def read_data(environ, start_response):
log = logging.getLogger("read_data")
log.debug("start")
try:
brand_identifier = environ['query_data']['brand_id'][0]
escrowed_data = environ['post_data']['escrow_data'][0]
serial_sign_key = environ['post_data']['sign_key'][0]
except KeyError:
log.warn("KeyError at start")
return BadRequest()(environ, start_response)
try:
layer_count = int(environ['post_data'].get('layer_count', [])[0])
except IndexError:
layer_count = None
sign_key = serial.loads(serial_sign_key)
log.debug("Being sent:")
log.debug("brand_identifier: %r" % brand_identifier)
log.debug("layer_count: %r" % layer_count)
try:
if layer_count is None:
plaintext_data = server.read_escrow_data(brand_identifier,
escrowed_data,
sign_key=sign_key)
else:
plaintext_data = server.read_escrow_data(brand_identifier,
escrowed_data,
layer_count=layer_count,
sign_key=sign_key)
except ValueError:
log.warn("ValueError at reading escrow data")
return BadRequest()(environ, start_response)
except KeyError:
log.warn("KeyError at reading escrow data")
return NotFound()(environ, start_response)
except Exception:
log.exception('500 error in reading escrow data')
return ServerError()(
environ,
start_response,
)
log.info("Read data for brand %s" % (brand_identifier, ))
return SuperSimple(plaintext_data,
ctype="application/octet-stream")(environ,
start_response)
def read_data(environ, start_response):
log = logging.getLogger("read_data")
log.debug("start")
try:
brand_identifier = environ['query_data']['brand_id'][0]
escrowed_data = environ['post_data']['escrow_data'][0]
serial_sign_key = environ['post_data']['sign_key'][0]
except KeyError:
log.warn("KeyError at start")
return BadRequest()(environ, start_response)
try:
layer_count = int(environ['post_data'].get('layer_count', [])[0])
except IndexError:
layer_count = None
sign_key = serial.loads(serial_sign_key)
log.debug("Being sent:")
log.debug("brand_identifier: %r" % brand_identifier)
log.debug("layer_count: %r" % layer_count)
try:
if layer_count is None:
plaintext_data = server.read_escrow_data(brand_identifier,
escrowed_data,
sign_key=sign_key)
else:
plaintext_data = server.read_escrow_data(brand_identifier,
escrowed_data,
layer_count=layer_count,
sign_key=sign_key)
except ValueError:
log.warn("ValueError at reading escrow data")
return BadRequest()(environ, start_response)
except KeyError:
log.warn("KeyError at reading escrow data")
return NotFound()(environ, start_response)
except Exception:
log.exception('500 error in reading escrow data')
return ServerError()(environ, start_response,)
log.info("Read data for brand %s" % (brand_identifier,))
return SuperSimple(plaintext_data, ctype="application/octet-stream")(environ, start_response)
def test_encrypt_and_decrypt_with_layers(self):
config = common.read_config_file()
brand_identifier = config['api_user']
escrow_data = "test data"
sign_key = RSA.generate(2048, random_string)
escrowed_data = encrypt_with_layers(escrow_data, sign_key, brand_identifier)
layer_count = 2
plaintext_data = server.read_escrow_data(brand_identifier,
escrowed_data,
layer_count=layer_count,
sign_key=sign_key)
self.assertEqual(escrow_data, plaintext_data)
def test_encrypt_and_decrypt_with_layers(self):
config = common.read_config_file()
brand_identifier = config['api_user']
escrow_data = "test data"
sign_key = RSA.generate(2048, random_string)
escrowed_data = encrypt_with_layers(escrow_data, sign_key,
brand_identifier)
layer_count = 2
plaintext_data = server.read_escrow_data(brand_identifier,
escrowed_data,
layer_count=layer_count,
sign_key=sign_key)
self.assertEqual(escrow_data, plaintext_data)
def test_setup_brand():
from key_escrow.server import read_escrow_data
brand_identifier = 'my_test_brand'
brand_id, _brand_keypair, layers = setup_brand(brand_identifier)
assert brand_id == layers[0][0]
_user_key_id, user_keypair = make_keypair()
test_data = "0123456789"
escrowed_data = escrow_binary(layers, test_data, user_keypair)
plain_escrowed_data = read_escrow_data(brand_identifier, escrowed_data,
sign_key=user_keypair.publickey())
assert plain_escrowed_data == test_data
print "setup brand test ok"
return True
def test_get_auth_params(self, gen):
gen.return_value = self.sign_key
client = self._get_client_with_dummy_credentials()
params = client.get_auth_params()
auth = b64decode(params.pop('auth'))
auth = json.loads(read_escrow_data('brand', auth, 1))
self.assertEqual(auth, {
'challenge': b64encode('challenge'),
'password': '******',
})
self.assertEqual(params, {
'brand_id': 'brand',
'username': '******',
})
def test_get_auth_params(self, gen):
gen.return_value = self.sign_key
client = self._get_client_with_dummy_credentials()
params = client.get_auth_params()
auth = b64decode(params.pop('auth'))
auth = json.loads(read_escrow_data('brand', auth, 1))
self.assertEqual(auth, {
'challenge': b64encode('challenge'),
'password': '******',
})
self.assertEqual(params, {
'brand_id': 'brand',
'username': '******',
})
def decorator(environ, start_response):
log = logging.getLogger('login_required')
log.debug("start")
try:
brand_identifier = environ['query_data']['brand_id'][0]
username = environ['query_data']['username'][0]
password = environ['query_data']['password'][0]
crypt_pw = environ['query_data'].get('crypt_pw', ["True"])[0]
except KeyError:
log.error("Got bad request.")
