From 5eab19d4d273bc9ebb51d64f2057456b95bf08fa Mon Sep 17 00:00:00 2001
From: Alex Kakyris <akakyris@fogus.gr>
Date: Thu, 29 Feb 2024 14:26:11 +0200
Subject: [PATCH] Resolve "Register user password must be hashed before store
 on DB"

---
 .../core/register_operations.py               | 26 ++++++++++++++++---
 services/register/requirements.txt            |  1 +
 2 files changed, 24 insertions(+), 3 deletions(-)

diff --git a/services/register/register_service/core/register_operations.py b/services/register/register_service/core/register_operations.py
index f929820f..707828be 100644
--- a/services/register/register_service/core/register_operations.py
+++ b/services/register/register_service/core/register_operations.py
@@ -6,6 +6,7 @@ import secrets
 import requests
 import json
 import sys
+import bcrypt
 
 class RegisterOperations:
 
@@ -14,6 +15,10 @@ class RegisterOperations:
         self.mimetype = 'application/json'
         self.config = Config().get_config()
 
+    def hash_password(self, password):
+        hashed_password = bcrypt.hashpw(password.encode('utf-8'), bcrypt.gensalt())
+        return hashed_password
+
     def register_user(self, username, password, description, cn, role):
 
         mycol = self.db.get_col_by_name(self.db.capif_users)
@@ -21,7 +26,8 @@ class RegisterOperations:
         if exist_user:
             return jsonify("user already exists"), 409
 
-        user_info = dict(_id=secrets.token_hex(7), username=username, password=password, role=role, description=description, cn=cn, list_invokers=[], list_providers=[])
+        hashed_password = self.hash_password(password)
+        user_info = dict(_id=secrets.token_hex(7), username=username, password=hashed_password, role=role, description=description, cn=cn, list_invokers=[], list_providers=[])
         obj = mycol.insert_one(user_info)
 
         if role == "invoker":
@@ -42,11 +48,16 @@ class RegisterOperations:
 
         try:
 
-            exist_user = mycol.find_one({"username": username, "password": password})
+            #exist_user = mycol.find_one({"username": username, "password": password})
+            exist_user = mycol.find_one({"username": username})
 
             if exist_user is None:
                 return jsonify("Not exister user with this credentials"), 400
 
+            stored_password = exist_user["password"]
+            if not bcrypt.checkpw(password.encode('utf-8'), stored_password):
+                    return jsonify("Not exister user with this credentials"), 400
+            
             access_token = create_access_token(identity=(username + " " + exist_user["role"]))
             url = f"http://{self.config['ca_factory']['url']}:{self.config['ca_factory']['port']}/v1/secret/data/ca"
             headers = {
@@ -64,7 +75,16 @@ class RegisterOperations:
         mycol = self.db.get_col_by_name(self.db.capif_users)
 
         try:
-            mycol.delete_one({"username": username, "password": password})
+            exist_user = mycol.find_one({"username": username})
+
+            if exist_user is None:
+                return jsonify("Not exister user with this username"), 400
+
+            stored_password = exist_user["password"]
+            if not bcrypt.checkpw(password.encode('utf-8'), stored_password):
+                    return jsonify("Not exister user with this password"), 400
+            
+            mycol.delete_one({"username": username})
             return jsonify(message="User removed successfully"), 204
         except Exception as e:
             return jsonify(message=f"Errors when try remove user: {e}"), 500
diff --git a/services/register/requirements.txt b/services/register/requirements.txt
index c5a4f37e..05b9f7df 100644
--- a/services/register/requirements.txt
+++ b/services/register/requirements.txt
@@ -6,3 +6,4 @@ flask_jwt_extended
 pyopenssl
 pyyaml
 requests
+bcrypt
-- 
GitLab