From 5c855803945a09716bc6dc2fa1c0971e73d7f021 Mon Sep 17 00:00:00 2001
From: Zhaofeng Yang
Date: Sun, 22 Nov 2020 02:51:18 +0800
Subject: [PATCH 1/2] add hashed vpn password
---
 app/models.py | 12 ++++++++----
 app/utils.py | 12 ++++++++++++
 app/views.py | 4 ++++
 3 files changed, 24 insertions(+), 4 deletions(-)
diff --git a/app/models.py b/app/models.py
index 73c538c..7275304 100644
--- a/app/models.py
+++ b/app/models.py
@@ -49,7 +49,7 @@ class VPNAccount(db.Model):
 def __init__(self, username, value, is_expiration=False):
 self.username = username
 self.value = value
- self.attribute = 'Expiration' if is_expiration else 'Cleartext-Password'
+ self.attribute = 'Expiration' if is_expiration else 'SSHA2-256-Password'
 self.op = ':='
 def save(self):
@@ -58,7 +58,7 @@ def save(self):
 @classmethod
 def get_account_by_email(cls, email):
- return cls.query.filter_by(username=email).filter_by(attribute='Cleartext-Password').first()
+ return cls.query.filter_by(username=email).filter_by(attribute='SSHA2-256-Password').first()
 @classmethod
 def get_expiration_by_email(cls, email):
@@ -68,7 +68,7 @@ def get_expiration_by_email(cls, email):
 def add(cls, email, password, expiration):
 account = cls.get_account_by_email(email)
 if not account:
- account = cls(email, password)
+ account = cls(email, hash_passwd(password))
 account.save()
 if not Group.get_group_by_email(email):
 group = Group(email)
@@ -107,7 +107,7 @@ def changepass(cls, email, newpass):
 if not account:
 raise Exception('account not found')
 else:
- account.value = newpass
+ account.value = hash_passwd(newpass)
 account.save()
@@ -186,6 +186,10 @@ def get_rejected(cls):
 def get_users(cls):
 return cls.query.filter(db.or_(cls.status == 'pass', cls.status == 'banned')).order_by(cls.id).all()
+ def vpnpassword_invisible(self):
+ self.vpnpassword = ""
+ self.save()
+
 def pass_apply(self, is_long=False):
 self.status = 'pass'
 self.expiration = next_semester_end()
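Review bot: The attribute rename in `__init__`, mirrored in `get_account_by_email` (@@ -58 hunk), leaves any existing `Cleartext-Password` rows invisible to the model, so for an already-enrolled user `add()` (@@ -68 hunk) would insert a second row while the old cleartext row stays in the table as a credential the RADIUS side may still accept. The commit carries no migration; existing rows need to be rehashed or removed alongside this change, or the lookup has to cover both attributes during the transition, e.g. `.filter(cls.attribute.in_(('Cleartext-Password', 'SSHA2-256-Password')))`. A comment on the new `__init__` line stating the value layout the attribute name commits to, `# value is base64(sha256(password + salt) + salt); see hash_passwd_with_salt in utils.py`, would tie the model to the helper that produces it. The VPNAccount class continues outside these hunks.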
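Review bot: `vpnpassword_invisible` blanks `self.vpnpassword` and commits, but nothing on the method says when that is meant to happen or why; the callers in views.py gate it on `status == 'pass'`, so for every other status the stored value is left in place. A docstring such as `"""Blank the stored VPN password copy so it is no longer displayed; called once the user logs in after approval."""` would record the intent — the second clause is my reading of the call sites and should be confirmed. Moving the status check into the method (`if self.status != 'pass': return`) would keep the rule in one place instead of in two views. The enclosing class starts before this hunk.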
diff --git a/app/utils.py b/app/utils.py
index e173983..44027fd 100644
--- a/app/utils.py
+++ b/app/utils.py
@@ -1,7 +1,19 @@
 import random
 import string
 import datetime
+import hashlib
+from base64 import b64encode
+def hash_passwd_with_salt(passwd, salt):
+ ctx = hashlib.sha256(passwd)
+ ctx.update(salt)
+ #hash = b"{SSHA256}" + b64encode(ctx.digest() + salt)
+ hash_clean = b64encode(ctx.digest() + salt)
+ return hash_clean
+
+def hash_passwd(passwd):
+ salt = random_string(8)
+ return hash_passwd_with_salt(passwd.encode('utf-8'),salt.encode('utf-8'))
 def random_string(N):
 return ''.join(random.choice(string.ascii_uppercase + string.ascii_lowercase + string.digits) for i in range(N))
diff --git a/app/views.py b/app/views.py
index ffff32c..3e676e5 100644
--- a/app/views.py
+++ b/app/views.py
@@ -90,6 +90,8 @@ def login():
 flash('Email not confirmed. Please recover your account at the bottom of this page.', 'error')
 else:
 login_user(user)
+ if user.status == 'pass':
+ user.vpnpassword_invisible()
 return redirect(url_for('index'))
 return render_template('login.html', form=form)
@@ -146,6 +148,8 @@ def cancel():
 @app.route('/logout/', methods=['POST'])
 @login_required
 def logout():
+ if current_user.status == 'pass':
+ current_user.vpnpassword_invisible()
 logout_user()
 return redirect(url_for('login'))
From 8f0090473fb9277686967cc1f8109ebae0c38ef5 Mon Sep 17 00:00:00 2001
From: Zhaofeng Yang
Date: Mon, 23 Nov 2020 00:45:31 +0800
Subject: [PATCH 2/2] change the location of encode utf8
---
 app/models.py | 4 ++--
 app/utils.py | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/app/models.py b/app/models.py
index 7275304..5366e66 100644
--- a/app/models.py
+++ b/app/models.py
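Review bot: The salt in `hash_passwd` comes from `random_string`, which draws from `random.choice`, a non-cryptographic PRNG; a password salt should come from the `secrets` module, e.g. `salt = secrets.token_bytes(8)` (with `import secrets` added to the header), which also removes the `.encode('utf-8')` round trip. `hash_passwd_with_salt` returns the `bytes` produced by `b64encode`, and the callers in models.py store it straight into `account.value`; if that column is a text column, the helper should end with `return hash_clean.decode('ascii')` so the row holds the base64 text rather than a bytes object whose storage depends on the driver. The commented-out `#hash = b"{SSHA256}" ...` line is dead code and should go, replaced by a docstring on `hash_passwd_with_salt` stating the layout it produces, `base64(sha256(passwd || salt) || salt)`, because the digest order (password first, then salt) is exactly what has to agree with the backend's handling of `SSHA2-256-Password` and is otherwise invisible to the reader.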
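Review bot: The two added lines in `login()` and the identical pair in `logout()` (@@ -146 hunk) repeat the `status == 'pass'` rule at both call sites; the rule belongs in `vpnpassword_invisible` itself so a third caller cannot forget it, leaving each view with a single `user.vpnpassword_invisible()` or `current_user.vpnpassword_invisible()` line. Both calls also issue a write on every login and logout even when the field is already empty; a guard on `self.vpnpassword` inside the method would avoid the redundant commit. `login()` begins before its hunk.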
@@ -68,7 +68,7 @@ def get_expiration_by_email(cls, email):
 def add(cls, email, password, expiration):
 account = cls.get_account_by_email(email)
 if not account:
- account = cls(email, hash_passwd(password))
+ account = cls(email, hash_passwd(password.encode('utf-8')))
 account.save()
 if not Group.get_group_by_email(email):
 group = Group(email)
@@ -107,7 +107,7 @@ def changepass(cls, email, newpass):
 if not account:
 raise Exception('account not found')
 else:
- account.value = hash_passwd(newpass)
+ account.value = hash_passwd(newpass.encode('utf-8'))
 account.save()
diff --git a/app/utils.py b/app/utils.py
index 44027fd..9319432 100644
--- a/app/utils.py
+++ b/app/utils.py
@@ -12,8 +12,8 @@ def hash_passwd_with_salt(passwd, salt):
 return hash_clean
 def hash_passwd(passwd):
- salt = random_string(8)
- return hash_passwd_with_salt(passwd.encode('utf-8'),salt.encode('utf-8'))
+ salt = random_string(8).encode('utf-8')
+ return hash_passwd_with_salt(passwd,salt)
 def random_string(N):
 return ''.join(random.choice(string.ascii_uppercase + string.ascii_lowercase + string.digits) for i in range(N))
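Review bot: After this commit `hash_passwd` only accepts `bytes`, yet nothing on the function records that, and the conversion is now repeated at both call sites in models.py (@@ -68 and @@ -107 hunks); a docstring on `hash_passwd` in the utils.py hunk such as `"""Return the salted SHA-256 of *passwd* (bytes), base64-encoded with the salt appended."""` would make a `str` argument an obvious caller error rather than a `TypeError` raised from inside hashlib. If the goal is to keep the encoding in one place, accepting `str` in `hash_passwd` and encoding there, as the previous commit did, is the smaller surface; either way the call sites should match the documented contract. `add` and `changepass` begin before their hunks.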