From e1b9597fdb6a1da770845fdfaa686137b6bc8bea Mon Sep 17 00:00:00 2001
From: Wolfgang Hottgenroth
Date: Tue, 26 Jan 2021 22:06:39 +0100
Subject: [PATCH] crypt and adduser tool
---
asadduser.py | 67 ++++++++++++++++++++++++++++++++++++++++++++++
auth.py | 23 +++++++---------
initial-schema.sql | 3 +++
3 files changed, 80 insertions(+), 13 deletions(-)
create mode 100755 asadduser.py
diff --git a/asadduser.py b/asadduser.py
new file mode 100755
index 0000000..0a6f276
--- /dev/null
+++ b/asadduser.py
@@ -0,0 +1,67 @@
+#!/usr/bin/python
+
+import mariadb
+from pbkdf2 import crypt
+import argparse
+import os
+
+
+parser = argparse.ArgumentParser(description='asadduser')
+parser.add_argument('--user', '-u',
+ help='Login',
+ required=True)
+parser.add_argument('--password', '-p',
+ help='Password',
+ required=True)
+parser.add_argument('--application', '-a',
+ help='Application',
+ required=True)
+parser.add_argument('--issuer', '-i',
+ help='Issuer',
+ required=True)
+
+args = parser.parse_args()
+user = args.user
+password = args.password
+application = args.application
+issuer = args.issuer
+
+
+DB_USER = os.environ["DB_USER"]
+DB_PASS = os.environ["DB_PASS"]
+DB_HOST = os.environ["DB_HOST"]
+DB_NAME = os.environ["DB_NAME"]
+
+pwhash = crypt(password, iterations=100000)
+
+conn = None
+cur = None
+try:
+ conn = mariadb.connect(user = DB_USER, password = DB_PASS,
+ host = DB_HOST, database = DB_NAME)
+ conn.autocommit = False
+
+ cur = conn.cursor()
+ cur.execute("""
+INSERT INTO users (issuer, login, password)
+ VALUES(
+ (SELECT id FROM issuers WHERE name = ?),
+ ?,
+ ?
+ )
+""", [issuer, user, pwhash])
+ cur.execute("""
+INSERT INTO user_applications_mapping (application, user)
+ VALUES(
+ (SELECT id FROM applications WHERE name = ?),
+ (SELECT id FROM users WHERE login = ?)
+ )
+""", [application, user])
+ conn.commit()
+finally:
+ if cur:
+ cur.close()
+ if conn:
+ conn.rollback()
+ conn.close()
+
diff --git a/auth.py b/auth.py
index fd790b0..c8d7d45 100755
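Review bot: The second INSERT resolves the new user with `(SELECT id FROM users WHERE login = ?)`, keyed by login alone, although the row just written also carries an issuer; if login is not unique across issuers that subquery returns several rows (the statement fails) or, without a uniqueness constraint, can map the application to a different user. The id of the row the first statement inserted is already on the cursor, so `user_id = cur.lastrowid` after the first `execute` and a plain `?` bound to `user_id` in place of the subquery avoids the lookup entirely. Taking the password through `--password` also leaves it in the shell history and in the process list of every local user; reading it with `getpass.getpass()` when the flag is omitted keeps it off the command line. Unknown issuer or application names bind NULL from their subqueries, so checking that each lookup matched a row (or relying on a NOT NULL constraint on those columns, which this commit does not show) would turn a typo into an error rather than an inconsistent row.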
--- a/auth.py
+++ b/auth.py
@@ -23,11 +23,11 @@ class PasswordMismatchException(Exception):
 pass
-UserEntry = namedtuple('UserEntry', ['id', 'login', 'pwhash', 'issuer', 'secret', 'expiry', 'claims'])
+UserEntry = namedtuple('UserEntry', ['id', 'login', 'issuer', 'secret', 'expiry', 'claims'])
-def getUserEntryFromDB(application: str, login: str) -> UserEntry:
+def getUserEntryFromDB(application: str, login: str):
 conn = None
 cur = None
 try:
@@ -62,11 +62,11 @@ def getUserEntryFromDB(application: str, login: str) -> UserEntry:
 else:
 claims[claimObj["key"]] = claimObj["value"]
- userEntry = UserEntry(id=userId, login=login, pwhash=resObj["password"],
+ userEntry = UserEntry(id=userId, login=login,
 secret=resObj["secret"], issuer=resObj["issuer"], expiry=resObj["expiry"], claims=claims)
- return userEntry
+ return userEntry, resObj["password"]
 except mariadb.Error as err:
 raise Exception("Error when connecting to database: {}".format(err))
 finally:
@@ -76,24 +76,21 @@ def getUserEntryFromDB(application: str, login: str) -> UserEntry:
 conn.rollback()
 conn.close()
-def checkPassword(inputPassword, passwordHash) -> bool:
- print("DEBUG, checkPassword: {} {}".format(inputPassword, passwordHash))
- if passwordHash != crypt(inputPassword, passwordHash, 100000):
+def getUserEntry(application, login, password):
+ userEntry, pwhash = getUserEntryFromDB(application, login)
+ if pwhash != crypt(password, pwhash):
 raise PasswordMismatchException()
- return True
+ return userEntry
 def generateToken(**args):
 try:
 body = args["body"]
 application = body["application"]
 login = body["login"]
- inputPassword = body["password"]
+ password = body["password"]
- userEntry = getUserEntryFromDB(application, login)
+ userEntry = getUserEntry(application, login, password)
- if inputPassword != crypt(inputPassword, userEntry.pwhash, 100000):
- raise PasswordMismatchException()
-
 timestamp = int(time.time())
 payload = {
 "iss": userEntry.issuer,
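Review bot: In the third hunk, `getUserEntry` verifies the credential with `if pwhash != crypt(password, pwhash):`, a plain string inequality that stops at the first differing character and so leaks how much of the recomputed hash matched; `if not hmac.compare_digest(pwhash, crypt(password, pwhash)):` (with `import hmac` at the top of the file, outside this hunk) removes that timing signal. The explicit `100000` of the removed `checkPassword` is gone, so the iteration count is now taken from the stored `$p5k2$` string, which is fine for hashes written by `asadduser.py`; as far as I can tell, an empty or non-`$p5k2$` value in the `password` column would instead be treated as a raw salt with the library default iterations rather than rejected, so a guard such as `if not pwhash: raise PasswordMismatchException()` before the comparison is worth adding. In the first hunk, `getUserEntryFromDB` dropped its `-> UserEntry` annotation instead of describing the new return shape; `-> tuple[UserEntry, str]` (or `typing.Tuple` on older interpreters), or a docstring stating that it returns the entry together with the stored password hash, would document the contract `getUserEntry` now relies on.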
diff --git a/initial-schema.sql b/initial-schema.sql
index 4e22f66..6c2be77 100644
--- a/initial-schema.sql
+++ b/initial-schema.sql
@@ -47,6 +47,9 @@ ALTER TABLE `users`
 ALTER TABLE `users`
 MODIFY COLUMN expiry int(10) unsigned NOT NULL;
+ALTER TABLE `users`
+ MODIFY COLUMN expiry int(10) unsigned NOT NULL DEFAULT 600;
+
 CREATE TABLE `claims` (
 `id` int(10) unsigned NOT NULL AUTO_INCREMENT,
 `key` varchar(64) NOT NULL,
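Review bot: The added `ALTER TABLE \`users\`` repeats the statement directly above it on the same column, so the existing `MODIFY COLUMN expiry int(10) unsigned NOT NULL;` now only does work the new statement redoes; folding the default into that line, `MODIFY COLUMN expiry int(10) unsigned NOT NULL DEFAULT 600;`, keeps a single definition of the column. Nothing in the hunk states what unit `600` is in or what it bounds; a trailing comment such as `-- default expiry for new users; unit: TODO confirm against auth.py` would spare the next reader a guess. Since the `users` INSERT in `asadduser.py` (elsewhere in this commit) does not set `expiry`, every account created by that tool presumably inherits this value, which makes it the de facto policy for those accounts rather than a mere schema convenience.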