From 9024a512b01b89be0529af2a8bd347c75f6db14f Mon Sep 17 00:00:00 2001 From: Mike Salvatore Date: Tue, 4 May 2021 21:26:06 -0400 Subject: [PATCH] island: Move all bcrypt dependencies to password_utils --- monkey/monkey_island/cc/environment/standard.py | 6 +----- monkey/monkey_island/cc/resources/auth/auth.py | 4 ++-- .../cc/resources/auth/password_utils.py | 12 ++++++++++++ .../monkey_island/cc/resources/auth/registration.py | 4 ++-- 4 files changed, 17 insertions(+), 9 deletions(-) create mode 100644 monkey/monkey_island/cc/resources/auth/password_utils.py diff --git a/monkey/monkey_island/cc/environment/standard.py b/monkey/monkey_island/cc/environment/standard.py index 7cca21c87..2f337fbf0 100644 --- a/monkey/monkey_island/cc/environment/standard.py +++ b/monkey/monkey_island/cc/environment/standard.py @@ -1,5 +1,3 @@ -import bcrypt - from monkey_island.cc.environment import Environment from monkey_island.cc.resources.auth.auth_user import User @@ -10,9 +8,7 @@ class StandardEnvironment(Environment): _credentials_required = False NO_AUTH_USER = "1234567890!@#$%^&*()_nothing_up_my_sleeve_1234567890!@#$%^&*()" - NO_AUTH_SECRET = bcrypt.hashpw( - NO_AUTH_USER.encode("utf-8"), b"$2b$12$frH7uEwV3jkDNGgReW6j2u" - ).decode() + NO_AUTH_SECRET = "$2b$12$frH7uEwV3jkDNGgReW6j2udw8hy/Yw1SWAqytrcBYK48kn1V5lQIa" def get_auth_users(self): return [User(1, StandardEnvironment.NO_AUTH_USER, StandardEnvironment.NO_AUTH_SECRET)] diff --git a/monkey/monkey_island/cc/resources/auth/auth.py b/monkey/monkey_island/cc/resources/auth/auth.py index 5ffa4516c..064395eaf 100644 --- a/monkey/monkey_island/cc/resources/auth/auth.py +++ b/monkey/monkey_island/cc/resources/auth/auth.py @@ -2,7 +2,6 @@ import json import logging from functools import wraps -import bcrypt import flask_jwt_extended import flask_restful from flask import make_response, request @@ -10,6 +9,7 @@ from flask_jwt_extended.exceptions import JWTExtendedException from jwt import PyJWTError import monkey_island.cc.environment.environment_singleton as env_singleton +import monkey_island.cc.resources.auth.password_utils as password_utils import monkey_island.cc.resources.auth.user_store as user_store logger = logging.getLogger(__name__) @@ -59,7 +59,7 @@ def _get_credentials_from_request(request): def _credentials_match_registered_user(username, password): user = user_store.UserStore.username_table.get(username, None) - if user and bcrypt.checkpw(password.encode("utf-8"), user.secret.encode("utf-8")): + if user and password_utils.password_matches_hash(password, user.secret): return True return False diff --git a/monkey/monkey_island/cc/resources/auth/password_utils.py b/monkey/monkey_island/cc/resources/auth/password_utils.py new file mode 100644 index 000000000..f470fd882 --- /dev/null +++ b/monkey/monkey_island/cc/resources/auth/password_utils.py @@ -0,0 +1,12 @@ +import bcrypt + + +def hash_password(plaintext_password): + salt = bcrypt.gensalt() + password_hash = bcrypt.hashpw(plaintext_password.encode("utf-8"), salt) + + return password_hash.decode() + + +def password_matches_hash(plaintext_password, password_hash): + return bcrypt.checkpw(plaintext_password.encode("utf-8"), password_hash.encode("utf-8")) diff --git a/monkey/monkey_island/cc/resources/auth/registration.py b/monkey/monkey_island/cc/resources/auth/registration.py index 8c7ca5054..121b03d71 100644 --- a/monkey/monkey_island/cc/resources/auth/registration.py +++ b/monkey/monkey_island/cc/resources/auth/registration.py @@ -1,10 +1,10 @@ import json -import bcrypt import flask_restful from flask import make_response, request import monkey_island.cc.environment.environment_singleton as env_singleton +import monkey_island.cc.resources.auth.password_utils as password_utils from common.utils.exceptions import InvalidRegistrationCredentialsError, RegistrationNotNeededError from monkey_island.cc.environment.user_creds import UserCreds @@ -28,6 +28,6 @@ def _get_user_credentials_from_request(request): username = cred_dict.get("user", "") password = cred_dict.get("password", "") - password_hash = bcrypt.hashpw(password.encode("utf-8"), bcrypt.gensalt()).decode() + password_hash = password_utils.hash_password(password) return UserCreds(username, password_hash)