From 5a02c06cc07dfb09e61445fe5966cc1b300a421a Mon Sep 17 00:00:00 2001
From: Pavlos Ratis
Date: Sat, 17 Aug 2013 13:31:32 +0200
Subject: Add support for secondary password

Using OkupyCipher I generate a new random secondary password and I add it to the session. This feature improves user experience and prevents user from submitting password all time.
---
 okupy/common/ldap_helpers.py | 47 ++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 47 insertions(+)
(limited to 'okupy/common')

diff --git a/okupy/common/ldap_helpers.py b/okupy/common/ldap_helpers.py
index 64c5ae5..b4bf94f 100644
--- a/okupy/common/ldap_helpers.py
+++ b/okupy/common/ldap_helpers.py
@@ -1,6 +1,14 @@
 # vim:fileencoding=utf8:et:ts=4:sts=4:sw=4:ft=python
 from django.conf import settings
+
+from base64 import b64encode
+from Crypto import Random
+from passlib.hash import ldap_md5_crypt
+
+from .crypto import cipher
+from ..accounts.models import LDAPUser
+
 import edpwd
 import ldap
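Review bot: The new import block mixes stdlib, third-party and local imports in one run (`base64` after `django`, the relative `.crypto`/`..accounts` imports before `edpwd`/`ldap`); grouping them stdlib, then third-party, then local with a blank line between groups would follow the usual convention and make the new dependencies on `Crypto` and `passlib` easy to spot. `from ..accounts.models import LDAPUser` also makes the `common` helper module depend on `accounts`, which presumably risks an import cycle if `accounts` imports from `common` — worth confirming.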
@@ -34,3 +42,42 @@ def get_ldap_connection(request=None, username=None, password=None,
         conn.simple_bind_s(dn, password)
     return conn
+
+
+def set_secondary_password(request, password):
+    """ Generate a secondary passsword and encrypt it in the session """
+    settings.DATABASES['ldap']['USER'] = settings.AUTH_LDAP_USER_DN_TEMPLATE \
+        % {'user': request.user.username}
+    settings.DATABASES['ldap']['PASSWORD'] = password
+
+    user = LDAPUser.objects.get(username=request.user.username)
+
+    secondary_password = Random.get_random_bytes(48)
+    request.session['secondary_password'] = cipher.encrypt(secondary_password)
+    # Clean up possible leftover secondary passwords from the LDAP account
+    if len(user.password) > 1:
+        for hash in user.password:
+            if not ldap_md5_crypt.verify(password, hash):
+                user.password.remove(hash)
+    # Add a new generated encrypted password to LDAP
+    user.password.append(ldap_md5_crypt.encrypt(b64encode(secondary_password)))
+    user.save()
+
+
+def remove_secondary_password(request):
+    """ Remove secondary password on logout """
+    settings.DATABASES['ldap']['USER'] = settings.AUTH_LDAP_USER_DN_TEMPLATE \
+        % {'user': request.user.username}
+    try:
+        password = b64encode(cipher.decrypt(
+            request.session['secondary_password'], 48))
+    except KeyError:
+        return
+    settings.DATABASES['ldap']['PASSWORD'] = password
+
+    user = LDAPUser.objects.get(username=request.user.username)
+    if len(user.password) > 1:
+        for hash in user.password:
+            if ldap_md5_crypt.verify(password, hash):
+                user.password.remove(hash)
+    user.save()
-- 
cgit v1.2.3-65-gdbad
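Review bot: Both new functions write the current user's DN and password into the process-wide `settings.DATABASES['ldap']` right before the `LDAPUser.objects.get()` lookup, so in a multi-threaded or long-lived server two concurrent requests can race and one user's lookup may bind with another user's credentials; the per-request bind credentials belong on the connection itself (as `get_ldap_connection` already accepts `username` and `password`) rather than in mutable global settings. The cleanup loops also call `user.password.remove(hash)` while iterating `user.password`, which skips the element following each removal, so two adjacent stale hashes leave the second one in place; `user.password = [h for h in user.password if ldap_md5_crypt.verify(password, h)]` inside the existing `len(...) > 1` guard (and the inverse `if not ldap_md5_crypt.verify(password, h)` in `remove_secondary_password`) removes them all in one pass and stops shadowing the builtin `hash`. Because a secondary hash is only dropped at logout or at the next login, a session that simply expires leaves a valid LDAP credential in the entry until then, which deserves a comment on `set_secondary_password` such as `# NOTE: orphaned secondary hashes persist until the next login cleans them up`. Note too that `ldap_md5_crypt.verify` is applied to every value in `user.password`, so if the entry can hold hashes of another scheme the verify call would presumably reject them rather than return False — worth confirming against the LDAP schema. `get_ldap_connection` starts outside the hunk.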