Island: Move authentication logic into AuthenticationService

This commit is contained in:
Mike Salvatore 2021-10-08 10:31:37 -04:00
parent 17f7e22584
commit 8a2bae7e14
2 changed files with 25 additions and 19 deletions


@ -7,11 +7,7 @@ from flask import make_response, request
from flask_jwt_extended.exceptions import JWTExtendedException from flask_jwt_extended.exceptions import JWTExtendedException
from jwt import PyJWTError from jwt import PyJWTError
import monkey_island.cc.environment.environment_singleton as env_singleton from monkey_island.cc.resources.auth.credential_utils import get_username_password_from_request
from monkey_island.cc.resources.auth.credential_utils import (
get_username_password_from_request,
password_matches_hash,
)
from monkey_island.cc.services.authentication import AuthenticationService from monkey_island.cc.services.authentication import AuthenticationService
logger = logging.getLogger(__name__) logger = logging.getLogger(__name__)
@ -41,21 +37,11 @@ class Authenticate(flask_restful.Resource):
""" """
username, password = get_username_password_from_request(request) username, password = get_username_password_from_request(request)
if _credentials_match_registered_user(username, password): if AuthenticationService.authenticate(username, password):
AuthenticationService.unlock_datastore_encryptor(username, password)
access_token = _create_access_token(username) access_token = _create_access_token(username)
return make_response({"access_token": access_token, "error": ""}, 200) return make_response({"access_token": access_token, "error": ""}, 200)
else:
return make_response({"error": "Invalid credentials"}, 401)
return make_response({"error": "Invalid credentials"}, 401)
def _credentials_match_registered_user(username: str, password: str) -> bool:
registered_user = env_singleton.env.get_user()
if not registered_user:
return False
return (registered_user.username == username) and password_matches_hash(password, registered_user.password_hash)
def _create_access_token(username): def _create_access_token(username):
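Review bot: The failure path `return make_response({"error": "Invalid credentials"}, 401)` emits no log record in the visible hunk, even though the module defines `logger = logging.getLogger(__name__)` a few lines above; unless this is logged elsewhere (not visible here), a failed Island login leaves no trace for detection or incident review. A single line before the return, such as `logger.warning("Authentication failed for a login attempt from %s", request.remote_addr)`, would give operators a signal for brute-force or credential-stuffing attempts without writing the submitted username (which may contain a mistyped password) to the log. The enclosing `post` method begins outside the hunk, so I cannot see whether its docstring mentions that a successful call now also unlocks the datastore encryptor via `AuthenticationService.authenticate`; if it does not, that side effect is worth a sentence there.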


@ -2,6 +2,7 @@ import bcrypt
import monkey_island.cc.environment.environment_singleton as env_singleton import monkey_island.cc.environment.environment_singleton as env_singleton
from monkey_island.cc.environment.user_creds import UserCreds from monkey_island.cc.environment.user_creds import UserCreds
from monkey_island.cc.resources.auth.credential_utils import password_matches_hash
from monkey_island.cc.server_utils.encryption import ( from monkey_island.cc.server_utils.encryption import (
reset_datastore_encryptor, reset_datastore_encryptor,
unlock_datastore_encryptor, unlock_datastore_encryptor,
@ -19,8 +20,8 @@ class AuthenticationService:
def initialize(cls, key_file_directory): def initialize(cls, key_file_directory):
cls.KEY_FILE_DIRECTORY = key_file_directory cls.KEY_FILE_DIRECTORY = key_file_directory
@classmethod @staticmethod
def needs_registration(cls) -> bool: def needs_registration() -> bool:
return env_singleton.env.needs_registration() return env_singleton.env.needs_registration()
@classmethod @classmethod
@ -30,6 +31,14 @@ class AuthenticationService:
AuthenticationService.reset_datastore_encryptor(username, password) AuthenticationService.reset_datastore_encryptor(username, password)
reset_database() reset_database()
@classmethod
def authenticate(cls, username: str, password: str) -> bool:
if _credentials_match_registered_user(username, password):
AuthenticationService.unlock_datastore_encryptor(username, password)
return True
return False
@staticmethod @staticmethod
def unlock_datastore_encryptor(username: str, password: str): def unlock_datastore_encryptor(username: str, password: str):
secret = AuthenticationService._get_secret_from_credentials(username, password) secret = AuthenticationService._get_secret_from_credentials(username, password)
@ -50,3 +59,14 @@ def _hash_password(plaintext_password):
password_hash = bcrypt.hashpw(plaintext_password.encode("utf-8"), salt) password_hash = bcrypt.hashpw(plaintext_password.encode("utf-8"), salt)
return password_hash.decode() return password_hash.decode()
def _credentials_match_registered_user(username: str, password: str) -> bool:
registered_user = env_singleton.env.get_user()
if not registered_user:
return False
return (registered_user.username == username) and password_matches_hash(
password, registered_user.password_hash
)
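Review bot: In `_credentials_match_registered_user` the `and` at `return (registered_user.username == username) and password_matches_hash(...)` short-circuits, so the bcrypt comparison only runs when the username matches; the response time of `authenticate` therefore differs between an unknown and a known username, which can disclose whether a username is registered. Since the Island appears to hold a single registered user this is a small exposure, but evaluating both checks unconditionally removes it at no cost: `username_matches = registered_user.username == username`, `password_matches = password_matches_hash(password, registered_user.password_hash)`, `return username_matches and password_matches`. The new import `from monkey_island.cc.resources.auth.credential_utils import password_matches_hash` makes the services layer depend on a resources module, which runs against the direction of this commit (moving logic out of resources); consider relocating `password_matches_hash` next to `_hash_password` in this module. `authenticate` is declared `@classmethod` but never uses `cls` (it calls `AuthenticationService.unlock_datastore_encryptor` by name), while the same commit converts `needs_registration` to `@staticmethod` for exactly that reason; making `authenticate` a `@staticmethod` as well, with a docstring stating that a successful check also unlocks the datastore encryptor, would keep the class consistent and make the side effect explicit to callers.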