From ac3d673855678e49ca4c980d01675448db2f3f03 Mon Sep 17 00:00:00 2001
From: "Kali Kaneko (leap communications)"
Date: Fri, 4 Mar 2016 01:26:58 -0400
Subject: hide srpauth implementation details

---
 src/leap/bonafide/_srp.py | 48 ++++++++++++++++++++++++--------------------
 src/leap/bonafide/session.py | 25 ++++++++++-------------
 2 files changed, 37 insertions(+), 36 deletions(-)

diff --git a/src/leap/bonafide/_srp.py b/src/leap/bonafide/_srp.py
index 1c711f3..38f657b 100644
--- a/src/leap/bonafide/_srp.py
+++ b/src/leap/bonafide/_srp.py
@@ -31,41 +31,45 @@ class SRPAuthMechanism(object):
 Implement a protocol-agnostic SRP Authentication mechanism.
 """
- def initialize(self, username, password):
- srp_user = srp.User(username, password,
- srp.SHA256, srp.NG_1024)
- _, A = srp_user.start_authentication()
- return srp_user, A
-
- def get_handshake_params(self, username, A):
- return {'login': bytes(username), 'A': binascii.hexlify(A)}
-
- def process_handshake(self, srp_user, handshake_response):
+ def __init__(self, username, password):
+ self.username = username
+ self.srp_user = srp.User(username, password,
+ srp.SHA256, srp.NG_1024)
+ _, A = self.srp_user.start_authentication()
+ self.A = A
+ self.M = None
+ self.M2 = None
+
+ def get_handshake_params(self):
+ return {'login': bytes(self.username),
+ 'A': binascii.hexlify(self.A)}
+
+ def process_handshake(self, handshake_response):
 challenge = json.loads(handshake_response)
 self._check_for_errors(challenge)
 salt = challenge.get('salt', None)
 B = challenge.get('B', None)
 unhex_salt, unhex_B = self._unhex_salt_B(salt, B)
- M = srp_user.process_challenge(unhex_salt, unhex_B)
- return M
+ self.M = self.srp_user.process_challenge(unhex_salt, unhex_B)
- def get_authentication_params(self, M, A):
+ def get_authentication_params(self):
 # It looks A is not used server side
- return {'client_auth': binascii.hexlify(M), 'A': binascii.hexlify(A)}
+ return {'client_auth': binascii.hexlify(self.M),
+ 'A': binascii.hexlify(self.A)}
 def process_authentication(self, authentication_response):
 auth = json.loads(authentication_response)
 self._check_for_errors(auth)
 uuid = auth.get('id', None)
 token = auth.get('token', None)
- M2 = auth.get('M2', None)
- self._check_auth_params(uuid, token, M2)
- return uuid, token, M2
-
- def verify_authentication(self, srp_user, M2):
- unhex_M2 = _safe_unhexlify(M2)
- srp_user.verify_session(unhex_M2)
- assert srp_user.authenticated()
+ self.M2 = auth.get('M2', None)
+ self._check_auth_params(uuid, token, self.M2)
+ return uuid, token
+
+ def verify_authentication(self):
+ unhex_M2 = _safe_unhexlify(self.M2)
+ self.srp_user.verify_session(unhex_M2)
+ assert self.srp_user.authenticated()
 def _check_for_errors(self, response):
 if 'errors' in response:
diff --git a/src/leap/bonafide/session.py b/src/leap/bonafide/session.py
index 547f0dd..ec1587f 100644
--- a/src/leap/bonafide/session.py
+++ b/src/leap/bonafide/session.py
@@ -61,9 +61,10 @@ class Session(object):
 def _initialize_session(self):
 self._agent = cookieAgentFactory(self._provider_cert)
- self._srp_auth = _srp.SRPAuthMechanism()
+ username = self.username or ''
+ password = self.password or ''
+ self._srp_auth = _srp.SRPAuthMechanism(username, password)
 self._srp_signup = _srp.SRPSignupMechanism()
- self._srp_user = None
 self._token = None
 self._uuid = None
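Review bot: `verify_authentication()` keeps `assert self.srp_user.authenticated()` as the only check that the server's proof M2 actually verified, and by then `process_authentication()` has already returned `uuid` and `token` to the caller; under `python -O` the assert is stripped, and if `verify_session()` reports a mismatch only through `authenticated()` (as pysrp's does) the method returns normally on a bad proof. Replace the assert with an explicit failure, `if not self.srp_user.authenticated():` followed by raising the same error type `_check_for_errors` raises, so a failed server proof cannot be mistaken for success. Moving `M`/`M2` into attributes also means calling `get_authentication_params()` before `process_handshake()` dies inside `binascii.hexlify(None)` with a bare TypeError; a short class docstring stating the call order (handshake params, process_handshake, authentication params, process_authentication, verify_authentication) would make the contract visible. `_check_for_errors` continues past the end of the hunk.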
@@ -79,36 +80,30 @@ class Session(object):
 @property
 def is_authenticated(self):
- if not self._srp_user:
- return False
- return self._srp_user.authenticated()
+ return self._srp_auth.srp_user.authenticated()
 @defer.inlineCallbacks
 def authenticate(self):
- srpuser, A = self._srp_auth.initialize(
- self.username, self.password)
- self._srp_user = srpuser
-
 uri = self._api.get_handshake_uri()
 met = self._api.get_handshake_method()
 log.msg("%s to %s" % (met, uri))
- params = self._srp_auth.get_handshake_params(self.username, A)
+ params = self._srp_auth.get_handshake_params()
 handshake = yield self._request(self._agent, uri, values=params, method=met)
- M = self._srp_auth.process_handshake(srpuser, handshake)
+ self._srp_auth.process_handshake(handshake)
 uri = self._api.get_authenticate_uri(login=self.username)
 met = self._api.get_authenticate_method()
 log.msg("%s to %s" % (met, uri))
- params = self._srp_auth.get_authentication_params(M, A)
+ params = self._srp_auth.get_authentication_params()
 auth = yield self._request(self._agent, uri, values=params, method=met)
- uuid, token, M2 = self._srp_auth.process_authentication(auth)
- self._srp_auth.verify_authentication(srpuser, M2)
+ uuid, token = self._srp_auth.process_authentication(auth)
+ self._srp_auth.verify_authentication()
 self._uuid = uuid
 self._token = token
@@ -120,6 +115,8 @@ class Session(object):
 uri = self._api.get_logout_uri()
 met = self._api.get_logout_method()
 auth = yield self._request(self._agent, uri, method=met)
+ print 'AUTH', auth
+ print 'resetting user/pass'
 self.username = None
 self.password = None
 self._initialize_session()
-- cgit v1.2.3
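Review bot: `authenticate()` no longer starts from fresh SRP state; it reuses the `SRPAuthMechanism` that `_initialize_session` built once, and with it the `srp.User` whose client ephemeral A is fixed when that object is created (pysrp behaviour, inferred), so a retry after a failed handshake resends the same A, an attempt that fails before `verify_authentication()` leaves `is_authenticated` reporting the outcome of the previous run, and credentials assigned to the session after construction are never seen because the mechanism was built from the `''` placeholders. Creating the mechanism per attempt addresses all three: make the first line of `authenticate()` `self._srp_auth = _srp.SRPAuthMechanism(self.username, self.password)`, keeping the `_initialize_session` instance only as the not-yet-authenticated default that `is_authenticated` reads. Whether callers actually assign credentials after construction or retry on failure is not visible in this diff.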
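Review bot: the two `print` statements added after the logout request write the raw logout response body and a progress message to stdout, bypassing the `log.msg` this file uses elsewhere (see `authenticate()` above), and read like debugging left in. Drop them, or if the response is worth recording keep a single `log.msg("logout response: %s" % auth)`. The enclosing `logout` method begins above this hunk.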