def db_admin_update_user(session, tid, user_id, request, language):
"""
Updates the specified user.
"""
fill_localized_keys(request, models.User.localized_keys, language)
user = db_get_user(session, tid, user_id)
if user.username != request['username']:
check = session.query(models.User).filter(models.User.username == text_type(request['username']),
models.UserTenant.user_id == models.User.id,
models.UserTenant.tenant_id == tid).one_or_none()
if check is not None:
raise errors.InputValidationError('Username already in use')
user.update(request)
password = request['password']
if password:
user.hash_alg = GCE.HASH
user.salt = GCE.generate_salt()
user.password = GCE.hash_password(password, user.salt)
user.password_change_date = datetime_now()
user.crypto_prv_key = b''
user.crypto_pub_key = b''
# The various options related in manage PGP keys are used here.
parse_pgp_options(user, request)
if user.role == 'admin':
db_refresh_memory_variables(session, [tid])
return user
def login_whistleblower(session, tid, receipt):
"""
login_whistleblower returns a session
"""
x = None
algorithms = [x[0] for x in session.query(WhistleblowerTip.hash_alg).filter(WhistleblowerTip.tid == tid).distinct()]
if algorithms:
hashes = []
for alg in algorithms:
hashes.append(GCE.hash_password(receipt, State.tenant_cache[tid].receipt_salt, alg))
x = session.query(WhistleblowerTip, InternalTip) \
.filter(WhistleblowerTip.receipt_hash.in_(hashes),
WhistleblowerTip.tid == tid,
InternalTip.id == WhistleblowerTip.id,
InternalTip.tid == WhistleblowerTip.tid).one_or_none()
if x is None:
log.debug("Whistleblower login: Invalid receipt")
Settings.failed_login_attempts += 1
raise errors.InvalidAuthentication
wbtip = x[0]
itip = x[1]
itip.wb_last_access = datetime_now()
crypto_prv_key = ''
if State.tenant_cache[1].encryption and wbtip.crypto_prv_key:
user_key = GCE.derive_key(receipt.encode('utf-8'), State.tenant_cache[tid].receipt_salt)
crypto_prv_key = GCE.symmetric_decrypt(user_key, wbtip.crypto_prv_key)
return Sessions.new(tid, wbtip.id, 'whistleblower', False, crypto_prv_key)
def get_internalfiles_by_receipt(self, session, receipt):
hashed_receipt = GCE.hash_password(receipt, State.tenant_cache[1].receipt_salt)
ifiles = session.query(models.InternalFile) \
.filter(models.InternalFile.internaltip_id == models.WhistleblowerTip.id,
models.WhistleblowerTip.receipt_hash == hashed_receipt)
return [models.serializers.serialize_ifile(session, ifile) for ifile in ifiles]
def db_create_user(session, tid, request, language):
request['tid'] = tid
fill_localized_keys(request, models.User.localized_keys, language)
if request['username']:
user = session.query(models.User).filter(models.User.username == text_type(request['username']),
models.UserTenant.user_id == models.User.id,
models.UserTenant.tenant_id == tid).one_or_none()
if user is not None:
raise errors.InputValidationError('Username already in use')
user = models.User({
'tid': tid,
'username': request['username'],
'role': request['role'],
'state': u'enabled',
'name': request['name'],
'description': request['description'],
'language': language,
'password_change_needed': request['password_change_needed'],
'mail_address': request['mail_address'],
'can_edit_general_settings': request['can_edit_general_settings']
})
if not request['username']:
user.username = user.id = uuid4()
password = u'password'
if request['password']:
password = request['password']
user.hash_alg = GCE.HASH
user.salt = GCE.generate_salt()
user.password = GCE.hash_password(password, user.salt)
# The various options related in manage PGP keys are used here.
parse_pgp_options(user, request)
session.add(user)
session.flush()
db_create_usertenant_association(session, user.id, tid)
return user
sum_dicts
from globaleaks.utils.log import log
from globaleaks.workers import process
from globaleaks.workers.supervisor import ProcessSupervisor
GCE.ALGORITM_CONFIGURATION['KDF']['ARGON2']['OPSLIMIT'] = GCE.ALGORITM_CONFIGURATION['HASH']['ARGON2']['OPSLIMIT'] = 1
GCE.ALGORITM_CONFIGURATION['HASH']['SCRYPT']['N'] = 1<<1
################################################################################
# BEGIN MOCKS NECESSARY FOR DETERMINISTIC ENCRYPTION
VALID_PASSWORD1 = u'ACollectionOfDiplomaticHistorySince_1966_ToThe_Pr esentDay#'
VALID_PASSWORD2 = VALID_PASSWORD1
VALID_SALT1 = GCE.generate_salt()
VALID_SALT2 = GCE.generate_salt()
VALID_HASH1 = GCE.hash_password(VALID_PASSWORD1, VALID_SALT1)
VALID_HASH2 = GCE.hash_password(VALID_PASSWORD2, VALID_SALT2)
VALID_BASE64_IMG = 'iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAQAAAC1HAwCAAAAC0lEQVQYV2NgYAAAAAMAAWgmWQ0AAAAASUVORK5CYII='
INVALID_PASSWORD = u'antani'
KEY = GCE.generate_key()
USER_KEY = GCE.derive_key(VALID_PASSWORD1, VALID_SALT1)
USER_PRV_KEY, USER_PUB_KEY = GCE.generate_keypair()
USER_PRV_KEY_ENC = GCE.symmetric_encrypt(USER_KEY, USER_PRV_KEY)
GCE_orig_generate_key = GCE.generate_key
