Beispiel #1
0
    def get_authenticated_user(self, auth_cookie):
        """Determine the name of the currently logged-in user, if any.

        Parses the authentication cookie passsed in as a string, verifies
        the signatures and, if all checks succeed, returns the name of
        the authenticated user.

        Args:
        auth_cookie: value of the cookie used for authentication.

        Returns:
        Name of the authenticated user, or an empty string if the user
        authentication cannot be verified or is empty.
        """

        if len(auth_cookie) == 0:
            return ""

        tc = token_pb2.TokenCookie()
        tcc = token_cookie.TokenCookieCodec(tc,
                                            pubkey=self._cert.get_pub_key())
        try:
            tcc.decode(auth_cookie)
        except token_cookie.SignatureException as e:
            return ""
        except token_cookie.TokenExpiredException as e:
            return ""

        return tc.basic_creds.user_name
Beispiel #2
0
    def login_handler(self, access_token):
        """Handle a login response from the login server.

        This should be invoked when an HTTP post from the login server
        occurs. This method will return any local cookies to set up and
        redirects the user back to the URL requested with the login
        operation.

        Please note that when the /login handler is invoked, the peer
        will not be the login server, but the user.

        Args:
        access_token: the content of the access_token HTTP parameter
        sent by the login server. This will essentially be a signed,
        base64 encoded token with user information.

        Returns:
        Tuple with the cookie value to set the authentication token,
        and the URL to redirect the user to.
        """
        atr = token_pb2.AuthTokenResponse()
        atrc = token_cookie.AuthTokenResponseCodec(atr, cacert=self._ca)
        atrc.decode(access_token)

        expiry = datetime.now() + timedelta(1)
        tc = token_pb2.TokenCookie()
        tc.basic_creds.user_name = atr.basic_creds.user_name
        tc.basic_creds.scope.extend(atr.basic_creds.scope)
        tc.basic_creds.expires = calendar.timegm(expiry.utctimetuple())

        tcc = token_cookie.TokenCookieCodec(tc, privkey=self._rsa_key)
        cookiedata = tcc.encode()

        return (cookiedata, atr.original_uri)
    def test_sign_and_decrypt(self):
        """Encode and decode a token cookie object."""

        cert, key = gen_certificate()

        # Create a TokenCookie with the basic credentials.
        tc = token_pb2.TokenCookie()
        set_basic_creds(tc.basic_creds)

        # Create the codec and encode.
        tcc = token_cookie.TokenCookieCodec(tc, privkey=key)

        data = tcc.encode()

        # Verify the signature.
        vtc = token_pb2.TokenCookie()
        vtcc = token_cookie.TokenCookieCodec(vtc, pubkey=cert.get_pub_key())
        vtcc.decode(data)

        self.assertEqual(tc, vtc)
    def test_verify_expired_cookie(self):
        """Verify a cookie with its expiry set in the past."""

        cert, key = gen_certificate()

        # Create a TokenCookie with the basic credentials.
        tc = token_pb2.TokenCookie()
        set_basic_creds(tc.basic_creds)
        tc.basic_creds.expires -= 90

        # Create the codec and encode.
        tcc = token_cookie.TokenCookieCodec(tc, privkey=key)

        data = tcc.encode()

        # Verify the signature.
        vtc = token_pb2.TokenCookie()
        vtcc = token_cookie.TokenCookieCodec(vtc, pubkey=cert.get_pub_key())
        self.assertRaises(token_cookie.TokenExpiredException, vtcc.decode,
                          data)
    def test_authenticated_user(self):
        """Test if we can extract the user from a TokenCookie."""

        key = importKey(_TEST_KEY)

        token = token_pb2.TokenCookie()
        token.basic_creds.user_name = 'testosteronius'
        token.basic_creds.scope.append('users')
        token.basic_creds.expires = calendar.timegm(
            datetime.utcnow().timetuple()) + 30

        codec = token_cookie.TokenCookieCodec(token, privkey=key)
        cookie = codec.encode()

        auth = authenticator.Authenticator("Unit Test", cert=_TEST_CERT)
        self.assertEquals(auth.get_authenticated_user(cookie),
                          'testosteronius')
Beispiel #6
0
    def get_authenticated_scopes(self, auth_cookie):
        """Determines the scopes the authenticated user belongs to.

        Returns a list of the names of all scopes the user is in. If no user
        is authenticated, an empty list is returned.

        Args:
        auth_cookie: value of the cookie used for authentication.

        Returns:
        List of all scopes the user is authorized for.
        """

        tc = token_pb2.TokenCookie()
        tcc = token_cookie.TokenCookieCodec(tc,
                                            pubkey=self._cert.get_pub_key())
        tcc.decode(auth_cookie)

        return tc.basic_creds.scope
    def test_verify_wrong_signature(self):
        """Verify a wrong signature."""

        cert, key = gen_certificate()

        # Set up a token cookie with test data.
        tc = token_pb2.TokenCookie()
        set_basic_creds(tc.basic_creds)

        # Fill in a bogus signature.
        h = SHA256.new('A' * 42)
        signer = PKCS1_v1_5.new(key)
        tc.signature = signer.sign(h)

        # Finally, build our own base64.
        data = base64.urlsafe_b64encode(tc.SerializeToString())

        # Verify the signature.
        vtc = token_pb2.TokenCookie()
        tcc = token_cookie.TokenCookieCodec(vtc, pubkey=cert.get_pub_key())
        self.assertRaises(token_cookie.SignatureException, tcc.decode, data)