Esempio n. 1
class FailedAttempt(db.Model):
    """Represent a failed password reset attempt."""

    id = db.Column(db.Integer(), primary_key=True)
    user_id = db.Column(db.Integer(),
                        db.ForeignKey('', ondelete='CASCADE'),
    time = db.Column(db.DateTime, nullable=False)
Esempio n. 2
class Answer(db.Model):
    """Contain the user's answers to the secret questions they've chosen."""

    id = db.Column(db.Integer(), primary_key=True)
    answer = db.Column(db.String(256), nullable=False)
    user_id = db.Column(db.Integer(),
                        db.ForeignKey('', ondelete='CASCADE'),
    question_id = db.Column(db.Integer(),
                            db.ForeignKey('', ondelete='CASCADE'),
Esempio n. 3
class User(db.Model):
    """Represent the Active Directory user."""

    id = db.Column(db.Integer(), primary_key=True)
    # We store the GUID as a string for easier auditing in Active Directory. This must be 36
    # characters because the GUID as a string is 32 characters + 4 hyphens.
    ad_guid = db.Column(db.String(36), nullable=False, unique=True, index=True)
    answers = db.relationship('adreset.models.questions.Answer',
    blacklisted_tokens = db.relationship(
        'adreset.models.tokens.BlacklistedToken', backref='user')
Esempio n. 4
class BlacklistedToken(db.Model):
    """Contain issued JSON web tokens."""

    id = db.Column(db.Integer, primary_key=True)
    user_id = db.Column(
        db.Integer(), db.ForeignKey('', ondelete='CASCADE'), nullable=False)
    jti = db.Column(db.String(36), nullable=False)
    expires = db.Column(db.DateTime, nullable=False)

    def add_token(token):
        Add a new token to the database in the unrevoked state.

        :param dict token: the decoded token to blacklist
        user = User.query.filter_by(ad_guid=token['sub']).one()
        db_token = BlacklistedToken(

    def is_token_revoked(token):
        Check if the token is revoked and default to True if the token is not present.

        :param dict token: the decoded JSON web token to check
        :rtype: bool
        :return: a boolean representing if the token is revoked
        jti = token['jti']
        return bool(BlacklistedToken.query.filter_by(jti=jti).first())

    def revoke_token(jti):
        Revoke a token for the given user.

        :param str jti: the GUID that identifies the token
        :raises werkzeug.exceptions.NotFound: if the specified token does not exist in the database
        return bool(BlacklistedToken.query.filter_by(jti=jti).first())
Esempio n. 5
class Question(db.Model):
    """Contain the secret questions the administrator decides to configure ADReset with."""

    id = db.Column(db.Integer(), primary_key=True)
    question = db.Column(db.String(256), nullable=False, unique=True)
    answers = db.relationship('Answer', backref='question')
    enabled = db.Column(db.Boolean, default=True, nullable=False)

    def validate_question(self, key, question):
        Ensure the question is a string of 256 characters or less.

        :param str key: the key/column being validated
        :param str question: the question being validated
        :return: the question being validated
        :rtype: str
        :raises ValidationError: if the string is more than 256 characters
        :raises RuntimeError: if the question is an invalid type
        if not isinstance(question, string_types):
            raise RuntimeError(_must_be_str.format(key))
        elif len(question) > 256:
            raise ValidationError(
                'The question must be less than 256 characters')
        return question

    def to_json(self, include_url=True):
        """Represent the row as a dictionary for JSON output."""
        rv = {
            'question': self.question,
            'enabled': self.enabled,
        if include_url:
            rv['url'] = url_for('api_v1.get_question',
        return rv
Esempio n. 6
class User(db.Model):
    """Represent the Active Directory user."""

    id = db.Column(db.Integer(), primary_key=True)
    # We store the GUID as a string for easier auditing in Active Directory. This must be 36
    # characters because the GUID as a string is 32 characters + 4 hyphens.
    ad_guid = db.Column(db.String(36), nullable=False, unique=True, index=True)
    answers = db.relationship('adreset.models.questions.Answer',
    blacklisted_tokens = db.relationship(
        'adreset.models.tokens.BlacklistedToken', backref='user')
    failed_reset__attempts = db.relationship('FailedAttempt', backref='user')

    def get_id_from_ad_username(username, ad=None):
        Query Active Directory to find the user's ID in the database.