return BadRequest()(environ, start_response)
decoded_user = unquote(username)
# If we get anything OTHER than explicitly "False" in the request, we will assume it's an encrypted password.
if crypt_pw == "False":
plaintext_password = password
else:
try:
plaintext_password = server.read_escrow_data(
brand_identifier, password)
except KeyError:
log.warn("missing identifier %s" % (brand_identifier, ))
return NotFound()(environ, start_response)
except ValueError:
log.warn("bad values for authenticating user %s" %
(decoded_user, ))
return BadRequest()(environ, start_response)
except Exception:
log.exception(
"server.read_escrow_data failed for user %s brand %s" % (
decoded_user,
brand_identifier,
))
return ServerError()(environ, start_response)
if not authenticator(read_config_file(), decoded_user,
plaintext_password):
log.info("Auth failed for %s" % (decoded_user, ))
return Forbidden()(environ, start_response)
log.info("Auth OK for brand %s with user %s" % (
brand_identifier,
decoded_user,
))
return fun(environ, start_response)
def authenticate_user(environ, start_response):
log = logging.getLogger('authenticate_user')
log.debug("start")
try:
brand_identifier = environ['query_data']['brand_id'][0]
username = environ['query_data']['username'][0]
password = environ['query_data']['password'][0]
crypt_pw = environ['query_data'].get('crypt_pw', ["True"])[0]
except KeyError:
log.error("Got bad request.")
return BadRequest()(environ, start_response)
decoded_user = unquote(username)
# If we get anything OTHER than explicitly "False" in the request, we will assume it's an encrypted password.
if crypt_pw == "False":
plaintext_password = password
else:
try:
plaintext_password = server.read_escrow_data(
brand_identifier, password)
except KeyError:
log.warn("missing identifier %s" % (brand_identifier,))
return NotFound()(environ, start_response)
except ValueError:
log.warn("bad values for authenticating user %s" % (decoded_user,))
return BadRequest()(environ, start_response)
except Exception:
log.exception("server.read_escrow_data failed for user %s brand %s"
% (decoded_user, brand_identifier,))
return ServerError()(environ, start_response)
if not authenticator(get_config(), decoded_user, plaintext_password):
log.info("Auth failed for %s" % (decoded_user,))
return Forbidden()(environ, start_response)
log.info("Auth OK for brand %s with user %s" % (brand_identifier, decoded_user, ))
return SuperSimple("OK")(environ, start_response)
def read_data(request):
log = logging.getLogger("read_data")
log.debug("start")
auth = request.session['auth']
brand_identifier = auth['brand_identifier']
sign_key = auth['sign_key']
layer_count = auth['layer_count']
try:
escrowed_data = a2b_base64(request.POST['escrow_data'])
except KeyError:
log.warn("KeyError at start")
return HttpResponseBadRequest()
log.debug("Being sent:")
log.debug("brand_identifier: %r" % brand_identifier)
log.debug("layer_count: %r" % layer_count)
try:
plaintext_data = server.read_escrow_data(brand_identifier,
escrowed_data,
layer_count=layer_count,
sign_key=sign_key)
except ValueError:
log.warn("ValueError at reading escrow data", exc_info=True)
return HttpResponseBadRequest()
except KeyError:
log.warn("KeyError at reading escrow data", exc_info=True)
return HttpResponseNotFound()
except Exception:
log.exception('500 error in reading escrow data', exc_info=True)
return HttpResponseServerError()
response = auth['secret_box'].encrypt(plaintext_data, auth['nonce'])
log.info("Read data for brand %s" % (brand_identifier, ))
return HttpResponse(response, content_type="application/octet-stream")
def read_data(request):
log = logging.getLogger("read_data")
log.debug("start")
auth = request.session['auth']
brand_identifier = auth['brand_identifier']
sign_key = auth['sign_key']
layer_count = auth['layer_count']
try:
escrowed_data = a2b_base64(request.POST['escrow_data'])
except KeyError:
log.warn("KeyError at start")
return HttpResponseBadRequest()
log.debug("Being sent:")
log.debug("brand_identifier: %r" % brand_identifier)
log.debug("layer_count: %r" % layer_count)
try:
plaintext_data = server.read_escrow_data(brand_identifier,
escrowed_data,
layer_count=layer_count,
sign_key=sign_key)
except ValueError:
log.warn("ValueError at reading escrow data", exc_info=True)
return HttpResponseBadRequest()
except KeyError:
log.warn("KeyError at reading escrow data", exc_info=True)
return HttpResponseNotFound()
except Exception:
log.exception('500 error in reading escrow data', exc_info=True)
return HttpResponseServerError()
response = auth['secret_box'].encrypt(plaintext_data, auth['nonce'])
log.info("Read data for brand %s" % (brand_identifier,))
return HttpResponse(response, content_type="application/octet-stream")
def decorator(request):
log = logging.getLogger('login_required')
log.debug("start")
if valid_auth_session(request):
return fun(request)
else:
try:
brand_identifier = request.POST['brand_id']
username = request.POST['username']
auth = a2b_base64(request.POST['auth'])
serial_sign_key = request.POST['sign_key']
layer_count = int(request.POST['layer_count'])
except KeyError:
log.error("Got bad request.")
