
]
if len(member) == 1 and bcrypt_sha256.verify(
password, member[0][0]): # verify password using bcrypt
try:
session.regenerate() # NO SESSION FIXATION FOR YOU
except:
pass
session['username'] = username
session['nonce'] = hashlib.sha512(
os.urandom(10)).hexdigest() # generate sha512 hash
db.session.close()
logger = logging.getLogger('logins')
logger.warn("[{0}] {1} logged in".format(
time.strftime("%m/%d/%Y %X"),
session['username'].encode('utf-8')))
return redirect('/home')
else:
errors.append("That account doesn't seem to exist")
db.session.close()
return render_template('login.html', errors=errors) # 2
else:
db.session.close()
return render_template('login.html')
def login():
db_session = SessionDB
try:
username = request.json["username"]
password = request.json["password"]
db_session.rollback()
user = User.query.filter_by(username=username).first()
db_session.close()
if user is not None:
is_password_matched = bcrypt_sha256.verify(password, user.password)
if is_password_matched is True:
print 'Login successful'
return jsonify(user.serialize), 200
else:
return jsonify('Invalid credentials'), 401
return jsonify('User do not exist'), 400
except KeyError as ke:
db_session.rollback()
db_session.close()
return jsonify('Attribute ' + ke.args[0] + ' missing!'), 400
except InvalidRequestError:
db_session.rollback()
db_session.close()
def setup():
#if not is_setup():
if request.method == 'POST':
errors = []
## Admin user
name = request.form['name']
adminname = app.config['ADMINNAME']
adminpassword = app.config['ADMINPASSWORD']
epassword = request.form['epassword']
password = base64.decodestring(epassword)
if name == adminname and bcrypt_sha256.verify(
password, adminpassword):
session.parmanent = False
session['username'] = adminname
session['password'] = adminpassword
session['admin'] = 0
session['nonce'] = sha512(os.urandom(10))
flag = Flag.query.first()
if flag == None:
addlmflag = 0
createkeyflag = 0
exportlmcertflag = 0
configIPflag = 0
restartflag = 0
configrouteflag = 0
importCAflag = 0
importsyscertflag = 0
initialUSBKeyflag = 0
importUSBKeyflag = 0
flag = Flag(addlmflag, createkeyflag, exportlmcertflag,
restartflag, configIPflag, configrouteflag,
importCAflag, importsyscertflag,
initialUSBKeyflag, importUSBKeyflag)
db.session.add(flag)
db.session.commit()
flag = Flag.query.first()
count = flag.addlmflag + flag.createkeyflag + flag.exportlmcertflag + flag.restartflag + flag.configIPflag + flag.configrouteflag + flag.importCAflag + flag.importsyscertflag + flag.initialUSBKeyflag + flag.importUSBKeyflag
if count < 1:
return redirect('/initial1')
elif count < 4:
return redirect('/initial2')
elif count < 5:
return redirect('/initial3')
elif count < 6:
return redirect('/initial4')
elif count < 7:
return redirect('/initial5')
elif count < 8:
return redirect('/initial6')
elif count < 10:
return redirect('/initial8')
else:
return redirect('/initial1')
else:
errors.append("用户名或者密码错误。")
db.session.close()
return render_template('setup.html', errors=errors)
else:
db.session.close()
return render_template('setup.html')
def profile():
if authed():
if request.method == "POST":
errors = []
name = request.form.get('name')
email = request.form.get('email')
website = request.form.get('website')
affiliation = request.form.get('affiliation')
country = request.form.get('country')
user = Teams.query.filter_by(id=session['id']).first()
names = Teams.query.filter_by(name=name).first()
emails = Teams.query.filter_by(email=email).first()
valid_email = re.match("[^@]+@[^@]+\.[^@]+", email)
name_len = len(request.form['name']) == 0
if ('password' in request.form.keys() and not len(request.form['password']) == 0) and \
(not bcrypt_sha256.verify(request.form.get('confirm').strip(), user.password)):
errors.append("Your old password doesn't match what we have.")
if not valid_email:
errors.append("That email doesn't look right")
if names and name!=session['username']:
errors.append('That team name is already taken')
if emails and emails.id != session['id']:
errors.append('That email has already been used')
if name_len:
errors.append('Pick a longer team name')
if website.strip() and not validate_url(website):
errors.append("That doesn't look like a valid URL")
if len(errors) > 0:
return render_template('profile.html', name=name, email=email, website=website, affiliation=affiliation, country=country, errors=errors)
else:
team = Teams.query.filter_by(id=session['id']).first()
team.name = name
team.email = email
session['username'] = name
if 'password' in request.form.keys() and not len(request.form['password']) == 0:
team.password = bcrypt_sha256.encrypt(request.form.get('password'))
team.website = website
team.affiliation = affiliation
team.country = country
db.session.commit()
db.session.close()
return redirect('/profile')
else:
user = Teams.query.filter_by(id=session['id']).first()
name = user.name
email = user.email
website = user.website
affiliation = user.affiliation
country = user.country
return render_template('profile.html', name=name, email=email, website=website, affiliation=affiliation, country=country)
else:
return redirect('/login')
def login():
logger = logging.getLogger('logins')
if request.method == 'POST':
errors = []
name = request.form['name']
# Check if the user submitted an email address or a team name
if utils.check_email_format(name) is True:
team = Teams.query.filter_by(email=name).first()
elif utils.check_sno_format(name) is True:
team = Teams.query.filter_by(sno=name).first()
else:
team = Teams.query.filter_by(name=name).first()
if team:
if team and bcrypt_sha256.verify(request.form['password'],
team.password):
try:
session.regenerate() # NO SESSION FIXATION FOR YOU
except:
pass # TODO: Some session objects don't implement regenerate :(
session['username'] = team.name
session['id'] = team.id
session['admin'] = team.admin
session['nonce'] = utils.sha512(os.urandom(10))
db.session.close()
logger.warn("[{date}] {ip} - {username} logged in".format(
date=time.strftime("%m/%d/%Y %X"),
ip=utils.get_ip(),
username=session['username'].encode('utf-8')))
if request.args.get('next') and utils.is_safe_url(
request.args.get('next')):
return redirect(request.args.get('next'))
return redirect(url_for('challenges.challenges_view'))
else: # This user exists but the password is wrong
logger.warn(
"[{date}] {ip} - submitted invalid password for {username}"
.format(date=time.strftime("%m/%d/%Y %X"),
ip=utils.get_ip(),
username=team.name.encode('utf-8')))
errors.append("Your username or password is incorrect")
db.session.close()
return render_template('login.html', errors=errors)
else: # This user just doesn't exist
logger.warn(
"[{date}] {ip} - submitted invalid account information".format(
date=time.strftime("%m/%d/%Y %X"), ip=utils.get_ip()))
errors.append("Your username or password is incorrect")
db.session.close()
return render_template('login.html', errors=errors)
else:
db.session.close()
return render_template('login.html')
def Index():
"""Login portal for clients"""
if current_user.is_authenticated:
"""If client is authenticated, return them back to their portal case view"""
return render_template("Client_View.html",
title='client_view',
Client_id=current_user.Client_id,
api_key=current_user.api_key)
form = LoginForm()
if (request.method == 'POST') and (form.validate_on_submit()):
Client_id = form.Client_id.data
Password = form.Password.data
user = User.query.filter_by(Client_id=Client_id).first()
if not user and app.config['NO_PASSWORD'] == True:
"""Allow anyone to create their own account"""
pass_hash = bcrypt_sha256.encrypt(Password, rounds=12)
user = User(Client_id=Client_id, Password=pass_hash, api_key='')
Sample_date = Client_View(client_id=Client_id,
case_name='sample case',
priority='1',
target_date='10/7/2016',
product_area='Engineering',
status='In Progress',
description='something')
db.session.add(user)
db.session.commit()
db.session.add(Sample_date)
db.session.commit()
""" If user is a vaild account, proceed with verifying \
their credentials and provide them the API key"""
if user:
if bcrypt_sha256.verify(
Password, user.Password) and user.Client_id == Client_id:
signer = TimestampSigner(SECRET_KEY)
API_KEY = ''.join([
random.choice(string.ascii_letters + string.digits)
for n in xrange(30)
])
user.api_key = signer.sign(API_KEY)
user.current_login_ip = request.remote_addr
db.session.commit()
login_user(user)
flash('You have successfully logged in')
return render_template("Client_View.html",
title='client_view',
Client_id=Client_id,
api_key=user.api_key)
if form.errors:
flash(form.errors, 'danger')
flash(
'Incorrect Credentials, please enter the correct Client Id and Password'
)
return render_template('Index.html', form=form)
if form.errors:
flash(form.errors, 'danger')
return render_template('Index.html', form=form)
def get_user_by_login(cls, email, password):
auth_id = email.lower()
try:
user = cls.get(cls.auth_id == auth_id)
if user.password and bcrypt_sha256.verify(password, user.password):
return user
except DoesNotExist:
pass
