    def post(self):
        """
        Exchange an existing session token for a regenerated session.

        The body is validated against ``requests.TokenAuthDesc`` and must carry
        ``authtoken`` and ``tid``; a ``tid`` of 0 means "the tenant this request
        arrived at".  When the requested tenant differs from the request's
        tenant, the caller is redirected to that tenant's login page carrying
        the new session id; otherwise the serialized session is returned.

        :raises errors.InvalidAuthentication: unknown token, or a token bound to
            a different tenant (counted in ``Settings.failed_login_attempts``)
        """
        yield login_delay()

        payload = self.validate_message(self.request.content.read(),
                                        requests.TokenAuthDesc)

        # int(0) is falsy, so a tid of 0 falls back to the request's tenant.
        target_tid = int(payload['tid']) or self.request.tid

        current = Sessions.get(payload['authtoken'])
        if current is None or current.tid != target_tid:
            Settings.failed_login_attempts += 1
            raise errors.InvalidAuthentication

        # NOTE(review): the connection policy is evaluated for the request's
        # tenant, not for target_tid — confirm that is intended when they differ.
        connection_check(self.request.tid, self.request.client_ip,
                         current.user_role, self.request.client_using_tor)

        # Presumably issues a fresh session id in place of the validated one.
        fresh = Sessions.regenerate(current.id)

        log.debug("Login: Success (%s)" % fresh.user_role)

        if target_tid != self.request.tid:
            hostname = State.tenant_cache[target_tid].hostname
            # The session id travels in the URL fragment; it is not sent to the
            # server on navigation but may persist in browser history.
            returnValue({
                'redirect': 'https://%s/#/login?token=%s' % (hostname, fresh.id)
            })

        returnValue(fresh.serialize())
ファイル: authentication.py プロジェクト: MrMEEE/GlobaLeaks
def login(session, tid, username, password, authcode, client_using_tor,
          client_ip):
    """
    Login transaction for users' access

    Looks up the enabled users of tenant ``tid`` with the given username and
    verifies the password against each candidate in turn; on a match it unwraps
    the user's stored private key (if any), applies the tenant's password
    rotation policy, enforces TOTP when two-factor is enabled and opens a
    session.

    :param session: An ORM session
    :param tid: A tenant ID
    :param username: A provided username
    :param password: A provided password
    :param authcode: A provided authcode ('' when the client sent none)
    :param client_using_tor: A boolean signaling Tor usage
    :param client_ip:  The client IP
    :return: Returns a user session in case of success
    :raises errors.TwoFactorAuthCodeRequired: two-factor is on and ``authcode`` is empty
    :raises errors.InvalidTwoFactorAuthCode: two-factor is on and the code does not verify
    """
    candidates = session.query(User).filter(User.username == username,
                                            User.state == 'enabled',
                                            User.tid == tid)

    # First candidate whose stored hash verifies wins; None if none does.
    matched = next((u for u in candidates
                    if GCE.check_password(u.hash_alg, password, u.salt, u.password)),
                   None)

    if matched is None:
        log.debug("Login: Invalid credentials")
        # NOTE(review): login_error is assumed to raise; otherwise the next
        # line dereferences None — confirm against its definition.
        login_error(tid)

    connection_check(tid, client_ip, matched.role, client_using_tor)

    crypto_prv_key = ''
    if matched.crypto_prv_key:
        # Presumably a KDF over password+salt yielding the key that wraps the
        # stored (base64) private key.
        unwrap_key = GCE.derive_key(password.encode(), matched.salt)
        wrapped = Base64Encoder.decode(matched.crypto_prv_key)
        crypto_prv_key = GCE.symmetric_decrypt(unwrap_key, wrapped)
    elif State.tenant_cache[tid].encryption:
        # Force the password change on which the user key will be created
        matched.password_change_needed = True

    # Require password change if password change threshold is exceeded
    rotation_days = State.tenant_cache[tid].password_change_period
    if rotation_days > 0 and \
       matched.password_change_date < datetime_now() - timedelta(days=rotation_days):
        matched.password_change_needed = True

    if matched.two_factor_enable:
        if authcode == '':
            raise errors.TwoFactorAuthCodeRequired