GCE_orig_generate_keypair = GCE.generate_keypair
@staticmethod
def GCE_mock_generate_key():
return KEY
def db_create_submission(session, tid, request, token, client_using_tor):
answers = request['answers']
context, questionnaire = session.query(models.Context, models.Questionnaire) \
.filter(models.Context.id == request['context_id'],
models.Questionnaire.id == models.Context.questionnaire_id).one_or_none()
if not context:
raise errors.ModelNotFound(models.Context)
if not request['receivers']:
raise errors.InputValidationError("The submission should involve at least one recipient")
if context.maximum_selectable_receivers > 0 and \
len(request['receivers']) > context.maximum_selectable_receivers:
raise errors.InputValidationError("The number of recipients selected exceed the configured limit")
steps = db_get_questionnaire(session, tid, questionnaire.id, None)['steps']
questionnaire_hash = db_archive_questionnaire_schema(session, steps)
preview = extract_answers_preview(steps, answers)
itip = models.InternalTip()
itip.tid = tid
itip.status = 'new'
itip.progressive = db_assign_submission_progressive(session, tid)
itip.additional_questionnaire_id = context.additional_questionnaire_id
if context.tip_timetolive > 0:
itip.expiration_date = get_expiration(context.tip_timetolive)
# Evaluate the score level
itip.total_score = request['total_score']
# The status https is used to keep track of the security level adopted by the whistleblower
itip.https = not client_using_tor
itip.mobile = request['mobile']
itip.context_id = context.id
itip.enable_two_way_comments = context.enable_two_way_comments
itip.enable_two_way_messages = context.enable_two_way_messages
itip.enable_attachments = context.enable_attachments
x = session.query(models.Field, models.FieldAttr.value) \
.filter(models.Field.template_id == 'whistleblower_identity',
models.Field.step_id == models.Step.id,
models.Step.questionnaire_id == context.questionnaire_id,
models.FieldAttr.field_id == models.Field.id,
models.FieldAttr.name == 'visibility_subject_to_authorization').one_or_none()
whistleblower_identity = None
can_access_whistleblower_identity = True
if x:
whistleblower_identity = x[0]
can_access_whistleblower_identity = not x[1]
itip.enable_whistleblower_identity = whistleblower_identity is not None
session.add(itip)
session.flush()
crypto_is_available = State.tenant_cache[tid].encryption
if crypto_is_available:
crypto_tip_prv_key, itip.crypto_tip_pub_key = GCE.generate_keypair()
receipt = ''
# Evaluate if the whistleblower tip should be generated
if ((not State.tenant_cache[tid].enable_scoring_system) or
(context.score_threshold_receipt == 0) or
(context.score_threshold_receipt == 1 and itip.total_score >= 2) or
(context.score_threshold_receipt == 2 and itip.total_score == 3)):
receipt = GCE.generate_receipt()
receipt_salt = State.tenant_cache[tid].receipt_salt
wbtip = models.WhistleblowerTip()
wbtip.id = itip.id
wbtip.tid = tid
wbtip.hash_alg = 'ARGON2'
wbtip.receipt_hash = GCE.hash_password(receipt, receipt_salt)
# Evaluate if the whistleblower tip should be encrypted
if crypto_is_available:
crypto_tip_prv_key, itip.crypto_tip_pub_key = GCE.generate_keypair()
wb_key = GCE.derive_key(receipt.encode(), receipt_salt)
wb_prv_key, wb_pub_key = GCE.generate_keypair()
wbtip.crypto_prv_key = Base64Encoder.encode(GCE.symmetric_encrypt(wb_key, wb_prv_key))
wbtip.crypto_pub_key = wb_pub_key
wbtip.crypto_tip_prv_key = Base64Encoder.encode(GCE.asymmetric_encrypt(wb_pub_key, crypto_tip_prv_key))
session.add(wbtip)
# Apply special handling to the whistleblower identity question
if itip.enable_whistleblower_identity and request['identity_provided'] and answers[whistleblower_identity.id]:
if crypto_is_available:
wbi = base64.b64encode(GCE.asymmetric_encrypt(itip.crypto_tip_pub_key, json.dumps(answers[whistleblower_identity.id][0]).encode())).decode()
else:
wbi = answers[whistleblower_identity.id][0]
answers[whistleblower_identity.id] = ''
db_set_internaltip_data(session, itip.id, 'whistleblower_identity', wbi)
db_save_plaintext_answers(session, tid, itip.id, answers)
if crypto_is_available:
preview = base64.b64encode(GCE.asymmetric_encrypt(itip.crypto_tip_pub_key, json.dumps(preview).encode())).decode()
answers = base64.b64encode(GCE.asymmetric_encrypt(itip.crypto_tip_pub_key, json.dumps(answers).encode())).decode()
itip.preview = preview
db_set_internaltip_answers(session, itip.id, questionnaire_hash, answers)
for uploaded_file in token.uploaded_files:
if uploaded_file['id'] in request['removed_files']:
continue
if crypto_is_available:
for k in ['name', 'type', 'size']:
uploaded_file[k] = base64.b64encode(GCE.asymmetric_encrypt(itip.crypto_tip_pub_key, str(uploaded_file[k])))
new_file = models.InternalFile()
new_file.tid = tid
new_file.name = uploaded_file['name']
new_file.content_type = uploaded_file['type']
new_file.size = uploaded_file['size']
