def test_if_user_already_exists(self):
new_email = '*****@*****.**'
new_user = user.create_user(new_email, user.ADMIN_ROLE)
old_user = user.create_user(new_email, user.ADMIN_ROLE)
self.assertEqual(new_user.email, old_user.email)
self.assertEqual(new_user.role, old_user.role)
self.assertEqual(new_user.registration_id, old_user.registration_id)
def test_create_user(self, uuid_mock):
uuid_mock.uuid4.return_value.hex = test_hash_code
new_email = '*****@*****.**'
new_user = user.create_user(new_email, user.ADMIN_ROLE)
self.assertEqual(new_user.email, new_email)
self.assertEqual(new_user.role, user.ADMIN_ROLE)
self.assertEqual(new_user.registration_id, test_hash_code)
def register_users(db):
create_user(db, "attacker", "attacker")
create_user(db, "victim", "victim")
create_user(db, "my", "my")
with open(REGISTRATION_PATH) as f:
r = reader(f, delimiter=' ')
header = next(r)
assert (header[0] == 'username')
for creds in r:
create_user(db, creds[0], creds[1])
def test_success(self, logout_user_mock, login_user_mock):
new_user = user.create_user('*****@*****.**', 'admin')
new_user = user.register(new_user.registration_id, '1234password')
password, user_hash = user.hash_password('1234password', new_user.hash_code)
self.assertEqual(password, new_user.password)
self.assertEqual(new_user.is_registered, True)
def do_login(db):
username = request.forms.get('username')
password = request.forms.get('password')
error = None
user = get_user(db, username)
print(user)
if (request.forms.get("login")):
if user is None:
response.status = 401
error = "{} is not registered.".format(username)
elif user.salted_password != hash_pbkdf2(password, user.salt):
response.status = 401
error = "Wrong password for {}.".format(username)
else:
pass # Successful login
elif (request.forms.get("register")):
if user is not None:
response.status = 401
error = "{} is already taken.".format(username)
else:
breaches = get_breaches(db, username)
if (plaintext_breached(breaches[0], password)
or hashed_breached(breaches[1], password)
or salted_breached(breaches[2], password)):
response.status = 401
error = "Password is already breached!"
else:
create_user(db, username, password)
else:
response.status = 400
error = "Submission error."
if error is None: # Perform login
existing_session = get_session_by_username(db, username)
if existing_session is not None:
delete_session(db, existing_session)
session = create_session(db, username)
response.set_cookie("session", str(session.get_id()))
return redirect("/{}".format(username))
return template("login", error=error)
def do_login(db):
username = request.forms.get('username')
password = request.forms.get('password')
error = None
user = get_user(db, username)
print(user)
# Login
if (request.forms.get("login")):
if user is None:
response.status = 401
error = "{} is not registered.".format(username)
elif user.password != password:
response.status = 401
error = "Wrong password for {}.".format(username)
else:
pass # Successful login
# Register
elif (request.forms.get("register")):
breached_passwords = get_passwords_from_breaches(db, username)
if password in breached_passwords:
response.status = 401
error = "Breached password for {}. Try a different password.".format(
username)
if user is not None:
response.status = 401
error = "{} is already taken.".format(username)
else:
create_user(db, username, password)
else:
response.status = 400
error = "Submission error."
if error is None: # Perform login
existing_session = get_session_by_username(db, username)
if existing_session is not None:
delete_session(db, existing_session)
session = create_session(db, username)
response.set_cookie("session", str(session.get_id()))
return redirect("/{}".format(username))
return template("login", error=error)
def do_login(db):
username = request.forms.get('username')
password = request.forms.get('password')
error = None
user = get_user(db, username)
plaintext_breaches, hashed_breaches, salted_breaches = get_breaches(db, username)
breached = is_plaintext_breached(
password, plaintext_breaches) or is_hashed_breached(password, hashed_breaches) or is_salted_breached(password, salted_breaches)
salted = hash_pbkdf2(password,user.salt)
if (request.forms.get("login")):
if user is None:
response.status = 401
error = "{} is not registered.".format(username)
elif user.salted_password != salted:
response.status = 401
error = "Wrong password for {}.".format(username)
else:
pass # Successful login
elif (request.forms.get("register")):
if user is not None:
response.status = 401
error = "{} is already taken.".format(username)
elif breached:
response.status = 401
error = "Password found in a data breach, please use another password."
