From a0640bb803bdd37c4b1ce5c450ba565a9d0d39c5 Mon Sep 17 00:00:00 2001
From: venusbb <venus.bailey@digital.cabinet-office.gov.uk>
Date: Fri, 9 Jun 2017 16:19:30 +0100
Subject: [PATCH 1/4] Generate 2FA secret code cryptographically install of
 using random number

---
 app/dao/users_dao.py |  9 ++++++-
 app/secrets.py       | 56 ++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 64 insertions(+), 1 deletion(-)
 create mode 100644 app/secrets.py

diff --git a/app/dao/users_dao.py b/app/dao/users_dao.py
index fd1723fc7..fce62a576 100644
--- a/app/dao/users_dao.py
+++ b/app/dao/users_dao.py
@@ -3,7 +3,7 @@ from datetime import (datetime, timedelta)
 from sqlalchemy import func
 from app import db
 from app.models import (User, VerifyCode)
-
+from app import secrets
 
 def _remove_values_for_keys_if_present(dict, keys):
     for key in keys:
@@ -11,6 +11,13 @@ def _remove_values_for_keys_if_present(dict, keys):
 
 
 def create_secret_code():
+    '''
+    L1 = []
+    for i in range(0, 5):
+        L1.append(secrets.randbelow(10))    #return cryptographically strong random number using secrets module
+    L2 = ''.join(map(str, L1))
+    return L2
+    '''
     return ''.join(map(str, random.sample(range(9), 5)))
 
 
diff --git a/app/secrets.py b/app/secrets.py
new file mode 100644
index 000000000..70040d69a
--- /dev/null
+++ b/app/secrets.py
@@ -0,0 +1,56 @@
+__all__ = ['choice', 'randbelow', 'randbits', 'SystemRandom',
+           'token_bytes', 'token_hex', 'token_urlsafe',
+           'compare_digest',
+           ]
+
+
+import base64
+import binascii
+import os
+
+from hmac import compare_digest
+from random import SystemRandom
+
+_sysrand = SystemRandom()
+
+randbits = _sysrand.getrandbits
+choice = _sysrand.choice
+
+def randbelow(exclusive_upper_bound):
+    """Return a random int in the range [0, n)."""
+    if exclusive_upper_bound <= 0:
+        raise ValueError("Upper bound must be positive.")
+    return _sysrand._randbelow(exclusive_upper_bound)
+
+DEFAULT_ENTROPY = 32  # number of bytes to return by default
+
+def token_bytes(nbytes=None):
+    """Return a random byte string containing *nbytes* bytes.
+    If *nbytes* is ``None`` or not supplied, a reasonable
+    default is used.
+    >>> token_bytes(16)  #doctest:+SKIP
+    b'\\xebr\\x17D*t\\xae\\xd4\\xe3S\\xb6\\xe2\\xebP1\\x8b'
+    """
+    if nbytes is None:
+        nbytes = DEFAULT_ENTROPY
+    return os.urandom(nbytes)
+
+def token_hex(nbytes=None):
+    """Return a random text string, in hexadecimal.
+    The string has *nbytes* random bytes, each byte converted to two
+    hex digits.  If *nbytes* is ``None`` or not supplied, a reasonable
+    default is used.
+    >>> token_hex(16)  #doctest:+SKIP
+    'f9bf78b9a18ce6d46a0cd2b0b86df9da'
+    """
+    return binascii.hexlify(token_bytes(nbytes)).decode('ascii')
+
+def token_urlsafe(nbytes=None):
+    """Return a random URL-safe text string, in Base64 encoding.
+    The string has *nbytes* random bytes.  If *nbytes* is ``None``
+    or not supplied, a reasonable default is used.
+    >>> token_urlsafe(16)  #doctest:+SKIP
+    'Drmhze6EPcv0fN_81Bj-nA'
+    """
+    tok = token_bytes(nbytes)
+    return base64.urlsafe_b64encode(tok).rstrip(b'=').decode('ascii')
\ No newline at end of file

From 270173fd5c1491d4d98fd69fbd009cc46aea9c36 Mon Sep 17 00:00:00 2001
From: venusbb <venus.bailey@digital.cabinet-office.gov.uk>
Date: Fri, 9 Jun 2017 17:15:51 +0100
Subject: [PATCH 2/4] 2FA use secret cryptopgraphy

---
 app/dao/users_dao.py | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/app/dao/users_dao.py b/app/dao/users_dao.py
index fce62a576..501840ba4 100644
--- a/app/dao/users_dao.py
+++ b/app/dao/users_dao.py
@@ -11,14 +11,12 @@ def _remove_values_for_keys_if_present(dict, keys):
 
 
 def create_secret_code():
-    '''
     L1 = []
     for i in range(0, 5):
         L1.append(secrets.randbelow(10))    #return cryptographically strong random number using secrets module
     L2 = ''.join(map(str, L1))
     return L2
-    '''
-    return ''.join(map(str, random.sample(range(9), 5)))
+
 
 
 def save_user_attribute(usr, update_dict={}):