new_file.internaltip_id = itip.id
new_file.filename = uploaded_file['filename']
new_file.submission = uploaded_file['submission']
session.add(new_file)
tip_count = 0
for user in session.query(models.User).filter(models.User.id.in_(request['receivers'])):
_tip_key = b''
if crypto_is_available:
if user.crypto_pub_key:
_tip_key = GCE.asymmetric_encrypt(user.crypto_pub_key, crypto_tip_prv_key)
else:
continue
db_create_receivertip(session, user, itip, can_access_whistleblower_identity, _tip_key)
tip_count += 1
if not tip_count:
raise errors.InputValidationError("Unable to deliver the submission to at least one recipient")
return {
'receipt': receipt,
'score': itip.total_score
}
from globaleaks.utils.crypto import GCE, Base32Encoder, Base64Encoder
from globaleaks.utils.objectdict import ObjectDict
from globaleaks.utils.securetempfile import SecureTemporaryFile
from globaleaks.utils.utility import datetime_null, datetime_now, sum_dicts
from globaleaks.utils.log import log
GCE.ALGORITM_CONFIGURATION['ARGON2']['OPSLIMIT'] = 1
GCE.ALGORITM_CONFIGURATION['SCRYPT']['N'] = 1 << 1
################################################################################
# BEGIN MOCKS NECESSARY FOR DETERMINISTIC ENCRYPTION
VALID_PASSWORD1 = 'ACollectionOfDiplomaticHistorySince_1966_ToThe_Pr esentDay#'
VALID_PASSWORD2 = VALID_PASSWORD1
VALID_SALT1 = GCE.generate_salt()
VALID_SALT2 = GCE.generate_salt()
VALID_HASH1 = GCE.hash_password(VALID_PASSWORD1, VALID_SALT1)
VALID_HASH2 = GCE.hash_password(VALID_PASSWORD2, VALID_SALT2)
VALID_BASE64_IMG = 'iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAQAAAC1HAwCAAAAC0lEQVQYV2NgYAAAAAMAAWgmWQ0AAAAASUVORK5CYII='
INVALID_PASSWORD = '******'
KEY = GCE.generate_key()
USER_KEY = GCE.derive_key(VALID_PASSWORD1, VALID_SALT1)
USER_PRV_KEY, USER_PUB_KEY = GCE.generate_keypair()
USER_PRV_KEY_ENC = Base64Encoder.encode(GCE.symmetric_encrypt(USER_KEY, USER_PRV_KEY))
USER_BKP_KEY, USER_REC_KEY = GCE.generate_recovery_key(USER_PRV_KEY)
USER_REC_KEY_PLAIN = GCE.asymmetric_decrypt(USER_PRV_KEY, Base64Encoder.decode(USER_REC_KEY))
USER_REC_KEY_PLAIN = Base32Encoder.encode(USER_REC_KEY_PLAIN).replace(b'=', b'').decode('utf-8')
GCE_orig_generate_key = GCE.generate_key
GCE_orig_generate_keypair = GCE.generate_keypair
def db_user_update_user(session, tid, user_session, request):
"""
Updates the specified user.
This version of the function is specific for users that with comparison with
admins can change only few things:
- real name
- email address
- preferred language
- the password (with old password check)
- pgp key
raises: globaleaks.errors.ResourceNotFound` if the receiver does not exist.
"""
from globaleaks.handlers.admin.notification import db_get_notification
from globaleaks.handlers.admin.node import db_admin_serialize_node
user = models.db_get(session,
models.User,
models.User.id == user_session.user_id)
user.language = request.get('language', State.tenant_cache[tid].default_language)
user.name = request['name']
new_password = request['password']
old_password = request['old_password']
if new_password:
if user.password_change_needed:
user.password_change_needed = False
else:
if not GCE.check_password(user.hash_alg,
old_password,
user.salt,
user.password):
raise errors.InvalidOldPassword
user.hash_alg = GCE.HASH
user.salt = GCE.generate_salt()
user.password = GCE.hash_password(new_password, user.salt)
user.password_change_date = datetime_now()
if State.tenant_cache[1].encryption:
enc_key = GCE.derive_key(request['password'].encode(), user.salt)
if not user_session.cc:
user_session.cc, user.crypto_pub_key = GCE.generate_keypair()
user.crypto_prv_key = GCE.symmetric_encrypt(enc_key, user_session.cc)
# If the email address changed, send a validation email
if request['mail_address'] != user.mail_address:
user.change_email_address = request['mail_address']
user.change_email_date = datetime_now()
user.change_email_token = generateRandomKey(32)
user_desc = user_serialize_user(session, user, user.language)
template_vars = {
'type': 'email_validation',
'user': user_desc,
'new_email_address': request['mail_address'],
'validation_token': user.change_email_token,
'node': db_admin_serialize_node(session, 1, user.language),
'notification': db_get_notification(session, tid, user.language)
}
State.format_and_send_mail(session, tid, user_desc, template_vars)
# If the platform allows users to change PGP keys, process it
if State.tenant_cache[tid]['enable_user_pgp_key_upload'] is True:
parse_pgp_options(user, request)
return user
def db_user_update_user(session, tid, user_session, request):
"""
Updates the specified user.
This version of the function is specific for users that with comparison with
admins can change only few things:
- real name
- email address
- preferred language
- the password (with old password check)
- pgp key
raises: globaleaks.errors.ResourceNotFound` if the receiver does not exist.