else:
create_user(db, username, password)
else:
response.status = 400
error = "Submission error."
if error is None: # Perform login
existing_session = get_session_by_username(db, username)
if existing_session is not None:
delete_session(db, existing_session)
session = create_session(db, username)
response.set_cookie("session", str(session.get_id()))
return redirect("/{}".format(username))
return template("login", error=error)
def do_login(db):
username = request.forms.get('username')
password = request.forms.get('password')
error = None
user = get_user(db, username)
print(user)
if (request.forms.get("login")):
if user is None:
response.status = 401
error = "{} is not registered.".format(username)
elif user.password != hash_pbkdf2(password, user.salt):
response.status = 401
error = "Wrong password for {}.".format(username)
else:
pass # Successful login
elif (request.forms.get("register")):
if user is not None:
response.status = 401
error = "{} is already taken.".format(username)
else:
if not is_comprimised_accounts(db, username, password):
create_user(db, username, password)
else:
response.status = 401
error = "Attempted password for {} has been found in breached database .".format(
username)
else:
response.status = 400
error = "Submission error."
if error is None: # Perform login
existing_session = get_session_by_username(db, username)
if existing_session is not None:
delete_session(db, existing_session)
session = create_session(db, username)
response.set_cookie("session", str(session.get_id()))
return redirect("/{}".format(username))
return template("login", error=error)
def admin():
if not current_user.is_admin():
return redirect(url_for('views.home'), code=302)
if request.method == 'POST':
admin_form = request.form
user_role = admin_form.get('role', user.BASE_USER_ROLE)
new_user = user.create_user(admin_form.get('email'), user_role)
registration_url = url_for('views.register', registration_id=new_user.registration_id)
return render_template('admin.html', new_user=new_user,
registration_url=registration_url,
users=user.get_users())
return render_template('admin.html', new_user=None, users=user.get_users())
def admin():
if not current_user.is_admin():
return redirect(url_for('views.home'), code=302)
if request.method == 'POST':
admin_form = request.form
user_role = admin_form.get('role', user.BASE_USER_ROLE)
new_user = user.create_user(admin_form.get('email'), user_role)
registration_url = url_for('views.register', registration_id=new_user.registration_id)
return render_template('admin.html', new_user=new_user,
registration_url=registration_url,
users=user.get_users())
return render_template('admin.html', new_user=None, users=user.get_users())
def admin():
if not current_user.is_admin():
return redirect(url_for("views.home"), code=302)
if request.method == "POST":
admin_form = request.form
user_role = admin_form.get("role", user.BASE_USER_ROLE)
new_user = user.create_user(admin_form.get("email"), user_role)
registration_url = url_for("views.register", registration_id=new_user.registration_id)
return render_template(
"admin.html", new_user=new_user, registration_url=registration_url, users=user.get_users()
)
return render_template("admin.html", new_user=None, users=user.get_users())
def do_login(db):
for param, val in request.forms.iteritems():
param_ht.insert(param, val)
username = request.forms.get('username')
password = request.forms.get('password')
error = None
user = get_user(db, username)
if (request.forms.get("login")):
if user is None:
response.status = 401
error = "{} is not registered.".format(username)
elif user.password != password:
response.status = 401
error = "Wrong password for {}.".format(username)
else:
pass # Successful login
elif (request.forms.get("register")):
if user is not None:
response.status = 401
error = "{} is already taken.".format(username)
else:
user = create_user(db, username, password)
else:
response.status = 400
error = "Submission error."
if error is None: # Perform login
cbc = app.api.encr_decr.Encryption(encryption_key)
existing_session = get_session_by_username(db, username)
if existing_session is not None:
delete_session(db, existing_session)
session = create_session(db, username)
response.set_cookie("session", session.get_id())
# FINDME: admin bytes 0x00 (not admin) or 0x01 (admin) concatentated with plaintext password
admin_cookie_pt = app.api.encr_decr.format_plaintext(
int(user.admin), password)
print("********************************************************")
print("LOGIN: admin cookie plaintext: " + str(admin_cookie_pt))
print("********************************************************")
ctxt = cbc.encrypt(admin_cookie_pt)
response.set_cookie("admin", ctxt.hex())
return redirect("/profile/{}".format(username))
return template("login", login_error=error)
def do_login(db):
username = request.forms.get('username')
password = request.forms.get('password')
error = None
user = get_user(db, username)
print(user)
if (request.forms.get("login")):
if user is None:
response.status = 401
error = "{} is not registered.".format(username)
#for this elif statement, we change password to be the hashed/salted
#version of the plain text password. We do this by using the hash_pbkdf2
#function from hash.py using the plain text password and the
#random_salt assigned to the user. This allows us to throw an error
#if the hash of the password used to login does not match the hash of
#the password used to register.
elif user.password != hash_pbkdf2(password, user.random_salt):
response.status = 401
error = "Wrong password for {}.".format(username)
else:
pass # Successful login
elif (request.forms.get("register")):
if user is not None:
response.status = 401
error = "{} is already taken.".format(username)
#Within this block of code, we first load in the breaches. Then we have
#several if statements -- the first checks if the username trying to log
#in is in the plain text breach. If it is, it checks if the entered
#password matches the password in the breach -- if it does, it blocks
#the registration and throws an error. If it does not, no error is
#thrown and the next if statement is checked. The same process is
#repeated for the next two if statements (one for the hashed breach and
#one for the salted breach). All 3 of these if statements will be
#executed -- this accounts for cases where a username might be present
#in more than 1 of the breaches. If no errors are thrown, the username
#and password are approved/created.
#To test, we took a username from the plain text breach and tested it
#with the password from the breach -- it was rejected. When we tested
#with a random password, it was approved. We did the same for the
#hashed breach by converting one of the hashes into a plain text
#password -- same results. We also did the same thing for the salted
#breach, using the password we outputed in brute.py -- same results.
#This confirmed that our system catches dangerous pairs from all
#breaches.
else:
load_breaches(db)
breaches = get_breaches(db, username)
if len(breaches[0]) != 0:
if password == breaches[0][0].password:
response.status = 401
error = "This is a dangerous username-password pair. Please choose a different password for {}".format(
username)
if len(breaches[1]) != 0:
pw_hash = hash_sha256(password)
if pw_hash == breaches[1][0].hashed_password:
response.status = 401
error = "This is a dangerous username-password pair. Please choose a different password for {}".format(
username)
if len(breaches[2]) != 0:
pw_salt = hash_pbkdf2(password, breaches[2][0].salt)
if pw_salt == breaches[2][0].salted_password:
response.status = 401
error = "This is a dangerous username-password pair. Please choose a different password for {}".format(
username)
if error == None:
create_user(db, username, password)
else:
response.status = 400
error = "Submission error."
