def test_basic(self):
hs = sign.HeaderSigner(key_id='Test', secret=self.key, headers=[
'(request-target)',
'host',
'date',
])
unsigned = {
'Host': self.header_host,
'Date': self.header_date,
}
signed = hs.sign(
unsigned, method=self.test_method, path=self.test_path)
self.assertIn('Date', signed)
self.assertEqual(unsigned['Date'], signed['Date'])
self.assertIn('Authorization', signed)
auth = parse_authorization_header(signed['authorization'])
params = auth[1]
self.assertIn('keyId', params)
self.assertIn('algorithm', params)
self.assertIn('signature', params)
self.assertEqual(params['keyId'], 'Test')
self.assertEqual(params['algorithm'], 'rsa-sha256')
self.assertEqual(
params['headers'], '(request-target) host date')
self.assertEqual(params['signature'], 'HUxc9BS3P/kPhSmJo+0pQ4IsCo007vkv6bUm4Qehrx+B1Eo4Mq5/6KylET72ZpMUS80XvjlOPjKzxfeTQj4DiKbAzwJAb4HX3qX6obQTa00/qPDXlMepD2JtTw33yNnm/0xV7fQuvILN/ys+378Ysi082+4xBQFwvhNvSoVsGv4=') # noqa: E501
def test_all(self):
hs = sign.HeaderSigner(key_id='Test', secret=self.key, headers=[
'(request-target)',
'host',
'date',
'content-type',
'digest',
'content-length'
])
unsigned = {
'Host': self.header_host,
'Date': self.header_date,
'Content-Type': self.header_content_type,
'Digest': self.header_digest,
'Content-Length': self.header_content_length,
}
signed = hs.sign(
unsigned, method=self.test_method, path=self.test_path)
self.assertIn('Date', signed)
self.assertEqual(unsigned['Date'], signed['Date'])
self.assertIn('Authorization', signed)
auth = parse_authorization_header(signed['authorization'])
params = auth[1]
self.assertIn('keyId', params)
self.assertIn('algorithm', params)
self.assertIn('signature', params)
self.assertEqual(params['keyId'], 'Test')
self.assertEqual(params['algorithm'], 'rsa-sha256')
self.assertEqual(
params['headers'],
'(request-target) host date content-type digest content-length')
self.assertEqual(params['signature'], 'Ef7MlxLXoBovhil3AlyjtBwAL9g4TN3tibLj7uuNB3CROat/9KaeQ4hW2NiJ+pZ6HQEOx9vYZAyi+7cmIkmJszJCut5kQLAwuX+Ms/mUFvpKlSo9StS2bMXDBNjOh4Auj774GFj4gwjS+3NhFeoqyr/MuN6HsEnkvn6zdgfE2i0=') # noqa: E501
def test_basic(self):
hs = sign.HeaderSigner(key_id='Test',
secret=self.key_2048,
sign_algorithm=PSS(salt_length=0),
headers=[
'(request-target)',
'host',
'date',
])
unsigned = {
'Host': self.header_host,
'Date': self.header_date,
}
signed = hs.sign(unsigned,
method=self.test_method,
path=self.test_path)
self.assertIn('Date', signed)
self.assertEqual(unsigned['Date'], signed['Date'])
self.assertIn('Authorization', signed)
auth = parse_authorization_header(signed['authorization'])
params = auth[1]
self.assertIn('keyId', params)
self.assertIn('algorithm', params)
self.assertIn('signature', params)
self.assertEqual(params['keyId'], 'Test')
self.assertEqual(params['algorithm'], 'hs2019')
self.assertEqual(params['headers'], '(request-target) host date')
self.assertEqual(
params['signature'],
'KkF4oeOJJH9TaYjQdaU634G7AVmM5Bf3fnfJCBZ7G0H5puW5XlQTpduA+TgouKOJhbv4aRRpunPzCHUxUjEvrR3TSALqW1EOsBwCVIusE9CnrhL7vUOvciIDai/jI15RsfR9+XyTmOSFbsI07E8mmywr3nLeWX6AAFDMO2vWc21zZxrSc13vFfAkVvFhXLxO4g0bBm6Z4m5/9ytWtdE0Gf3St2kY8aZTedllRCS8cMx8GVAIw/qYGeIlGKUCZKxrFxnviN7gfxixwova6lcxpppIo+WXxEiwMJfSQBlx0WGn3A3twCv6TsIxPOVUEW4jcogDh+jGFf1aGdVyHquTRQ=='
) # noqa: E501
def test_all(self):
hs = sign.HeaderSigner(key_id='Test', secret=self.key, headers=[
'(request-target)',
'host',
'date',
'content-type',
'content-md5',
'content-length'
])
unsigned = {
'Host': 'example.com',
'Date': 'Thu, 05 Jan 2012 21:31:40 GMT',
'Content-Type': 'application/json',
'Content-MD5': 'Sd/dVLAcvNLSq16eXua5uQ==',
'Content-Length': '18',
}
signed = hs.sign(unsigned, method='POST', path='/foo?param=value&pet=dog')
self.assertIn('Date', signed)
self.assertEqual(unsigned['Date'], signed['Date'])
self.assertIn('Authorization', signed)
auth = parse_authorization_header(signed['authorization'])
params = auth[1]
self.assertIn('keyId', params)
self.assertIn('algorithm', params)
self.assertIn('signature', params)
self.assertEqual(params['keyId'], 'Test')
self.assertEqual(params['algorithm'], 'rsa-sha256')
self.assertEqual(params['headers'], '(request-target) host date content-type content-md5 content-length')
self.assertEqual(params['signature'], 'G8/Uh6BBDaqldRi3VfFfklHSFoq8CMt5NUZiepq0q66e+fS3Up3BmXn0NbUnr3L1WgAAZGplifRAJqp2LgeZ5gXNk6UX9zV3hw5BERLWscWXlwX/dvHQES27lGRCvyFv3djHP6Plfd5mhPWRkmjnvqeOOSS0lZJYFYHJz994s6w=')
def authenticate(self, request):
"""
Perform the actual authentication.
