Add a simple pawword sharing module

2019-07-27 17:17:21 +02:00 · 2019-07-27 17:17:21 +02:00 · d7af4cd80c
parent 8c601c23a2
commit d7af4cd80c
17 changed files with 502 additions and 2 deletions
--- a/1
+++ b/1
@ -9,6 +9,7 @@ django-bulma = "*"
 django-npb = "*"
 markdown = "*"
 python-decouple = "*"
+cryptography = ">=2.7,<2.8"

 [dev-packages]
 gunicorn = "*"
--- a/khaganat/settings.py
+++ b/khaganat/settings.py
@ -49,6 +49,7 @@ INSTALLED_APPS = [
    "npb.apps.NpbConfig",
    "nsfw.apps.NsfwConfig",
    "pages.apps.PagesConfig",
+    "pwdb.apps.PwdbConfig",
    "static_extra.apps.KhaganatStaticFilesConfig",
 ]

--- a/khaganat/urls.py
+++ b/khaganat/urls.py
@ -25,8 +25,9 @@ urlpatterns += i18n_patterns(
    path("", index),
    path("admin/", admin.site.urls),
    path("account/", include("neluser.urls")),
-    path("page/", include("pages.urls")),
-    path("paste/", include("npb.urls", namespace="npb")),
    path("chat/", include("chat.urls")),
    path("nsfw/", include("nsfw.urls")),
+    path("page/", include("pages.urls")),
+    path("paste/", include("npb.urls", namespace="npb")),
+    path("password_share/", include("pwdb.urls")),
 )
--- a/pwdb/init.py
+++ b/pwdb/init.py
--- a/pwdb/admin.py
+++ b/pwdb/admin.py
@ -0,0 +1,26 @@
+from django.contrib import admin
+from .models import SharedPassword, SharedPasswordAccess
+from .forms import NewSharedPasswordForm, EditSharedPasswordForm
+
+
+class SharedPasswordAdmin(admin.ModelAdmin):
+    form = NewSharedPasswordForm
+    exclude = ["iv", "encrypted_password"]
+    list_display = ("name", "users")
+
+    def get_form(self, request, obj=None, **kwargs):
+        if obj is None:
+            kwargs["form"] = NewSharedPasswordForm
+        else:
+            kwargs["form"] = EditSharedPasswordForm
+        return super().get_form(request, obj, **kwargs)
+
+
+admin.site.register(SharedPassword, SharedPasswordAdmin)
+
+
+class SharedPasswordAccessAdmin(admin.ModelAdmin):
+    list_display = ("password", "user")
+
+
+admin.site.register(SharedPasswordAccess, SharedPasswordAccessAdmin)
--- a/pwdb/apps.py
+++ b/pwdb/apps.py
@ -0,0 +1,5 @@
+from django.apps import AppConfig
+
+
+class PwdbConfig(AppConfig):
+    name = "pwdb"
--- a/pwdb/forms.py
+++ b/pwdb/forms.py
@ -0,0 +1,75 @@
+from django.utils.translation import gettext_lazy as _
+from django import forms
+from .models import SharedPassword
+
+
+class AuthForm(forms.Form):
+    pwdb_check = forms.CharField(widget=forms.PasswordInput, label="")
+
+
+class NewSharedPasswordForm(forms.ModelForm):
+    name = forms.CharField(max_length=512, label=_("Name"))
+    url = forms.CharField(
+        max_length=512, widget=forms.URLInput, required=False, label="URL"
+    )
+    description = forms.CharField(
+        widget=forms.Textarea, required=False, label=_("Description")
+    )
+    password = forms.CharField(
+        max_length=1024, widget=forms.PasswordInput, label=_("Password")
+    )
+
+    def save_m2m(self):
+        pass
+
+    def save(self, commit=True):
+        if self.errors:
+            raise ValueError(
+                "The %s could not be %s because the data didn't validate."
