gavo.protocols.creds module

Code for checking against our user db.

Todo: evaluate using twisted.cred for this; but then I guess all this needs a thorough shakeup looking towards OAuth2 anyway.

We store the passwords hashed with scrypt with 16 bytes of salt. Of course, since we only support http basic auth at this point, this level of security really only makes sense if credential transmission is restricted to https; and with current DaCHS, this means disabling http altogether.

gavo.protocols.creds.addToGroup(conn, username, groupname)

Adds a user to a group.

A group would come into being by this operation if it didn’t exist before. Adding a non-existent user will raise an IntegrityError.

This will commit conn in order to catch integrity problems early.

gavo.protocols.creds.addUser(conn, username, password, remarks)

Adds a user to the users table.

This will always also create a like-named group. It will raise an IntegrityError if the user already exists.

This will commit conn in order to catch integrity problems early.

gavo.protocols.creds.changeUser(conn, username, password, remarks=None)

Changes a user’s password and remarks.

This will raise an error if no such user exists.

gavo.protocols.creds.delUser(conn, username)

Removes a user and their associated group memberships from the users and groups tables.

This returns the number of database rows affected; if this is 0, nothing was removed.

gavo.protocols.creds.getGroupsForUser(username, password)

Returns a set of all groups the user username belongs to.

If username and password don’t match, you’ll get an empty set.

gavo.protocols.creds.getHashedAdminPassword()

gavo.protocols.creds.hasCredentials(user, password, reqGroup)

Returns true if user and password match the db entry and the user is in the reqGroup.

If reqGroup is None, true will be returned if the user/password pair is in the user table.

gavo.protocols.creds.hashMatches(pwIn, storedHash)

Returns true if pwIn matches the encoded hash value computed with hashPassword.

gavo.protocols.creds.hashPassword(pw)

Returns pw hashed and encoded with the salt.

Our storage format is: "scrypt:" + b64encode(<16 bytes of salt><hash>)
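As an added illustration of the storage format described above (this is example code written for this page, not the gavo.protocols.creds implementation): a hash/verify pair that produces and checks "scrypt:" + b64encode(salt + hash) strings with a 16-byte random salt. The scrypt cost parameters (n, r, p) and the 32-byte digest length are assumptions, since the page does not state the module's own choices; the verifier rejects anything that is not a well-formed string of this exact shape and uses a constant-time comparison for the digest.

```python
import base64
import hashlib
import hmac
import os

# Cost parameters and digest length are assumptions for this example; the
# page does not document which values gavo.protocols.creds uses.
SCRYPT_N = 2 ** 14
SCRYPT_R = 8
SCRYPT_P = 1
SALT_LEN = 16  # "16 bytes of salt", as stated on the page
HASH_LEN = 32
PREFIX = "scrypt"


def _scrypt(pw: bytes, salt: bytes) -> bytes:
    """Derive the raw scrypt digest for a password and salt."""
    return hashlib.scrypt(
        pw, salt=salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=HASH_LEN)


def hash_password(pw: str, salt: bytes = None) -> str:
    """Return "scrypt:" + b64encode(<16 bytes of salt><hash>).

    A fresh random salt is drawn unless one is passed in (passing a fixed
    salt is only useful for reproducible tests).
    """
    if salt is None:
        salt = os.urandom(SALT_LEN)
    if len(salt) != SALT_LEN:
        raise ValueError("salt must be exactly %d bytes" % SALT_LEN)
    digest = _scrypt(pw.encode("utf-8"), salt)
    return PREFIX + ":" + base64.b64encode(salt + digest).decode("ascii")


def hash_matches(pw_in: str, stored_hash: str) -> bool:
    """Return True iff pw_in matches a value produced by hash_password.

    Any malformed stored value (wrong prefix, bad base64, wrong length)
    yields False rather than an exception, so a corrupt db row can never
    be mistaken for a match.
    """
    prefix, sep, encoded = stored_hash.partition(":")
    if not sep or prefix != PREFIX:
        return False
    try:
        raw = base64.b64decode(encoded, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    if len(raw) != SALT_LEN + HASH_LEN:
        return False
    salt, digest = raw[:SALT_LEN], raw[SALT_LEN:]
    # Recompute with the stored salt and compare in constant time.
    return hmac.compare_digest(_scrypt(pw_in.encode("utf-8"), salt), digest)


if __name__ == "__main__":
    stored = hash_password("correct horse battery staple")
    print(stored)
    print(hash_matches("correct horse battery staple", stored))  # True
    print(hash_matches("wrong password", stored))  # False
```

Because the salt is stored in front of the digest, verification needs no separate salt column; the "scrypt:" prefix leaves room to recognise and migrate rows written with a different scheme later, and the length check means a truncated row fails closed.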

gavo.protocols.creds.isAdmin(username, password)

Returns True if username and password match what's configured in gavorc.

gavo.protocols.creds.removeFromGroup(conn, username, groupname)

Removes a user from a group.

It is not an error to remove a user from a group they are not in. This returns the number of rows removed in the operation (which should be 1 when the user has been a member of the group).