From 8188dfa7d37736ed6f9e678588d1b6b5ceec30d2 Mon Sep 17 00:00:00 2001
From: venusbb <venus.bailey@digital.cabinet-office.gov.uk>
Date: Tue, 13 Jun 2017 11:51:11 +0100
Subject: [PATCH 3/4] secret-2fa using SystemRandom library

---
 app/secrets.py | 56 --------------------------------------------------
 1 file changed, 56 deletions(-)
 delete mode 100644 app/secrets.py

diff --git a/app/secrets.py b/app/secrets.py
deleted file mode 100644
index 70040d69a..000000000
--- a/app/secrets.py
+++ /dev/null
@@ -1,56 +0,0 @@
-__all__ = ['choice', 'randbelow', 'randbits', 'SystemRandom',
-           'token_bytes', 'token_hex', 'token_urlsafe',
-           'compare_digest',
-           ]
-
-
-import base64
-import binascii
-import os
-
-from hmac import compare_digest
-from random import SystemRandom
-
-_sysrand = SystemRandom()
-
-randbits = _sysrand.getrandbits
-choice = _sysrand.choice
-
-def randbelow(exclusive_upper_bound):
-    """Return a random int in the range [0, n)."""
-    if exclusive_upper_bound <= 0:
-        raise ValueError("Upper bound must be positive.")
-    return _sysrand._randbelow(exclusive_upper_bound)
-
-DEFAULT_ENTROPY = 32  # number of bytes to return by default
-
-def token_bytes(nbytes=None):
-    """Return a random byte string containing *nbytes* bytes.
-    If *nbytes* is ``None`` or not supplied, a reasonable
-    default is used.
-    >>> token_bytes(16)  #doctest:+SKIP
-    b'\\xebr\\x17D*t\\xae\\xd4\\xe3S\\xb6\\xe2\\xebP1\\x8b'
-    """
-    if nbytes is None:
-        nbytes = DEFAULT_ENTROPY
-    return os.urandom(nbytes)
-
-def token_hex(nbytes=None):
-    """Return a random text string, in hexadecimal.
-    The string has *nbytes* random bytes, each byte converted to two
-    hex digits.  If *nbytes* is ``None`` or not supplied, a reasonable
-    default is used.
-    >>> token_hex(16)  #doctest:+SKIP
-    'f9bf78b9a18ce6d46a0cd2b0b86df9da'
-    """
-    return binascii.hexlify(token_bytes(nbytes)).decode('ascii')
-
-def token_urlsafe(nbytes=None):
-    """Return a random URL-safe text string, in Base64 encoding.
-    The string has *nbytes* random bytes.  If *nbytes* is ``None``
-    or not supplied, a reasonable default is used.
-    >>> token_urlsafe(16)  #doctest:+SKIP
-    'Drmhze6EPcv0fN_81Bj-nA'
-    """
-    tok = token_bytes(nbytes)
-    return base64.urlsafe_b64encode(tok).rstrip(b'=').decode('ascii')
\ No newline at end of file

From 332fe146800e21f650fad66dc01bdeee868f4cad Mon Sep 17 00:00:00 2001
From: venusbb <venus.bailey@digital.cabinet-office.gov.uk>
Date: Tue, 13 Jun 2017 18:11:13 +0100
Subject: [PATCH 4/4] fixed pep 8 issues

---
 app/dao/users_dao.py | 11 +++--------
 1 file changed, 3 insertions(+), 8 deletions(-)

diff --git a/app/dao/users_dao.py b/app/dao/users_dao.py
index 501840ba4..27b6e03b6 100644
--- a/app/dao/users_dao.py
+++ b/app/dao/users_dao.py
@@ -1,9 +1,9 @@
-import random
+from random import (SystemRandom)
 from datetime import (datetime, timedelta)
 from sqlalchemy import func
 from app import db
 from app.models import (User, VerifyCode)
-from app import secrets
+
 
 def _remove_values_for_keys_if_present(dict, keys):
     for key in keys:
@@ -11,12 +11,7 @@ def _remove_values_for_keys_if_present(dict, keys):
 
 
 def create_secret_code():
-    L1 = []
-    for i in range(0, 5):
-        L1.append(secrets.randbelow(10))    #return cryptographically strong random number using secrets module
-    L2 = ''.join(map(str, L1))
-    return L2
-
+    return ''.join(map(str, [SystemRandom().randrange(10) for i in range(5)]))
 
 
 def save_user_attribute(usr, update_dict={}):