Use bcrypt to hash passwords for new users in firstboot and user_add forms. Removed references to md5 hashing, which were already non-functional.

James Valleroy 2013-11-03 21:55:06 +00:00 committed by Nick Daly
parent 41e46d53b5
commit c4b2fb1a60
2 changed files with 23 additions and 19 deletions


@ -9,7 +9,7 @@ from withsqlite.withsqlite import sqlite_db
import cfg import cfg
import config import config
from model import User from model import User
import md5 from passlib.hash import bcrypt
class FirstBoot(PagePlugin): class FirstBoot(PagePlugin):
def __init__(self, *args, **kwargs): def __init__(self, *args, **kwargs):
@ -65,16 +65,14 @@ class FirstBoot(PagePlugin):
box_key = self.generate_box_key() box_key = self.generate_box_key()
db['box_key'] = box_key db['box_key'] = box_key
if username and password: if username and password:
# FIXME: MD5 as a password hash? REALLY?! NOOO!!! pass_hash = bcrypt.encrypt(password)
passphrase = md5.new()
passphrase.update(password)
di = { di = {
'username':username, 'username':username,
'name': 'First user - please change', 'name': 'First user - please change',
'expert': 'on', 'expert': 'on',
"groups": ["expert"], "groups": ["expert"],
'passphrase': passphrase.digest(), 'passphrase':pass_hash,
'salt':pass_hash[7:29], # for bcrypt
} }
new_user = User(di) new_user = User(di)
cfg.users.set(username,new_user) cfg.users.set(username,new_user)
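Review bot: The `'salt':pass_hash[7:29], # for bcrypt` entry stores a value that is already embedded in the bcrypt string written to `'passphrase'`, and the bare slice gives the next reader no way to tell whether anything depends on it; if the User model or the login path does not read `salt`, drop the key, otherwise document the assumption, e.g. `'salt': pass_hash[7:29],  # 22-char salt after the 7-char "$2a$NN$" prefix; bcrypt embeds it in pass_hash, kept only for the User schema`. The previous code stored a raw digest, so whatever compares passwords at login must now call `bcrypt.verify(password, stored_hash)` rather than comparing the stored value directly; that path is not in this commit, so this is inferred from the hunk. The same slice appears in the user_add form, so a single helper (say `hash_password(password)` returning the dict entries) would keep the two in step. The enclosing method starts before the hunk.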


@ -6,6 +6,7 @@ import cfg
from forms import Form from forms import Form
from util import * from util import *
from model import User from model import User
from passlib.hash import bcrypt
class users(PagePlugin): class users(PagePlugin):
order = 20 # order of running init in PagePlugins order = 20 # order of running init in PagePlugins
@ -32,30 +33,35 @@ class add(FormPlugin, PagePlugin):
don't worry about it.</p>""") don't worry about it.</p>""")
def main(self, username='', name='', email='', message=None, *args, **kwargs): def main(self, username='', name='', email='', message=None, *args, **kwargs):
form = Form(title="Add User", form = Form(title="Add User",
action=cfg.server_dir + "/sys/users/add/index", action=cfg.server_dir + "/sys/users/add/index",
onsubmit="return md5ify('add_user_form', 'password')",
name="add_user_form", name="add_user_form",
message=message) message=message)
form.text_input(_("Username"), name="username", value=username) form.text_input(_("Username"), name="username", value=username)
form.text_input(_("Full name"), name="name", value=name) form.text_input(_("Full name"), name="name", value=name)
form.text_input(_("Email"), name="email", value=email) form.text_input(_("Email"), name="email", value=email)
form.text_input(_("Password"), name="password", type="password") form.text_input(_("Password"), name="password", type="password")
form.text_input(name="md5_password", type="hidden")
form.submit(label=_("Create User"), name="create") form.submit(label=_("Create User"), name="create")
return form.render() return form.render()
def process_form(self, username=None, name=None, email=None, md5_password=None, **kwargs): def process_form(self, username=None, name=None, email=None, password=None, **kwargs):
msg = Message() msg = Message()
if not username: msg.add = _("Must specify a username!") if not username: msg.add = _("Must specify a username!")
if not md5_password: msg.add = _("Must specify a password!") if not password: msg.add = _("Must specify a password!")
if username in cfg.users.get_all(): if username in cfg.users.get_all():
msg.add = _("User already exists!") msg.add = _("User already exists!")
else: else:
try: try:
di = {'username':username, 'name':name, 'email':email, 'passphrase':md5_password} pass_hash = bcrypt.encrypt(password)
di = {
'username':username,
'name':name,
'email':email,
'passphrase':pass_hash,
'salt': pass_hash[7:29], # for bcrypt
}
new_user = User(di) new_user = User(di)
cfg.users.set(username,new_user) cfg.users.set(username,new_user)
except: except:
@ -70,7 +76,7 @@ class add(FormPlugin, PagePlugin):
class edit(FormPlugin, PagePlugin): class edit(FormPlugin, PagePlugin):
url = ["/sys/users/edit"] url = ["/sys/users/edit"]
order = 35 order = 35
sidebar_left = '' sidebar_left = ''
sidebar_right = _("""<strong>Edit Users</strong><p>Click on a user's name to sidebar_right = _("""<strong>Edit Users</strong><p>Click on a user's name to
go to a screen for editing that user's account.</p><strong>Delete go to a screen for editing that user's account.</p><strong>Delete
@ -84,9 +90,9 @@ class edit(FormPlugin, PagePlugin):
add_form.html('<span class="indent"><strong>Delete</strong><br /></span>') add_form.html('<span class="indent"><strong>Delete</strong><br /></span>')
for uname in users: for uname in users:
user = User(uname[1]) user = User(uname[1])
add_form.html('<span class="indent">&nbsp;&nbsp;%s&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;' % add_form.html('<span class="indent">&nbsp;&nbsp;%s&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;' %
add_form.get_checkbox(name=user['username']) + add_form.get_checkbox(name=user['username']) +
'<a href="/sys/users/edit?username=%s">%s (%s)</a><br /></span>' % '<a href="/sys/users/edit?username=%s">%s (%s)</a><br /></span>' %
(user['username'], user['name'], user['username'])) (user['username'], user['name'], user['username']))
add_form.submit(label=_("Delete User"), name="delete") add_form.submit(label=_("Delete User"), name="delete")
return add_form.render() return add_form.render()
@ -123,9 +129,9 @@ class edit(FormPlugin, PagePlugin):
u = cfg.users[kwargs['username']] u = cfg.users[kwargs['username']]
if not u: if not u:
main = _("<p>Could not find a user with username of %s!</p>" % kwargs['username']) main = _("<p>Could not find a user with username of %s!</p>" % kwargs['username'])
return self.fill_template(template="err", title=_("Unnown User"), main=main, return self.fill_template(template="err", title=_("Unnown User"), main=main,
sidebar_left=self.sidebar_left, sidebar_right=sidebar_right) sidebar_left=self.sidebar_left, sidebar_right=sidebar_right)
main = _("""<strong>Edit User '%s'</strong>""" % u['username']) main = _("""<strong>Edit User '%s'</strong>""" % u['username'])
sidebar_right = '' sidebar_right = ''
return self.fill_template(title="Manage Users and Groups", main=main, sidebar_left=self.sidebar_left, sidebar_right=sidebar_right) return self.fill_template(title="Manage Users and Groups", main=main, sidebar_left=self.sidebar_left, sidebar_right=sidebar_right)
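Review bot: In `process_form` the check `if not password: msg.add = _("Must specify a password!")` only records a message and does not stop processing, so when the username is new the code falls into the `else` branch and calls `bcrypt.encrypt(None)`; the resulting TypeError is caught by the bare `except:` that closes the hunk (its body is outside the hunk), and the reported message will be whatever that handler produces rather than the missing-password message. Guard the hashing on the inputs being valid, for example changing the `else:` to `elif username and password:` or returning after the two `msg.add` lines. The `'salt': pass_hash[7:29]` entry duplicates the slice in firstboot and is redundant with the salt bcrypt already embeds in `pass_hash`; if the User model needs it, a shared helper that builds both keys would avoid two copies drifting apart. Now that the plaintext password is posted to the server (the `md5ify` onsubmit and hidden `md5_password` field are gone), the form relies on the transport for confidentiality, which is worth a comment at the `form = Form(` call.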