def test_verify_third_party_caveats(self):
m = Macaroon(
location='http://mybank/',
identifier='we used our other secret key',
key='this is a different super-secret key; \
never use the same secret twice'
)
m.add_first_party_caveat('account = 3735928559')
caveat_key = '4; guaranteed random by a fair toss of the dice'
identifier = 'this was how we remind auth of key/pred'
m.add_third_party_caveat('http://auth.mybank/', caveat_key, identifier)
discharge = Macaroon(
location='http://auth.mybank/',
key=caveat_key,
identifier=identifier
)
discharge.add_first_party_caveat('time < 2015-01-01T00:00')
protected = m.prepare_for_request(discharge)
v = Verifier()
v.satisfy_exact('account = 3735928559')
v.satisfy_exact('time < 2015-01-01T00:00')
verified = v.verify(
m,
'this is a different super-secret key; \
never use the same secret twice',
discharge_macaroons=[protected]
)
assert_true(verified)
def test_verify_third_party_caveats(self):
m = Macaroon(
location='http://mybank/',
identifier='we used our other secret key',
key='this is a different super-secret key; \
never use the same secret twice'
)
m.add_first_party_caveat('account = 3735928559')
caveat_key = '4; guaranteed random by a fair toss of the dice'
identifier = 'this was how we remind auth of key/pred'
m.add_third_party_caveat('http://auth.mybank/', caveat_key, identifier)
discharge = Macaroon(
location='http://auth.mybank/',
key=caveat_key,
identifier=identifier
)
discharge.add_first_party_caveat('time < 2015-01-01T00:00')
protected = m.prepare_for_request(discharge)
v = Verifier()
v.satisfy_exact('account = 3735928559')
v.satisfy_exact('time < 2015-01-01T00:00')
verified = v.verify(
m,
'this is a different super-secret key; \
never use the same secret twice',
discharge_macaroons=[protected]
)
assert_true(verified)
def test_verify_first_party_exact_caveats(self):
m = Macaroon(
location='http://mybank/',
identifier='we used our secret key',
key='this is our super secret key; only we should know it')
m.add_first_party_caveat('test = caveat')
v = Verifier()
v.satisfy_exact('test = caveat')
verified = v.verify(
m, 'this is our super secret key; only we should know it')
assert_true(verified)
def assert_macaroon(m, discharge, version):
assert_equal(m.location, 'my location')
assert_equal(m.version, version)
assert_equal(m.identifier_bytes, b'my identifier')
v = Verifier(discharge_macaroons=[discharge])
v.satisfy_exact('fp caveat')
verified = v.verify(
m,
"my secret key",
)
assert_true(verified)
def assert_macaroon(m, discharge, version):
assert_equal(m.location, 'my location')
assert_equal(m.version, version)
assert_equal(m.identifier_bytes, b'my identifier')
v = Verifier(discharge_macaroons=[discharge])
v.satisfy_exact('fp caveat')
verified = v.verify(
m,
"my secret key",
)
assert_true(verified)
def test_verify_first_party_exact_caveats(self):
m = Macaroon(
location='http://mybank/',
identifier='we used our secret key',
key='this is our super secret key; only we should know it'
)
m.add_first_party_caveat('test = caveat')
v = Verifier()
v.satisfy_exact('test = caveat')
verified = v.verify(
m,
'this is our super secret key; only we should know it'
)
assert_true(verified)
def verify(
macaroon: Macaroon,
key: bytes,
roles: List[str],
caveats: List[str],
used: int,
req: Request,
) -> bool:
assert macaroon
v_obj = Verifier()
v_obj.satisfy_exact(f"user = {macaroon.identifier}")
for role in roles:
v_obj.satisfy_exact(f"role = {role}")
# satisfy specific actions in the API
for caveat in caveats:
v_obj.satisfy_exact(f"action = {caveat}")
