def NewUser(email, passwd):
salt = utils.CreateSalt(length=8)
user(uuid=(lambda: str(uuid.uuid4()).replace("-", ""))(),
email=email,
password=password.crypt(passwd, salt),
passwordsalt=salt,
last_login=0.0,
last_joinserver=0.0,
register_time=datetime.now()).save()
def kf_login_verify():
if request.is_json:
data = request.json
Data = cache_secureauth.get(data.get("authId"))
if not Data:
return Response(status=403)
else:
user_result = model.getuser(Data['username'])
if user_result:
AuthRequest = password.crypt(
user_result.password, Data['HashKey'])
print(AuthRequest)
if AuthRequest == data['Password']:
if Data.get("inorderto") == "signin":
notDoubleProfile = False
Profileresult = model.getprofile_createby(
user_result.uuid)
if len(Profileresult) == 1:
notDoubleProfile = True
SelectedProfile = model.format_profile(
Profileresult.get())
AccessToken = str(uuid.uuid4()).replace("-", "")
ClientToken = str(uuid.uuid4()).replace("-", "")
cache_token.set(AccessToken, {
"clientToken": ClientToken,
"bind": Profileresult.get().uuid if notDoubleProfile else None,
"user": user_result.uuid,
"group": "global",
"createTime": int(time.time())
}, ttl=config.TokenTime.RefrushTime * config.TokenTime.TimeRange)
IReturn = {
"accessToken": AccessToken,
"clientToken": ClientToken,
}
cache_secureauth.delete(data['authId'])
if data.get("requestUser"):
IReturn['metadata'] = {
"user": {
"userId": user_result.uuid
}
}
return Response(json.dumps(IReturn), mimetype='application/json; charset=utf-8')
if Data.get("inorderto") == "signout":
result = Token.getalltoken(user_result)
if result:
for i in result:
cache_secureauth.delete(i)
return Response(status=204)
else:
cache_secureauth.delete(data['authId'])
raise Exceptions.InvalidCredentials()
else:
cache_secureauth.delete(data['authId'])
return Response(status=403)
def kf_user_changepasswd(username):
if request.is_json:
data = request.json
user_result = model.getuser(username)
if user_result:
AccessToken = data['accessToken']
ClientToken = data['clientToken'] if 'clientToken' in data else None
if not ClientToken:
token_result_boolean = model.is_validate(AccessToken)
token = model.gettoken(AccessToken)
else:
token_result_boolean = model.is_validate(
AccessToken, ClientToken)
token = model.gettoken(AccessToken, ClientToken)
if token_result_boolean and token:
# 如果Token有效
# 开始解析由公钥(/api/yggdrasil)加密的东西
# 这玩意是个base64
encrypt = base64.b64decode(data['Password'])
decrypt_errorMessage = password.decrypt(
encrypt, config.KeyPath.Private)
user = model.getuser(token.email)
if password.crypt(decrypt_errorMessage, user.passwordsalt) == user.password:
return Response(status=204)
newsalt = utils.CreateSalt(length=8)
newpassword = password.crypt(decrypt_errorMessage, newsalt)
user.password = newpassword
user.passwordsalt = newsalt
user.save()
# 开始否决所有的Token
model.token.delete().where(model.token.email == user.email).execute()
return Response(status=204)
else:
raise Exceptions.InvalidToken()
else:
raise Exceptions.InvalidToken()
def verify():
data = cache_verify.get(request.args.get("registerId"))
if not data:
raise Exceptions.InvalidToken()
if model.getuser(data.get("email")):
raise Exceptions.InvalidToken()
result = model.user(username=data.get("username"),
email=data.get("email"),
password=password.crypt(data["password"]['context'],
data["password"]['salt']),
passwordsalt=data["password"]['salt'],
register_time=datetime.now(),
last_login=0,
last_joinserver=0)
result.save()
cache_verify.delete(request.args.get("registerId"))
return Response(status=204)
def group_signout(group_id):
group.get_group(group_id)
if request.is_json:
data = request.json
email = data['username']
passwd = data['password']
result = model.getuser(email)
if not result:
model.log_yggdrasil(operational="authserver.signout",
IP=request.remote_addr,
time=datetime.datetime.now(),
successful=False).save()
raise Exceptions.InvalidCredentials()
else:
group.get_member(result, group_id)
'''if result.permission == 0:
return Response(json.dumps({
'error' : "ForbiddenOperationException",
'errorMessage' : "Invalid credentials. Invalid username or password."
}), status=403, mimetype='application/json; charset=utf-8')'''
if not cache_limit.get(".".join(['lock', result.email])):
cache_limit.set(".".join(['lock', result.email]),
"LOCKED",
ttl=config.AuthLimit)
else:
raise Exceptions.InvalidCredentials()
if password.crypt(passwd,
salt=result.passwordsalt) == result.password:
Token_result = Token.getalltoken(result)
if Token_result:
for i in Token_result:
if i.get("group") == group_id:
cache_token.delete(i)
model.log_yggdrasil(operational="authserver.signout",
user=result.uuid,
IP=request.remote_addr,
time=datetime.datetime.now()).save()
return Response(status=204)
else:
model.log_yggdrasil(operational="authserver.signout",
user=result.uuid,
IP=request.remote_addr,
time=datetime.datetime.now(),
successful=False).save()
raise Exceptions.InvalidCredentials()
parser = argparse.ArgumentParser()
parser.add_argument(
"--password", help="length of the generated password", type=int)
parser.add_argument(
"--purpose", help="purpose of the password generation", type=str)
parser.add_argument(
"--file", help="file where password will be saved", type=str)
parser.add_argument(
"--token", help="handle the token, deletion request => true or pass", type=str)
parser.add_argument("--check",
help="check if the password you seek is correct compare to the hashed version => true or pass, type=str")
args = parser.parse_args()
if args.password:
psswd = password_generation(args.password)
hashed = crypt(save_crypt_key("salt.txt"), str(
args.file), psswd, str(args.purpose))
check(psswd, hashed)
if args.token == "true":
display_token("salt.txt")
if args.check == "true":
if args.purpose:
if args.file:
compare_hash(str(args.file), str(args.purpose))
else:
print(
"You need at least a purpose(--purpose) and a filename(--file) to decrypt a password")
else:
print("You need at least a purpose and a filename to decrypt a password")
if args.check == "false":
pass
else:
def group_authenticate(group_id):
group.get_group(group_id)
IReturn = {}
if request.is_json:
data = request.json
user = model.getuser(data['username'])
if not user:
raise Exceptions.InvalidCredentials()
'''if user.permission == 0:
return Response(json.dumps({
'error' : "ForbiddenOperationException",
'errorMessage' : "You have been banned by the administrator, please contact the administrator for help"
}), status=403, mimetype='application/json; charset=utf-8')'''
if not cache_limit.get(".".join(['lock', user.email])):
cache_limit.set(".".join(['lock', user.email]),
"LOCKED",
ttl=config.AuthLimit)
else:
raise Exceptions.InvalidCredentials()
group.get_member(group_id, user.uuid)
SelectedProfile = {}
AvailableProfiles = []
if password.crypt(data['password'],
user.passwordsalt) == user.password:
# 登录成功.
ClientToken = data.get("clientToken",
str(uuid.uuid4()).replace("-", ""))
AccessToken = str(uuid.uuid4()).replace("-", "")
notDoubleProfile = False
try:
AvailableProfiles = [
model.format_profile(i, unsigned=True)
for i in model.profile.select().where(
model.profile.createby == user.uuid)
]
except model.profile.DoesNotExist:
pass
Profileresult = model.getprofile_createby(user.uuid)
if len(Profileresult) == 1:
notDoubleProfile = True
SelectedProfile = model.format_profile(Profileresult.get())
cache_token.set(
AccessToken, {
"clientToken": ClientToken,
"bind":
Profileresult.get().uuid if notDoubleProfile else None,
"user": user.uuid,
"group": group_id,
"createTime": int(time.time())
},
ttl=config.TokenTime.RefrushTime * config.TokenTime.TimeRange)
IReturn = {
"accessToken": AccessToken,
"clientToken": ClientToken,
"availableProfiles": AvailableProfiles,
"selectedProfile": SelectedProfile
}
if "requestUser" in data:
if data['requestUser']:
IReturn['user'] = model.format_user(user)
if IReturn['selectedProfile'] == {}:
del IReturn['selectedProfile']
user.last_login = datetime.datetime.now()
model.log_yggdrasil(operational="authserver.authenticate",
user=user.uuid,
otherargs=json.dumps(
{"clientToken": ClientToken}),
IP=request.remote_addr,
time=datetime.datetime.now()).save()
else:
model.log_yggdrasil(operational="authserver.authenticate",
user=user.uuid,
IP=request.remote_addr,
time=datetime.datetime.now(),
successful=False).save()
raise Exceptions.InvalidCredentials()
return Response(json.dumps(IReturn),
mimetype='application/json; charset=utf-8')
