Beispiel #1
0
    def test_default_bucket_exists_and_has_user_id(self):
        bucket = self.app.get(self.bucket_url, headers=self.headers)
        result = bucket.json
        settings = self.app.app.registry.settings
        hmac_secret = settings["userid_hmac_secret"]
        bucket_id = hmac_digest(hmac_secret, self.principal)[:32]

        self.assertEqual(result["data"]["id"], text_type(UUID(bucket_id)))
        self.assertEqual(result["permissions"]["write"], [self.principal])
    def test_default_bucket_exists_and_has_user_id(self):
        bucket = self.app.get(self.bucket_url, headers=self.headers)
        result = bucket.json
        settings = self.app.app.registry.settings
        hmac_secret = settings['cliquet.userid_hmac_secret']
        bucket_id = hmac_digest(hmac_secret, self.principal)[:32]

        self.assertEqual(result['data']['id'], text_type(UUID(bucket_id)))
        self.assertEqual(result['permissions']['write'], [self.principal])
Beispiel #3
0
    def test_default_bucket_exists_and_has_user_id(self):
        bucket = self.app.get(self.bucket_url, headers=self.headers)
        result = bucket.json
        settings = self.app.app.registry.settings
        hmac_secret = settings['userid_hmac_secret']
        bucket_id = hmac_digest(hmac_secret, self.principal)[:32]

        self.assertEqual(result['data']['id'], text_type(UUID(bucket_id)))
        self.assertEqual(result['permissions']['write'], [self.principal])
Beispiel #4
0
    def unauthenticated_userid(self, request):
        settings = request.registry.settings

        credentials = self._get_credentials(request)
        if credentials:
            username, password = credentials
            if not username:
                return

            hmac_secret = settings['userid_hmac_secret']
            credentials = '%s:%s' % credentials
            userid = utils.hmac_digest(hmac_secret, credentials)
            return userid
Beispiel #5
0
    def unauthenticated_userid(self, request):
        settings = request.registry.settings

        credentials = self._get_credentials(request)
        if credentials:
            username, password = credentials
            if not username:
                return

            hmac_secret = settings['userid_hmac_secret']
            credentials = '%s:%s' % credentials
            userid = utils.hmac_digest(hmac_secret, credentials)
            return userid
Beispiel #6
0
def default_bucket(request):
    if request.method.lower() == 'options':
        path = request.path.replace('default', 'unknown')
        subrequest = build_request(request, {
            'method': 'OPTIONS',
            'path': path
        })
        return request.invoke_subrequest(subrequest)

    if getattr(request, 'prefixed_userid', None) is None:
        # Pass through the forbidden_view_config
        raise httpexceptions.HTTPForbidden()

    settings = request.registry.settings

    if asbool(settings['readonly']):
        raise httpexceptions.HTTPMethodNotAllowed()

    hmac_secret = settings['userid_hmac_secret']
    # Build the user unguessable bucket_id UUID from its user_id
    digest = hmac_digest(hmac_secret, request.prefixed_userid)
    bucket_id = text_type(UUID(digest[:32]))
    path = request.path.replace('/buckets/default', '/buckets/%s' % bucket_id)
    querystring = request.url[(request.url.index(request.path) +
                               len(request.path)):]

    # Make sure bucket exists
    create_bucket(request, bucket_id)

    # Make sure the collection exists
    create_collection(request, bucket_id)

    subrequest = build_request(request, {
        'method': request.method,
        'path': path + querystring,
        'body': request.body
    })
    subrequest.bound_data = request.bound_data

    try:
        response = request.invoke_subrequest(subrequest)
    except httpexceptions.HTTPException as error:
        if error.content_type == 'application/json':
            response = reapply_cors(subrequest, error)
        else:
            # Ask the upper level to format the error.
            raise error
    return response
Beispiel #7
0
def default_bucket(request):
    if request.method.lower() == 'options':
        path = request.path.replace('default', 'unknown')
        subrequest = build_request(request, {
            'method': 'OPTIONS',
            'path': path
        })
        return request.invoke_subrequest(subrequest)

    if getattr(request, 'prefixed_userid', None) is None:
        raise HTTPForbidden()  # Pass through the forbidden_view_config

    settings = request.registry.settings

    hmac_secret = settings['userid_hmac_secret']
    # Build the user unguessable bucket_id UUID from its user_id
    digest = hmac_digest(hmac_secret, request.prefixed_userid)
    bucket_id = text_type(UUID(digest[:32]))
    path = request.path.replace('/buckets/default', '/buckets/%s' % bucket_id)
    querystring = request.url[(request.url.index(request.path) +
                               len(request.path)):]