+                % (
+                    self.instance._meta.object_name,
+                    "created" if self.instance._state.adding else "changed",
+                )
+            )
+        password = SharedPassword.new(
+            self.cleaned_data["name"], self.cleaned_data["password"]
+        )
+        if self.cleaned_data["url"]:
+            password.url = self.cleaned_data["url"]
+        if self.cleaned_data["description"]:
+            password.description = self.cleaned_data["description"]
+        password.save()
+        return password
+
+    class Meta:
+        model = SharedPassword
+        exclude = ["iv", "encrypted_password"]
+
+
+class EditSharedPasswordForm(forms.ModelForm):
+    name = forms.CharField(max_length=512, label=_("Name"))
+    password = forms.CharField(
+        max_length=1024, widget=forms.PasswordInput, required=False, label=_("Password")
+    )
+
+    def save_m2m(self):
+        pass
+
+    def save(self, commit=True):
+        if self.errors:
+            raise ValueError(
+                "The %s could not be %s because the data didn't validate."
+                % (
+                    self.instance._meta.object_name,
+                    "created" if self.instance._state.adding else "changed",
+                )
+            )
+        password = self.instance
+        if self.cleaned_data["password"]:
+            password.set_password(self.cleaned_data["password"])
+        password.save()
+        return password
+
+    class Meta:
+        model = SharedPassword
+        exclude = ["iv", "encrypted_password"]
--- a/pwdb/locale/en/LC_MESSAGES/django.po
+++ b/pwdb/locale/en/LC_MESSAGES/django.po
@ -0,0 +1,73 @@
+msgid ""
+msgstr ""
+"Project-Id-Version: 1.0\n"
+"Report-Msgid-Bugs-To: \n"
+"POT-Creation-Date: 2019-07-27 16:41+0200\n"
+"PO-Revision-Date: 2019-07-27 16:41+0200\n"
+"Last-Translator: Khaganat <assoc@khaganat.net>\n"
+"Language-Team: Khaganat <assoc@khaganat.net>\n"
+"Language: en\n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: 8bit\n"
+"Plural-Forms: nplurals=2; plural=(n != 1);\n"
+
+#: forms.py:11 forms.py:46 templates/pwdb/list_passwords.html:12
+msgid "Name"
+msgstr ""
+
+#: forms.py:13 templates/pwdb/list_passwords.html:13
+msgid "Description"
+msgstr ""
+
+#: forms.py:15 forms.py:48 templates/pwdb/list_passwords.html:15
+msgid "Password"
+msgstr ""
+
+#: models.py:102
+msgid "shared_password"
+msgstr "Shared password"
+
+#: models.py:103 templates/pwdb/list_passwords.html:4
+msgid "shared_passwords"
+msgstr "Shared passwords"
+
+#: models.py:116
+msgid "shared_password_access"
+msgstr "Shared password access"
+
+#: models.py:117
+msgid "shared_passwords_access"
+msgstr "Shared passwords access"
+
+#: templates/pwdb/authenticate.html:5
+msgid "authenticate"
+msgstr ""
+
+#: templates/pwdb/authenticate.html:10
+msgid "safety_enter_password"
+msgstr "For safety reasons, please enter your password."