Note that the exception raised is always the same. This is so that we
don't leak information about in/valid keyIds and other such useful
things.
"""
auth_header = authentication.get_authorization_header(request)
if not auth_header or len(auth_header) == 0:
return None
method, fields = utils.parse_authorization_header(auth_header)
# Ignore foreign Authorization headers.
if method.lower() != 'signature':
return None
# Verify basic header structure.
if len(fields) == 0:
raise FAILED
# Ensure all required fields were included.
if len(set(("keyid","algorithm","signature")) - set(fields.keys())) > 0:
raise FAILED
# Fetch the secret associated with the keyid
user, secret = self.fetch_user_data(
fields["keyid"],
algorithm=fields["algorithm"]
)
if not (user and secret):
raise FAILED
# Gather all request headers and translate them as stated in the Django docs:
# https://docs.djangoproject.com/en/1.6/ref/request-response/#django.http.HttpRequest.META
headers = {}
for key in request.META.keys():
if key.startswith("HTTP_") or \
key in ("CONTENT_TYPE", "CONTENT_LENGTH"):
header = key[5:].lower().replace('_', '-')
headers[header] = request.META[key]
# Verify headers
hs = HeaderVerifier(
headers,
secret,
required_headers=self.required_headers,
method=request.method.lower(),
path=request.get_full_path()
)
# All of that just to get to this.
if not hs.verify():
raise FAILED
return (user, fields["keyid"])
def authenticate(self, request):
"""
Perform the actual authentication.
Note that the exception raised is always the same. This is so that we
don't leak information about in/valid keyIds and other such useful
things.
"""
auth_header = authentication.get_authorization_header(request)
if not auth_header or len(auth_header) == 0:
return None
method, fields = utils.parse_authorization_header(auth_header)
# Ignore foreign Authorization headers.
if method.lower() != 'signature':
return None
# Verify basic header structure.
if len(fields) == 0:
raise FAILED
# Ensure all required fields were included.
if len(set(("keyid", "algorithm", "signature")) -
set(fields.keys())) > 0:
raise FAILED
# Fetch the secret associated with the keyid
try:
user, secret = self.fetch_user_data(fields['keyid'],
algorithm=fields["algorithm"])
except Exception as ex:
print('Received Exception: {}'.format(ex))
if not (user and secret):
raise FAILED
# Gather all request headers and translate them as stated in the Django docs:
# https://docs.djangoproject.com/en/1.6/ref/request-response/#django.http.HttpRequest.META
headers = {}
for key in request.META.keys():
if key.startswith("HTTP_") or \
key in ("CONTENT_TYPE", "CONTENT_LENGTH"):
header = key[5:].lower().replace('_', '-')
headers[header] = request.META[key]
# Verify headers
hs = HeaderVerifier(headers,
secret,
required_headers=self.required_headers,
method=request.method.lower(),
path=request.get_full_path())