    # Make sure bucket exists
    create_bucket(request, bucket_id)

    # Make sure the collection exists
    create_collection(request, bucket_id)

    subrequest = build_request(request, {
        'method': request.method,
        'path': path + querystring,
        'body': request.body
    })
    subrequest.bound_data = request.bound_data

    try:
        response = request.invoke_subrequest(subrequest)
    except HTTPException as error:
        if error.content_type == 'application/json':
            response = reapply_cors(subrequest, error)
        else:
            # Ask the upper level to format the error.
            raise error
    return response
Beispiel #8
0
def default_bucket(request):
    if request.method.lower() == 'options':
        path = request.path.replace('default', 'unknown')
        subrequest = build_request(request, {
            'method': 'OPTIONS',
            'path': path
        })
        return request.invoke_subrequest(subrequest)

    if getattr(request, 'prefixed_userid', None) is None:
        raise HTTPForbidden  # Pass through the forbidden_view_config

    settings = request.registry.settings
    hmac_secret = settings['userid_hmac_secret']
    # Build the user unguessable bucket_id UUID from its user_id
    digest = hmac_digest(hmac_secret, request.prefixed_userid)
    bucket_id = text_type(UUID(digest[:32]))
    path = request.path.replace('/buckets/default', '/buckets/%s' % bucket_id)
    querystring = request.url[(request.url.index(request.path) +
                               len(request.path)):]

    # Make sure bucket exists
    create_bucket(request, bucket_id)

    # Make sure the collection exists
    create_collection(request, bucket_id)

    subrequest = build_request(request, {
        'method': request.method,
        'path': path + querystring,
        'body': request.body
    })
    subrequest.bound_data = request.bound_data

    try:
        response = request.invoke_subrequest(subrequest)
    except HTTPException as error:
        response = reapply_cors(subrequest, error)
    return response
Beispiel #9
0
def default_bucket(request):
    if getattr(request, 'prefixed_userid', None) is None:
        raise HTTPForbidden  # Pass through the forbidden_view_config

    settings = request.registry.settings
    hmac_secret = settings['cliquet.userid_hmac_secret']
    # Build the user unguessable bucket_id UUID from its user_id
    bucket_id = hmac_digest(hmac_secret, request.prefixed_userid)[:32]
    path = request.path.replace('default', bucket_id)

    # Make sure bucket exists
    create_bucket(request, bucket_id)

    # Make sure the collection exists
    create_collection(request, bucket_id)

    subrequest = build_request(request, {
        'method': request.method,
        'path': path,
        'body': request.body
    })

    return request.invoke_subrequest(subrequest)
Beispiel #10
0
 def get_user_id(self, credentials):
     hmac_secret = self.config.get("app:main", "kinto.userid_hmac_secret")
     credentials = "%s:%s" % credentials
     digest = cliquet_utils.hmac_digest(hmac_secret, credentials)
     return "basicauth:%s" % digest
Beispiel #11
0
def default_bucket_id(request):
    settings = request.registry.settings
    secret = settings['userid_hmac_secret']
    # Build the user unguessable bucket_id UUID from its user_id
    digest = hmac_digest(secret, request.prefixed_userid)
    return six.text_type(uuid.UUID(digest[:32]))
Beispiel #12
0
def default_bucket_id(request):
    settings = request.registry.settings
    secret = settings['userid_hmac_secret']
    # Build the user unguessable bucket_id UUID from its user_id
    digest = hmac_digest(secret, request.prefixed_userid)
    return six.text_type(uuid.UUID(digest[:32]))
def build_sync_client(request):
    # Get the BID assertion
    is_authorization_defined = AUTHORIZATION_HEADER in request.headers
    starts_with_browser_id = False
    if is_authorization_defined:
        authorization = request.headers[AUTHORIZATION_HEADER].lower()
        starts_with_browser_id = authorization.startswith("browserid ")

    if not is_authorization_defined or not starts_with_browser_id:
        msg = "Provide a BID assertion %s header." % AUTHORIZATION_HEADER
        response = http_error(httpexceptions.HTTPUnauthorized(), errno=ERRORS.MISSING_AUTH_TOKEN, message=msg)
        response.headers.extend(forget(request))
        raise response

    bucket_id = request.matchdict["bucket_id"]
    is_client_state_header_defined = CLIENT_STATE_HEADER in request.headers

    if bucket_id == "syncto":
        if not is_client_state_header_defined:
            msg = "Provide the tokenserver %s header." % CLIENT_STATE_HEADER
            response = http_error(httpexceptions.HTTPUnauthorized(), errno=ERRORS.MISSING_AUTH_TOKEN, message=msg)
            response.headers.extend(forget(request))
            raise response
        client_state = request.headers[CLIENT_STATE_HEADER]
    elif len(bucket_id) != CLIENT_STATE_LENGTH:
        msg = "The provided bucket ID is incorrect."
        response = http_error(httpexceptions.HTTPUnauthorized(), errno=ERRORS.MISSING_AUTH_TOKEN, message=msg)
        response.headers.extend(forget(request))
        raise response
    else:
        client_state = bucket_id

    if is_client_state_header_defined:
        send_alert(request, "%s header is deprecated and should not be " "provided anymore." % CLIENT_STATE_HEADER)

    authorization_header = request.headers[AUTHORIZATION_HEADER]
    bid_assertion = authorization_header.split(" ", 1)[1]

    settings = request.registry.settings
    cache = request.registry.cache
    statsd = request.registry.statsd
    token_server_url = settings["token_server_url"]

