From 08b9b1b293f6cc898382e467cd6afd441fa13d68 Mon Sep 17 00:00:00 2001 From: spl0k Date: Tue, 18 Jun 2013 16:40:41 +0200 Subject: [PATCH] Moving password decoding to UserManager class --- api/__init__.py | 16 +++------------- api/user.py | 7 ------- user_manager.py | 18 ++++++++++++++++++ 3 files changed, 21 insertions(+), 20 deletions(-) diff --git a/api/__init__.py b/api/__init__.py index 8cc3961..678915b 100755 --- a/api/__init__.py +++ b/api/__init__.py @@ -46,14 +46,11 @@ def authorize(): request.user = user return - (username, decoded_pass) = map(request.args.get, [ 'u', 'p' ]) - if not username or not decoded_pass: + (username, password) = map(request.args.get, [ 'u', 'p' ]) + if not username or not password: return error - if decoded_pass.startswith('enc:'): - decoded_pass = hexdecode(decoded_pass[4:]) - - status, user = UserManager.try_auth(username, decoded_pass) + status, user = UserManager.try_auth(username, password) if status != UserManager.SUCCESS: return error @@ -188,13 +185,6 @@ class ResponseHelper: return ret.replace('"True"', '"true"').replace('"False"', '"false"') -def hexdecode(enc): - ret = '' - while enc: - ret = ret + chr(int(enc[:2], 16)) - enc = enc[2:] - return ret - def get_entity(req, ent, param = 'id'): eid = req.args.get(param) if not eid: diff --git a/api/user.py b/api/user.py index 17e9492..1843a1b 100755 --- a/api/user.py +++ b/api/user.py @@ -3,7 +3,6 @@ from flask import request from web import app from db import User -from . import hexdecode from user_manager import UserManager @app.route('/rest/getUser.view', methods = [ 'GET', 'POST' ]) 
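Review bot: Renaming `decoded_pass` to `password` in `authorize` removes the only hint at this call site that the `p` parameter may arrive either as plaintext or as `enc:`-prefixed hex, and nothing now says that `UserManager.try_auth` is the place that decodes it. A one-line comment above the call would keep that contract visible, e.g. `# 'p' is plaintext or 'enc:' + hex; UserManager.try_auth decodes it`. Note that `return error` after `try_auth` is the only failure path in this hunk, so anything raised while decoding inside `try_auth` will not reach it; the body of `authorize` starts before this hunk.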
@@ -38,9 +37,6 @@ def user_add(): return request.error_formatter(10, 'Missing parameter') admin = True if admin in (True, 'True', 'true', 1, '1') else False - if password.startswith('enc:'): - password = hexdecode(password[4:]) - status = UserManager.add(username, password, email, admin) if status == UserManager.NAME_EXISTS: return request.error_formatter(0, 'There is already a user with that username') @@ -72,9 +68,6 @@ def user_changepass(): if username != request.username and not request.user.admin: return request.error_formatter(50, 'Admin restricted') - if password.startswith('enc:'): - password = hexdecode(password[4:]) - status = UserManager.change_password2(username, password) if status != UserManager.SUCCESS: return request.error_formatter(0, UserManager.error_str(status)) diff --git a/user_manager.py b/user_manager.py index 54fcf38..6f4621a 100755 --- a/user_manager.py +++ b/user_manager.py @@ -35,6 +35,7 @@ class UserManager: if User.query.filter(User.name == name).first(): return UserManager.NAME_EXISTS + password = UserManager.__decode_password(password) crypt, salt = UserManager.__encrypt_password(password) user = User(name = name, mail = mail, password = crypt, salt = salt, admin = admin) session.add(user) @@ -55,6 +56,7 @@ class UserManager: @staticmethod def try_auth(name, password): + password = UserManager.__decode_password(password) user = User.query.filter(User.name == name).first() if not user: return UserManager.NO_SUCH_USER, None @@ -69,6 +71,9 @@ class UserManager: if status != UserManager.SUCCESS: return status + old_pass = UserManager.__decode_password(old_pass) + new_pass = UserManager.__decode_password(new_pass) + if UserManager.__encrypt_password(old_pass, user.salt)[0] != user.password: return UserManager.WRONG_PASS 
@@ -82,6 +87,7 @@ class UserManager: if not user: return UserManager.NO_SUCH_USER + new_pass = UserManager.__decode_password(new_pass) user.password = UserManager.__encrypt_password(new_pass, user.salt)[0] session.commit() return UserManager.SUCCESS @@ -107,3 +113,15 @@ class UserManager: salt = ''.join(random.choice(string.printable.strip()) for i in xrange(6)) return hashlib.sha1(salt + password).hexdigest(), salt + @staticmethod + def __decode_password(password): + if not password.startswith('enc:'): + return password + + enc = password[4:] + ret = '' + while enc: + ret = ret + chr(int(enc[:2], 16)) + enc = enc[2:] + return ret +
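Review bot: `__decode_password` has no handling for malformed `enc:` input: `int(enc[:2], 16)` raises `ValueError` on a non-hex digit, and because the loop consumes two characters at a time an odd-length string ends in a single-character chunk that is silently accepted, so a value such as `enc:abc` decodes without error to something the client never sent. Since `try_auth`, `add`, `change_password` (earlier hunks) and `change_password2` now call this helper unconditionally, a bad `p` value surfaces as an unhandled exception from the API rather than as `WRONG_PASS`. Replacing the loop with `return binascii.unhexlify(password[4:])` rejects both odd-length and non-hex input with a single exception type the callers can map to `WRONG_PASS`; `binascii` would need importing at the top of the file, which is outside this hunk. The file appears to target Python 2 (`xrange` in the context lines), where `unhexlify` returns the same `str` the current loop builds. Separately, the context lines show passwords stored as one `sha1(salt + password)` with a `random.choice` salt; that predates this commit, but it is worth a follow-up to move to a purpose-built password hash.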