cherrypy-foundation 1.0.0__py3-none-any.whl → 1.0.0a1__py3-none-any.whl

cherrypy_foundation/tools/auth_mfa.py

@@ -1,5 +1,5 @@
 # MFA tool for cherrypy
-# Copyright (C) 2022-2026 IKUS Software
+# Copyright (C) 2022-2025 Patrik Dufresne
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -21,16 +21,16 @@ from typing import Optional
 
 import cherrypy
 
-from cherrypy_foundation.sessions import session_lock
-
 from ..passwd import check_password, hash_password
 
+logger = logging.getLogger(__name__)
+
 MFA_CODE = '_auth_mfa_code'
 MFA_CODE_TIME = '_auth_mfa_code_time'
 MFA_CODE_ATTEMPT = '_auth_mfa_code_attempt'
 MFA_REDIRECT_URL = '_auth_mfa_redirect_url'
 MFA_TRUSTED_IP_LIST = '_auth_mfa_trusted_ip_list'
-MFA_USER_KEY = '_auth_mfa_user_key'
+MFA_USERNAME = '_auth_mfa_username'
 MFA_VERIFICATION_TIME = '_auth_mfa_time'
 
 MFA_DEFAULT_CODE_TIMEOUT = 10  # minutes
@@ -85,11 +85,11 @@ class CheckAuthMfa(cherrypy.Tool):
 
         length = self._code_length()
         code = ''.join(secrets.choice(string.digits) for _ in range(length))
-        with session_lock() as session:
-            session[MFA_USER_KEY] = cherrypy.request.login
-            session[MFA_CODE] = hash_password(code)
-            session[MFA_CODE_TIME] = session.now()
-            session[MFA_CODE_ATTEMPT] = 0
+        session = cherrypy.serving.session
+        session[MFA_USERNAME] = cherrypy.request.login
+        session[MFA_CODE] = hash_password(code)
+        session[MFA_CODE_TIME] = session.now()
+        session[MFA_CODE_ATTEMPT] = 0
         return code
 
     def _is_verified(self) -> bool:
@@ -98,24 +98,24 @@ class CheckAuthMfa(cherrypy.Tool):
             return False
 
         # Check if our username match current login user.
-        with session_lock() as session:
-            if session.get(MFA_USER_KEY) != cherrypy.request.login:
-                return False
+        session = cherrypy.serving.session
+        if session.get(MFA_USERNAME) != cherrypy.request.login:
+            return False
 
-            # Check if the current IP is trusted
-            ip_list = session.get(MFA_TRUSTED_IP_LIST) or []
-            if cherrypy.request.remote.ip not in ip_list:
-                return False
+        # Check if the current IP is trusted
+        ip_list = session.get(MFA_TRUSTED_IP_LIST) or []
+        if cherrypy.request.remote.ip not in ip_list:
+            return False
 
-            # Check if user ever pass the verification.
-            verified_at: Optional[datetime.datetime] = session.get(MFA_VERIFICATION_TIME)
-            if not verified_at:
-                return False
+        # Check if user ever pass the verification.
+        verified_at: Optional[datetime.datetime] = session.get(MFA_VERIFICATION_TIME)
+        if not verified_at:
+            return False
 
-            # Check trusted duration time
-            trust_minutes = self._trust_duration_minutes()
-            if (verified_at + datetime.timedelta(minutes=trust_minutes)) <= session.now():
-                return False
+        # Check trusted duration time
+        trust_minutes = self._trust_duration_minutes()
+        if (verified_at + datetime.timedelta(minutes=trust_minutes)) <= session.now():
+            return False
 
         return True
 
@@ -127,26 +127,24 @@ class CheckAuthMfa(cherrypy.Tool):
         if not hasattr(cherrypy.serving, 'session'):
             return True
 
-        with session_lock() as session:
-            if session.get(MFA_USER_KEY) != cherrypy.request.login:
-                return True
+        session = cherrypy.serving.session
+        if session.get(MFA_USERNAME) != cherrypy.request.login:
+            return True
 
-            # Check if code is defined.
-            hash_ = session.get(MFA_CODE)
-            if not hash_:
-                return True
+        # Check if code is defined.
+        hash_ = session.get(MFA_CODE)
+        if not hash_:
+            return True
 
-            # Check issued time.
-            issued_at: Optional[datetime.datetime] = session.get(MFA_CODE_TIME)
-            if not issued_at or (
-                (issued_at + datetime.timedelta(minutes=self._code_timeout_minutes())) < session.now()
-            ):
-                return True
+        # Check issued time.
+        issued_at: Optional[datetime.datetime] = session.get(MFA_CODE_TIME)
+        if not issued_at or ((issued_at + datetime.timedelta(minutes=self._code_timeout_minutes())) < session.now()):
+            return True
 
