Beispiel #1
0
    def unsign(self, signed_value, ttl=None):
        """
        Retrieve original value and check it wasn't signed more
        than max_age seconds ago.

        :type signed_value: bytes
        :type ttl: int | datetime.timedelta
        """
        h_size, d_size = struct.calcsize('>cQ'), self.digest.digest_size
        fmt = '>cQ%ds%ds' % (len(signed_value) - h_size - d_size, d_size)
        try:
            version, timestamp, value, sig = struct.unpack(fmt, signed_value)
        except struct.error:
            raise BadSignature('Signature is not valid')
        if version != self.version:
            raise BadSignature('Signature version not supported')
        if ttl is not None:
            if isinstance(ttl, datetime.timedelta):
                ttl = ttl.total_seconds()
            # Check timestamp is not older than ttl
            age = abs(time.time() - timestamp)
            if age > ttl + _MAX_CLOCK_SKEW:
                raise SignatureExpired('Signature age %s > %s seconds' %
                                       (age, ttl))
        try:
            self.signature(signed_value[:-d_size]).verify(sig)
        except InvalidSignature:
            raise BadSignature('Signature "%s" does not match' %
                               binascii.b2a_base64(sig))
        return value
Beispiel #2
0
def validate_remember_device_cookie(cookie, user, otp_device_id):
    """
    Returns True if the cookie was returned by get_remember_device_cookie using the same
    user.pk, user.password and otp_device_id. Moreover the cookie must not be expired.
    Returns False if the otp_device_id does not match.
    Otherwise raises an exception.
    """

    timestamp, input_cookie_key, input_cookie_value = cookie.split(
        remember_device_cookie_separator, 3)

    cookie_key = hash_remember_device_cookie_key(otp_device_id)
    if input_cookie_key != cookie_key:
        return False

    cookie_value = hash_remember_device_cookie_value(otp_device_id, user,
                                                     timestamp)
    if input_cookie_value != cookie_value:
        raise BadSignature('Signature does not match')

    timestamp_int = baseconv.base62.decode(timestamp)
    age = time.time() - timestamp_int
    if age > settings.TWO_FACTOR_REMEMBER_COOKIE_AGE:
        raise SignatureExpired('Signature age %s > %s seconds' %
                               (age, settings.TWO_FACTOR_REMEMBER_COOKIE_AGE))

    return True
Beispiel #3
0
 def test_expired_signature(self, mock_unsign):
     with self.feature({
             "organizations:integrations-msteams": True,
             "organizations:integrations-alert-rule": True,
     }):
         mock_unsign.side_effect = SignatureExpired()
         resp = self.hit_configure({"signed_params": "test"})
         assert "Installation link expired" in resp.content
Beispiel #4
0
 def test_expired_signature(self, mock_unsign):
     with self.feature({"organizations:integrations-msteams": True}):
         mock_unsign.side_effect = SignatureExpired()
         self.login_as(self.user)
         org = self.create_organization()
         OrganizationMember.objects.create(user=self.user, organization=org)
         path = u"/extensions/msteams/configure/"
         resp = self.client.get(path, {"signed_params": "test"})
         assert "Installation link expired" in resp.content
Beispiel #5
0
    def verify(self):
        data = self._data
        signature = data.get(self.signature_field, None)
        if signature is None:
            raise BadSignature()
        expected_signature = self.calculate_signature()
        if not constant_time_compare(signature, expected_signature):
            raise BadSignature()

        if self.use_timestamp and self.valid_period is not None:
            timestamp = data[self.timestamp_field]
            timestamp = int(timestamp)
            current_timestamp = get_current_timestamp()
            valid_period_secs = self.valid_period.total_seconds()
            if current_timestamp - timestamp > valid_period_secs:
                raise SignatureExpired()
Beispiel #6
0
 def unsign(self, value, max_age=None):
     """
     Retrieve original value and check it wasn't signed more
     than max_age seconds ago.
     """
     result = super(TimestampSigner, self).unsign(value)
     value, timestamp = result.rsplit(self.sep, 1)
     timestamp = baseconv.base62.decode(timestamp)
     if max_age is not None:
         if isinstance(max_age, datetime.timedelta):
             max_age = max_age.total_seconds()
         # Check timestamp is not older than max_age
         age = time.time() - timestamp
         if age > max_age:
             raise SignatureExpired("Signature age %s > %s seconds" %
                                    (age, max_age))
     return value
Beispiel #7
0
    def verify(self):
        data = self._data
        signature = data.get(self.SIGNATURE_FIELD, None)
        if signature is None:
            raise BadSignature()
        expected_signature = self.calculate_signature()
        if not constant_time_compare(signature, expected_signature):
            raise BadSignature()

        valid_period = self.get_valid_period()

        if self.USE_TIMESTAMP and valid_period is not None:
            timestamp = data[self.TIMESTAMP_FIELD]
            timestamp = int(timestamp)
            current_timestamp = get_current_timestamp()
            valid_period_secs = valid_period.total_seconds()
            if current_timestamp - timestamp > valid_period_secs:
                raise SignatureExpired()