def post(self):
    """
    Authenticate with an existing session token, optionally on another tenant.

    Flow: apply the login delay, validate the body as ``requests.TokenAuthDesc``,
    resolve the target tenant (``tid == 0`` means the tenant of the current
    request), look up the session by ``authtoken``, enforce the connection
    policy, rotate the session id, then return either the serialized session
    or a redirect to the target tenant's login page.

    :raises errors.InvalidAuthentication: when no session matches the token or
        the session belongs to a different tenant; the global failed-login
        counter is incremented first.
    """
    # NOTE(review): uses ``yield``/``returnValue`` — presumably runs under
    # Twisted's inlineCallbacks (the decorator is not visible here); confirm.
    yield login_delay()

    body = self.request.content.read()
    request = self.validate_message(body, requests.TokenAuthDesc)

    target_tid = int(request['tid'])
    if target_tid == 0:
        target_tid = self.request.tid

    session = Sessions.get(request['authtoken'])
    if session is None or session.tid != target_tid:
        Settings.failed_login_attempts += 1
        raise errors.InvalidAuthentication

    connection_check(self.request.tid,
                     self.request.client_ip,
                     session.user_role,
                     self.request.client_using_tor)

    # Rotate the session identifier on every successful token login.
    session = Sessions.regenerate(session.id)
    log.debug("Login: Success (%s)" % session.user_role)

    if target_tid == self.request.tid:
        returnValue(session.serialize())

    # Cross-tenant login: the freshly rotated session id is handed over in the
    # redirect URL. NOTE(review): ids carried in URLs can end up in browser
    # history or referrer/log data on the receiving side — confirm the target
    # login route consumes the token promptly.
    redirect_url = 'https://%s/#/login?token=%s' % (
        State.tenant_cache[target_tid].hostname, session.id)
    returnValue({'redirect': redirect_url})
def login(session, tid, username, password, authcode, client_using_tor, client_ip):
    """
    Login transaction for users' access

    :param session: An ORM session
    :param tid: A tenant ID
    :param username: A provided username
    :param password: A provided password
    :param authcode: A provided authcode
    :param client_using_tor: A boolean signaling Tor usage
    :param client_ip: The client IP
    :return: Returns a user session in case of success
    :raises errors.TwoFactorAuthCodeRequired: 2FA is enabled and no code was sent
    :raises errors.InvalidTwoFactorAuthCode: 2FA is enabled and the code failed TOTP verification
    """
    # Candidates: enabled users of this tenant with this username. The first
    # row whose stored hash matches the submitted password wins.
    candidates = session.query(User).filter(User.username == username,
                                            User.state == 'enabled',
                                            User.tid == tid)
    user = next((u for u in candidates
                 if GCE.check_password(u.hash_alg, password, u.salt, u.password)),
                None)

    if user is None:
        log.debug("Login: Invalid credentials")
        # NOTE(review): login_error is expected to raise; if it ever returned,
        # the ``user.role`` access below would fail on None — confirm.
        login_error(tid)

    # NOTE(review): the connection policy is enforced only after the password
    # has been verified, so a rejected connection with a correct password
    # presumably surfaces a different error than a wrong password — confirm
    # this is intended.
    connection_check(tid, client_ip, user.role, client_using_tor)

    crypto_prv_key = ''
    if user.crypto_prv_key:
        # Unwrap the user's private key with a key derived from the password.
        user_key = GCE.derive_key(password.encode(), user.salt)
        wrapped_key = Base64Encoder.decode(user.crypto_prv_key)
        crypto_prv_key = GCE.symmetric_decrypt(user_key, wrapped_key)
    elif State.tenant_cache[tid].encryption:
        # Force the password change on which the user key will be created
        user.password_change_needed = True