    hmac_secret = settings["cache_hmac_secret"]
    cache_key = "credentials_%s" % utils.hmac_digest(hmac_secret, bid_assertion)
    ca_bundle = settings["certificate_ca_bundle"]

    encrypted_credentials = cache.get(cache_key)

    if not encrypted_credentials:
        settings_ttl = int(settings["cache_credentials_ttl_seconds"])
        bid_ttl = _extract_bid_assertion_ttl(bid_assertion)
        ttl = min(settings_ttl, bid_ttl or settings_ttl)

        tokenserver = TokenserverClient(bid_assertion, client_state, token_server_url, verify=ca_bundle)
        if statsd:
            statsd.watch_execution_time(tokenserver, prefix="tokenserver")
        credentials = tokenserver.get_hawk_credentials(duration=ttl)
        encrypted = encrypt(json.dumps(credentials), client_state, hmac_secret)
        cache.set(cache_key, encrypted, ttl)
    else:
        credentials = json.loads(decrypt(encrypted_credentials, client_state, hmac_secret))

    if statsd:
        timer = statsd.timer("syncclient.start_time")
        timer.start()

    sync_client = SyncClient(verify=ca_bundle, **credentials)

    if statsd:
        timer.stop()
        statsd.watch_execution_time(sync_client, prefix="syncclient")

    return sync_client
Beispiel #14
0
 def get_user_id(self, credentials):
     hmac_secret = self.config.get('app:main', 'cliquet.userid_hmac_secret')
     credentials = '%s:%s' % credentials
     digest = cliquet_utils.hmac_digest(hmac_secret, credentials)
     return 'basicauth:%s' % digest
Beispiel #15
0
def build_sync_client(request):
    # Get the BID assertion
    is_authorization_defined = AUTHORIZATION_HEADER in request.headers
    starts_with_browser_id = False
    if is_authorization_defined:
        authorization = request.headers[AUTHORIZATION_HEADER].lower()
        starts_with_browser_id = authorization.startswith("browserid ")

    if not is_authorization_defined or not starts_with_browser_id:
        msg = "Provide a BID assertion %s header." % AUTHORIZATION_HEADER
        response = http_error(httpexceptions.HTTPUnauthorized(),
                              errno=ERRORS.MISSING_AUTH_TOKEN,
                              message=msg)
        response.headers.extend(forget(request))
        raise response

    is_client_state_defined = CLIENT_STATE_HEADER in request.headers
    if not is_client_state_defined:
        msg = "Provide the tokenserver %s header." % CLIENT_STATE_HEADER
        response = http_error(httpexceptions.HTTPUnauthorized(),
                              errno=ERRORS.MISSING_AUTH_TOKEN,
                              message=msg)
        response.headers.extend(forget(request))
        raise response

    authorization_header = request.headers[AUTHORIZATION_HEADER]
    bid_assertion = authorization_header.split(" ", 1)[1]
    client_state = request.headers[CLIENT_STATE_HEADER]

    settings = request.registry.settings
    cache = request.registry.cache
    statsd = request.registry.statsd
    token_server_url = settings['token_server_url']

    hmac_secret = settings['cache_hmac_secret']
    cache_key = 'credentials_%s' % utils.hmac_digest(hmac_secret,
                                                     bid_assertion)

    encrypted_credentials = cache.get(cache_key)

    if not encrypted_credentials:
        settings_ttl = int(settings['cache_credentials_ttl_seconds'])
        bid_ttl = _extract_bid_assertion_ttl(bid_assertion)
        ttl = min(settings_ttl, bid_ttl or settings_ttl)

        tokenserver = TokenserverClient(bid_assertion, client_state,
                                        token_server_url)
        if statsd:
            statsd.watch_execution_time(tokenserver, prefix="tokenserver")
        credentials = tokenserver.get_hawk_credentials(duration=ttl)
        encrypted = encrypt(json.dumps(credentials), client_state, hmac_secret)
        cache.set(cache_key, encrypted, ttl)
    else:
        credentials = json.loads(
            decrypt(encrypted_credentials, client_state, hmac_secret))

    if statsd:
        timer = statsd.timer("syncclient.start_time")
        timer.start()

    sync_client = SyncClient(**credentials)

    if statsd:
        timer.stop()
        statsd.watch_execution_time(sync_client, prefix="syncclient")

    return sync_client
Beispiel #16
0
 def test_supports_secret_as_text(self):
     value = hmac_digest("blah", "input data")
     self.assertTrue(value.startswith("d4f5c51db246c7faeb42240545b47274b6"))
Beispiel #17
0
 def test_supports_secret_as_bytes(self):
     value = hmac_digest(b"blah", "input data")
     self.assertTrue(value.startswith("d4f5c51db246c7faeb42240545b47274b6"))
Beispiel #18
0
 def get_user_id(self, credentials):
     hmac_secret = self.config.get('app:main', 'kinto.userid_hmac_secret')
     credentials = '%s:%s' % credentials
     digest = cliquet_utils.hmac_digest(hmac_secret, credentials)
     return 'basicauth:%s' % digest