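def register_student_csv(self, csv_data_file, lecturer):
    """Bulk-create student accounts from an uploaded CSV and enrol them.

    The first row is treated as a column header and skipped. Every other
    row is expected as: name, surname, student number, e-mail. Completely
    empty rows (blank lines) are ignored; a row with fewer than four
    columns or an empty name still raises IndexError and aborts the import.

    Args:
        csv_data_file: iterable of CSV text lines (e.g. an open file object).
        lecturer: passed through unchanged to send_mail_first_login.

    Returns:
        The string "Done" after the mail thread is started and the
        collected student numbers are passed to self.register_student.
    """
    csv_reader = csv.reader(csv_data_file)
    # Header row: consume it instead of tracking a "first" flag in the loop.
    next(csv_reader, None)

    pas = Password()
    auth = []  # (full name, mail, clear-text password, username) per NEW account
    reg = []   # every student number in the file, whether or not it was inserted

    for row in csv_reader:
        if not row:
            # csv.reader yields [] for blank lines; the old code crashed on row[0].
            continue
        name = handle_tr(row[0]).title()
        surname = handle_tr(row[1]).title()
        # Spreadsheet exports often give the number as a float ("12345.0").
        student_number = str(int(float(row[2])))
        mail = row[3]
        role = 4
        username = name.split()[0].lower() + surname.lower()
        password = passwordGenerator(8)
        try:
            # NOTE(review): CSV-sourced fields are interpolated straight into
            # the SQL text. If the db wrapper behind self.execute accepts
            # driver-side parameter binding, this call should be switched to
            # it; the wrapper's signature is not visible here, so the
            # interpolation is left unchanged.
            self.execute(
                "INSERT INTO members(PersonID, Role, Name, Surname, Username, Password, Email) "
                "values(%s, '%s', '%s', '%s', '%s', '%s', '%s');"
                % (student_number, role, name, surname, username,
                   pas.hash_password(password), mail))
            auth.append((name + " " + surname, mail, password, username))
        except IntegrityError:
            # Duplicate PersonID/Username: the account already exists, so no
            # first-login mail is queued, but the student is still enrolled
            # via register_student below (deliberate best-effort).
            pass
        reg.append(student_number)

    threading.Thread(target=send_mail_first_login, args=(auth, lecturer)).start()
    self.register_student(reg)
    return "Done"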
from User import User
from Password import Password
import hashlib
import os
import bcrypt

# Example to trigger a sonar vulnerability
# import socket
# ip = '127.0.0.1'
# sock = socket.socket()
# sock.bind((ip, 9090))

# Hari gajmer developer
# Typical bandit findings:
# >>> bandit -r <folder>
# deprecated md5 will not be found by sonar...

# Scanner examples: the environment lookup is overwritten two lines later and
# hash_object is never read, so neither value influences the rest of the script.
password = os.getenv("123_x&5s")
hash_object = bcrypt.hashpw((b'123_x32&'), bcrypt.gensalt())
password = "******".encode()

# Round-trip one password through the project's Password helper: hash it,
# store it on a User, read it back and check it against the clear text.
p = Password()
user1 = User()
user1.set_name("Bert")
user1.set_password(p.hash_password(password))
hashed_password = user1.get_password()
p.hash_check(password, hashed_password)
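def test_password(self):
    """A freshly hashed password must verify against its own hash."""
    user_hash_pwd = Password.hash_password(self.password)
    # assertTrue's second positional argument is the failure *message*;
    # the previous ``(True)`` there was not an expected value and only
    # produced a meaningless message on failure.
    self.assertTrue(Password.hash_check(self.password, user_hash_pwd))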
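def test_hash_password_hash_check(self):
    """hash_check must accept the clear text that hash_password was given."""
    hashed_pwd = Password.hash_password(self.password)
    # The second argument of assertTrue is the failure message, so the old
    # ``(True)`` was never compared against anything; drop it.
    self.assertTrue(Password.hash_check(self.password, hashed_pwd))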
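class User:
    """A member of one organization's schema, loaded by username.

    ``db`` must expose an ``execute`` method that runs a SQL string and
    returns the result rows (the code indexes its return value, so it is a
    project wrapper rather than a bare DB-API cursor). On construction the
    connection is switched to the organization's schema and the member row
    is loaded into the instance attributes.

    NOTE(review): every query here is built with %-interpolation of values
    that can originate from request input (username, new e-mail address,
    upload-derived path). If the ``db`` wrapper supports driver-side
    parameter binding, these calls should move to it. The wrapper's
    signature is not visible from this class, so the interpolation is kept
    and only the placeholders are made consistent with each argument tuple
    (``str % tuple`` raises TypeError when their counts differ).
    """

    def __init__(self, db, organization, username):
        self.db = db
        self.execute = db.execute
        # A schema name cannot be bound as a query parameter, so
        # ``organization`` must come from a trusted allow-list, not from the
        # request as-is.
        self.execute("USE %s" % organization)
        self.username = username
        self.organization = organization
        self.allowed_extensions = {'png', 'jpg', 'jpeg'}
        self.pass_word = Password()
        self.user_id = None
        self.role = None
        self.name = None
        self.surname = None
        self.hashed_pass = None
        self.email = None
        self.department = None
        self.profile_pic_path = None
        self.role_name = None
        # Either the info list or the "No such a person!" string.
        self.get = self.get_user_info()

    def get_user_info(self):
        """
        Load this user's members row and role name into the instance.

        :return: List, [username, name, surname, studentID, roleName, email,
                 department]; or the string "No such a person!" when the
                 username has no row (the empty result makes ``[0]`` raise
                 IndexError) or the query itself fails (InterfaceError).
        """
        try:
            self.user_id, self.role, self.name, self.surname, self.username, \
                self.hashed_pass, self.email, self.department, self.profile_pic_path = \
                self.execute("SELECT * FROM members WHERE Username='%s'" % self.username)[0]
            self.role_name = self.execute(
                "SELECT Role FROM roles WHERE roleID = %s" % self.role)[0][0]
            return [
                self.username, self.name, self.surname, self.user_id,
                self.role_name, self.email, self.department
            ]
        except (IndexError, InterfaceError):
            # The previous handler caught only InterfaceError, so an unknown
            # username escaped as an IndexError instead of this message.
            return "No such a person!"

    def change_password_or_email(self, old_password, new_val, email=False):
        """
        Replace this user's e-mail (``email=True``) or password.

        Nothing is changed unless ``old_password`` verifies against the
        stored hash.

        :param old_password: current clear-text password.
        :param new_val: the new e-mail address, or the new clear-text password.
        :param email: True to change the e-mail; False (default) the password.
        :return: "Mail Changed", "Password Changed" or "Not Authorized".
        """
        if not self.pass_word.verify_password_hash(old_password, self.hashed_pass):
            return "Not Authorized"
        if email:
            self.execute(
                "UPDATE members SET Email='%s' WHERE Username = '%s'"
                % (new_val, self.username))
            return "Mail Changed"
        # The new clear-text password is hashed and never written to stdout;
        # the previous ``print`` statement leaked it into the process output.
        password = self.pass_word.hash_password(new_val)
        self.execute(
            "UPDATE members SET Password='%s' WHERE Username = '%s'"
            % (password, self.username))
        return "Password Changed"

    def allowed_file(self, filename):
        """Return True when ``filename`` ends in one of allowed_extensions."""
        return '.' in filename and filename.rsplit(
            '.', 1)[1].lower() in self.allowed_extensions

    def upload_profile_pic(self, pic):
        """
        Store an uploaded image as this user's profile picture.

        :param pic: file-like upload exposing ``filename`` and ``read()``.
        :return: "Done", or "Not allowed extension." when ``pic`` is falsy or
                 its name fails allowed_file.
        """
        if not (pic and self.allowed_file(pic.filename)):
            return "Not allowed extension."
        extension = "." + pic.filename.rsplit('.', 1)[1].lower()
        # The on-disk name is the numeric user id plus the validated
        # extension, so nothing else from the client-supplied filename
        # reaches the filesystem path.
        base_path = "/var/www/SEAS/uploads/%s/profile_pictures/" % self.organization
        path = base_path + str(self.user_id) + extension
        if not os.path.exists(base_path):
            os.makedirs(base_path)
        with open(path, "wb") as f:
            # Read until read() returns an empty buffer. The previous
            # ``while data != ""`` loop never terminates on Python 3, where
            # a binary read() returns b"" and b"" != "".
            for chunk in iter(pic.read, b""):
                f.write(chunk)
        self.execute(
            "update members set ProfilePic = '%s' where PersonID = '%s';"
            % (path, self.user_id))
        return "Done"

    def get_profile_picture(self):
        """Return the profile picture path loaded from the members row."""
        return self.profile_pic_path

    def verify_password(self, password):
        """Return True when ``password`` matches this user's stored hash."""
        return self.pass_word.verify_password_hash(password, self.hashed_pass)

    def reset_password(self):
        """
        Issue a temporary password and mail it to the user.

        The temporary hash is stored in temporary_passwords and a MySQL event
        named ``user_<id>`` deletes it 30 minutes later.

        :return: "Check your mail address for credentials." on success, or
                 "Your account has been reset already." when a temporary
                 password for this user already exists (IntegrityError).
        """
        password = passwordGenerator(8)
        user_id = int(self.user_id)
        try:
            password_ = self.pass_word.hash_password(password)
            self.execute("INSERT INTO temporary_passwords (UserID, Password)"
                         "VALUES (%d, '%s');" % (user_id, password_))
            self.execute(
                "CREATE EVENT user_%d ON SCHEDULE AT date_add(now(), INTERVAL 30 MINUTE) "
                "DO DELETE FROM temporary_passwords WHERE UserID = %d;"
                % (user_id, user_id))
            auth = [
                "%s %s" % (self.name, self.surname), self.email, password,
                self.username
            ]
            threading.Thread(target=send_mail_password_reset, args=(auth, )).start()
            return "Check your mail address for credentials."
        except IntegrityError:
            return "Your account has been reset already."

    def check_and_change_password(self, temp_pass, new_pass):
        """
        Consume a temporary password and set ``new_pass`` as the real one.

        :param temp_pass: clear-text temporary password from the reset mail.
        :param new_pass: clear-text password to store (hashed before the UPDATE).
        :return: the execute() result of the UPDATE on success;
                 "There is not any reset request for the user!" when no
                 temporary password is stored; "Wrong Temporary Password!"
                 when ``temp_pass`` does not verify.
        """
        user_id = int(self.user_id)
        try:
            # An empty result makes ``[0][0]`` raise IndexError. The previous
            # code wrapped only the DELETE in this handler, so the
            # "no reset request" message was unreachable.
            password = self.execute(
                "SELECT Password FROM temporary_passwords WHERE UserID = %d;"
                % user_id)[0][0]
        except IndexError:
            return "There is not any reset request for the user!"
        if not self.pass_word.verify_password_hash(temp_pass, password):
            return "Wrong Temporary Password!"
        self.execute("DELETE FROM temporary_passwords WHERE UserID = %d;" % user_id)
        new_pass = self.pass_word.hash_password(new_pass)
        return self.execute(
            "UPDATE members SET members.Password = '%s' WHERE PersonID = %d;"
            % (new_pass, user_id))

    def get_last_activity(self, endpoint):
        """
        Return the five most recent activity rows for this user.

        :param endpoint: "last_login" restricts the rows to sign_in calls;
                         any other value returns the latest activity of any kind.
        :return: the result rows, padded with "" entries up to length 5.
        """
        if endpoint == "last_login":
            rtn = self.execute(
                "SELECT Api_Endpoint, Time, IP FROM istanbul_sehir_university.last_activities "
                "where username = '%s' and Api_Endpoint = 'sign_in' order by Time DESC limit 5;"
                % self.username)
        else:
            rtn = self.execute(
                "SELECT Api_Endpoint, Time, IP FROM istanbul_sehir_university.last_activities "
                "where username = '%s' order by Time DESC limit 5;" % self.username)
        while len(rtn) < 5:
            rtn.append("")
        return rtn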