    # Require password change if password change threshold is exceeded
    change_period = State.tenant_cache[tid].password_change_period
    if change_period > 0:
        cutoff = datetime_now() - timedelta(days=change_period)
        if user.password_change_date < cutoff:
            user.password_change_needed = True

    if user.two_factor_enable:
        if authcode == '':
            raise errors.TwoFactorAuthCodeRequired
        # RFC 6238: 30-second step; valid_window=1 also accepts the adjacent
        # previous/next step, i.e. a total window of three steps.
        totp = pyotp.TOTP(user.two_factor_secret)
        if not totp.verify(authcode, valid_window=1):
            raise errors.InvalidTwoFactorAuthCode

    user.last_login = datetime_now()

    return Sessions.new(tid,
                        user.id,
                        user.tid,
                        user.role,
                        user.password_change_needed,
                        user.two_factor_enable,
                        crypto_prv_key,
                        user.crypto_escrow_prv_key)
def post(self):
    """
    Whistleblower login by receipt.

    Validates the body as ``requests.ReceiptAuthDesc``, applies the per-tenant
    login delay, consumes the request token, enforces the connection policy
    for the ``'whistleblower'`` role, performs the receipt login and records
    a ``whistleblower_login`` event on the session's tenant.
    """
    # NOTE(review): uses ``yield``/``returnValue`` — presumably an
    # inlineCallbacks handler (decorator not visible here); confirm.
    tid = self.request.tid
    request = self.validate_message(self.request.content.read(),
                                    requests.ReceiptAuthDesc)

    yield login_delay(tid)

    # The token is consumed before the receipt is checked, so a failed login
    # still spends it (presumably the anti-automation intent — confirm).
    self.state.tokens.use(request['token'])

    connection_check(tid,
                     self.request.client_ip,
                     'whistleblower',
                     self.request.client_using_tor)

    session = yield login_whistleblower(tid, request['receipt'])
    State.log(tid=session.tid, type='whistleblower_login')

    returnValue(session.serialize())
def post(self):
    """
    Whistleblower login by receipt (variant without per-tenant delay/event log).

    Applies the login delay, validates the body as
    ``requests.ReceiptAuthDesc``, consumes the request token, enforces the
    connection policy for the ``'whistleblower'`` role, performs the receipt
    login and returns the serialized session.
    """
    # NOTE(review): uses ``yield``/``returnValue`` — presumably an
    # inlineCallbacks handler (decorator not visible here); confirm.
    yield login_delay()

    body = self.request.content.read()
    request = self.validate_message(body, requests.ReceiptAuthDesc)

    # Token is spent before the receipt is verified.
    self.state.tokens.use(request['token'])

    tid = self.request.tid
    connection_check(tid,
                     self.request.client_ip,
                     'whistleblower',
                     self.request.client_using_tor)

    session = yield login_whistleblower(tid, request['receipt'])
    log.debug("Login: Success (%s)" % session.user_role)

    returnValue(session.serialize())
def post(self):
    """
    Re-authenticate with an existing session token on the current tenant.

    Validates the body as ``requests.TokenAuthDesc``, applies the per-tenant
    login delay, consumes the request token, looks the session up by
    ``authtoken`` and requires it to belong to this tenant, enforces the
    connection policy, rotates the session id and returns the serialized
    session.
    """
    # NOTE(review): uses ``yield``/``returnValue`` — presumably an
    # inlineCallbacks handler (decorator not visible here); confirm.
    tid = self.request.tid
    request = self.validate_message(self.request.content.read(),
                                    requests.TokenAuthDesc)

    yield login_delay(tid)

    self.state.tokens.use(request['token'])

    session = Sessions.get(request['authtoken'])
    if session is None or session.tid != tid:
        # NOTE(review): login_failure is expected to raise; if it ever
        # returned, ``session.user_role`` below would fail on None — confirm.
        login_failure(tid, 0)

    connection_check(tid,
                     self.request.client_ip,
                     session.user_role,
                     self.request.client_using_tor)

    # Rotate the session identifier on success.
    session = Sessions.regenerate(session.id)
    returnValue(session.serialize())
def put(self, token_id):
    """
    Finalize the submission

    Enforces the connection policy for the ``'whistleblower'`` role, refuses
    when submissions are disabled globally or for this tenant, validates the
    body as ``requests.SubmissionDesc``, records whether the client is mobile,
    consumes ``token_id`` and hands everything to ``create_submission``.

