From aded467b8f44b5bf2bad2ae3cf3327112cc50888 Mon Sep 17 00:00:00 2001
From: John Hodge <tpg@ucc.asn.au>
Date: Sat, 16 Nov 2019 14:59:38 +0800
Subject: [PATCH] MIFARE Login - Add a blacklist of known-bad cards

---
 VendServer/OpenDispense.py | 39 ++++++++++++++++++++++++++++----------
 1 file changed, 29 insertions(+), 10 deletions(-)

diff --git a/VendServer/OpenDispense.py b/VendServer/OpenDispense.py
index 79cec66..6b93058 100644
--- a/VendServer/OpenDispense.py
+++ b/VendServer/OpenDispense.py
@@ -20,6 +20,13 @@ from LDAPConnector import get_uid,get_uname, set_card_id
 DISPENSE_ENDPOINT = ("localhost", 11020)
 DISPSRV_MIFARE = True
 
+# A list of cards that should never be registered, and should never log in
+# - Some of these might have been registered before we knew they were duplicates
+CARD_BLACKLIST = [
+	'AAAAAA==',	# All zeroes, don't allow that.
+	'ISIjJA==', # CommBank credit cards
+	]
+
 class OpenDispense(DispenseInterface):
 	_username = ""
 	_disabled = True
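Review bot: The entries in `CARD_BLACKLIST` are matched as exact base64 strings, so `'AAAAAA=='` rejects only a four-byte all-zero ID. An all-zero ID of any other length encodes to a different string and would pass the checks added later in this patch. If the reader can return IDs of other lengths, test the zero case on the raw bytes before encoding rather than listing one entry per length. The list also needs a comment stating its format, for example `# Entries are base64 of the raw card ID exactly as passed to base64.b64encode(cardId)`. A blocklist covers only the duplicates already known, so other IDs shared across a card product stay accepted until someone adds them.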
@@ -111,6 +118,10 @@ class OpenDispense(DispenseInterface):
 		self._username = None
 		if DISPSRV_MIFARE:
 			card_base64 = base64.b64encode(cardId)
+
+			if card_base64 in CARD_BLACKLIST:
+				logging.info("Blacklisted card base64:%s" % (card_base64,))
+				return False
 			
 			sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM, 0)
 			sock.connect(DISPENSE_ENDPOINT)
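Review bot: The test `card_base64 in CARD_BLACKLIST` compares the result of `base64.b64encode` with `str` literals. If this file is ever run under Python 3, `b64encode` returns `bytes`, the test is never true, and the blocklist fails open with no error. Decoding once with `card_base64 = base64.b64encode(cardId).decode('ascii')` should keep the comparison valid on either version, and the same applies to the check added in the enrol hunk further down. Both paths also log the identical text `Blacklisted card base64:%s`, so a log reader cannot tell a refused login from a refused enrolment; a distinct message per path would help. The enclosing method starts and ends outside this hunk.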
@@ -128,13 +139,16 @@ class OpenDispense(DispenseInterface):
 			username = rsp.split('=')[1].strip()
 			logging.info("Accepted card base64:%s for %s" % (card_base64,username,))
 
-			# Check for thier username
-			try:
-				# Get info from the system (by username)
-				info = pwd.getpwnam(username)
-			except KeyError:
-				logging.info('getting info for user \'%s\': user not in password file' % (username,))
-				return False
+			## Check for thier username
+			#try:
+			#	# Get info from the system (by username)
+			#	info = pwd.getpwnam(username)
+			#except KeyError:
+			#	logging.info('getting info for user \'%s\': user not in password file' % (username,))
+			#	return False
+			#self._userid = info.pw_uid
+			self._userid = None
+			self._username = username
 		else:
 			# Get the users ID
 			self._userid = get_uid(cardId)
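Review bot: With the `pwd.getpwnam` lookup commented out, the name parsed from the dispense server's reply (`rsp.split('=')[1].strip()`) becomes the logged-in user with no local check. `self._userid` is also left as `None` on the MIFARE path. Any code outside this hunk that formats or compares `_userid` as an integer will see `None` after a card login, which should be confirmed before merging. If trusting the server is the intent, delete the commented-out lines and replace them with one comment such as `# Dispense server is authoritative for MIFARE logins; no local passwd lookup, so _userid stays None`.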
@@ -146,13 +160,13 @@ class OpenDispense(DispenseInterface):
 			except KeyError:
 				logging.info('getting info for uid %d: user not in password file' % (self._userid,))
 				return False
+			self._username = info.pw_name
 
 		# If we get this far all is good
 		self._loggedIn = True
 		self._disabled = False
-		self._userid = info.pw_uid
-		self._username = info.pw_name
 		return True
+
         def logOut(self):
             self._loggedIn = False
             self._disabled = False
@@ -164,7 +178,10 @@ class OpenDispense(DispenseInterface):
 			return False
 		if DISPSRV_MIFARE:
 			card_base64 = base64.b64encode(cardId)
-			logging.info('Enrolling card %s to uid %s (%s)' % (cardId, self._userId, self._username))
+			if card_base64 in CARD_BLACKLIST:
+				logging.info("Blacklisted card base64:%s" % (card_base64,))
+				return False
+			logging.info('Enrolling card base64:%s to uid %s (%s)' % (card_base64, self._userId, self._username))
 			sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM, 0)
 			sock.connect(DISPENSE_ENDPOINT)
 			sockf = sock.makefile()
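Review bot: The rewritten log line still reads `self._userId`, while every assignment visible in this patch uses `self._userid` (lower-case "id"). Unless `_userId` is defined elsewhere in the class, this line raises `AttributeError` before the enrol request is sent. After a MIFARE login the value would be `None` in any case, given the change in the login hunk. Suggested line: `logging.info('Enrolling card base64:%s to uid %s (%s)' % (card_base64, self._userid, self._username))`. The enclosing method starts before this hunk and continues past it, so the rest of the enrol path is not visible here.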
@@ -263,3 +280,5 @@ class OpenDispenseMapping():
 				print(map)
 		return map
 
+
+# vim: noexpandtab ts=4 sw=4
-- 
GitLab