first commit

cheatsheet.md

@@ -0,0 +1,169 @@
+# Git cheatsheet
+
+## Creating a repository
+```bash
+git init
+```
+Creates new git repository in current directory.
+
+```bash
+git clone <url> (<path>)
+```
+Clones the repository at the specified url. If no path is specified, the repository will
+be cloned into a directory with the same name as the remote repository.
+
+
+## Branches
+```bash
+git branch
+```
+Lists all branches in the repository.
+
+```bash
+git branch <branch-name>
+```
+Creates a new branch with the given name.
+
+```bash
+git switch <branch-name>
+```
+Switches to the specified branch.
+
+```bash
+git merge <branch-name>
+```
+Merges the specified branch into the current branch.
+
+
+## Making changes
+```bash
+git status
+```
+Shows the status of the repository. This includes the current branch and files that have been modified.
+
+```bash
+git diff [--staged]
+```
+Shows the changes that have been made to the files in the repository. Use `--staged` to see changes that have been added to the staging area.
+
+```bash
+git add <file>
+```
+Adds the specified file to the staging area.
+
+```bash
+git reset (<file>)
+```
+Removes the specified file from the staging area. If no file is specified, all files are removed.
+
+```bash
+git commit (-m "<message>")
+```
+Commits all changes in the staging area to the current branch. If the `-m` flag is omitted, a text editor will open to write a commit message.
+
+```bash
+git commit --amend
+```
+Adds the staged changes to the last commit. This can be used for fixing typos in the commit message.
+
+
+## Undoing changes
+```bash
+git restore <file>
+```
+Restores the specified file to the state of the last commit. This undoes uncommitted changes.
+
+```bash
+git revert <commit>
+```
+Creates a new commit that undoes the changes of the specified commit. Use `git log` to find the hash of the commit.
+
+```bash
+git reset --hard <commit>
+```
+Resets the current branch to the specified commit. DANGER: This will remove all changes after the specified commit. Prefer `git revert`.
+
+
+## Looking at the history
+```bash
+git log (--oneline)
+```
+Shows all past commits on the current branch. Use `--oneline` to show a more compact view.
+
+```bash
+git show <commit>
+```
+Shows the changes of the specified commit. Use `git log` to find the has of the commit.
+
+
+## Remote repositories
+```bash
+git remote add <remote> <url>
+```
+Adds a new remote repository with the specified name (e.g. `origin` or `upstream`) and url. Origin is automatically created when cloning a repository.
+
+```bash
+git push <remote> <branch>
+```
+Pushes the specified branch to the remote repository.
+
+```bash
+git fetch <remote>
+```
+Fetches changes from the remote repository.
+
+```bash
+git pull <remote> <branch>
+```
+Fetches changes from the remote repository and merges them into the current branch.
+
+
+## Typical workflow
+```bash
+# 1. Fork the repository on GitHub / git.aspp.school
+
+# 2. Clone the repository
+git clone <fork-url>
+git remote add upstream <upstream-url>
+
+# 3. Create a new branch
+git branch <topic-branch>
+git switch <topic-branch>
+
+# 4. Make changes to the code
+
+# 5. Add and commit changes
+git add file1 file2 ...
+git commit -m "<message>"
+
+# 6. Push changes to your fork
+git push origin <topic-branch>
+
+# 7. Create a pull request on GitHub / git.aspp.school
+
+# 8. Wait for the pull request to be reviewed and merged
+
+# 9. Pull changes from the remote repository
+git switch main
+git pull upstream main
+```
+
+Whenever the remote repository is updated (i.e. when a pull request is merged), you need to pull the changes into your local repository.
+```bash
+git switch main
+git pull upstream main
+
+# If you have an active topic branch, you need to merge main / rebase on main:
+git switch <topic-branch>
+git merge main --> preferred
+git rebase main --> if you know what you are doing
+```
+
+
+## Getting help
+```bash
+git help <command>
+```
+Shows the manual page for the specified command (`add`, `commit`, `push`, etc.).
+
+Official Git documentation: https://git-scm.com/docs

exercise.md

@@ -0,0 +1,47 @@
+# Create a simple authentication system
+*an alternative to the hopelessly boring `hello world` examples for an introduction to git*
+
+Start creating a script called `auth.py`
+
+### Expected usage:
+  - run the script
+  - the script asks for username and password
+  - if the user is known and password is correct ➔ print "Successfully authenticated!" 
+  - if the user is known and password is wrong ➔ print "Wrong password!" 
+  - if the user is not known ➔ print "Wrong username!"
+  - if the script is called with one argument, add a new user using the argument as a username
+  - if a user has been added ➔ store the updated database to disk
+
+### Basic API:
+  - a function `get_credentials` that asks for username and password
+  - a function `authenticate` that checks if user is in the password database and that the password is correct
+  - a function `add_user` to add a new user with its password to the database
+  - a function `read_pwdb` to read the password database from disk
+  - a function `write_pwdb` to write the password database to disk
+
+Suggestions:
+  - the database can be a simple dictionary `{username: password}`
+  - the database can be serialized to disk with [`json`](https://docs.python.org/3/library/json.html)
+
+### Later, think about the following problems:
+  - we are leaking valid usernames ➔ return a generic error if username does not exist or password is wrong
+  - [password *hashing*](https://en.wikipedia.org/wiki/Cryptographic_hash_function) ➔ do not store passwords in clear text (database could be stolen, admins are nosy). Solution: Do not store passwords at all but only their hashes (database could be stolen)
+  - [password *salting*](https://en.wikipedia.org/wiki/Salt_%28cryptography%29) ➔ different users with same passwords should not have same hash ⟶ cracking one does not crack all: mitigates dictionary attacks, see below
+
+Addition to the basic API:
+  - a function `pwhash` that given a password and a salt returns a hash
+  - a function `get_salt` that returns a unique salt
+
+### Try to crack it! (Advanced)
+  - can you guess the [*hash collision*](https://en.wikipedia.org/wiki/Collision_attack) risk for the proposed solution?
+  - try first a [*brute force*](https://en.wikipedia.org/wiki/Brute-force_attack) attack: is it feasible?
+  - try a [*dictionary*](https://en.wikipedia.org/wiki/Dictionary_attack) attack (you can use this list of [probable passwords](https://github.com/danielmiessler/SecLists/tree/master/Passwords)): is it feasible?
+  - think about [*lookup tables*](https://en.wikipedia.org/wiki/Lookup_table) and [*rainbow tables*](https://en.wikipedia.org/wiki/Rainbow_table) attacks
+  - what are the trade-offs of the different attacks?
+
+### Notes 
+To make it for real:
+  - insecure temporary file ([symlink race](https://en.wikipedia.org/wiki/Symlink_race) attack) ⟶ [`tempfile`](https://docs.python.org/3/library/tempfile.html) and its context managers
+  - better way of generating passwords or random tokens: the [`secrets`](https://docs.python.org/3/library/secrets.html) module
+  - cracking a password database is a form of art, see for example the [John the Ripper](http://www.openwall.com/john/) password cracker, or [Hashcat](https://hashcat.net/hashcat/) or [Brutus](https://www.darknet.org.uk/2006/09/brutus-password-cracker-download-brutus-aet2zip-aet2/)
+