"""
from globaleaks.handlers.admin.notification import db_get_notification
from globaleaks.handlers.admin.node import db_admin_serialize_node
user = models.db_get(session, models.User,
models.User.id == user_session.user_id)
user.language = request.get('language',
State.tenant_cache[tid].default_language)
user.name = request['name']
new_password = request['password']
old_password = request['old_password']
if new_password:
if user.password_change_needed:
user.password_change_needed = False
else:
if not GCE.check_password(user.hash_alg, old_password, user.salt,
user.password):
raise errors.InvalidOldPassword
user.hash_alg = GCE.HASH
user.salt = GCE.generate_salt()
user.password = GCE.hash_password(new_password, user.salt)
user.password_change_date = datetime_now()
if State.tenant_cache[1].encryption:
enc_key = GCE.derive_key(request['password'].encode(), user.salt)
if not user_session.cc:
user_session.cc, user.crypto_pub_key = GCE.generate_keypair()
user.crypto_prv_key = GCE.symmetric_encrypt(
enc_key, user_session.cc)
# If the email address changed, send a validation email
if request['mail_address'] != user.mail_address:
user.change_email_address = request['mail_address']
user.change_email_date = datetime_now()
user.change_email_token = generateRandomKey(32)
user_desc = user_serialize_user(session, user, user.language)
template_vars = {
'type': 'email_validation',
'user': user_desc,
'new_email_address': request['mail_address'],
'validation_token': user.change_email_token,
'node': db_admin_serialize_node(session, 1, user.language),
'notification': db_get_notification(session, tid, user.language)
}
State.format_and_send_mail(session, tid, user_desc, template_vars)
# If the platform allows users to change PGP keys, process it
if State.tenant_cache[tid]['enable_user_pgp_key_upload'] is True:
parse_pgp_options(user, request)
return user
def db_create_submission(session, tid, request, token, client_using_tor):
if not request['receivers']:
raise errors.InputValidationError("need at least one recipient")
answers = request['answers']
context, questionnaire = session.query(models.Context, models.Questionnaire) \
.filter(models.Context.id == request['context_id'],
models.Questionnaire.id == models.Context.questionnaire_id,
models.Questionnaire.tid.in_(set([1, tid]))).one_or_none()
if not context:
raise errors.ModelNotFound(models.Context)
steps = db_get_questionnaire(session, tid, questionnaire.id, None)['steps']
questionnaire_hash = db_archive_questionnaire_schema(session, steps)
itip = models.InternalTip()
itip.tid = tid
itip.status = db_get_id_for_system_status(session, tid, u'new')
itip.progressive = db_assign_submission_progressive(session, tid)
itip.additional_questionnaire_id = context.additional_questionnaire_id
if context.tip_timetolive > 0:
itip.expiration_date = get_expiration(context.tip_timetolive)
# this is get from the client as it the only possibility possible
# that would fit with the end to end submission.
# the score is only an indicator and not a critical information so we can accept to
# be fooled by the malicious user.
itip.total_score = request['total_score']
# The status https is used to keep track of the security level adopted by the whistleblower
itip.https = not client_using_tor
itip.context_id = context.id
itip.enable_two_way_comments = context.enable_two_way_comments
itip.enable_two_way_messages = context.enable_two_way_messages
itip.enable_attachments = context.enable_attachments
x = session.query(models.Field, models.FieldAttr.value) \
.filter(models.Field.template_id == u'whistleblower_identity',
models.Field.step_id == models.Step.id,
models.Step.questionnaire_id == context.questionnaire_id,
models.FieldAttr.field_id == models.Field.id,
models.FieldAttr.name == u'visibility_subject_to_authorization').one_or_none()
whistleblower_identity = None
can_access_whistleblower_identity = True
if x:
whistleblower_identity = x[0]
can_access_whistleblower_identity = not x[1]
itip.enable_whistleblower_identity = whistleblower_identity is not None
itip.preview = extract_answers_preview(steps, answers)
session.add(itip)
session.flush()
receipt = GCE.generate_receipt()
receipt_salt = State.tenant_cache[tid].receipt_salt
wbtip = models.WhistleblowerTip()
wbtip.id = itip.id
wbtip.tid = tid
wbtip.hash_alg = GCE.HASH
wbtip.receipt_hash = GCE.hash_password(receipt, receipt_salt)
crypto_is_available = State.tenant_cache[1].encryption
if crypto_is_available:
users_count = session.query(models.User) \
.filter(models.User.id.in_(request['receivers']),
models.User.crypto_prv_key != b'').count()
crypto_is_available = users_count == len(request['receivers'])
if crypto_is_available:
crypto_tip_prv_key, itip.crypto_tip_pub_key = GCE.generate_keypair()
wb_key = GCE.derive_key(receipt.encode(), receipt_salt)
wb_prv_key, wb_pub_key = GCE.generate_keypair()
wbtip.crypto_prv_key = GCE.symmetric_encrypt(wb_key, wb_prv_key)
wbtip.crypto_pub_key = wb_pub_key
wbtip.crypto_tip_prv_key = GCE.asymmetric_encrypt(wb_pub_key, crypto_tip_prv_key)
if itip.enable_whistleblower_identity and request['identity_provided'] and answers[whistleblower_identity.id]:
wbi = answers[whistleblower_identity.id][0]
answers[whistleblower_identity.id] = ''
if crypto_is_available:
wbi = base64.b64encode(GCE.asymmetric_encrypt(itip.crypto_tip_pub_key, json.dumps(wbi).encode())).decode()
db_set_internaltip_data(session, itip.id, 'identity_provided', True, False)
db_set_internaltip_data(session, itip.id, 'whistleblower_identity', wbi, crypto_is_available)
if crypto_is_available:
answers = base64.b64encode(GCE.asymmetric_encrypt(itip.crypto_tip_pub_key, json.dumps(answers).encode())).decode()
else:
db_save_questionnaire_answers(session, tid, itip.id, answers)
db_set_internaltip_answers(session,
itip.id,
questionnaire_hash,
answers,
crypto_is_available)
session.add(wbtip)
for filedesc in token.uploaded_files:
new_file = models.InternalFile()
new_file.tid = tid
new_file.encrypted = crypto_is_available
new_file.name = filedesc['name']
new_file.description = ""
new_file.content_type = filedesc['type']
new_file.size = filedesc['size']
new_file.internaltip_id = itip.id
new_file.submission = filedesc['submission']
new_file.filename = filedesc['filename']
session.add(new_file)
log.debug("=> file associated %s|%s (%d bytes)",
new_file.name, new_file.content_type, new_file.size)
if context.maximum_selectable_receivers > 0 and \
len(request['receivers']) > context.maximum_selectable_receivers:
raise errors.InputValidationError("selected an invalid number of recipients")
for user in session.query(models.User).filter(models.User.id.in_(request['receivers'])):
if not crypto_is_available and not user.pgp_key_public and not State.tenant_cache[tid].allow_unencrypted:
continue
_tip_key = b''
if crypto_is_available:
_tip_key = GCE.asymmetric_encrypt(user.crypto_pub_key, crypto_tip_prv_key)
db_create_receivertip(session, user, itip, can_access_whistleblower_identity, _tip_key)
return {'receipt': receipt}
def db_wizard(session, tid, hostname, request):
"""
Transaction for the handling of wizard request
:param session: An ORM session
:param tid: A tenant ID
:param request: A user request
"""
language = request['node_language']
node = config.ConfigFactory(session, tid)
if tid == 1:
root_tenant_node = node
encryption = True
else:
root_tenant_node = node
encryption = root_tenant_node.get_val('encryption')
if node.get_val('wizard_done'):
log.err("DANGER: Wizard already initialized!", tid=tid)
raise errors.ForbiddenOperation
db_update_enabled_languages(session, tid, [language], language)
node.set_val('encryption', encryption)
node.set_val('name', request['node_name'])
node.set_val('default_language', language)
node.set_val('wizard_done', True)
node.set_val('enable_developers_exception_notification',
request['enable_developers_exception_notification'])
node.set_val('hostname', hostname)
node_l10n = config.ConfigL10NFactory(session, tid)
node_l10n.set_val('header_title_homepage', language, request['node_name'])
profiles.load_profile(session, tid, request['profile'])
if encryption:
crypto_escrow_prv_key, crypto_escrow_pub_key = GCE.generate_keypair()
node.set_val('crypto_escrow_pub_key', crypto_escrow_pub_key)
admin_desc = models.User().dict(language)
admin_desc['username'] = request['admin_username']
admin_desc['name'] = request['admin_name']
admin_desc['password'] = request['admin_password']
admin_desc['name'] = request['admin_name']
admin_desc['mail_address'] = request['admin_mail_address']
admin_desc['language'] = language
admin_desc['role'] = 'admin'
admin_desc['pgp_key_remove'] = False
admin_user = db_create_user(session, tid, admin_desc, language)
admin_user.password = GCE.hash_password(request['admin_password'],
admin_user.salt)
admin_user.password_change_needed = False
admin_user.password_change_date = datetime_now()
if encryption:
db_gen_user_keys(session, tid, admin_user, request['admin_password'])
admin_user.crypto_escrow_prv_key = Base64Encoder.encode(
GCE.asymmetric_encrypt(admin_user.crypto_pub_key,
crypto_escrow_prv_key))
receiver_user = None
if not request['skip_recipient_account_creation']:
receiver_desc = models.User().dict(language)
receiver_desc['username'] = request['receiver_username']
receiver_desc['name'] = request['receiver_name']
receiver_desc['password'] = request['receiver_password']
receiver_desc['mail_address'] = request['receiver_mail_address']
receiver_desc['language'] = language
receiver_desc['role'] = 'receiver'
receiver_desc['pgp_key_remove'] = False
receiver_desc['send_account_activation_link'] = receiver_desc[
'password'] == ''
receiver_user = db_create_user(session, tid, receiver_desc, language)
if receiver_desc['password']:
receiver_user.password = GCE.hash_password(
receiver_desc['password'], receiver_user.salt)
if encryption:
db_gen_user_keys(session, tid, receiver_user,
receiver_desc['password'])
context_desc = models.Context().dict(language)
context_desc['name'] = 'Default'
context_desc['status'] = 'enabled'
context_desc['receivers'] = [receiver_user.id] if receiver_user else []
context = db_create_context(session, tid, context_desc, language)
# Root tenants initialization terminates here
if tid == 1:
db_refresh_memory_variables(session, [tid])
return
# Secondary tenants initialization starts here
tenant = models.db_get(session, models.Tenant, models.Tenant.id == tid)
tenant.label = request['node_name']
mode = node.get_val('mode')
if mode != 'default':
node.set_val(
'hostname',
tenant.subdomain + '.' + root_tenant_node.get_val('rootdomain'))
for varname in [
'reachable_via_web', 'enable_receipt_hint',
'disable_privacy_badge', 'simplified_login',
'can_delete_submission', 'can_postpone_expiration',
'anonymize_outgoing_connections', 'frame_ancestors',
'password_change_period', 'default_questionnaire',
'enable_password_reset'
]:
node.set_val(varname, root_tenant_node.get_val(varname))
# Set data retention policy to 18 months
context.tip_timetolive = 540
context.questionnaire_id = root_tenant_node.get_val(
'default_questionnaire')
if receiver_user is not None:
# Enable the recipient user to configure platform general settings
receiver_user.can_edit_general_settings = True
# Delete the admin user
request['admin_password'] = ''
session.delete(admin_user)
# Apply the specific fixes related to whistleblowing.it projects
if mode == 'whistleblowing.it':
node.set_val('simplified_login', True)
node.set_val('tor', False)
# Enable recipients to load files to the whistleblower
context.enable_rc_to_wb_files = True
if receiver_user is not None:
# Set the recipient name equal to the node name
receiver_user.name = request['node_name']
db_refresh_memory_variables(session, [tid])
def db_user_update_user(session, tid, user_session, request):
"""
Updates the specified user.