+
+#: templates/pwdb/authenticate.html:15
+msgid "send"
+msgstr ""
+
+#: templates/pwdb/list_passwords.html:16
+msgid "Actions"
+msgstr ""
+
+#: templates/pwdb/list_passwords.html:24
+msgid "view_website"
+msgstr "View website"
+
+#: templates/pwdb/list_passwords.html:26
+msgid "copy_password"
+msgstr "Copy"
+
+#: templates/pwdb/list_passwords.html:27
+msgid "show_password"
+msgstr "Show"
+
+#: templates/pwdb/list_passwords.html:28
+msgid "hide_password"
+msgstr "Hide"
--- a/pwdb/locale/fr/LC_MESSAGES/django.po
+++ b/pwdb/locale/fr/LC_MESSAGES/django.po
@ -0,0 +1,73 @@
+msgid ""
+msgstr ""
+"Project-Id-Version: 1.0\n"
+"Report-Msgid-Bugs-To: \n"
+"POT-Creation-Date: 2019-07-27 16:41+0200\n"
+"PO-Revision-Date: 2019-07-27 16:41+0200\n"
+"Last-Translator: Khaganat <assoc@khaganat.net>\n"
+"Language-Team: Khaganat <assoc@khaganat.net>\n"
+"Language: fr\n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: 8bit\n"
+"Plural-Forms: nplurals=2; plural=(n > 1);\n"
+
+#: forms.py:11 forms.py:46 templates/pwdb/list_passwords.html:12
+msgid "Name"
+msgstr "Nom"
+
+#: forms.py:13 templates/pwdb/list_passwords.html:13
+msgid "Description"
+msgstr "Description"
+
+#: forms.py:15 forms.py:48 templates/pwdb/list_passwords.html:15
+msgid "Password"
+msgstr "Mot de passe"
+
+#: models.py:102
+msgid "shared_password"
+msgstr "Mot de passe partagé"
+
+#: models.py:103 templates/pwdb/list_passwords.html:4
+msgid "shared_passwords"
+msgstr "Mots de passe partagés"
+
+#: models.py:116
+msgid "shared_password_access"
+msgstr "Accès au mot de passe partagé"
+
+#: models.py:117
+msgid "shared_passwords_access"
+msgstr "Accès aux mots de passe partagés"
+
+#: templates/pwdb/authenticate.html:5
+msgid "authenticate"
+msgstr "Authentification"
+
+#: templates/pwdb/authenticate.html:10
+msgid "safety_enter_password"
+msgstr "À des fins de sécurité, veuillez entrer votre mot de passe."
+
+#: templates/pwdb/authenticate.html:15
+msgid "send"
+msgstr "Envoyer"
+
+#: templates/pwdb/list_passwords.html:16
+msgid "Actions"
+msgstr "Actions"
+
+#: templates/pwdb/list_passwords.html:24
+msgid "view_website"
+msgstr "Voir le site web"
+
+#: templates/pwdb/list_passwords.html:26
+msgid "copy_password"
+msgstr "Copier"
+
+#: templates/pwdb/list_passwords.html:27
+msgid "show_password"
+msgstr "Montrer"
+
+#: templates/pwdb/list_passwords.html:28
+msgid "hide_password"
+msgstr "Masquer"
--- a/pwdb/migrations/0001_initial.py
+++ b/pwdb/migrations/0001_initial.py
@ -0,0 +1,45 @@
+# Generated by Django 2.2.3 on 2019-07-27 15:16
+
+from django.conf import settings
+from django.db import migrations, models
+import django.db.models.deletion
+import uuid
+
+
+class Migration(migrations.Migration):
+
+    initial = True
+
+    dependencies = [
+        migrations.swappable_dependency(settings.AUTH_USER_MODEL),
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name='SharedPassword',
+            fields=[
+                ('uuid', models.UUIDField(default=uuid.uuid4, editable=False, primary_key=True, serialize=False)),
+                ('name', models.CharField(max_length=512)),
+                ('url', models.CharField(blank=True, max_length=512)),
+                ('description', models.TextField(blank=True)),
+                ('iv', models.BinaryField(max_length=16)),
+                ('encrypted_password', models.BinaryField(max_length=2048)),
+            ],
+            options={
+                'verbose_name': 'shared_password',
+                'verbose_name_plural': 'shared_passwords',
+            },
+        ),
+        migrations.CreateModel(
+            name='SharedPasswordAccess',
+            fields=[
+                ('id', models.AutoField(auto_created=True, primary_key=True, serialize=False, verbose_name='ID')),
+                ('password', models.ForeignKey(on_delete=django.db.models.deletion.CASCADE, to='pwdb.SharedPassword')),
+                ('user', models.ForeignKey(limit_choices_to={'is_staff': True}, on_delete=django.db.models.deletion.CASCADE, to=settings.AUTH_USER_MODEL)),
+            ],
+            options={