return HttpResponseBadRequest()
try:
sign_key = serial.loads(serial_sign_key)
except (serial.EndOfFile, serial.NotSerializerFileError,
serial.NotSerializableObjectError):
log.error("Got bad request. Unable to load sign key")
return HttpResponseBadRequest()
decoded_user = urllib.unquote(username)
try:
data = server.read_escrow_data(
brand_identifier,
auth,
sign_key=sign_key,
layer_count=layer_count,
)
plaintext_auth = json.loads(data)
if ('challenge' not in plaintext_auth
or 'password' not in plaintext_auth):
log.warn("missing auth key %s" % (brand_identifier, ))
return HttpResponseBadRequest()
except KeyError:
log.warn("missing identifier %s" % (brand_identifier, ))
return HttpResponseNotFound()
except ValueError:
log.warn("bad values for authenticating user %s" %
(decoded_user, ))
return HttpResponseBadRequest()
except Exception:
log.exception(
"server.read_escrow_data failed for user %s brand %s" % (
decoded_user,
brand_identifier,
))
return HttpResponseServerError()
challenge = valid_challenge(request, plaintext_auth['challenge'])
authenticated = authenticator(read_config_file(), decoded_user,
plaintext_auth['password'])
if not challenge or not authenticated:
log.info("Auth failed for %s" % (decoded_user, ))
return HttpResponseForbidden()
session_challenge = get_challenge(request)
secret_box, nonce = create_secret_box(plaintext_auth['password'],
session_challenge[0])
request.session['auth'] = {
'secret_box': secret_box,
'nonce': nonce,
'time': session_challenge[1],
'brand_identifier': brand_identifier,
'sign_key': sign_key,
'layer_count': layer_count,
}
log.info("Auth OK for brand %s with user %s" % (
brand_identifier,
decoded_user,
))
return fun(request)
def decorator(request):
log = logging.getLogger('login_required')
log.debug("start")
if valid_auth_session(request):
return fun(request)
else:
try:
brand_identifier = request.POST['brand_id']
username = request.POST['username']
auth = a2b_base64(request.POST['auth'])
serial_sign_key = request.POST['sign_key']
layer_count = int(request.POST['layer_count'])
except KeyError:
log.error("Got bad request.")
return HttpResponseBadRequest()
try:
sign_key = serial.loads(serial_sign_key)
except (serial.EndOfFile,
serial.NotSerializerFileError,
serial.NotSerializableObjectError):
log.error("Got bad request. Unable to load sign key")
return HttpResponseBadRequest()
decoded_user = urllib.unquote(username)
try:
data = server.read_escrow_data(
brand_identifier,
auth,
sign_key=sign_key,
layer_count=layer_count,
)
plaintext_auth = json.loads(data)
if ('challenge' not in plaintext_auth or
'password' not in plaintext_auth):
log.warn("missing auth key %s" % (brand_identifier,))
return HttpResponseBadRequest()
except KeyError:
log.warn("missing identifier %s" % (brand_identifier,))
return HttpResponseNotFound()
except ValueError:
log.warn("bad values for authenticating user %s" % (decoded_user,))
return HttpResponseBadRequest()
except Exception:
log.exception("server.read_escrow_data failed for user %s brand %s"
% (decoded_user, brand_identifier,))
return HttpResponseServerError()
challenge = valid_challenge(request, plaintext_auth['challenge'])
authenticated = authenticator(get_config(),
decoded_user,
plaintext_auth['password'])
if not challenge or not authenticated:
log.info("Auth failed for %s" % (decoded_user,))
return HttpResponseForbidden()
session_challenge = get_challenge(request)
secret_box, nonce = create_secret_box(plaintext_auth['password'],
session_challenge[0])
request.session['auth'] = {
'secret_box': secret_box,
'nonce': nonce,
'time': session_challenge[1],
'brand_identifier': brand_identifier,
'sign_key': sign_key,
'layer_count': layer_count,
}
log.info("Auth OK for brand %s with user %s" % (brand_identifier, decoded_user, ))
return fun(request)
