172 lines
5.3 KiB
Python
172 lines
5.3 KiB
Python
import nacl
|
|
import base64
|
|
|
|
from nacl import pwhash, secret
|
|
from django.db import models
|
|
from django.core.cache import cache
|
|
from django.utils.translation import gettext_lazy as _
|
|
from django.contrib.auth.models import BaseUserManager, AbstractBaseUser
|
|
|
|
|
|
class UserManager(BaseUserManager):
|
|
def create_user(self, email, password=None):
|
|
"""
|
|
Creates and saves a User with the given email, date of
|
|
birth and password.
|
|
"""
|
|
if not email:
|
|
raise ValueError("Users must have an email address")
|
|
|
|
user = self.model(
|
|
email=self.normalize_email(email),
|
|
)
|
|
|
|
user.set_password(password)
|
|
user.save(using=self._db)
|
|
return user
|
|
|
|
def create_superuser(self, email, password=None):
|
|
"""
|
|
Creates and saves a superuser with the given email, date of
|
|
birth and password.
|
|
"""
|
|
user = self.create_user(
|
|
email,
|
|
password=password,
|
|
)
|
|
user.is_admin = True
|
|
user.save(using=self._db)
|
|
return user
|
|
|
|
|
|
class User(AbstractBaseUser):
|
|
email = models.EmailField(
|
|
_('Email address'),
|
|
max_length=255,
|
|
unique=True,
|
|
)
|
|
is_active = models.BooleanField(_("is active"), default=True)
|
|
is_admin = models.BooleanField(_("is admin"), default=False)
|
|
first_name = models.CharField(_("First name"), max_length=255, blank=True, null=True)
|
|
last_name = models.CharField(_("Last name"), max_length=255, blank=True, null=True)
|
|
encrypted_sensitive_data = models.CharField(max_length=255)
|
|
salt = models.CharField(max_length=255)
|
|
accept_gdpr = models.BooleanField(default=False)
|
|
|
|
objects = UserManager()
|
|
|
|
USERNAME_FIELD = "email"
|
|
REQUIRED_FIELDS = []
|
|
|
|
def __str__(self):
|
|
return self.email
|
|
|
|
def has_perm(self, perm, obj=None):
|
|
"Does the user have a specific permission?"
|
|
# Simplest possible answer: Yes, always
|
|
return True
|
|
|
|
def has_module_perms(self, app_label):
|
|
"Does the user have permissions to view the app `app_label`?"
|
|
# Simplest possible answer: Yes, always
|
|
return True
|
|
|
|
@property
|
|
def is_staff(self):
|
|
"Is the user a member of staff?"
|
|
# Simplest possible answer: All admins are staff
|
|
return self.is_admin
|
|
|
|
@property
|
|
def username(self):
|
|
"Is the email of the user"
|
|
return self.email
|
|
|
|
def get_memberships(self):
|
|
members = set(
|
|
str(dict(x.Types.choices)[x.type]) for x in self.memberships.all()
|
|
)
|
|
return ", ".join(members)
|
|
|
|
def get_roles(self):
|
|
roles = []
|
|
for s in self.roles.all():
|
|
for r in s.service.rol.all():
|
|
roles.append(r.name)
|
|
return ", ".join(set(roles))
|
|
|
|
def derive_key_from_password(self, password=None):
|
|
if not password:
|
|
password = cache.get("KEY_DIDS").encode('utf-8')
|
|
|
|
kdf = pwhash.argon2i.kdf
|
|
ops = pwhash.argon2i.OPSLIMIT_INTERACTIVE
|
|
mem = pwhash.argon2i.MEMLIMIT_INTERACTIVE
|
|
return kdf(
|
|
secret.SecretBox.KEY_SIZE,
|
|
password,
|
|
self.get_salt(),
|
|
opslimit=ops,
|
|
memlimit=mem
|
|
)
|
|
|
|
def decrypt_sensitive_data(self, data=None):
|
|
sb_key = self.derive_key_from_password()
|
|
sb = secret.SecretBox(sb_key)
|
|
if not data:
|
|
data = self.get_encrypted_sensitive_data()
|
|
if not isinstance(data, bytes):
|
|
data = data.encode('utf-8')
|
|
|
|
return sb.decrypt(data).decode('utf-8')
|
|
|
|
def encrypt_sensitive_data(self, data):
|
|
sb_key = self.derive_key_from_password()
|
|
sb = secret.SecretBox(sb_key)
|
|
if not isinstance(data, bytes):
|
|
data = data.encode('utf-8')
|
|
|
|
return base64.b64encode(sb.encrypt(data)).decode('utf-8')
|
|
|
|
def get_salt(self):
|
|
return base64.b64decode(self.salt.encode('utf-8'))
|
|
|
|
def set_salt(self):
|
|
self.salt = base64.b64encode(nacl.utils.random(16)).decode('utf-8')
|
|
|
|
def get_encrypted_sensitive_data(self):
|
|
return base64.b64decode(self.encrypted_sensitive_data.encode('utf-8'))
|
|
|
|
def set_encrypted_sensitive_data(self):
|
|
key = base64.b64encode(nacl.utils.random(64))
|
|
self.set_salt()
|
|
|
|
key_crypted = self.encrypt_sensitive_data(key)
|
|
self.encrypted_sensitive_data = key_crypted
|
|
|
|
def encrypt_data(self, data):
|
|
pw = self.decrypt_sensitive_data().encode('utf-8')
|
|
sb = self.get_secret_box(pw)
|
|
value_enc = sb.encrypt(data.encode('utf-8'))
|
|
return base64.b64encode(value_enc).decode('utf-8')
|
|
|
|
def decrypt_data(self, data):
|
|
pw = self.decrypt_sensitive_data().encode('utf-8')
|
|
sb = self.get_secret_box(pw)
|
|
value = base64.b64decode(data.encode('utf-8'))
|
|
return sb.decrypt(value).decode('utf-8')
|
|
|
|
def get_secret_box(self, password):
|
|
sb_key = self.derive_key_from_password(password)
|
|
return secret.SecretBox(sb_key)
|
|
|
|
def change_password_key(self, new_password):
|
|
data = self.decrypt_sensitive_data()
|
|
sb_key = self.derive_key_from_password(new_password)
|
|
sb = secret.SecretBox(sb_key)
|
|
if not isinstance(data, bytes):
|
|
data = data.encode('utf-8')
|
|
|
|
encrypted_data = base64.b64encode(sb.encrypt(data)).decode('utf-8')
|
|
self.encrypted_sensitive_data = encrypted_data
|