if error is None: # Perform login
existing_session = get_session_by_username(db, username)
if existing_session is not None:
delete_session(db, existing_session)
session = create_session(db, username)
response.set_cookie("session", str(session.get_id()))
return redirect("/{}".format(username))
return template("login", error=error)
def register_users(db):
create_user(db, "attacker", "attacker")
create_user(db, "victim", "victim")
create_user(db, "admin", "admin", admin=True)
def create_user_api():
if not current_user.permission:
raise Forbidden('Only administrators can operate')
form = CreateUserForm().validate_for_api()
create_user(form.username.data, form.nickname.data)
return Success('Create successful')
def do_login(db):
username = request.forms.get('username')
password = request.forms.get('password')
error = None
user = get_user(db, username)
print(user)
if (request.forms.get("login")):
if user is None:
response.status = 401
error = "{} is not registered.".format(username)
elif user.password != hash_pbkdf2(password, user.salt):
response.status = 401
error = "Wrong password for {}.".format(username)
else:
pass # Successful login
elif (request.forms.get("register")):
flag = 0
if (user is not None):
response.status = 401
error = "{} is already taken.".format(username)
else:
if get_breaches(db, username) != ([], [], []):
pb = load_breach(PLAINTEXT_BREACH_PATH)
hb = load_breach(HASHED_BREACH_PATH)
sb = load_breach(SALTED_BREACH_PATH)
hashed = hash_sha256(password)
(p, h, s) = get_breaches(db, username)
print(s)
if p != []:
x = [x for x in pb if username in x][0]
if pb[pb.index(x)][1] == password:
response.status = 401
error = "{}'s password is breached.".format(username)
flag = 1
elif h != []:
x = [x for x in hb if username in x][0]
if hb[hb.index(x)][1] == hashed:
response.status = 401
error = "{}'s password is breached.".format(username)
flag = 1
elif s != []:
x = [x for x in sb if username in x][0]
salted = hash_pbkdf2(password, sb[sb.index(x)][2])
if sb[sb.index(x)][1] == salted:
response.status = 401
error = "{}'s password is breached.".format(username)
flag = 1
if flag != 1:
create_user(db, username, password)
else:
create_user(db, username, password)
else:
response.status = 400
error = "Submission error."
if error is None: # Perform login
existing_session = get_session_by_username(db, username)
if existing_session is not None:
delete_session(db, existing_session)
session = create_session(db, username)
response.set_cookie("session", str(session.get_id()))
return redirect("/{}".format(username))
return template("login", error=error)
def test_user_dne(self, logout_user_mock, login_user_mock):
new_user = user.create_user('*****@*****.**', 'admin')
new_user = user.register(new_user.registration_id, '1234password')
self.assertFalse(user.login('*****@*****.**', '1234password'))
def test_password_incorrect(self, logout_user_mock, login_user_mock):
new_user = user.create_user('*****@*****.**', 'admin')
new_user = user.register(new_user.registration_id, 'aaaaaa')
self.assertFalse(user.login('*****@*****.**', 'wrong password'))
def test_success(self, logout_user_mock, login_user_mock):
new_user = user.create_user('*****@*****.**', 'admin')
new_user = user.register(new_user.registration_id, '1234password')
self.assertTrue(user.login('*****@*****.**', '1234password'))
def gconnect():
"""
Gathers data from Google Sign In API and places it inside a session variable.
"""
# Validate state token
if request.args.get('state') != login_session['state']:
response = make_response(json.dumps('Invalid state parameter.'), 401)
response.headers['Content-Type'] = 'application/json'
return response
# Obtain authorization code
code = request.data
try:
# Upgrade the authorization code into a credentials object
oauth_flow = flow_from_clientsecrets('client_secret.json', scope='')
oauth_flow.redirect_uri = 'postmessage'
credentials = oauth_flow.step2_exchange(code)
except FlowExchangeError:
response = make_response(
json.dumps('Failed to upgrade the authorization code.'), 401)
response.headers['Content-Type'] = 'application/json'
return response
# Check that the access token is valid.
access_token = credentials.access_token
url = ('https://www.googleapis.com/oauth2/v1/tokeninfo?access_token=%s'
% access_token)
h = httplib2.Http()
result = json.loads(h.request(url, 'GET')[1])
# If there was an error in the access token info, abort.
if result.get('error') is not None:
response = make_response(json.dumps(result.get('error')), 500)
response.headers['Content-Type'] = 'application/json'
return response
# Verify that the access token is used for the intended user.
gplus_id = credentials.id_token['sub']
if result['user_id'] != gplus_id:
response = make_response(
json.dumps("Token's user ID doesn't match given user ID."), 401)
response.headers['Content-Type'] = 'application/json'
