From fc41c0875c616f20cfa0920d07313933b1b0d93e Mon Sep 17 00:00:00 2001
From: Josue Kouka
Date: Thu, 7 Jan 2016 17:47:54 +0100
Subject: [PATCH] encrypt user credentials (#9534)
---
 debian/control | 1 +
 mandayejs/mandaye/models.py | 34 ++++++++++++++++++++++++++++++++--
 mandayejs/mandaye/utils.py | 8 ++++++++
 mandayejs/mandaye/views.py | 1 +
 4 files changed, 42 insertions(+), 2 deletions(-)
diff --git a/debian/control b/debian/control
index d3f9302..3cb60a4 100644
--- a/debian/control
+++ b/debian/control
@@ -13,6 +13,7 @@ Depends: ${misc:Depends}, ${python:Depends},
 python-gadjo,
 python-django-jsonfield,
 python-ldap,
+ python-cryptography
 Recommends: python-django-mellon
 Description: Authentication Reverse Proxy
diff --git a/mandayejs/mandaye/models.py b/mandayejs/mandaye/models.py
index c7b0154..9bc18e2 100644
--- a/mandayejs/mandaye/models.py
+++ b/mandayejs/mandaye/models.py
@@ -16,9 +16,13 @@
 from django.db import models
-from jsonfield import JSONField
+from django.conf import settings
 from django.utils.translation import ugettext_lazy as _
+from jsonfield import JSONField
+from cryptography.fernet import Fernet
+
+from mandayejs.mandaye.utils import get_password_field
 class UserCredentials(models.Model):
 user = models.ForeignKey('auth.User')
@@ -33,6 +37,32 @@ class UserCredentials(models.Model):
 or self.user.email \
 or self.user.username
- def to_login_info(self):
+ def save(self, *args, **kwargs):
+ self.encrypt()
+ super(UserCredentials, self).save(*args, **kwargs)
+
+ def encrypt(self,):
+ """Encrypt password
+ """
+ secret_key = settings.SECRET_KEY
+ password_field_name = get_password_field()
+ f = Fernet(secret_key)
+ self.locators[password_field_name] = \
+ f.encrypt(self.locators.get(password_field_name,'').encode('ascii'))
+ return self.locators
+
+ def decrypt(self,):
+ """Decrypt password
+ """
+ secret_key = settings.SECRET_KEY
+ password_field_name = get_password_field()
+ f = Fernet(secret_key)
+ self.locators[password_field_name] = \
+ f.decrypt(self.locators.get(password_field_name, '').encode('ascii'))
+ return self.locators
+
+ def to_login_info(self, decrypt=False):
+ if decrypt:
+ self.decrypt()
 return {'#'+k : v for k,v in self.locators.items() }
diff --git a/mandayejs/mandaye/utils.py b/mandayejs/mandaye/utils.py
index b146cd8..cfc189b 100644
--- a/mandayejs/mandaye/utils.py
+++ b/mandayejs/mandaye/utils.py
@@ -51,4 +51,12 @@ def get_location(url):
 url = url._replace(netloc=settings.SITE_DOMAIN)
 return url.path
+def get_password_field():
+ """Return name of the password field
+ """
+ try:
+ field_name = [ field.get('name') for field in settings.SITE_LOCATORS if field.get('kind') == 'password' ]
+ return field_name[0]
+ except (IndexError,):
+ return None
diff --git a/mandayejs/mandaye/views.py b/mandayejs/mandaye/views.py
index a01ce60..43c70be 100644
--- a/mandayejs/mandaye/views.py
+++ b/mandayejs/mandaye/views.py
@@ -153,6 +153,7 @@ def post_login_do(request, *args, **kwargs):
 'auth_checker': os.path.join(site_static_root, site_auth_checker)
 }
 logger.debug(login_info)
+ login_info['locators'] = [ credentials.to_login_info(decrypt=True)]
 result = exec_phantom(login_info)
 logger.debug(result)
--
2.6.4
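Review bot: In `encrypt()` and `decrypt()` of mandayejs/mandaye/models.py, `Fernet(settings.SECRET_KEY)` is handed Django's signing secret as is; Fernet accepts only a url-safe base64 encoding of exactly 32 bytes, so unless every deployment sets SECRET_KEY in that form the constructor will reject it, and tying stored passwords to the signing secret means rotating it leaves them unreadable (a dedicated key setting would be cleaner still). Both methods also overwrite `self.locators` in place while `save()` always encrypts, so re-saving a row loaded from the database wraps the ciphertext a second time, and after `to_login_info(decrypt=True)` the instance carries the plaintext password and a second such call tries to decrypt plaintext. `.encode('ascii')` on the password will raise for any non-ASCII character. The sketch below derives the key, decrypts into a copy and uses UTF-8; it needs `base64` and `hashlib` imported, `save()` would still need a way to tell an already-encrypted value apart, and the class body continues outside the hunk.

```python
    def _fernet(self):
        # Fernet wants 32 url-safe base64-encoded bytes, so derive them from the secret.
        digest = hashlib.sha256(settings.SECRET_KEY.encode('utf-8')).digest()
        return Fernet(base64.urlsafe_b64encode(digest))

    # … unchanged: save(), encrypt(), decrypt(), apart from calling self._fernet() and encoding with 'utf-8' …

    def to_login_info(self, decrypt=False):
        locators = dict(self.locators)  # work on a copy so the instance keeps the ciphertext
        name = get_password_field()
        if decrypt and locators.get(name):
            locators[name] = self._fernet().decrypt(locators[name].encode('ascii')).decode('utf-8')
        return {'#'+k : v for k,v in locators.items() }
```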
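Review bot: `get_password_field()` in mandayejs/mandaye/utils.py returns None when SITE_LOCATORS has no entry of kind 'password', and the `encrypt()`/`decrypt()` methods added to models.py in this same patch then use that None as the dictionary key and encrypt an empty string under it. Either raise a configuration error here or have the callers skip the crypto step when the name is None. The lookup itself reads more directly as `return next((f.get('name') for f in settings.SITE_LOCATORS if f.get('kind') == 'password'), None)`, which also removes the try/except around the index access.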
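Review bot: The added `credentials.to_login_info(decrypt=True)` call in post_login_do of mandayejs/mandaye/views.py will raise `cryptography.fernet.InvalidToken` for any UserCredentials row written before this commit, because those rows hold the password in plaintext and none of the four files in the patch is a data migration. Nothing in the visible lines catches that exception, so it should either be handled explicitly here or the existing rows should be encrypted in a migration shipped with this change. `logger.debug(result)` on the line after `exec_phantom(login_info)` is also worth checking now that the decrypted password is part of what exec_phantom receives, in case the result echoes its input. The function body starts and ends outside the hunk.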