-            # Check number of attempt.
-            attempts = int(session.get(MFA_CODE_ATTEMPT, 0))
-            if attempts >= self._max_attempts():
-                return True
+        # Check number of attempt.
+        attempts = int(session.get(MFA_CODE_ATTEMPT, 0))
+        if attempts >= self._max_attempts():
+            return True
 
         return False
 
@@ -194,55 +192,56 @@ class CheckAuthMfa(cherrypy.Tool):
         if not hasattr(cherrypy.serving, 'session'):
             return False
 
-        with session_lock() as session:
-            stored_hash = session.get(MFA_CODE)
-            is_expired = self.is_code_expired()
-            if self.is_code_expired():
-                return False
-
-            # Always perform the hash check regardless of expiration
-            # to prevent timing attacks
-            code_valid = False
-            if stored_hash:
-                code_valid = check_password(code, stored_hash)
-
-            # Check all conditions after hash verification
-            if is_expired or not code_valid:
-                if not is_expired:  # Only increment if not expired
-                    session[MFA_CODE_ATTEMPT] = attempts = int(session.get(MFA_CODE_ATTEMPT, 0)) + 1
-                cherrypy.log(
-                    f'verification failed user={cherrypy.request.login} ip={cherrypy.request.remote.ip} attempts={attempts}',
-                    context='MFA',
-                    severity=logging.WARNING,
-                )
-                return False
-
-            # Success: trust this device/IP for the configured duration
-            session[MFA_VERIFICATION_TIME] = session.now()
-            ip_list = list({*(session.get(MFA_TRUSTED_IP_LIST) or []), cherrypy.request.remote.ip})
-            # Cap the list to avoid unbounded growth (keep most recent N)
-            max_ips = self._max_trusted_ips()
-            if len(ip_list) > max_ips:
-                ip_list = ip_list[-max_ips:]
-            session[MFA_TRUSTED_IP_LIST] = ip_list
-
-            # Clear the one-time code
-            session[MFA_CODE] = None
-            session[MFA_CODE_TIME] = None
-            session[MFA_CODE_ATTEMPT] = 0
-
-            # Honor “remember this device” option by making the session persistent
-            if hasattr(cherrypy.tools, 'sessions_timeout'):
-                try:
-                    cherrypy.tools.sessions_timeout.set_persistent(bool(persistent))
-                except Exception:
-                    pass
-
-            # Rotate session id to prevent fixation
-            session.regenerate()
-            cherrypy.log(
-                f'verification successful user={cherrypy.request.login} ip={cherrypy.request.remote.ip}', context='MFA'
+        session = cherrypy.serving.session
+        stored_hash = session.get(MFA_CODE)
+        is_expired = self.is_code_expired()
+        if self.is_code_expired():
+            return False
+
+        # Always perform the hash check regardless of expiration
+        # to prevent timing attacks
+        code_valid = False
+        if stored_hash:
+            code_valid = check_password(code, stored_hash)
+
+        # Check all conditions after hash verification
+        if is_expired or not code_valid:
+            if not is_expired:  # Only increment if not expired
+                session[MFA_CODE_ATTEMPT] = attempts = int(session.get(MFA_CODE_ATTEMPT, 0)) + 1
+            logger.warning(
+                'MFA code verification failed for user=%s from ip=%s, attempt=%d',
+                cherrypy.request.login,
+                cherrypy.request.remote.ip,
+                attempts,
             )
+            return False
+
+        # Success: trust this device/IP for the configured duration
+        session[MFA_VERIFICATION_TIME] = session.now()
+        ip_list = list({*(session.get(MFA_TRUSTED_IP_LIST) or []), cherrypy.request.remote.ip})
+        # Cap the list to avoid unbounded growth (keep most recent N)
+        max_ips = self._max_trusted_ips()
+        if len(ip_list) > max_ips:
+            ip_list = ip_list[-max_ips:]
+        session[MFA_TRUSTED_IP_LIST] = ip_list
+
+        # Clear the one-time code
+        session[MFA_CODE] = None
+        session[MFA_CODE_TIME] = None
+        session[MFA_CODE_ATTEMPT] = 0
+
+        # Honor “remember this device” option by making the session persistent
+        if hasattr(cherrypy.tools, 'sessions_timeout'):
+            try:
+                cherrypy.tools.sessions_timeout.set_persistent(bool(persistent))
+            except Exception:
+                pass
+
+        # Rotate session id to prevent fixation
+        session.regenerate()
+        logger.info(
+            'Successful MFA verification for user=%s from ip=%s', cherrypy.request.login, cherrypy.request.remote.ip
+        )
         return True
 
 

cherrypy_foundation/tools/errors.py

@@ -0,0 +1,27 @@
+# udb, A web interface to manage IT network
+# Copyright (C) 2025 IKUS Software inc.
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <https://www.gnu.org/licenses/>.
+import sys
+
+import cherrypy
+
+
+def handle_exception(error_table):
+    t = sys.exc_info()[0]
+    code = error_table.get(t, 500)
+    cherrypy.serving.request.error_response = cherrypy.HTTPError(code).set_response
+
+
+cherrypy.tools.errors = cherrypy.Tool('before_error_response', handle_exception, priority=90)