From 33fd9bfb5048bd579acec402877ee432f51920ea Mon Sep 17 00:00:00 2001
From: Josue Kouka
Date: Thu, 7 Jan 2016 17:47:54 +0100
Subject: [PATCH] encrypt user credentials (#9534)
---
 debian/control | 1 +
 mandayejs/mandaye/models.py | 35 +++++++++++++++++++++++++++++++++--
 mandayejs/mandaye/utils.py | 8 ++++++++
 mandayejs/mandaye/views.py | 1 +
 mandayejs/settings.py | 2 +-
 5 files changed, 44 insertions(+), 3 deletions(-)
diff --git a/debian/control b/debian/control
index d3f9302..3cb60a4 100644
--- a/debian/control
+++ b/debian/control
@@ -13,6 +13,7 @@ Depends: ${misc:Depends}, ${python:Depends},
 python-gadjo,
 python-django-jsonfield,
 python-ldap,
+ python-cryptography
 Recommends: python-django-mellon
 Description: Authentication Reverse Proxy
diff --git a/mandayejs/mandaye/models.py b/mandayejs/mandaye/models.py
index c7b0154..3628c26 100644
--- a/mandayejs/mandaye/models.py
+++ b/mandayejs/mandaye/models.py
@@ -16,14 +16,19 @@ from django.db import models
-from jsonfield import JSONField
+from django.conf import settings
 from django.utils.translation import ugettext_lazy as _
+from jsonfield import JSONField
+from cryptography.fernet import Fernet
+
+from mandayejs.mandaye.utils import get_password_field
 class UserCredentials(models.Model):
 user = models.ForeignKey('auth.User')
 locators = JSONField(_('locators'), default={}, blank=True)
 linked = models.BooleanField(_('associated'), default=False, blank=True)
+ #token = models.CharField(_('encryption token', max_length=128, blank=True))
 class Meta:
 unique_together = ('user',)
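Review bot: The commented-out `#token = models.CharField(_('encryption token', max_length=128, blank=True))` added below `linked` is dead code with a misplaced parenthesis — `max_length` and `blank` are passed to `_()` rather than to `CharField` — so it fails the moment someone uncomments it. Drop the line, or if a per-row key is intended write it as `token = models.CharField(_('encryption token'), max_length=128, blank=True)` together with its migration. Since this hunk is where `Fernet` enters the module, a short comment next to the import noting that `settings.SECRET_KEY` is used as the Fernet key and therefore must be 32 url-safe base64-encoded bytes would spare the next reader the trip to settings.py. The class body continues outside the hunk.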
@@ -33,6 +38,32 @@ class UserCredentials(models.Model):
 or self.user.email \
 or self.user.username
- def to_login_info(self):
+ def save(self, *args, **kwargs):
+ self.encrypt()
+ super(UserCredentials, self).save(*args, **kwargs)
+
+ def encrypt(self,):
+ """Encrypt password
+ """
+ secret_key = settings.SECRET_KEY
+ password_field_name = get_password_field()
+ f = Fernet(secret_key)
+ self.locators[password_field_name] = \
+ f.encrypt(self.locators.get(password_field_name,'').encode('ascii'))
+ return self.locators
+
+ def decrypt(self,):
+ """Decrypt password
+ """
+ secret_key = settings.SECRET_KEY
+ password_field_name = get_password_field()
+ f = Fernet(secret_key)
+ self.locators[password_field_name] = \
+ f.decrypt(self.locators.get(password_field_name, '').encode('ascii'))
+ return self.locators
+
+ def to_login_info(self, decrypt=False):
+ if decrypt:
+ self.decrypt()
 return {'#'+k : v for k,v in self.locators.items() }
diff --git a/mandayejs/mandaye/utils.py b/mandayejs/mandaye/utils.py
index b146cd8..cfc189b 100644
--- a/mandayejs/mandaye/utils.py
+++ b/mandayejs/mandaye/utils.py
@@ -51,4 +51,12 @@ def get_location(url):
 url = url._replace(netloc=settings.SITE_DOMAIN)
 return url.path
+def get_password_field():
+ """Return name of the password field
+ """
+ try:
+ field_name = [ field.get('name') for field in settings.SITE_LOCATORS if field.get('kind') == 'password' ]
+ return field_name[0]
+ except (IndexError,):
+ return None
diff --git a/mandayejs/mandaye/views.py b/mandayejs/mandaye/views.py
index a01ce60..43c70be 100644
--- a/mandayejs/mandaye/views.py
+++ b/mandayejs/mandaye/views.py
@@ -153,6 +153,7 @@ def post_login_do(request, *args, **kwargs):
 'auth_checker': os.path.join(site_static_root, site_auth_checker) }
 logger.debug(login_info)
+ login_info['locators'] = [ credentials.to_login_info(decrypt=True)]
 result = exec_phantom(login_info)
 logger.debug(result)
diff --git a/mandayejs/settings.py b/mandayejs/settings.py
index f45f9ea..eda6653 100644
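Review bot: `save()` calls `encrypt()` on every call, so a row loaded from the database and saved again (for instance to flip `linked`) wraps the stored Fernet token in a second one, after which `decrypt()` returns ciphertext instead of the password; only plaintext the caller just assigned should be encrypted, either where it is assigned or behind an instance flag set there. `decrypt()` has the mirror problem: it overwrites `self.locators` with the plaintext, which the views.py hunk below then relies on, and any later `save()` depends on that mutation being re-encrypted. Both methods also `.encode('ascii')` the value (a non-ASCII password raises `UnicodeEncodeError`; `utf-8` is the safe choice), index `self.locators` with the `None` that `get_password_field()` may return, and let `f.decrypt(b'')` raise `cryptography.fernet.InvalidToken` whenever the field is absent. The rewrite below makes `decrypt()` return a decrypted copy so plaintext never sits on the instance, decodes the bytes `f.decrypt()` returns, and skips the empty and missing cases; an `InvalidToken` from a corrupted or re-keyed value still propagates and belongs to the caller. Whether the JSONField round-trips the bytes `f.encrypt()` returns outside Python 2 I can't tell from here.
```python
    # … unchanged: save() and encrypt() …

    def decrypt(self,):
        """Return a copy of locators with the password field decrypted.

        self.locators is left untouched so the plaintext never sits on the
        instance and a later save() cannot see or re-encrypt it.
        """
        password_field_name = get_password_field()
        locators = dict(self.locators)
        if password_field_name and locators.get(password_field_name):
            f = Fernet(settings.SECRET_KEY)
            token = locators[password_field_name].encode('ascii')
            # InvalidToken (wrong key, corrupted value) propagates to the caller
            locators[password_field_name] = f.decrypt(token).decode('utf-8')
        return locators

    def to_login_info(self, decrypt=False):
        locators = self.decrypt() if decrypt else self.locators
        return {'#'+k : v for k,v in locators.items() }
```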
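Review bot: `get_password_field()` silently returns `None` when no entry in `settings.SITE_LOCATORS` has `kind == 'password'`, and its only callers (the new `encrypt()`/`decrypt()` in models.py) then use that `None` as a dict key, so a misconfigured site ends up with a `null` key in `locators` rather than an error; returning `None` is fine if the docstring says so and callers check it, otherwise raise. The `try` also wraps the whole comprehension although only the `[0]` can raise `IndexError`; the lookup reads as one expression: `return next((f.get('name') for f in settings.SITE_LOCATORS if f.get('kind') == 'password'), None)`. I'd make the docstring precise: `"""Return the 'name' of the first SITE_LOCATORS entry of kind 'password', or None if there is none."""`.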
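Review bot: The added line stores the decrypted locators in `login_info` right after `logger.debug(login_info)`, so what gets logged is whatever `'locators'` held before — presumably the encrypted form built earlier in `post_login_do`, which starts outside the hunk — and that ordering is load-bearing; a comment such as `# decrypted in memory only: keep this after the debug log and never persist login_info` would stop the next edit from moving it. `logger.debug(result)` on the following line deserves the same check, since anything `exec_phantom` echoes back from `login_info` would now be the plaintext password. As written `to_login_info(decrypt=True)` also mutates `credentials.locators` in place (see the models.py hunk above), so any `credentials.save()` later in this view re-encrypts the plaintext only because `save()` always encrypts; a non-mutating `decrypt()` removes that coupling.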
--- a/mandayejs/settings.py
+++ b/mandayejs/settings.py
@@ -35,7 +35,7 @@ BASE_DIR = os.path.dirname(os.path.dirname(__file__))
 # See https://docs.djangoproject.com/en/1.7/howto/deployment/checklist/
 # SECURITY WARNING: keep the secret key used in production secret!
-SECRET_KEY = 'xlf$@r5j*6p5-l#q=bg&t$mlhf=v@fq9^xfs#%712zndtu2#2@'
+SECRET_KEY = 'QJCOqbVnL4jj37b9wd9YQo-2wSvOoGw6OwPu-ErT5QA='
 # SECURITY WARNING: don't run with debug turned on in production!
 DEBUG = True
-- 
2.6.4
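Review bot: `SECRET_KEY` now doubles as the Fernet key for stored user credentials (`Fernet(settings.SECRET_KEY)` in the models.py hunk), which changes its contract in two ways this hunk leaves undocumented: the value must be exactly 32 url-safe base64-encoded bytes, so a deployment that overrides it with an ordinary Django secret gets a `ValueError` from `Fernet()` on the first save, and rotating it — which Django treats as routine, invalidating sessions and reset tokens — now makes every stored password undecryptable. The value committed here is a `DEBUG = True` development default and the existing warning already says to keep it secret, but I'd extend that comment: `# SECURITY WARNING: this key also encrypts UserCredentials.locators (mandaye/models.py); it must be a valid Fernet key and rotating it destroys all stored passwords.` A dedicated setting for the credentials key, read by models.py, would keep the signing key and the data-at-rest key independently rotatable.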