+                'verbose_name': 'shared_password_access',
+                'verbose_name_plural': 'shared_passwords_access',
+            },
+        ),
+    ]
--- a/pwdb/migrations/init.py
+++ b/pwdb/migrations/init.py
--- a/pwdb/models.py
+++ b/pwdb/models.py
@ -0,0 +1,117 @@
+from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
+from cryptography.hazmat.primitives.kdf.hkdf import HKDF
+from cryptography.hazmat.primitives import hashes, padding
+from cryptography.hazmat.backends import default_backend
+from django.utils.translation import ugettext_lazy as _
+from django.conf import settings
+from django.db import models
+from neluser.models import NelUser
+import secrets
+import uuid
+
+KEY_LENGTH = 32
+IV_LENGTH = 16
+BLOCK_SIZE = 128
+ENCODING = "UTF-8"
+
+
+class SharedPassword(models.Model):
+    uuid = models.UUIDField(primary_key=True, default=uuid.uuid4, editable=False)
+    name = models.CharField(max_length=512)
+    url = models.CharField(max_length=512, blank=True)
+    description = models.TextField(blank=True)
+    iv = models.BinaryField(max_length=IV_LENGTH)
+    encrypted_password = models.BinaryField(max_length=2048)
+
+    @staticmethod
+    def get_key(pass_uuid, key=None):
+        backend = default_backend()
+        hkdf = HKDF(
+            algorithm=hashes.SHA256(),
+            length=KEY_LENGTH,
+            salt=pass_uuid.bytes,
+            backend=backend,
+            info=None,
+        )
+        key = key or settings.SECRET_KEY
+        key = bytes(key, encoding=ENCODING)
+        return hkdf.derive(key)
+
+    @staticmethod
+    def get_cipher(key, iv):
+        backend = default_backend()
+        return Cipher(algorithms.Camellia(key), modes.CBC(iv), backend=backend)
+
+    @staticmethod
+    def padd_password(clear_password):
+        clear_password = bytes(clear_password, encoding=ENCODING)
+        padder = padding.PKCS7(BLOCK_SIZE).padder()
+        padded_password = padder.update(clear_password) + padder.finalize()
+        return padded_password
+
+    @staticmethod
+    def unpadd_password(clear_password):
+        unpadder = padding.PKCS7(BLOCK_SIZE).unpadder()
+        unpadded_password = unpadder.update(clear_password) + unpadder.finalize()
+        return unpadded_password.decode()
+
+    @staticmethod
+    def new(name, clear_password):
+        password = SharedPassword(
+            uuid=uuid.uuid4(),
+            name=name,
+            url="",
+            description="",
+            iv=secrets.token_bytes(IV_LENGTH),
+            encrypted_password=b"",
+        )
+        password.set_password(clear_password)
+        return password
+
+    def set_password(self, clear_password):
+        clear_password = SharedPassword.padd_password(clear_password)
+        key = SharedPassword.get_key(self.uuid)
+        cipher = SharedPassword.get_cipher(key, self.iv)
+        encryptor = cipher.encryptor()
+        self.encrypted_password = (
+            encryptor.update(clear_password) + encryptor.finalize()
+        )
+
+    def decrypt_password(self):
+        key = SharedPassword.get_key(self.uuid)
+        cipher = SharedPassword.get_cipher(key, self.iv)
+        decryptor = cipher.decryptor()
+        clear_password = (
+            decryptor.update(self.encrypted_password) + decryptor.finalize()
+        )
+        clear_password = SharedPassword.unpadd_password(clear_password)
+        return clear_password
+
+    def users(self):
+        lst = (
+            SharedPasswordAccess.objects.select_related("user")
+            .filter(password=self)
+            .order_by("user__email")
+        )
+        return [e.user for e in lst]
+
+    def __str__(self):
+        return self.name
+
+    class Meta:
+        verbose_name = _("shared_password")
+        verbose_name_plural = _("shared_passwords")
+
+
+class SharedPasswordAccess(models.Model):
+    user = models.ForeignKey(
+        NelUser, on_delete=models.CASCADE, limit_choices_to={"is_staff": True}
+    )
+    password = models.ForeignKey(SharedPassword, on_delete=models.CASCADE)
+
+    def __str__(self):
