def userAdd():
if 'logged_in' in session:
if request.method == 'GET':
return render_template('user-add.html')
else:
success = True
errors = []
user_password = request.form['user_password']
user = dbsession.query(User).filter_by(id=session['user_id']).first()
# Checks current user password
if user is None or hashPassword(user_password) != user.password:
success = False
errors.append('Your password is incorrect')
# Someone has messed with the database
if success:
mk_cksum = dbsession.query(GlobalConfig).filter_by(key = 'master_key_checksum').first()
if not mk_cksum:
success = False
errors.append('Database is broken, please create a new one !')
if success:
keyFromPassword = crypto.keyFromText(user_password, base64.b64decode(user.b64_kdf_salt))
MASTER_KEY = crypto.decrypt(user.encrypted_master_key, keyFromPassword)
# Someone changed the master key...
if checksum(MASTER_KEY) != mk_cksum.value:
errors.append('MASTER_KEY may have been altered')
del MASTER_KEY
success = False
# Now check the new user password...
if success:
password1, password2 = request.form['password'], request.form['password2']
if password1 != password2:
success = False
errors.append('New user passwords do not match')
# ... including complexity
if success:
if not verifyPassword(password1):
success = False
errors.append('Password is not complex enough (l > 12 and at least three character classes between lowercase, uppercase, numeric and special char)')
# Encrypt the MASTER_KEY for the user
if success:
new_kdf_salt = crypto.randomBytes(crypto.SALT_LENGTH)
keyFromPassword = crypto.keyFromText(password1, new_kdf_salt)
emk = crypto.encrypt(MASTER_KEY, keyFromPassword)
del MASTER_KEY # safer ?
u = User(
username = request.form['username'],
password = hashPassword(password1),
email = request.form['email'],
active = True,
encrypted_master_key = emk,
b64_kdf_salt = base64.b64encode(new_kdf_salt))
if len(request.form['username']) <= 0 or len(request.form['email']) <= 0:
success = False
errors.append('No empty fields allowed.')
if success:
dbsession.add(u)
dbsession.commit()
return redirect(app.jinja_env.globals['url_for']('users'))
else:
return render_template('user-add.html', username=request.form['username'], email=request.form['email'], errors='\n'.join(errors))
else:
return redirect(app.jinja_env.globals['url_for']('login'))
def userAdd():
if 'logged_in' in session:
if request.method == 'GET':
return render_template('user-add.html')
else:
success = True
errors = []
user_password = request.form['user_password']
user = dbsession.query(User).filter_by(id=session['user_id']).first()
# Checks current user password
if user is None or hashPassword(user_password) != user.password:
success = False
errors.append('Your password is incorrect')
# Someone has messed with the database
if success:
mk_cksum = dbsession.query(GlobalConfig).filter_by(key = 'master_key_checksum').first()
if not mk_cksum:
success = False
errors.append('Database is broken, please create a new one !')
if success:
keyFromPassword = crypto.keyFromText(user_password)
MASTER_KEY = crypto.decrypt(user.encrypted_master_key, keyFromPassword)
# Someone changed the master key...
if checksum(MASTER_KEY) != mk_cksum.value:
errors.append('MASTER_KEY may have been altered')
del MASTER_KEY
success = False
# Now check the new user password...
if success:
password1, password2 = request.form['password'], request.form['password2']
if password1 != password2:
success = False
errors.append('New user passwords do not match')
# ... including complexity
if success:
if not verifyPassword(password1):
success = False
errors.append('Password is not complex enough (l > 12 and at least three character classes between lowercase, uppercase, numeric and special char)')
# Encrypt the MASTER_KEY for the user
if success:
keyFromPassword = crypto.keyFromText(password1)
emk = crypto.encrypt(MASTER_KEY, keyFromPassword)
del MASTER_KEY # safer ?
u = User(
username = request.form['username'],
password = hashPassword(password1),
email = request.form['email'],
active = True,
encrypted_master_key = emk)
dbsession.add(u)
dbsession.commit()
if success:
return redirect(url_for('users'))
else:
return render_template('user-add.html', username=request.form['username'], email=request.form['email'], errors='\n'.join(errors))
else:
return redirect(url_for('login'))