Use bcrypt to hash passwords for new users in the firstboot and user_add forms. Removed references to md5 hashing, which was already non-functional.

This commit is contained in:
James Valleroy 2013-11-03 21:55:06 +00:00
parent 3425d265c3
commit 198cea5b58
2 changed files with 17 additions and 9 deletions


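--- a/FILE_1_PATH_NOT_ON_PAGE
+++ b/FILE_1_PATH_NOT_ON_PAGE
@@ -9,6 +9,7 @@ from withsqlite.withsqlite import sqlite_db
 import cfg
 import config
 from model import User
+from passlib.hash import bcrypt
 
 class FirstBoot(PagePlugin):
 def __init__(self, *args, **kwargs):
@@ -26,7 +27,7 @@ class FirstBoot(PagePlugin):
 return "fake key"
 
 @cherrypy.expose
-def state0(self, message="", hostname="", box_key="", submitted=False, username="", md5_password="", **kwargs):
+def state0(self, message="", hostname="", box_key="", submitted=False, username="", password="", **kwargs):
 """
 In this state, we do time config over HTTP, name the box and
 server key selection.
@@ -63,13 +64,15 @@ class FirstBoot(PagePlugin):
 elif submitted and not box_key:
 box_key = self.generate_box_key()
 db['box_key'] = box_key
-if username and md5_password:
+if username and password:
+pass_hash = bcrypt.encrypt(password)
 di = {
 'username':username,
 'name':'First user - please change',
 'expert':'on',
 "groups": ["expert"],
-'passphrase':md5_password,
+'passphrase':pass_hash,
+'salt':pass_hash[7:29], # for bcrypt
 }
 new_user = User(di)
 cfg.users.set(username,new_user)
@@ -93,7 +96,6 @@ class FirstBoot(PagePlugin):
 form.html("<p><strong>Initial user and password.</strong> Access to this web interface is protected by knowing a username and password. Provide one here to register the initial privileged user. The password can be changed and other users added later.</p>")
 form.text_input('Username:', id="username", value=username)
 form.text_input('Password:', id="password", type='password')
-form.text_input(name="md5_password", type="hidden")
 form.html("<p>%(box_name)s uses cryptographic keys so it can prove its identity when talking to you. %(box_name)s can make a key for itself, but if one already exists (from a prior FreedomBox, for example), you can paste it below. This key should not be the same as your key because you are not your FreedomBox!</p>" % {'box_name':cfg.box_name})
 form.text_box("If you want, paste your box's key here.", id="box_key", value=box_key)
 form.hidden(name="submitted", value="True")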
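Review bot: The new `'salt':pass_hash[7:29], # for bcrypt` line in state0 (and the same line in the users add hunk) relies on a fixed slice of the bcrypt string with no statement of the assumed layout; the comment should read something like `# passlib bcrypt string is "$2a$<2-digit cost>$<22-char salt><31-char digest>"; [7:29] is the salt`. Since that string already embeds the salt and cost, the separate `salt` field is redundant, and any login path should check with `bcrypt.verify(candidate, stored_hash)` rather than re-hashing against the extracted salt — that code is not in this commit, so it is worth confirming. state0's body continues outside the hunk, and the password field is still rendered with `id="password"` only, so the new `password` parameter is populated only if `form.text_input` derives the field name from `id`, which this page does not show. Later passlib releases deprecate `bcrypt.encrypt` in favour of `bcrypt.hash`, so the two call sites may need updating when the dependency is bumped.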


@ -6,6 +6,7 @@ import cfg
from forms import Form from forms import Form
from util import * from util import *
from model import User from model import User
from passlib.hash import bcrypt
class users(PagePlugin): class users(PagePlugin):
order = 20 # order of running init in PagePlugins order = 20 # order of running init in PagePlugins
@ -34,28 +35,33 @@ class add(FormPlugin, PagePlugin):
def main(self, username='', name='', email='', message=None, *args, **kwargs): def main(self, username='', name='', email='', message=None, *args, **kwargs):
form = Form(title="Add User", form = Form(title="Add User",
action="/sys/users/add/index", action="/sys/users/add/index",
onsubmit="return md5ify('add_user_form', 'password')",
name="add_user_form", name="add_user_form",
message=message) message=message)
form.text_input(_("Username"), name="username", value=username) form.text_input(_("Username"), name="username", value=username)
form.text_input(_("Full name"), name="name", value=name) form.text_input(_("Full name"), name="name", value=name)
form.text_input(_("Email"), name="email", value=email) form.text_input(_("Email"), name="email", value=email)
form.text_input(_("Password"), name="password", type="password") form.text_input(_("Password"), name="password", type="password")
form.text_input(name="md5_password", type="hidden")
form.submit(label=_("Create User"), name="create") form.submit(label=_("Create User"), name="create")
return form.render() return form.render()
def process_form(self, username=None, name=None, email=None, md5_password=None, **kwargs): def process_form(self, username=None, name=None, email=None, password=None, **kwargs):
msg = Message() msg = Message()
if not username: msg.add = _("Must specify a username!") if not username: msg.add = _("Must specify a username!")
if not md5_password: msg.add = _("Must specify a password!") if not password: msg.add = _("Must specify a password!")
if username in cfg.users.get_all(): if username in cfg.users.get_all():
msg.add = _("User already exists!") msg.add = _("User already exists!")
else: else:
try: try:
di = {'username':username, 'name':name, 'email':email, 'passphrase':md5_password} pass_hash = bcrypt.encrypt(password)
di = {
'username':username,
'name':name,
'email':email,
'passphrase':pass_hash,
'salt': pass_hash[7:29], # for bcrypt
}
new_user = User(di) new_user = User(di)
cfg.users.set(username,new_user) cfg.users.set(username,new_user)
except: except: