move from bcrypt to argon2

move from bcrypt to argon2 ignore .venv directory update sqlalchemy models to 2.0

move from bcrypt to argon2
move from bcrypt to argon2 ignore .venv directory update sqlalchemy models to 2.0
Miguel Barão · Miguel Barão · Miguel Barão
1 parent 8c0c618d
Showing 7 changed files with 86 additions and 102 deletions Show diff stats
.gitignore
perguntations/TODO
perguntations/app.py
perguntations/initdb.py
perguntations/models.py
perguntations/serve.py
setup.py
+# ignore virtual environment
+.venv
+
 __pycache__/
 .DS_Store
 demo/ans
@@ -0,0 +1,17 @@
+# TODO
+
+- opcao correct de testes que nao foram corrigidos automaticamente.
+- tests should store identification of the perguntations version.
+- detailed CSV devia ter as refs das perguntas e so preencher as que o aluno respondeu.
+- long pooling admin
+- student sends updated answers
+- questions with parts
+
+
+---- Estados -----
+
+inicialização (sincrona)
+    test factory
+    database setup: define lista de estudantes com teste=None
+    login admin:
+        gera todos os testes para os alunos na lista
@@ -14,7 +14,7 @@ import os
 from typing import Optional
 # installed packages
-import bcrypt
+import argon2
 from sqlalchemy import create_engine, select
 from sqlalchemy.exc import OperationalError, NoResultFound, IntegrityError
 from sqlalchemy.orm import Session
@@ -30,17 +30,25 @@ from .questions import question_from
 # setup logger for this module
 logger = logging.getLogger(__name__)
+# ============================================================================
+ph = argon2.PasswordHasher()
+
 async def check_password(password: str, hashed: bytes) -> bool:
     '''check password in executor'''
     loop = asyncio.get_running_loop()
-    return await loop.run_in_executor(None, bcrypt.checkpw,
-            password.encode('utf-8'), hashed)
+    try:
+        return await loop.run_in_executor(None, ph.verify, hashed, password.encode('utf-8'))
+    except argon2.exceptions.VerifyMismatchError:
+        return False
+    except Exception:
+        logger.error('Unkown error while verifying password')
+        return False
 async def hash_password(password: str) -> bytes:
     '''get hash for password'''
     loop = asyncio.get_running_loop()
-    return await loop.run_in_executor(None, bcrypt.hashpw,
-            password.encode('utf-8'), bcrypt.gensalt())
+    hashed = await loop.run_in_executor(None, ph.hash, password)
+    return hashed.encode('utf-8')
 # ============================================================================
 class AppException(Exception):
@@ -9,10 +9,9 @@ import csv
 import argparse
 import re
 from string import capwords
-from concurrent.futures import ThreadPoolExecutor
 # installed packages
-import bcrypt
+from argon2 import PasswordHasher
 from sqlalchemy import create_engine, select
 from sqlalchemy.orm import Session
 from sqlalchemy.exc import IntegrityError
@@ -76,7 +75,7 @@ def parse_commandline_arguments():
 # ============================================================================
-def get_students_from_csv(filename):
+def get_students_from_csv(filename: str):
     '''
     SIIUE names have alien strings like "(TE)" and are sometimes capitalized
     We remove them so that students dont keep asking what it means
@@ -105,24 +104,12 @@ def get_students_from_csv(filename):
 # ============================================================================
-def hashpw(student, password=None) -> None:
-    '''replace password by hash for a single student'''
-    print('.', end='', flush=True)
-    if password is None:
-        student['pw'] = ''
-    else:
-        student['pw'] = bcrypt.hashpw(password.encode('utf-8'),
-                                      bcrypt.gensalt())
-
-
-# ============================================================================
 def insert_students_into_db(session, students) -> None:
     '''insert list of students into the database'''
     try:
         session.add_all([Student(id=s['uid'], name=s['name'], password=s['pw'])
                          for s in students])
         session.commit()
-
     except IntegrityError:
         print('!!! Integrity error. Users already in database. Aborted !!!\n')
         session.rollback()
@@ -132,7 +119,6 @@ def insert_students_into_db(session, students) -&gt; None:
 def show_students_in_database(session, verbose=False):
     '''get students from database'''
     users = session.execute(select(Student)).scalars().all()
-    # users = session.query(Student).all()
     total = len(users)
     print('Registered users:')
@@ -158,6 +144,7 @@ def show_students_in_database(session, verbose=False):
 def main():
     '''insert, update, show students from database'''
+    ph = PasswordHasher()
     args = parse_commandline_arguments()
     # --- database
@@ -166,15 +153,15 @@ def main():
     Base.metadata.create_all(engine)  # Criates schema if needed
     session = Session(engine, future=True)
-    # --- make list of students to insert
+    # --- build list of new students to insert
     students = []
     if args.admin:
-        print('Adding user: 0, Admin.')
+        print('Adding administrator: 0, Admin')
         students.append({'uid': '0', 'name': 'Admin'})
     for csvfile in args.csvfile:
-        print('Adding users from:', csvfile)
+        print(f'Adding users from: {csvfile}')
         students.extend(get_students_from_csv(csvfile))
     if args.add:
@@ -184,9 +171,14 @@ def main():
     # --- insert new students
     if students:
-        print('Generating password hashes', end='')
-        with ThreadPoolExecutor() as executor:  # hashing
-            executor.map(lambda s: hashpw(s, args.pw), students)
+        print('Generating password hashes')
+        if args.pw is None:
+            for s in students:
+                s['pw'] = ''
+        else:
+            for s in students:
+                s['pw'] = ph.hash(args.pw)
+                print('.', end='', flush=True)
         print(f'\nInserting {len(students)}')
         insert_students_into_db(session, students)
@@ -196,10 +188,10 @@ def main():
             select(Student).where(Student.id != '0')
         ).scalars().all()
-        print(f'Updating password of {len(all_students)} users', end='')
+        print(f'Updating password of {len(all_students)} users')
         for student in all_students:
             password = (args.pw or student.id).encode('utf-8')
-            student.password = bcrypt.hashpw(password, bcrypt.gensalt())
+            student.password = ph.hash(password)
             print('.', end='', flush=True)
         print()
         session.commit()
@@ -213,7 +205,7 @@ def main():
                 where(Student.id == student_id)
             ).scalar_one()
             new_password = (args.pw or student_id).encode('utf-8')
-            student.password = bcrypt.hashpw(new_password, bcrypt.gensalt())
+            student.password = ph.hash(new_password)
         session.commit()
     show_students_in_database(session, args.verbose)
@@ -3,91 +3,57 @@ perguntations/models.py
 SQLAlchemy ORM
 '''
-from typing import Any
+from typing import List
-from sqlalchemy import Column, ForeignKey, Integer, Float, String
-from sqlalchemy.orm import declarative_base, relationship
+from sqlalchemy import ForeignKey, Integer, String
+from sqlalchemy.orm import DeclarativeBase, Mapped, relationship, mapped_column
-# FIXME Any is a workaround for static type checking
-# (https://github.com/python/mypy/issues/6372)
-Base: Any = declarative_base()
+class Base(DeclarativeBase):
+    pass
+# [Student] ---1:N--- [Test] ---1:N--- [Question]
+
 # ----------------------------------------------------------------------------
 class Student(Base):
-    '''Student table'''
     __tablename__ = 'students'
-    id = Column(String, primary_key=True)
-    name = Column(String)
-    password = Column(String)
+    id = mapped_column(String, primary_key=True)
+    name: Mapped[str]
+    password: Mapped[str]
     # ---
-    tests = relationship('Test', back_populates='student')
-
-    def __repr__(self):
-        return (f'Student('
-            f'id={self.id!r}, '
-            f'name={self.name!r}, '
-            f'password={self.password!r})')
-
+    tests: Mapped[List['Test']] = relationship(back_populates='student')
 # ----------------------------------------------------------------------------
 class Test(Base):
-    '''Test table'''
     __tablename__ = 'tests'
-    id = Column(Integer, primary_key=True)  # auto_increment
-    ref = Column(String)
-    title = Column(String)
-    grade = Column(Float)
-    state = Column(String)  # ACTIVE, SUBMITTED, CORRECTED, QUIT, NULL
-    comment = Column(String)
-    starttime = Column(String)
-    finishtime = Column(String)
-    filename = Column(String)
-    student_id = Column(String, ForeignKey('students.id'))
+    id = mapped_column(Integer, primary_key=True)  # auto_increment
+    ref: Mapped[str]
+    title: Mapped[str]
+    grade: Mapped[float]
+    state: Mapped[str]  # ACTIVE, SUBMITTED, CORRECTED, QUIT, NULL
+    comment: Mapped[str]
+    starttime: Mapped[str]
+    finishtime: Mapped[str]
+    filename: Mapped[str]
+    student_id = mapped_column(String, ForeignKey('students.id'))
     # ---
-    student = relationship('Student', back_populates='tests')
-    questions = relationship('Question', back_populates='test')
-
-    def __repr__(self):
-        return (f'Test('
-                f'id={self.id!r}, '
-                f'ref={self.ref!r}, '
-                f'title={self.title!r}, '
-                f'grade={self.grade!r}, '
-                f'state={self.state!r}, '
-                f'comment={self.comment!r}, '
-                f'starttime={self.starttime!r}, '
-                f'finishtime={self.finishtime!r}, '
-                f'filename={self.filename!r}, '
-                f'student_id={self.student_id!r})')
-
+    student: Mapped['Student'] = relationship(back_populates='tests')
+    questions: Mapped[List['Question']] = relationship(back_populates='test')
 # ---------------------------------------------------------------------------
 class Question(Base):
-    '''Question table'''
     __tablename__ = 'questions'
-    id = Column(Integer, primary_key=True)  # auto_increment
-    number = Column(Integer)    # question number (ref may be not be unique)
-    ref = Column(String)
-    grade = Column(Float)
-    comment = Column(String)
-    starttime = Column(String)
-    finishtime = Column(String)
-    test_id = Column(String, ForeignKey('tests.id'))
+    id = mapped_column(Integer, primary_key=True)  # auto_increment
+    number: Mapped[int] # question number (ref may be repeated in the same test)
+    ref: Mapped[str]
+    grade: Mapped[float]
+    comment: Mapped[str]
+    starttime: Mapped[str]
+    finishtime: Mapped[str]
+    test_id = mapped_column(String, ForeignKey('tests.id'))
     # ---
-    test = relationship('Test', back_populates='questions')
-
-    def __repr__(self):
-        return (f'Question('
-                f'id={self.id!r}, '
-                f'number={self.number!r}, '
-                f'ref={self.ref!r}, '
-                f'grade={self.grade!r}, '
-                f'comment={self.comment!r}, '
-                f'starttime={self.starttime!r}, '
-                f'finishtime={self.finishtime!r}, '
-                f'test_id={self.test_id!r})')
+    test: Mapped['Test'] = relationship(back_populates='questions')
-#!/usr/bin/env python3
-
 '''
 Handles the web, http & html part of the application interface.
 Uses the tornadoweb framework.
@@ -22,15 +22,15 @@ setup(
     url="https://git.xdi.uevora.pt/mjsb/perguntations.git",
     packages=find_packages(),
     include_package_data=True,   # install files from MANIFEST.in
-    python_requires='>=3.8.*',
+    python_requires='>=3.9',
     install_requires=[
-        'bcrypt>=3.1',
+        'argon2-cffi>=23.1',
         'mistune<2.0',
         'pyyaml>=5.1',
         'pygments',
         'schema>=0.7.5',
-        'sqlalchemy>=1.4',
-        'tornado>=6.3',
+        'sqlalchemy>=2.0',
+        'tornado>=6.4',
         ],
     entry_points={
         'console_scripts': [
		1	+# ignore virtual environment
		2	+.venv
		3	+
1	__pycache__/	4	__pycache__/
2	.DS_Store	5	.DS_Store
3	demo/ans	6	demo/ans
@@ -0,0 +1,17 @@		@@ -0,0 +1,17 @@
	1	+# TODO
	2	+
	3	+- opcao correct de testes que nao foram corrigidos automaticamente.
	4	+- tests should store identification of the perguntations version.
	5	+- detailed CSV devia ter as refs das perguntas e so preencher as que o aluno respondeu.
	6	+- long pooling admin
	7	+- student sends updated answers
	8	+- questions with parts
	9	+
	10	+
	11	+---- Estados -----
	12	+
	13	+inicialização (sincrona)
	14	+ test factory
	15	+ database setup: define lista de estudantes com teste=None
	16	+ login admin:
	17	+ gera todos os testes para os alunos na lista
	@@ -3,91 +3,57 @@ perguntations/models.py		@@ -3,91 +3,57 @@ perguntations/models.py
3	SQLAlchemy ORM	3	SQLAlchemy ORM
4	'''	4	'''
5		5
6	-from typing import Any	6	+from typing import List
7		7
8	-from sqlalchemy import Column, ForeignKey, Integer, Float, String
9	-from sqlalchemy.orm import declarative_base, relationship	8	+from sqlalchemy import ForeignKey, Integer, String
		9	+from sqlalchemy.orm import DeclarativeBase, Mapped, relationship, mapped_column
10		10
11		11
12	-# FIXME Any is a workaround for static type checking
13	-# (https://github.com/python/mypy/issues/6372)
14	-Base: Any = declarative_base()	12	+class Base(DeclarativeBase):
		13	+ pass
15		14
16		15
		16	+# [Student] ---1:N--- [Test] ---1:N--- [Question]
		17	+
17	# ----------------------------------------------------------------------------	18	# ----------------------------------------------------------------------------
18	class Student(Base):	19	class Student(Base):
19	- '''Student table'''
20	__tablename__ = 'students'	20	__tablename__ = 'students'
21	- id = Column(String, primary_key=True)
22	- name = Column(String)
23	- password = Column(String)
24		21
		22	+ id = mapped_column(String, primary_key=True)
		23	+ name: Mapped[str]
		24	+ password: Mapped[str]
25	# ---	25	# ---
26	- tests = relationship('Test', back_populates='student')
27	-
28	- def __repr__(self):
29	- return (f'Student('
30	- f'id={self.id!r}, '
31	- f'name={self.name!r}, '
32	- f'password={self.password!r})')
33	-	26	+ tests: Mapped[List['Test']] = relationship(back_populates='student')
34		27
35	# ----------------------------------------------------------------------------	28	# ----------------------------------------------------------------------------
36	class Test(Base):	29	class Test(Base):
37	- '''Test table'''
38	__tablename__ = 'tests'	30	__tablename__ = 'tests'
39	- id = Column(Integer, primary_key=True) # auto_increment
40	- ref = Column(String)
41	- title = Column(String)
42	- grade = Column(Float)
43	- state = Column(String) # ACTIVE, SUBMITTED, CORRECTED, QUIT, NULL
44	- comment = Column(String)
45	- starttime = Column(String)
46	- finishtime = Column(String)
47	- filename = Column(String)
48	- student_id = Column(String, ForeignKey('students.id'))
49		31
		32	+ id = mapped_column(Integer, primary_key=True) # auto_increment
		33	+ ref: Mapped[str]
		34	+ title: Mapped[str]
		35	+ grade: Mapped[float]
		36	+ state: Mapped[str] # ACTIVE, SUBMITTED, CORRECTED, QUIT, NULL
		37	+ comment: Mapped[str]
		38	+ starttime: Mapped[str]
		39	+ finishtime: Mapped[str]
		40	+ filename: Mapped[str]
		41	+ student_id = mapped_column(String, ForeignKey('students.id'))
50	# ---	42	# ---
51	- student = relationship('Student', back_populates='tests')
52	- questions = relationship('Question', back_populates='test')
53	-
54	- def __repr__(self):
55	- return (f'Test('
56	- f'id={self.id!r}, '
57	- f'ref={self.ref!r}, '
58	- f'title={self.title!r}, '
59	- f'grade={self.grade!r}, '
60	- f'state={self.state!r}, '
61	- f'comment={self.comment!r}, '
62	- f'starttime={self.starttime!r}, '
63	- f'finishtime={self.finishtime!r}, '
64	- f'filename={self.filename!r}, '
65	- f'student_id={self.student_id!r})')
66	-	43	+ student: Mapped['Student'] = relationship(back_populates='tests')
		44	+ questions: Mapped[List['Question']] = relationship(back_populates='test')
67		45
68	# ---------------------------------------------------------------------------	46	# ---------------------------------------------------------------------------
69	class Question(Base):	47	class Question(Base):
70	- '''Question table'''
71	__tablename__ = 'questions'	48	__tablename__ = 'questions'
72	- id = Column(Integer, primary_key=True) # auto_increment
73	- number = Column(Integer) # question number (ref may be not be unique)
74	- ref = Column(String)
75	- grade = Column(Float)
76	- comment = Column(String)
77	- starttime = Column(String)
78	- finishtime = Column(String)
79	- test_id = Column(String, ForeignKey('tests.id'))
80		49
		50	+ id = mapped_column(Integer, primary_key=True) # auto_increment
		51	+ number: Mapped[int] # question number (ref may be repeated in the same test)
		52	+ ref: Mapped[str]
		53	+ grade: Mapped[float]
		54	+ comment: Mapped[str]
		55	+ starttime: Mapped[str]
		56	+ finishtime: Mapped[str]
		57	+ test_id = mapped_column(String, ForeignKey('tests.id'))
81	# ---	58	# ---
82	- test = relationship('Test', back_populates='questions')
83	-
84	- def __repr__(self):
85	- return (f'Question('
86	- f'id={self.id!r}, '
87	- f'number={self.number!r}, '
88	- f'ref={self.ref!r}, '
89	- f'grade={self.grade!r}, '
90	- f'comment={self.comment!r}, '
91	- f'starttime={self.starttime!r}, '
92	- f'finishtime={self.finishtime!r}, '
93	- f'test_id={self.test_id!r})')	59	+ test: Mapped['Test'] = relationship(back_populates='questions')
1	-#!/usr/bin/env python3
2	-
3	'''	1	'''
4	Handles the web, http & html part of the application interface.	2	Handles the web, http & html part of the application interface.
5	Uses the tornadoweb framework.	3	Uses the tornadoweb framework.