From 8343478aea634ea5b4ed4d788a19824915215520 Mon Sep 17 00:00:00 2001
From: chirac <chirac@arachne>
Date: Sat, 2 Jul 2016 00:35:44 +0200
Subject: [PATCH] Vue de modification du mdp

---
 re2o/login.py  | 30 ++++++++++++++++++++++++++++++
 users/forms.py |  3 ++-
 users/views.py | 12 ++++++++++--
 3 files changed, 42 insertions(+), 3 deletions(-)
 create mode 100644 re2o/login.py

diff --git a/re2o/login.py b/re2o/login.py
new file mode 100644
index 00000000..566f2873
--- /dev/null
+++ b/re2o/login.py
@@ -0,0 +1,30 @@
+# -*- coding: utf-8 -*-
+# Module d'authentification
+# David Sinquin, Gabriel Détraz, Goulven Kermarec
+
+import hashlib, binascii
+import os
+from base64 import urlsafe_b64encode as encode
+from base64 import urlsafe_b64decode as decode
+
+def makeSecret(password):
+    salt = os.urandom(4)
+    h = hashlib.sha1(password.encode())
+    h.update(salt)
+    return "{SSHA}" + encode(h.digest() + salt).decode()
+
+def hashNT(password):
+    hash = hashlib.new('md4', password.encode()).digest()
+    return binascii.hexlify(hash)
+
+def checkPassword(challenge_password, password):
+    challenge_bytes = decode(challenge_password[6:])
+    digest = challenge_bytes[:20]
+    salt = challenge_bytes[20:]
+    hr = hashlib.sha1(password.encode())
+    hr.update(salt)
+    valid_password = True
+    # La comparaison est volontairement en temps constant (pour éviter les timing-attacks)
+    for i, j in zip(digest, hr.digest()):
+        valid_password &= i == j
+    return valid_password
diff --git a/users/forms.py b/users/forms.py
index f748e896..13a4d363 100644
--- a/users/forms.py
+++ b/users/forms.py
@@ -5,4 +5,5 @@ from django import forms
 
 
 class PassForm(forms.Form):
-    passwd = forms.CharField(label=u'Nouveau mot de passe', max_length=255, widget=forms.PasswordInput)
+    passwd1 = forms.CharField(label=u'Nouveau mot de passe', max_length=255, widget=forms.PasswordInput)
+    passwd2 = forms.CharField(label=u'Saisir à nouveau le mot de passe', max_length=255, widget=forms.PasswordInput)
diff --git a/users/views.py b/users/views.py
index 5b9fe2ad..1136c437 100644
--- a/users/views.py
+++ b/users/views.py
@@ -10,6 +10,8 @@ from django.contrib import messages
 from users.models import User, UserForm, InfoForm, PasswordForm, StateForm
 from users.forms  import PassForm
 
+from re2o.login import makeSecret, hashNT
+
 def form(ctx, template, request):
     c = ctx
     c.update(csrf(request))
@@ -55,7 +57,13 @@ def password(request, userid):
         return redirect("/users/")
     user_form = PassForm(request.POST or None)
     if user_form.is_valid():
-        user.pwd_ssha = user_form.cleaned_data['passwd']
-        user.pwd_ntlm = user_form.cleaned_data['passwd'] 
+        if user_form.cleaned_data['passwd1'] != user_form.cleaned_data['passwd2']:
+            messages.error(request, u"Les 2 mots de passe différent" )
+            return form({'userform': user_form}, 'users/user.html', request)
+        user.pwd_ssha = makeSecret(user_form.cleaned_data['passwd1'])
+        user.pwd_ntlm = hashNT(user_form.cleaned_data['passwd1'])
         user.save()
     return form({'userform': user_form}, 'users/user.html', request)
+
+def index(request):
+    return render(request, 'users/index.html')