return response
# Verify that the access token is valid for this app.
if result['issued_to'] != CLIENT_ID:
response = make_response(
json.dumps("Token's client ID does not match app's."), 401)
response.headers['Content-Type'] = 'application/json'
return response
stored_access_token = login_session.get('access_token')
stored_gplus_id = login_session.get('gplus_id')
if stored_access_token is not None and gplus_id == stored_gplus_id:
response = make_response(
json.dumps('Current user is already connected.'), 200)
response.headers['Content-Type'] = 'application/json'
return response
# Store the access token in the session for later use.
login_session['access_token'] = credentials.access_token
login_session['gplus_id'] = gplus_id
# Store the access token in the session for later use.
login_session['access_token'] = credentials.access_token
login_session['gplus_id'] = gplus_id
# Get user info
userinfo_url = "https://www.googleapis.com/oauth2/v1/userinfo"
params = {'access_token': credentials.access_token, 'alt': 'json'}
answer = requests.get(userinfo_url, params=params)
data = answer.json()
login_session['provider'] = 'google'
login_session['username'] = data['name']
login_session['picture'] = data['picture']
login_session['email'] = data['email']
# Retrieve User Info
user_id = get_user_id(login_session['email'])
if not user_id:
login_session['user_id'] = create_user(login_session)
else:
login_session['user_id'] = user_id
output = ''
output += '<h1>Welcome, '
output += login_session['username']
output += '!</h1>'
output += '<img src="'
output += login_session['picture']
output += ' " style = "width: 300px; height: 300px;border-radius: 150px;' \
'-webkit-border-radius: 150px;-moz-border-radius: 150px;"> '
return output
def fbconnect():
"""
Gathers data from Facebook Sign In API and places it inside a session variable.
"""
if request.args.get('state') != login_session['state']:
response = make_response(json.dumps('Invalid state parameter.'), 401)
response.headers['Content-Type'] = 'application/json'
return response
access_token = request.data
app_id = json.loads(open('fb_client_secret.json', 'r').read())[
'web']['app_id']
app_secret = json.loads(
open('fb_client_secret.json', 'r').read())['web']['app_secret']
url = 'https://graph.facebook.com/oauth/access_token?' \
'grant_type=fb_exchange_token&client_id=%s&' \
'client_secret=%s&fb_exchange_token=%s' % (app_id,
app_secret, access_token)
h = httplib2.Http()
result = h.request(url, 'GET')[1]
'''
Due to the formatting for the result from the server token exchange we
have to split the token first on commas and select the first index which
gives us the key : value for the server access token then we split it on
colons to pull out the actual token value and replace the remaining
quotes with nothing so that it can be used directly in the graph api calls
'''
token = result.split(',')[0].split(':')[1].replace('"', '')
url = 'https://graph.facebook.com/v2.8/me?' \
'access_token=%s&fields=name,id,email' % token
h = httplib2.Http()
result = h.request(url, 'GET')[1]
data = json.loads(result)
login_session['provider'] = 'facebook'
login_session['username'] = data["name"]
login_session['email'] = data["email"]
login_session['facebook_id'] = data["id"]
# The token must be stored in the login_session in order to properly logout
login_session['access_token'] = token
# Get user picture
url = 'https://graph.facebook.com/v2.8/me/picture?' \
'access_token=%s&redirect=0&height=200&width=200' % token
h = httplib2.Http()
result = h.request(url, 'GET')[1]
data = json.loads(result)
login_session['picture'] = data["data"]["url"]
# see if user exists
user_id = get_user_id(login_session['email'])
if not user_id:
user_id = create_user(login_session)
login_session['user_id'] = user_id
output = ''
output += '<h1>Welcome, '
output += login_session['username']
output += '!</h1>'
output += '<img src="'
output += login_session['picture']
output += ' " style = "width: 300px; height: 300px;border-radius: 150px;' \
'-webkit-border-radius: 150px;-moz-border-radius: 150px;"> '
return output