This version of the function is specific for users that with comparison with
admins can change only few things:
- real name
- email address
- preferred language
- the password (with old password check)
- pgp key
raises: globaleaks.errors.ResourceNotFound` if the receiver does not exist.
"""
from globaleaks.handlers.admin.notification import db_get_notification
from globaleaks.handlers.admin.node import db_admin_serialize_node
user = models.db_get(session,
models.User,
models.User.id == user_session.user_id)
user.language = request.get('language', State.tenant_cache[tid].default_language)
user.name = request['name']
if request['password']:
if user.password_change_needed:
user.password_change_needed = False
else:
if not GCE.check_password(user.hash_alg,
request['old_password'],
user.salt,
user.password):
raise errors.InvalidOldPassword
# Regenerate the password hash only if different from the best choice on the platform
if user.hash_alg != 'ARGON2':
user.hash_alg = 'ARGON2'
user.salt = GCE.generate_salt()
password_hash = GCE.hash_password(request['password'], user.salt)
# Check that the new password is different form the current password
if user.password == password_hash:
raise errors.PasswordReuseError
user.password = password_hash
user.password_change_date = datetime_now()
if State.tenant_cache[tid].encryption:
enc_key = GCE.derive_key(request['password'].encode(), user.salt)
if not user_session.cc:
# Th First first password change triggers the generation
# of the user encryption private key and its backup
user_session.cc, user.crypto_pub_key = GCE.generate_keypair()
user.crypto_bkp_key, user.crypto_rec_key = GCE.generate_recovery_key(user_session.cc)
# If the user had already enabled two factor before encryption was not enable
# encrypt the two factor secret
if user.two_factor_secret:
user.two_factor_secret = GCE.asymmetric_encrypt(user.crypto_pub_key, user.two_factor_secret)
user.crypto_prv_key = GCE.symmetric_encrypt(enc_key, user_session.cc)
# If the email address changed, send a validation email
if request['mail_address'] != user.mail_address:
user.change_email_address = request['mail_address']
user.change_email_date = datetime_now()
user.change_email_token = generateRandomKey(32)
user_desc = user_serialize_user(session, user, user.language)
user_desc['mail_address'] = request['mail_address']
template_vars = {
'type': 'email_validation',
'user': user_desc,
'new_email_address': request['mail_address'],
'validation_token': user.change_email_token,
'node': db_admin_serialize_node(session, tid, user.language),
'notification': db_get_notification(session, tid, user.language)
}
State.format_and_send_mail(session, tid, user_desc, template_vars)
parse_pgp_options(user, request)
return user
def test_check_password(self):
hash = GCE.hash_password(password, salt)
self.assertTrue(GCE.check_password(GCE.HASH, password, salt, hash))
self.assertFalse(
GCE.check_password(GCE.HASH, password, salt, 'nohashnoparty'))
def db_create_submission(session, tid, request, token, client_using_tor):
encryption = db_get(
session, models.Config,
(models.Config.tid == tid, models.Config.var_name == 'encryption'))
crypto_is_available = encryption.value
tenant = db_get(session, models.Tenant, models.Tenant.id == tid)
context, questionnaire = db_get(
session, (models.Context, models.Questionnaire),
(models.Context.id == request['context_id'], models.Questionnaire.id
== models.Context.questionnaire_id))
answers = request['answers']
steps = db_get_questionnaire(session, tid, questionnaire.id, None)['steps']
questionnaire_hash = db_archive_questionnaire_schema(session, steps)
crypto_tip_pub_key = ''
receivers = []
for r in session.query(models.User).filter(
models.User.id.in_(request['receivers'])):
if crypto_is_available:
if r.crypto_pub_key:
# This is the regular condition of systems setup on Globaleaks 4
# Since this version, encryption is enabled by default and
# users need to perform their first access before they
# could receive reports.
receivers.append(r)
elif encryption.update_date != datetime_null():
# This is the exceptional condition of systems setup when
# encryption was implemented via PGP.
# For continuity reason of those production systems
# encryption could not be enforced.
receivers.append(r)
crypto_is_available = False
else:
receivers.append(r)
if not receivers:
raise errors.InputValidationError(
"Unable to deliver the submission to at least one recipient")
if 0 < context.maximum_selectable_receivers < len(request['receivers']):
raise errors.InputValidationError(
"The number of recipients selected exceed the configured limit")
if crypto_is_available:
crypto_tip_prv_key, crypto_tip_pub_key = GCE.generate_keypair()
itip = models.InternalTip()
itip.tid = tid
itip.status = 'new'
itip.crypto_tip_pub_key = crypto_tip_pub_key
itip.progressive = db_assign_submission_progressive(session, tid)
if context.tip_timetolive > 0:
itip.expiration_date = get_expiration(context.tip_timetolive)
# Evaluate the score level
itip.total_score = request['total_score']
# The status https is used to keep track of the security level adopted by the whistleblower
itip.https = not client_using_tor
itip.mobile = request['mobile']
itip.context_id = context.id
itip.enable_two_way_comments = context.enable_two_way_comments
itip.enable_two_way_messages = context.enable_two_way_messages
itip.enable_attachments = context.enable_attachments
x = session.query(models.Field, models.FieldAttr.value) \
.filter(models.Field.template_id == 'whistleblower_identity',
models.Field.step_id == models.Step.id,
models.Step.questionnaire_id == context.questionnaire_id,
models.FieldAttr.field_id == models.Field.id,
models.FieldAttr.name == 'visibility_subject_to_authorization').one_or_none()
whistleblower_identity = None
can_access_whistleblower_identity = True
if x:
whistleblower_identity = x[0]
can_access_whistleblower_identity = not x[1]
itip.enable_whistleblower_identity = whistleblower_identity is not None
session.add(itip)
session.flush()
# Evaluate if the whistleblower tip should be generated
if ((not State.tenant_cache[tid].enable_scoring_system)
or (context.score_threshold_receipt == 0)
or (context.score_threshold_receipt == 1 and itip.total_score >= 2)
or
(context.score_threshold_receipt == 2 and itip.total_score == 3)):
receipt = GCE.generate_receipt()
receipt_salt = State.tenant_cache[tid].receipt_salt
wbtip = models.WhistleblowerTip()
wbtip.id = itip.id
wbtip.tid = tid
wbtip.hash_alg = 'ARGON2'
wbtip.receipt_hash = GCE.hash_password(receipt, receipt_salt)
# Evaluate if the whistleblower tip should be encrypted
if crypto_is_available:
crypto_tip_prv_key, itip.crypto_tip_pub_key = GCE.generate_keypair(
)
wb_key = GCE.derive_key(receipt.encode(), receipt_salt)
wb_prv_key, wb_pub_key = GCE.generate_keypair()
wbtip.crypto_prv_key = Base64Encoder.encode(
GCE.symmetric_encrypt(wb_key, wb_prv_key))
wbtip.crypto_pub_key = wb_pub_key
wbtip.crypto_tip_prv_key = Base64Encoder.encode(
GCE.asymmetric_encrypt(wb_pub_key, crypto_tip_prv_key))
session.add(wbtip)
else:
receipt = ''
# Apply special handling to the whistleblower identity question
if itip.enable_whistleblower_identity and request[
'identity_provided'] and answers[whistleblower_identity.id]:
if crypto_is_available:
wbi = base64.b64encode(
GCE.asymmetric_encrypt(
itip.crypto_tip_pub_key,
json.dumps(answers[whistleblower_identity.id]
[0]).encode())).decode()
else:
wbi = answers[whistleblower_identity.id][0]
answers[whistleblower_identity.id] = ''
db_set_internaltip_data(session, itip.id, 'whistleblower_identity',
wbi)
if crypto_is_available:
answers = base64.b64encode(
GCE.asymmetric_encrypt(
itip.crypto_tip_pub_key,
json.dumps(answers, cls=JSONEncoder).encode())).decode()
db_set_internaltip_answers(session, itip.id, questionnaire_hash, answers)
for uploaded_file in token.uploaded_files:
if not itip.enable_attachments:
break
if uploaded_file['id'] in request['removed_files']:
continue
if crypto_is_available:
for k in ['name', 'type', 'size']:
uploaded_file[k] = base64.b64encode(
GCE.asymmetric_encrypt(itip.crypto_tip_pub_key,
str(uploaded_file[k])))
new_file = models.InternalFile()
new_file.tid = tid
new_file.name = uploaded_file['name']
new_file.content_type = uploaded_file['type']
new_file.size = uploaded_file['size']
new_file.internaltip_id = itip.id
new_file.filename = uploaded_file['filename']
new_file.submission = uploaded_file['submission']
session.add(new_file)
for user in receivers:
if crypto_is_available:
_tip_key = GCE.asymmetric_encrypt(user.crypto_pub_key,
crypto_tip_prv_key)
else:
_tip_key = b''
db_create_receivertip(session, user, itip,
can_access_whistleblower_identity, _tip_key)
State.log(tid=tid, type='whistleblower_new_report')
return {'receipt': receipt, 'score': itip.total_score}
def db_create_submission(session, tid, request, token, client_using_tor):
if not request['receivers']:
raise errors.InputValidationError("need at least one recipient")
answers = request['answers']
context, questionnaire = session.query(models.Context, models.Questionnaire) \
.filter(models.Context.id == request['context_id'],
models.Questionnaire.id == models.Context.questionnaire_id,
models.Questionnaire.tid.in_(set([1, tid]))).one_or_none()
if not context:
raise errors.ModelNotFound(models.Context)