def verify_password(username, password):
user = User.query.filter_by(username=username).first()
try:
if not user or not bcrypt_sha256.verify(password, user.pw_hash):
return False
except ValueError:
return False
g.user = user
return True
def verify_login(username, password):
"""check username and password"""
try:
user = Users.get(Users.username == username)
except DoesNotExist:
print("user does not exist")
return False
else:
return bcrypt_sha256.verify(password, user.password) # verify given pass against hash value 'True' if success
def profile():
if authed():
if request.method == "POST":
errors = []
name = request.form.get('name')
email = request.form.get('email')
user = Students.query.filter_by(id=session['id']).first()
if not get_config('prevent_name_change'):
names = Students.query.filter_by(name=name).first()
name_len = len(request.form['name']) == 0
emails = Students.query.filter_by(email=email).first()
valid_email = re.match(r"(^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\.[a-zA-Z0-9-.]+$)", email)
if ('password' in request.form.keys() and not len(request.form['password']) == 0) and \
(not bcrypt_sha256.verify(request.form.get('confirm').strip(), user.password)):
errors.append("Your old password doesn't match what we have.")
if not valid_email:
errors.append("That email doesn't look right")
if not get_config('prevent_name_change') and names and name != session['username']:
errors.append('That student name is already taken')
if emails and emails.id != session['id']:
errors.append('That email has already been used')
if not get_config('prevent_name_change') and name_len:
errors.append('Pick a longer student name')
if len(errors) > 0:
return render_template('profile.html', name=name, email=email, errors=errors)
else:
student = Students.query.filter_by(id=session['id']).first()
if not get_config('prevent_name_change'):
student.name = name
if student.email != email.lower():
student.email = email.lower()
if get_config('verify_emails'):
student.verified = False
session['username'] = student.name
if 'password' in request.form.keys() and not len(request.form['password']) == 0:
student.password = bcrypt_sha256.encrypt(request.form.get('password'))
db.session.commit()
db.session.close()
return redirect(url_for('views.profile'))
else:
user = Students.query.filter_by(id=session['id']).first()
name = user.name
email = user.email
prevent_name_change = get_config('prevent_name_change')
confirm_email = get_config('verify_emails') and not user.verified
return render_template('profile.html', name=name, email=email, prevent_name_change=prevent_name_change,
confirm_email=confirm_email)
else:
return redirect(url_for('auth.login'))
def verify_password(self, database: Database, password: str) -> bool:
"""Verifies that the given password matches that of the registered user."""
user = database.get_user(self.__email)
if not (user and bcrypt_sha256.verify(password, database.get_password(user))):
self.__user = None
return False
self.__user = user
return True
def verify_secret(secret, hash):
"""
Check to see if the provided secret matches the hashed value.
Companion to `utils.encrypt_secret`
Returns:
Bool indicating whether or not the secret matches the hash.
"""
return bcrypt_sha256.verify(secret, hash)
def profile():
if authed():
if request.method == "POST":
errors = []
name = request.form.get('name')
email = request.form.get('email')
website = request.form.get('website')
affiliation = request.form.get('affiliation')
country = request.form.get('country')
names = Teams.query.filter_by(name=name).first()
emails = Teams.query.filter_by(email=email).first()
valid_email = re.match("[^@]+@[^@]+\.[^@]+", email)
name_len = len(request.form['name']) == 0
if not bcrypt_sha256.verify(request.form.get('confirm').strip(), names.password):
errors.append("Your old password doesn't match what we have.")
if not valid_email:
errors.append("That email doesn't look right")
if names and name!=session['username']:
errors.append('That team name is already taken')
if emails and emails.id != session['id']:
errors.append('That email has already been used')
if name_len:
errors.append('Pick a longer team name')
if not validate_url(website):
errors.append("That doesn't look like a valid URL")
if len(errors) > 0:
return render_template('profile.html', name=name, email=email, website=website, affiliation=affiliation, country=country, errors=errors)
else:
team = Teams.query.filter_by(id=session['id']).first()
team.name = name
team.email = email
if 'password' in request.form.keys() and not len(request.form['password']) == 0:
team.password = bcrypt_sha256.encrypt(request.form.get('password'))
team.website = website
team.affiliation = affiliation
team.country = country
db.session.commit()
db.session.close()
return redirect('/profile')
else:
user = Teams.query.filter_by(id=session['id']).first()
name = user.name
email = user.email
website = user.website
affiliation = user.affiliation
country = user.country
return render_template('profile.html', name=name, email=email, website=website, affiliation=affiliation, country=country)
else:
return redirect('/login')
def check_password(pwdhash, password):
"""Check the password hash from :func:`password_hash`.