+        return "{}: {}".format(self.password, self.user)
+
+    class Meta:
+        verbose_name = _("shared_password_access")
+        verbose_name_plural = _("shared_passwords_access")
--- a/pwdb/templates/pwdb/authenticate.html
+++ b/pwdb/templates/pwdb/authenticate.html
@ -0,0 +1,17 @@
+{% extends "khaganat/centered_dialog.html" %}
+{% load bulma_tags %}
+{% load i18n %}
+
+{% block title %}{% trans "authenticate"|capfirst %}{% endblock %}
+{% block dialog_class %}is-link{% endblock %}
+
+{% block dialog %}
+<p>
+    {% trans "safety_enter_password" %}
+</p>
+<form method="post">
+    {% csrf_token %}
+    {{ form.as_p }}
+    <button type="submit" class="button is-link">{% trans "send"|capfirst %}</button>
+</form>
+{% endblock %}
--- a/pwdb/templates/pwdb/list_passwords.html
+++ b/pwdb/templates/pwdb/list_passwords.html
@ -0,0 +1,35 @@
+{% extends "khaganat/base.html" %}
+{% load i18n %}
+
+{% block title %}{% trans "shared_passwords" %}{% endblock %}
+
+{% block content %}
+<div class="content-bloc">
+    <div class="table-container">
+        <table class="table is-striped is-fullwidth">
+            <thead>
+                <tr>
+                    <th>{% trans "Name" %}</th>
+                    <th>{% trans "Description" %}</th>
+                    <th>URL</th>
+                    <th>{% trans "Password" %}</th>
+                    <th colspan="3">{% trans "Actions" %}</th>
+                </tr>
+            </thead>
+            <tbody>
+                {% for pass in passwords %}
+                <tr>
+                    <td class="has-text-weight-semibold">{{ pass.name }}</td>
+                    <td class="has-text-weight-light">{{ pass.description }}</td>
+                    <td>{% if pass.url %}<a href="{{ pass.url }}" target="_blank">{{ pass.url|truncatechars:30 }}</a>{% endif %}</td>
+                    <td><input class="input" type="password" id="password_{{ pass.uuid }}" name="password_{{ pass.uuid }}" value="{{ pass.decrypt_password }}" /></td>
+                    <td><a class="button is-primary" onclick="navigator.clipboard.writeText(document.getElementById('password_{{ pass.uuid }}').value).then(function() { console.log('Password copied to clipboard'); }, function(err) { console.error('Unable to copy password to clipboard'); });">{% trans "copy_password" %}</a></td>
+                    <td><a id="show_{{ pass.uuid }}" class="button is-warning" onclick="document.getElementById('password_{{ pass.uuid }}').type = 'text';">{% trans "show_password" %}</a></td>
+                    <td><a id="hide_{{ pass.uuid }}" class="button is-success" onclick="document.getElementById('password_{{ pass.uuid }}').type = 'password';">{% trans "hide_password" %}</a></td>
+                </tr>
+                {% endfor %}
+            </tbody>
+        </table>
+    </div>
+</div>
+{% endblock %}
--- a/pwdb/tests.py
+++ b/pwdb/tests.py
@ -0,0 +1,3 @@
+from django.test import TestCase
+
+# Create your tests here.
--- a/pwdb/urls.py
+++ b/pwdb/urls.py
@ -0,0 +1,5 @@
+from django.urls import path
+from . import views
+
+
+urlpatterns = [path("", views.list_passwords, name="pwdb")]
--- a/pwdb/views.py
+++ b/pwdb/views.py
@ -0,0 +1,23 @@
+from django.contrib.admin.views.decorators import staff_member_required
+from django.contrib.auth import authenticate
+from django.shortcuts import render
+from .models import SharedPasswordAccess
+from .forms import AuthForm
+
+
+@staff_member_required
+def list_passwords(request):
+    try:
+        pwd = request.POST["pwdb_check"]
+        user = authenticate(username=request.user, password=pwd)
+        assert user is not None
+        lst = (
+            SharedPasswordAccess.objects.select_related("password")
+            .filter(user__pk=user.pk)
+            .order_by("password__name")
+        )
+        ctx = {"passwords": [e.password for e in lst]}
+        return render(request, "pwdb/list_passwords.html", ctx)
+    except (KeyError, AssertionError):
+        ctx = {"form": AuthForm()}
+        return render(request, "pwdb/authenticate.html", ctx)