steps = db_get_questionnaire(session, tid, questionnaire.id, None)['steps']
questionnaire_hash = db_archive_questionnaire_schema(session, steps)
itip = models.InternalTip()
itip.tid = tid
itip.status = db_get_id_for_system_status(session, tid, u'new')
itip.progressive = db_assign_submission_progressive(session, tid)
itip.additional_questionnaire_id = context.additional_questionnaire_id
if context.tip_timetolive > 0:
itip.expiration_date = get_expiration(context.tip_timetolive)
# Evaluate the score level
itip.total_score = request['total_score']
# The status https is used to keep track of the security level adopted by the whistleblower
itip.https = not client_using_tor
itip.context_id = context.id
itip.enable_two_way_comments = context.enable_two_way_comments
itip.enable_two_way_messages = context.enable_two_way_messages
itip.enable_attachments = context.enable_attachments
x = session.query(models.Field, models.FieldAttr.value) \
.filter(models.Field.template_id == u'whistleblower_identity',
models.Field.step_id == models.Step.id,
models.Step.questionnaire_id == context.questionnaire_id,
models.FieldAttr.field_id == models.Field.id,
models.FieldAttr.name == u'visibility_subject_to_authorization').one_or_none()
whistleblower_identity = None
can_access_whistleblower_identity = True
if x:
whistleblower_identity = x[0]
can_access_whistleblower_identity = not x[1]
itip.enable_whistleblower_identity = whistleblower_identity is not None
itip.preview = extract_answers_preview(steps, answers)
session.add(itip)
session.flush()
crypto_is_available = State.tenant_cache[1].encryption
# Evaluate if encryption is available
if crypto_is_available:
users_count = session.query(models.User) \
.filter(models.User.id.in_(request['receivers']),
models.User.crypto_prv_key != b'').count()
crypto_is_available = users_count == len(request['receivers'])
if crypto_is_available:
crypto_tip_prv_key, itip.crypto_tip_pub_key = GCE.generate_keypair()
# Evaluate if the whistleblower tip should be generated
if ((not context.enable_scoring_system) or
(context.score_threshold_receipt == 0) or
(context.score_threshold_receipt == 1 and itip.total_score >= 2) or
(context.score_threshold_receipt == 2 and itip.total_score == 3)):
receipt = GCE.generate_receipt()
receipt_salt = State.tenant_cache[tid].receipt_salt
wbtip = models.WhistleblowerTip()
wbtip.id = itip.id
wbtip.tid = tid
wbtip.hash_alg = GCE.HASH
wbtip.receipt_hash = GCE.hash_password(receipt, receipt_salt)
# Evaluate if the whistleblower tip should be encrypted
if crypto_is_available:
crypto_tip_prv_key, itip.crypto_tip_pub_key = GCE.generate_keypair()
wb_key = GCE.derive_key(receipt.encode(), receipt_salt)
wb_prv_key, wb_pub_key = GCE.generate_keypair()
wbtip.crypto_prv_key = GCE.symmetric_encrypt(wb_key, wb_prv_key)
wbtip.crypto_pub_key = wb_pub_key
wbtip.crypto_tip_prv_key = GCE.asymmetric_encrypt(wb_pub_key, crypto_tip_prv_key)
session.add(wbtip)
else:
receipt = ''
# Apply special handling to the whistleblower identity question
if itip.enable_whistleblower_identity and request['identity_provided'] and answers[whistleblower_identity.id]:
if crypto_is_available:
wbi = base64.b64encode(GCE.asymmetric_encrypt(itip.crypto_tip_pub_key, json.dumps(answers[whistleblower_identity.id][0]).encode())).decode()
answers[whistleblower_identity.id] = ''
else:
wbi = answers[whistleblower_identity.id][0]
db_set_internaltip_data(session, itip.id, 'identity_provided', True, False)
db_set_internaltip_data(session, itip.id, 'whistleblower_identity', wbi, crypto_is_available)
if crypto_is_available:
answers = base64.b64encode(GCE.asymmetric_encrypt(itip.crypto_tip_pub_key, json.dumps(answers).encode())).decode()
else:
db_save_questionnaire_answers(session, tid, itip.id, answers)
db_set_internaltip_answers(session,
itip.id,
questionnaire_hash,
answers,
crypto_is_available)
for filedesc in token.uploaded_files:
new_file = models.InternalFile()
new_file.tid = tid
new_file.encrypted = crypto_is_available
new_file.name = filedesc['name']
new_file.description = ""
new_file.content_type = filedesc['type']
new_file.size = filedesc['size']
new_file.internaltip_id = itip.id
new_file.submission = filedesc['submission']
new_file.filename = filedesc['filename']
session.add(new_file)
log.debug("=> file associated %s|%s (%d bytes)",
new_file.name, new_file.content_type, new_file.size)
if context.maximum_selectable_receivers > 0 and \
len(request['receivers']) > context.maximum_selectable_receivers:
raise errors.InputValidationError("selected an invalid number of recipients")
for user in session.query(models.User).filter(models.User.id.in_(request['receivers'])):
if not crypto_is_available and not user.pgp_key_public and not State.tenant_cache[tid].allow_unencrypted:
continue
_tip_key = b''
if crypto_is_available:
_tip_key = GCE.asymmetric_encrypt(user.crypto_pub_key, crypto_tip_prv_key)
db_create_receivertip(session, user, itip, can_access_whistleblower_identity, _tip_key)
return {
'receipt': receipt,
'score': itip.total_score
}
def test_check_password(self):
hash = GCE.hash_password(password, salt)
self.assertTrue(GCE.check_password(GCE.HASH, password, salt, hash))
self.assertFalse(GCE.check_password(GCE.HASH, password, salt, 'nohashnoparty'))