    :param token_id: The submission token to consume
    :return: Whatever ``create_submission`` returns
    :raises errors.SubmissionDisabled: submissions are not accepted
    """
    tid = self.request.tid
    connection_check(tid,
                     self.request.client_ip,
                     'whistleblower',
                     self.request.client_using_tor)

    # Global switch is checked first; the tenant flag is only consulted
    # when submissions are globally accepted.
    submissions_closed = (not self.state.accept_submissions
                          or self.state.tenant_cache[tid]['disable_submissions'])
    if submissions_closed:
        raise errors.SubmissionDisabled

    body = self.request.content.read()
    request = self.validate_message(body, requests.SubmissionDesc)
    request['mobile'] = self.request.client_mobile

    token = self.state.tokens.use(token_id)

    return create_submission(tid, request, token, self.request.client_using_tor)
def login(session, tid, username, password, authcode, client_using_tor, client_ip):
    """
    Login transaction for users' access

    :param session: An ORM session
    :param tid: A tenant ID
    :param username: A provided username
    :param password: A provided password
    :param authcode: A provided authcode
    :param client_using_tor: A boolean signaling Tor usage
    :param client_ip: The client IP
    :return: Returns a user session in case of success
    :raises errors.InvalidAuthentication: no non-disabled user of this tenant
        with this username matches the password
    :raises errors.TwoFactorAuthCodeRequired: 2FA is enabled and no code was sent
    :raises errors.InvalidTwoFactorAuthCode: 2FA is enabled and the code failed
        TOTP verification
    """
    user = None
    # Candidates: users of this tenant with this username whose state is not
    # 'disabled'. The first row whose stored hash matches wins.
    for u in session.query(User).filter(User.username == username, User.state != 'disabled', User.tid == tid):
        if GCE.check_password(u.hash_alg, password, u.salt, u.password):
            user = u
            break

        # Fix for issue: https://github.com/globaleaks/GlobaLeaks/issues/2563
        # Compatibility shim: on installations whose root tenant (id 1) was
        # created before the Unix timestamp 1551740400 (early March 2019),
        # the stored hash is also tried in a second, wrapped textual form.
        # NOTE(review): the wrapper literal on the next line does not parse
        # as shown in this copy (it looks garbled/redacted); confirm the exact
        # string against the upstream fix before relying on this branch.
        if State.tenant_cache[1].creation_date < 1551740400:
            u_password = '******'' + u.password + '\''
            if GCE.check_password(u.hash_alg, password, u.salt, u_password):
                user = u
                break

    if user is None:
        log.debug("Login: Invalid credentials")
        # Global counter, not per tenant, in this variant.
        Settings.failed_login_attempts += 1
        raise errors.InvalidAuthentication

    # NOTE(review): the connection policy is enforced only after the password
    # has been verified — confirm this ordering is intended.
    connection_check(tid, client_ip, user.role, client_using_tor)

    crypto_prv_key = ''
    if user.crypto_prv_key:
        # Unwrap the user's private key with a key derived from the password.
        user_key = GCE.derive_key(password.encode(), user.salt)
        crypto_prv_key = GCE.symmetric_decrypt(
            user_key, Base64Encoder.decode(user.crypto_prv_key))
    elif State.tenant_cache[tid].encryption:
        # Force the password change on which the user key will be created
        user.password_change_needed = True

    if user.two_factor_enable:
        if authcode != '':
            # RFC 6238: 30-second step; valid_window=1 also accepts the
            # adjacent previous/next step, i.e. a total window of three steps.
            if not pyotp.TOTP(user.two_factor_secret).verify(authcode, valid_window=1):
                raise errors.InvalidTwoFactorAuthCode
        else:
            raise errors.TwoFactorAuthCodeRequired

    user.last_login = datetime_now()

    return Sessions.new(tid,
                        user.id,
                        user.tid,
                        user.role,
                        user.password_change_needed,
                        user.two_factor_enable,
                        crypto_prv_key,
                        user.crypto_escrow_prv_key)