# satify same origin restrictions
v_obj.satisfy_exact(f"origin = {req.headers['origin']}")
# satisfy macaroon with time expiry
v_obj.satisfy_general(lambda x: x.split(" = ")[0] == "expiry" and int(
x.split(" = ")[1]) > time())
# satisfy macaroon with limited uses
v_obj.satisfy_general(lambda x: x.split(" = ")[0] == "uses" and int(
x.split(" = ")[1]) > used)
# satisfy any with 'amount' caveat. Currently only included so macaroon user can tell amount
v_obj.satisfy_general(lambda x: x.split(" = ")[0] == "amount")
return bool(v_obj.verify(macaroon, key))
def test_verify_encrypted_first_party_exact_caveats(self):
m = Macaroon(
location='http://mybank/',
identifier='we used our secret key',
key='this is our super secret key; only we should know it')
m.first_party_caveat_delegate = EncryptedFirstPartyCaveatDelegate()
m.add_first_party_caveat('test = caveat', encrypted=True)
v = Verifier()
v.first_party_caveat_verifier_delegate = EncryptedFirstPartyCaveatVerifierDelegate(
)
v.satisfy_exact('test = caveat')
verified = v.verify(
m, 'this is our super secret key; only we should know it')
assert_true(verified)
def test_verify_encrypted_first_party_exact_caveats(self):
m = Macaroon(
location='http://mybank/',
identifier='we used our secret key',
key='this is our super secret key; only we should know it'
)
m.first_party_caveat_delegate = EncryptedFirstPartyCaveatDelegate()
m.add_first_party_caveat('test = caveat', encrypted=True)
v = Verifier()
v.first_party_caveat_verifier_delegate = EncryptedFirstPartyCaveatVerifierDelegate()
v.satisfy_exact('test = caveat')
verified = v.verify(
m,
'this is our super secret key; only we should know it'
)
assert_true(verified)
def access_picture_with_macaroon(picture_id, macaroon):
m = Macaroon.deserialize(macaroon)
v = Verifier()
v.satisfy_exact('view_pictures = True')
v.satisfy_exact('picture_id = ' + str(picture_id))
try:
verified = v.verify(m, keys[m.identifier])
except MacaroonInvalidSignatureException:
verified = False
images = [False, False, False]
images[picture_id] = True
resp = make_response(
render_template("home.html",
showimages=verified,
images=images,
macaroon=m.inspect().replace("\n", "<br/>")))
return resp
def photo_album():
macaroonCookie = request.cookies.get('macaroonCookie')
if macaroonCookie is not None and macaroonCookie != "":
m = Macaroon.deserialize(macaroonCookie)
v = Verifier()
v.satisfy_exact('view_pictures = True')
try:
verified = v.verify(m, keys[m.identifier])
except MacaroonInvalidSignatureException:
verified = False
images = [True, True, True]
resp = make_response(
render_template("home.html",
showimages=verified,
images=images,
macaroon=m.inspect().replace("\n", "<br/>")))
return resp
else:
return redirect(url_for("login"))
def gallery_token(token, image_name):
if token:
#Decode token
n = Macaroon.deserialize(token)
v = Verifier()
form = forms.VerifyEmail()
#On valid for submission
if form.validate_on_submit():
#Verify Macaroon is valid
v.satisfy_exact('email = {}'.format(form.email.data))
v.satisfy_exact('image_name = {}'.format(image_name))
v.satisfy_general(check_expiry)
try:
verified = v.verify(n, keys[n.identifier])
return send_from_directory(app.config['UPLOADED_IMAGES_DEST'],
filename=image_name,
as_attachment=False)
except:
flash("Unable to access")
return render_template('validate_email.html',
form=form,
token=token,
image_name=image_name)
return render_template('validate_email.html',
form=form,
token=token,
image_name=image_name)
else:
flash("Unable to access")
return render_template('validate_email.html',
form=form,
token=token,
image_name=image_name)