.. versionchanged:: 1.1.0
:param str pwdhash: Hash from :func:`password_hash` to check
:param str password: Password in plaintext
:return: password match
:rtype: bool
"""
return bcrypt_sha256.verify(password, pwdhash)
def check_password(pwdhash, password):
"""Check the password hash from :func:`password_hash`.
.. versionchanged:: 1.1.0
:param str pwdhash: Hash from :func:`password_hash` to check
:param str password: Password in plaintext
:return: password match
:rtype: bool
"""
return bcrypt_sha256.verify(password, pwdhash)
def _check_password(_session, password):
if not isinstance(account, Account):
# They entered an account email and it didn't exist.
if fail is not None:
fail(_session, account)
else:
# Check the given password against the account.
if password and bcrypt_sha256.verify(password,
account.password):
success(_session, account)
else:
fail(_session, account)
def _check_password(_session, password):
if not isinstance(account, Account):
# They entered an account email and it didn't exist.
if fail is not None:
fail(_session, account)
else:
# Check the given password against the account.
if password and bcrypt_sha256.verify(password,
account.password):
success(_session, account)
else:
fail(_session, account)
def re_initialize():
adminpassword = app.config['ADMINPASSWORD']
epassword = request.form['epassword']
password = base64.decodestring(epassword)
if bcrypt_sha256.verify(password, adminpassword):
flag = Flag.query.first()
flag.addlmflag = 0
flag.createkeyflag = 0
flag.exportlmcertflag = 0
flag.configIPflag = 0
flag.restartflag = 0
flag.configrouteflag = 0
flag.importCAflag = 0
flag.importsyscertflag = 0
flag.initialUSBKeyflag = 0
flag.importUSBKeyflag = 0
db.session.add(flag)
db.session.commit()
sql2 = "truncate table terminallogs"
DeleteData(sql2)
sql3 = "delete from users"
DeleteData(sql3)
sql4 = "truncate table cipermachine"
DeleteData(sql4)
sql5 = "truncate table tree"
DeleteData(sql5)
sql6 = "truncate table lead_machine"
DeleteData(sql6)
sql7 = "truncate table equipments_status"
DeleteData(sql7)
sql8 = "truncate table prinvate_equipment_common_info"
DeleteData(sql8)
session.clear()
dirPath = app.config['CERTIFICATE_FOLDER']
if not os.path.isdir(dirPath):
return
files = os.listdir(dirPath)
try:
for file in files:
filePath = os.path.join(dirPath, file)
if os.path.isfile(filePath):
os.remove(filePath)
elif os.path.isdir(filePath):
removeDir(filePath)
#os.rmdir(dirPath)
#os.mkdir(dirPath)
except Exception, e:
print e
return "1"
def allianceauth_check_hash(password, hash, hash_type):
"""
Python implementation of the AllianceAuth MumbleUser hash function
:param password: Password to be verified
:param hash: Hash for the password to be checked against
:param hash_type: Hashing function originally used to generate the hash
"""
if hash_type == 'sha1':
return sha1(password).hexdigest() == hash
elif hash_type == 'bcrypt-sha256':
return bcrypt_sha256.verify(password, hash)
else:
warning("No valid hash function found for %s" % hash_type)
return False
def allianceauth_check_hash(password, hash, hash_type):
"""
Python implementation of the AllianceAuth MumbleUser hash function
:param password: Password to be verified
:param hash: Hash for the password to be checked against
:param hash_type: Hashing function originally used to generate the hash
"""
if hash_type == 'sha1':
return sha1(password).hexdigest() == hash
elif hash_type == 'bcrypt-sha256':
return bcrypt_sha256.verify(password, hash)
else:
warning("No valid hash function found for %s" % hash_type)
return False
def verifyUserPassword(userName, userPassword):
retVal = None
with lock:
try:
dataBase = TinyDB(dbFileName)
userTable = dataBase.table('users')
q = Query()
r = userTable.search(q.userName == userName)
if len(r) > 0:
u = r[0]
pw = u["userPassword"]
if bcrypt_sha256.verify(userPassword, pw):
retVal = u["sessionID"]
except:
pass
return retVal
def login():
try:
username = request.json["username"]
password = request.json["password"]
user = User.query.filter_by(username=username).first()
if user is not None:
is_password_matched = bcrypt_sha256.verify(password, user.password)
if is_password_matched is True:
print 'Login successful'
return jsonify(user.serialize), 200
else:
return jsonify({'error': 'Invalid credentials'}), 401
return jsonify({'error': 'User do not exist'}), 400
except KeyError as ke:
return jsonify({'error': 'Attribute ' + ke.args[0] + ' missing!'}), 400
def validate(self): if not Form.validate(self): return False user = Users.query.filter_by(user = self.user.data).first() if user and bcrypt_sha256.verify(self.password.data, user.password): try: session.regenerate() # NO SESSION FIXATION FOR YOU except: pass # TODO: Some session objects don't implement regenerate :( session['username'] = user.user session['id'] = user.id session['nonce'] = sha512(os.urandom(10)) db.session.close() return True else: db.session.close() return False
def verify_api_token(connection: Connection,
*,
token: str,
email: str) -> bool:
"""
Checks whether the supplied API token is valid for the specified user.
:param connection: a SQLAlchemy Connection
:param token: the API token
:param email: the e-mail address of the user
:return: whether the token is correct and not expired
"""
try:
auth_user = get_auth_user_by_email(connection, email)
except UserDoesNotExistError:
return False
token_is_fresh = auth_user.expires_on.timetuple() >= localtime()
not_blank = auth_user.token != ''
token_matches = not_blank and bcrypt_sha256.verify(token, auth_user.token)
return token_is_fresh and token_matches
def admin_view():
if request.method == 'POST':
username = request.form.get('name')
password = request.form.get('password')
admin_user= Teams.query.filter_by(name=request.form['name'], admin=True).first()
if admin_user and bcrypt_sha256.verify(request.form['password'], admin_user.password):
try:
session.regenerate() # NO SESSION FIXATION FOR YOU
except:
pass # TODO: Some session objects dont implement regenerate :(
session['username'] = admin_user.name
session['id'] = admin_user.id
session['admin'] = True
session['nonce'] = sha512(os.urandom(10))
db.session.close()
return redirect('/admin/graphs')
if is_admin():
return redirect('/admin/graphs')
return render_template('admin/login.html')
def getUser(self, email, password):
""" Given the user's login information, return the user """
session = db.session
ua = None
try:
ua = session.query(UserAuthentication)\
.join(User)\
.filter(UserAuthentication.provider == self.provider)\
.filter(User.email == email)\
.one()
except NoResultFound:
pass
if not ua:
return None
user = ua.user
if bcrypt_sha256.verify(password, ua.key):
return user
else:
return None
def is_authenticated(self, admin_only=True):
"""Return whether the request has been authenticated."""
# A logged-in user (or specifically Administrator) is authenticated.
if self.r_handler.current_user is not None:
not_an_admin_but_should_be = (
admin_only and
self.r_handler.current_user_model.role != 'administrator'
)
if not_an_admin_but_should_be:
return False
if self.request_method() not in {'GET', 'HEAD', 'OPTIONS'}:
self._check_xsrf_cookie()
return True
# An Administrator can log in with a token.
try:
token = self.r_handler.request.headers['Token']
email = self.r_handler.request.headers['Email']
except KeyError:
return False
# Get the user's token hash and expiration time.
try:
user = (
self.session
.query(Administrator.token, Administrator.token_expiration)
.join(Email)
.filter(Email.address == email)
.one()
)
except NoResultFound:
return False
if user.token is None:
return False
if user.token_expiration.timetuple() < localtime():
return False
return bcrypt_sha256.verify(token, user.token)
def verify( password, h):
return bcrypt_sha256.verify(password, h)
def verify_password(password, hashed_password):
return bcrypt_sha256.verify(password, hashed_password)
def profile():
if authed():
if request.method == "POST":
errors = []
name = request.form.get('name')
email = request.form.get('email')
schoolCode = request.form.get('schoolCode')
website = request.form.get('website')
affiliation = request.form.get('affiliation')
country = request.form.get('country')
user = Teams.query.filter_by(id=session['id']).first()
if not get_config('prevent_name_change'):
names = Teams.query.filter_by(name=name).first()
name_len = len(request.form['name']) == 0
emails = Teams.query.filter_by(email=email).first()
valid_email = re.match("[^@]+@[^@]+\.[^@]+", email)
if ('password' in request.form.keys() and not len(request.form['password']) == 0) and \
(not bcrypt_sha256.verify(request.form.get('confirm').strip(), user.password)):
errors.append("Your old password doesn't match what we have.")