        # RFC 6238: step size 30 sec; valid_window = 1; total size of the window: 1.30 sec
        totp = pyotp.TOTP(matched.two_factor_secret)
        if not totp.verify(authcode, valid_window=1):
            raise errors.InvalidTwoFactorAuthCode

    matched.last_login = datetime_now()

    return Sessions.new(tid, matched.id, matched.tid, matched.role,
                        matched.password_change_needed, matched.two_factor_enable,
                        crypto_prv_key, matched.crypto_escrow_prv_key)
ファイル: authentication.py プロジェクト: hevelius/GlobaLeaks
    def post(self):
        """
        Whistleblower login by receipt.

        Validates the body against ``requests.ReceiptAuthDesc``, waits the
        tenant's login delay, consumes the request token, runs the connection
        policy check for the ``'whistleblower'`` role, resolves the receipt
        into a session, records the login and returns the serialized session.
        """
        payload = self.validate_message(self.request.content.read(),
                                        requests.ReceiptAuthDesc)

        yield login_delay(self.request.tid)

        # The token is consumed before the receipt is examined (presumably
        # single-use — tokens.use).
        self.state.tokens.use(payload['token'])

        connection_check(self.request.tid, self.request.client_ip,
                         'whistleblower', self.request.client_using_tor)

        wb_session = yield login_whistleblower(self.request.tid,
                                               payload['receipt'])

        State.log(tid=wb_session.tid,  type='whistleblower_login')

        returnValue(wb_session.serialize())
    def post(self):
        """
        Whistleblower login by receipt.

        Waits the login delay first, then validates the body against
        ``requests.ReceiptAuthDesc``, consumes the request token, runs the
        connection policy check for the ``'whistleblower'`` role and resolves
        the receipt into a session which is returned serialized.
        """
        yield login_delay()

        payload = self.validate_message(self.request.content.read(),
                                        requests.ReceiptAuthDesc)

        # Presumably single-use (tokens.use): consumed before the receipt is checked.
        self.state.tokens.use(payload['token'])

        connection_check(self.request.tid, self.request.client_ip,
                         'whistleblower', self.request.client_using_tor)

        wb_session = yield login_whistleblower(self.request.tid,
                                               payload['receipt'])

        log.debug("Login: Success (%s)" % wb_session.user_role)

        returnValue(wb_session.serialize())
ファイル: authentication.py プロジェクト: hevelius/GlobaLeaks
    def post(self):
        """
        Exchange an existing session token for a regenerated session.

        Validates the body against ``requests.TokenAuthDesc``, waits the
        tenant's login delay, consumes the request token, then requires the
        session named by ``authtoken`` to exist and belong to the request's
        tenant before regenerating it and returning it serialized.
        """
        payload = self.validate_message(self.request.content.read(),
                                        requests.TokenAuthDesc)

        yield login_delay(self.request.tid)

        self.state.tokens.use(payload['token'])

        existing = Sessions.get(payload['authtoken'])
        # A token belonging to another tenant is treated like an unknown one.
        # NOTE(review): login_failure is assumed to raise; if it only records
        # the attempt, connection_check below dereferences None — confirm.
        if not (existing is not None and existing.tid == self.request.tid):
            login_failure(self.request.tid, 0)

        connection_check(self.request.tid, self.request.client_ip,
                         existing.user_role, self.request.client_using_tor)

        # Presumably issues a fresh session id in place of the validated one.
        fresh = Sessions.regenerate(existing.id)

        returnValue(fresh.serialize())
ファイル: submission.py プロジェクト: cerebralia/GlobaLeaks
    def put(self, token_id):
        """
        Finalize the submission

        Runs the connection policy check for the ``'whistleblower'`` role,
        refuses when submissions are globally or per-tenant disabled, validates
        the body against ``requests.SubmissionDesc``, records whether the client
        is mobile, consumes ``token_id`` and hands everything to
        ``create_submission``.

        :param token_id: id of the token consumed to finalize the submission
        :return: whatever ``create_submission`` returns
        :raises errors.SubmissionDisabled: submissions are switched off
        """
        connection_check(self.request.tid, self.request.client_ip,
                         'whistleblower', self.request.client_using_tor)

        # Short-circuit keeps the tenant lookup behind the global switch.
        submissions_closed = (
            not self.state.accept_submissions
            or self.state.tenant_cache[self.request.tid]['disable_submissions']
        )
        if submissions_closed:
            raise errors.SubmissionDisabled

        payload = self.validate_message(self.request.content.read(),
                                        requests.SubmissionDesc)
        payload['mobile'] = self.request.client_mobile

        consumed_token = self.state.tokens.use(token_id)

        return create_submission(self.request.tid, payload, consumed_token,
                                 self.request.client_using_tor)
def login(session, tid, username, password, authcode, client_using_tor,
          client_ip):
    """
    Login transaction for users' access

    Looks up the non-disabled users of tenant ``tid`` with the given username
    and verifies the password against each candidate (with a legacy fallback,
    see below); on a match it unwraps the user's stored private key (if any),
    applies the tenant's password rotation policy, enforces TOTP when
    two-factor is enabled and opens a session.

    :param session: An ORM session
    :param tid: A tenant ID
    :param username: A provided username
    :param password: A provided password
    :param authcode: A provided authcode ('' when the client sent none)
    :param client_using_tor: A boolean signaling Tor usage
    :param client_ip:  The client IP
    :return: Returns a user session in case of success
    :raises errors.InvalidAuthentication: no candidate verified (also bumps
        ``Settings.failed_login_attempts``)
    :raises errors.TwoFactorAuthCodeRequired: two-factor is on and ``authcode`` is empty
    :raises errors.InvalidTwoFactorAuthCode: two-factor is on and the code does not verify
    """
    user = None

    # Every candidate row is tried; the first one whose stored hash verifies wins.
    for u in session.query(User).filter(User.username == username,
                                        User.state != 'disabled',
                                        User.tid == tid):
        if GCE.check_password(u.hash_alg, password, u.salt, u.password):
            user = u
            break

        # Fix for issue: https://github.com/globaleaks/GlobaLeaks/issues/2563
        # Legacy fallback gated on the root tenant's (tenant 1) creation date:
        # re-checks the password against a re-wrapped form of the stored hash.
        # NOTE(review): the literal on the next line does not parse as shown
        # ('******' looks like a redaction artefact of this listing) — confirm
        # the exact wrapper string against the upstream fix for #2563.
        if State.tenant_cache[1].creation_date < 1551740400:
            u_password = '******'' + u.password + '\''
            if GCE.check_password(u.hash_alg, password, u.salt, u_password):
                user = u
                break

    if user is None:
        log.debug("Login: Invalid credentials")
        Settings.failed_login_attempts += 1
        raise errors.InvalidAuthentication

    connection_check(tid, client_ip, user.role, client_using_tor)

    crypto_prv_key = ''
    if user.crypto_prv_key:
        # Presumably a KDF over password+salt yielding the key that wraps the
        # stored (base64) private key.
        user_key = GCE.derive_key(password.encode(), user.salt)
        crypto_prv_key = GCE.symmetric_decrypt(
            user_key, Base64Encoder.decode(user.crypto_prv_key))
    elif State.tenant_cache[tid].encryption:
        # Force the password change on which the user key will be created
        user.password_change_needed = True

    if user.two_factor_enable:
        if authcode != '':
            # RFC 6238: step size 30 sec; valid_window = 1; total size of the window: 1.30 sec
            if not pyotp.TOTP(user.two_factor_secret).verify(authcode,
                                                             valid_window=1):
                raise errors.InvalidTwoFactorAuthCode

        else:
            raise errors.TwoFactorAuthCodeRequired

    user.last_login = datetime_now()

    return Sessions.new(tid, user.id, user.tid, user.role,
                        user.password_change_needed, user.two_factor_enable,
                        crypto_prv_key, user.crypto_escrow_prv_key)