        :param str username: the user's sAMAccountName
        :kwarg ad: an optional Active Directory session that is logged in with the
            service account
        :return: the user's ID in the database
        :rtype: int or None
        if not ad:
            ad =
            user_guid = ad.get_guid(username)
        except adreset.error.ADError:
            return None

        return db.session.query(

    def get_ad_username_from_id(user_id, ad=None):
        Query Active Directory to find the user's sAMAccountName from the ID in the database.

        :param int user_id: the user's ID in the database
        :kwarg ad: an optional Active Directory session that is logged in with the
            service account
        :return: the user's sAMAccountName
        :rtype: str or None
        if not ad:
            ad =

        user_guid = db.session.query(
            username = ad.get_sam_account_name(user_guid)
        except adreset.error.ADError:
            return None

        return username

    def is_user_locked_out(user_id):
        Check if the passed-in user is locked out.

        :param int user_id: the user ID to check
        :return: a boolean determining if the user is locked out
        :rtype: bool
        lockout_mins = current_app.config['LOCKOUT_MINUTES']
        lockout_datetime = datetime.utcnow() - timedelta(minutes=lockout_mins)
        failed_attempts = (db.session.query(func.count(
                FailedAttempt.time >= lockout_datetime).scalar())
        return failed_attempts >= current_app.config['ATTEMPTS_BEFORE_LOCKOUT']

    def is_locked_out(self):
        Check if the current user is locked out.

        :return: a boolean determining if the user is locked out
        :rtype: bool
        return self.is_user_locked_out(
Esempio n. 7
class Answer(db.Model):
    """Contain the user's answers to the secret questions they've chosen."""

    id = db.Column(db.Integer(), primary_key=True)
    # The hashed answer should be around 120 characters, but give it plenty of room to expand in
    # the event the hashing algorithm is updated
    answer = db.Column(db.String(256), nullable=False)
    user_id = db.Column(db.Integer(),
                        db.ForeignKey('', ondelete='CASCADE'),
    question_id = db.Column(db.Integer(),
                            db.ForeignKey('', ondelete='CASCADE'),

    def validate_answer(self, key, answer):
        Ensure the answer is hashed.

        :param str key: the key/column being validated
        :param str answer: the answer being validated
        :return: the answer being validated
        :rtype: str
        :raises RuntimeError: if the answer is not hashed or isn't a string
        if not isinstance(answer, string_types):
            raise RuntimeError(_must_be_str.format(key))
        elif not passlib.hash.sha512_crypt.identify(answer):
            raise RuntimeError('The answer must be stored as a SHA512 hash')
        return answer

    def hash_answer(answer):
        Hash the answer using the SHA512 algorithm.

        :param str answer: the answer to hash
        :return: a SHA512 hash of the string
        :rtype: str
        return passlib.hash.sha512_crypt.hash(answer)

    def verify_answer(input_answer, hashed_answer):
        Verify the input answer and the hashed answer stored in the database are the same.

        :param str input_answer: the answer to verify
        :param str hashed_answer: the hashed answer to verify against
        :return: a boolean determining if the answers match
        :rtype: bool
        return passlib.hash.sha512_crypt.verify(input_answer, hashed_answer)

    def to_json(self, include_url=True):
        """Represent the row as a dictionary for JSON output."""
        rv = {
            'user_id': self.user_id,
            'question': self.question.to_json(),
        if include_url:
            rv['url'] = url_for('api_v1.get_answer',
        return rv
Esempio n. 8
class Question(db.Model):
    """Contain the secret questions the administrator decides to configure ADReset with."""

    id = db.Column(db.Integer(), primary_key=True)
    question = db.Column(db.String(256), nullable=False, unique=True)
    answers = db.relationship('Answer', backref='question')