Files
postgres-web/pgweb/account/models.py
Magnus Hagander de76f82f62 Implement authenticated encryption in community auth
This creates a community auth version 3 (previous one being 2, and 1 is
long gone) trhat uses AES_SIV as the encryption method instead of
regular AES_CBC, and validates the digests on all accounts.

As this gets deployed on servers incrementall, the version has to be
specified in the database record for the site. We could have the site
indicate this itself, but doing it this way seems safer as it will then
just break for any app that accidentally reverts the plugin.

Reviewed by Jacob Champion
2025-06-11 20:26:21 +02:00

55 lines
2.8 KiB
Python

from django.db import models
from django.contrib.auth.models import User
class CommunityAuthOrg(models.Model):
orgname = models.CharField(max_length=100, null=False, blank=False, unique=True,
help_text="Name of the organisation")
require_consent = models.BooleanField(null=False, blank=False, default=True)
def __str__(self):
return self.orgname
class CommunityAuthSite(models.Model):
name = models.CharField(max_length=100, null=False, blank=False, unique=True,
help_text="Note that the value in this field is shown on the login page, so make sure it's user-friendly!")
redirecturl = models.URLField(max_length=200, null=False, blank=False)
apiurl = models.URLField(max_length=200, null=False, blank=True)
cryptkey = models.CharField(max_length=100, null=False, blank=False,
help_text="Use tools/communityauth/generate_cryptkey.py to create a key")
version = models.IntegerField(choices=((2, 2), (3, 3)), default=2)
comment = models.TextField(null=False, blank=True)
org = models.ForeignKey(CommunityAuthOrg, null=False, blank=False, on_delete=models.CASCADE)
cooloff_hours = models.PositiveIntegerField(null=False, blank=False, default=0,
help_text="Number of hours a user must have existed in the systems before allowed to log in to this site")
cooloff_message = models.TextField(null=False, blank=True,
help_text="Message (HTML format allowed, will be wrapped in <P>) to show users who have not passed the cool-off period")
push_changes = models.BooleanField(null=False, blank=False, default=False,
help_text="Supports receiving http POSTs with changes to accounts")
push_ssh = models.BooleanField(null=False, blank=False, default=False,
help_text="Wants to receive SSH keys in push changes")
def __str__(self):
return self.name
class CommunityAuthConsent(models.Model):
user = models.ForeignKey(User, null=False, blank=False, on_delete=models.CASCADE)
org = models.ForeignKey(CommunityAuthOrg, null=False, blank=False, on_delete=models.CASCADE)
consentgiven = models.DateTimeField(null=False, blank=False)
class Meta:
unique_together = (('user', 'org'), )
class SecondaryEmail(models.Model):
user = models.ForeignKey(User, null=False, blank=False, on_delete=models.CASCADE)
email = models.EmailField(max_length=75, null=False, blank=False, unique=True)
confirmed = models.BooleanField(null=False, blank=False, default=False)
token = models.CharField(max_length=100, null=False, blank=False)
sentat = models.DateTimeField(null=False, blank=False, auto_now=True)
class Meta:
ordering = ('email', )