moved fake_login_attempt to plugins

2013-05-17 11:03:41 -07:00
parent c9dec8b3cc
commit 14efa7bdf1
6 changed files with 166 additions and 27 deletions
--- a/mediagoblin/plugins/basic_auth/init.py
+++ b/mediagoblin/plugins/basic_auth/init.py
@@ -102,4 +102,5 @@ hooks = {
    'auth_get_login_form': get_login_form,
    'auth_get_registration_form': get_registration_form,
    'auth_gen_password_hash': gen_password_hash,
+    'auth_fake_login_attempt': auth_lib.fake_login_attempt,
 }
--- a/mediagoblin/plugins/basic_auth/lib.py
+++ b/mediagoblin/plugins/basic_auth/lib.py
@@ -14,6 +14,7 @@
 # You should have received a copy of the GNU Affero General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 import bcrypt
+import random

 from mediagoblin.tools.template import render_template
 from mediagoblin.tools.mail import send_email
@@ -97,3 +98,22 @@ def send_fp_verification_email(user, request):
        [user.email],
        'GNU MediaGoblin - Change forgotten password!',
        rendered_email)
+
+
+def fake_login_attempt():
+    """
+    Pretend we're trying to login.
+
+    Nothing actually happens here, we're just trying to take up some
+    time, approximately the same amount of time as
+    bcrypt_check_password, so as to avoid figuring out what users are
+    on the system by intentionally faking logins a bunch of times.
+    """
+    rand_salt = bcrypt.gensalt(5)
+
+    hashed_pass = bcrypt.hashpw(str(random.random()), rand_salt)
+
+    randplus_stored_hash = bcrypt.hashpw(str(random.random()), rand_salt)
+    randplus_hashed_pass = bcrypt.hashpw(hashed_pass, rand_salt)
+
+    randplus_stored_hash == randplus_hashed_pass
--- a/mediagoblin/plugins/piwigo/views.py
+++ b/mediagoblin/plugins/piwigo/views.py
@@ -23,7 +23,6 @@ from werkzeug.exceptions import MethodNotAllowed, BadRequest, NotImplemented
 from werkzeug.wrappers import BaseResponse

 from mediagoblin.meddleware.csrf import csrf_exempt
-from mediagoblin.auth.lib import fake_login_attempt
 from mediagoblin.media_types import sniff_media
 from mediagoblin.submit.lib import check_file_field, prepare_queue_task, \
    run_process_media, new_upload_entry
@@ -33,6 +32,7 @@ from mediagoblin.db.models import Collection

 from .tools import CmdTable, response_xml, check_form, \
    PWGSession, PwgNamedArray, PwgError
+from mediagoblin.plugins.basic_auth.lib import fake_login_attempt
 from .forms import AddSimpleForm, AddForm


@@ -126,7 +126,7 @@ def pwg_images_addSimple(request):
    dump = []
    for f in form:
        dump.append("%s=%r" % (f.name, f.data))
-    _log.info("addSimple: %r %s %r", request.form, " ".join(dump), 
+    _log.info("addSimple: %r %s %r", request.form, " ".join(dump),
              request.files)

    if not check_file_field(request, 'image'):