if not valid_email:
errors.append("That email doesn't look right")
if not get_config('prevent_name_change') and names and name!=session['username']:
errors.append('That team name is already taken')
if emails and emails.id != session['id']:
errors.append('That email has already been used')
if not get_config('prevent_name_change') and name_len:
errors.append('Pick a longer team name')
if website.strip() and not validate_url(website):
errors.append("That doesn't look like a valid URL")
if len(errors) > 0:
return render_template('profile.html', name=name, email=email, schoolCode=schoolCode, website=website,
affiliation=affiliation, country=country, errors=errors)
else:
team = Teams.query.filter_by(id=session['id']).first()
if not get_config('prevent_name_change'):
team.name = name
if team.email != email.lower():
team.email = email.lower()
if get_config('verify_emails'):
team.verified = False
session['username'] = team.name
if 'password' in request.form.keys() and not len(request.form['password']) == 0:
team.password = bcrypt_sha256.encrypt(request.form.get('password'))
team.schoolCode = schoolCode
team.website = website
team.affiliation = affiliation
team.country = country
db.session.commit()
db.session.close()
return redirect(url_for('views.profile'))
else:
user = Teams.query.filter_by(id=session['id']).first()
name = user.name
email = user.email
schoolCode = user.schoolCode
website = user.website
affiliation = user.affiliation
country = user.country
prevent_name_change = get_config('prevent_name_change')
confirm_email = get_config('verify_emails') and not user.verified
return render_template('profile.html', name=name, email=email, schoolCode=schoolCode, website=website, affiliation=affiliation,
country=country, prevent_name_change=prevent_name_change, confirm_email=confirm_email)
else:
return redirect(url_for('auth.login'))
def profile():
if authed():
if request.method == "POST":
errors = []
name = request.form.get("name")
email = request.form.get("email")
website = request.form.get("website")
affiliation = request.form.get("affiliation")
country = request.form.get("country")
user = Teams.query.filter_by(id=session["id"]).first()
if not get_config("prevent_name_change"):
names = Teams.query.filter_by(name=name).first()
name_len = len(request.form["name"]) == 0
emails = Teams.query.filter_by(email=email).first()
valid_email = re.match("[^@]+@[^@]+\.[^@]+", email)
if ("password" in request.form.keys() and not len(request.form["password"]) == 0) and (
not bcrypt_sha256.verify(request.form.get("confirm").strip(), user.password)
):
errors.append("Your old password doesn't match what we have.")
if not valid_email:
errors.append("That email doesn't look right")
if not get_config("prevent_name_change") and names and name != session["username"]:
errors.append("That team name is already taken")
if emails and emails.id != session["id"]:
errors.append("That email has already been used")
if not get_config("prevent_name_change") and name_len:
errors.append("Pick a longer team name")
if website.strip() and not validate_url(website):
errors.append("That doesn't look like a valid URL")
if len(errors) > 0:
return render_template(
"profile.html",
name=name,
email=email,
website=website,
affiliation=affiliation,
country=country,
errors=errors,
)
else:
team = Teams.query.filter_by(id=session["id"]).first()
if not get_config("prevent_name_change"):
team.name = name
team.email = email
session["username"] = team.name
if "password" in request.form.keys() and not len(request.form["password"]) == 0:
team.password = bcrypt_sha256.encrypt(request.form.get("password"))
team.website = website
team.affiliation = affiliation
team.country = country
db.session.commit()
db.session.close()
return redirect("/profile")
else:
user = Teams.query.filter_by(id=session["id"]).first()
name = user.name
email = user.email
website = user.website
affiliation = user.affiliation
country = user.country
prevent_name_change = get_config("prevent_name_change")
return render_template(
"profile.html",
name=name,
email=email,
website=website,
affiliation=affiliation,
country=country,
prevent_name_change=prevent_name_change,
)
else:
return redirect("/login")