# All of that just to get to this.
if not hs.verify():
raise FAILED
return user, secret
def test_hmac(self):
hs = sign.HeaderSigner(key_id='pda', algorithm='hmac-sha256', secret='secret', headers=['(request-target)', 'Date'])
unsigned = {
'Date': 'today',
'accept': 'llamas'
}
signed = hs.sign(unsigned, method='GET', path='/path?query=123')
auth = parse_authorization_header(signed['authorization'])
params = auth[1]
self.assertIn('keyId', params)
self.assertIn('algorithm', params)
self.assertIn('signature', params)
self.assertEqual(params['keyId'], 'pda')
self.assertEqual(params['algorithm'], 'hmac-sha256')
self.assertEqual(params['signature'], 'SFlytCGpsqb/9qYaKCQklGDvwgmrwfIERFnwt+yqPJw=')
def test_default(self):
hs = sign.HeaderSigner(key_id='Test', secret=self.key)
unsigned = {
'Date': self.header_date
}
signed = hs.sign(unsigned)
self.assertIn('Date', signed)
self.assertEqual(unsigned['Date'], signed['Date'])
self.assertIn('Authorization', signed)
auth = parse_authorization_header(signed['authorization'])
params = auth[1]
self.assertIn('keyId', params)
self.assertIn('algorithm', params)
self.assertIn('signature', params)
self.assertEqual(params['keyId'], 'Test')
self.assertEqual(params['algorithm'], 'rsa-sha256')
self.assertEqual(params['signature'], 'jKyvPcxB4JbmYY4mByyBY7cZfNl4OW9HpFQlG7N4YcJPteKTu4MWCLyk+gIr0wDgqtLWf9NLpMAMimdfsH7FSWGfbMFSrsVTHNTk0rK3usrfFnti1dxsM4jl0kYJCKTGI/UWkqiaxwNiKqGcdlEDrTcUhhsFsOIo8VhddmZTZ8w=') # noqa: E501
def test_default(self):
hs = sign.HeaderSigner(key_id='Test', secret=self.key)
unsigned = {
'Date': 'Thu, 05 Jan 2012 21:31:40 GMT'
}
signed = hs.sign(unsigned)
self.assertIn('Date', signed)
self.assertEqual(unsigned['Date'], signed['Date'])
self.assertIn('Authorization', signed)
auth = parse_authorization_header(signed['authorization'])
params = auth[1]
self.assertIn('keyId', params)
self.assertIn('algorithm', params)
self.assertIn('signature', params)
self.assertEqual(params['keyId'], 'Test')
self.assertEqual(params['algorithm'], 'rsa-sha256')
self.assertEqual(params['signature'], 'ATp0r26dbMIxOopqw0OfABDT7CKMIoENumuruOtarj8n/97Q3htHFYpH8yOSQk3Z5zh8UxUym6FYTb5+A0Nz3NRsXJibnYi7brE/4tx5But9kkFGzG+xpUmimN4c3TMN7OFH//+r8hBf7BT9/GmHDUVZT2JzWGLZES2xDOUuMtA=')
def test_default(self):
hs = sign.HeaderSigner(key_id='Test', secret=self.key)
unsigned = {'Date': 'Thu, 05 Jan 2012 21:31:40 GMT'}
signed = hs.sign(unsigned)
self.assertIn('Date', signed)
self.assertEqual(unsigned['Date'], signed['Date'])
self.assertIn('Authorization', signed)
auth = parse_authorization_header(signed['authorization'])
params = auth[1]
self.assertIn('keyId', params)
self.assertIn('algorithm', params)
self.assertIn('signature', params)
self.assertEqual(params['keyId'], 'Test')
self.assertEqual(params['algorithm'], 'rsa-sha256')
self.assertEqual(
params['signature'],
'ATp0r26dbMIxOopqw0OfABDT7CKMIoENumuruOtarj8n/97Q3htHFYpH8yOSQk3Z5zh8UxUym6FYTb5+A0Nz3NRsXJibnYi7brE/4tx5But9kkFGzG+xpUmimN4c3TMN7OFH//+r8hBf7BT9/GmHDUVZT2JzWGLZES2xDOUuMtA='
)
def test_other_default(self):
hs = sign.HeaderSigner(key_id='Test',
secret=self.key_1024,
sign_algorithm=PSS(hash_algorithm="sha512",
salt_length=0))
unsigned = {'Date': self.header_date}
signed = hs.sign(unsigned)
self.assertIn('Date', signed)
self.assertEqual(unsigned['Date'], signed['Date'])
self.assertIn('Authorization', signed)
auth = parse_authorization_header(signed['authorization'])
params = auth[1]
self.assertIn('keyId', params)
self.assertIn('algorithm', params)
self.assertIn('signature', params)
self.assertEqual(params['keyId'], 'Test')
self.assertEqual(params['algorithm'], 'hs2019')
self.assertEqual(
params['signature'],
'Gw8FOaXNxqwJHXwJ30OKiMFpK5zP916CFtzK7/biKi9NppjGAlpUfFKqp5kK+bFRyXxqUzQ1x5cbSeFzRWnqodNNO60ApYbOVD7ePqJfZ3DJFAxYOMzoECzc+lyVskSHKC0Ue8aYiV66gXTuY7hrEIqUsK3To/DhSNgO8csdzwg='
)
def test_default(self):
hs = sign.HeaderSigner(key_id='Test',
secret=self.key_2048,
sign_algorithm=PSS(hash_algorithm="sha512",
salt_length=0))
unsigned = {'Date': self.header_date}
signed = hs.sign(unsigned)
self.assertIn('Date', signed)
self.assertEqual(unsigned['Date'], signed['Date'])
self.assertIn('Authorization', signed)
auth = parse_authorization_header(signed['authorization'])
params = auth[1]
self.assertIn('keyId', params)
self.assertIn('algorithm', params)
self.assertIn('signature', params)
self.assertEqual(params['keyId'], 'Test')
self.assertEqual(params['algorithm'], 'hs2019')
self.assertEqual(
params['signature'],
'T8+Cj3Zp2cBDm2r8/loPgfHUSSFXXyZJNxxbNx1NvKVz/r5T4z6pVxhl9rqk8WfYHMdlh2aT5hCrYKvhs88Jy0DDmeUP4nELWRsO1BF0oAqHfcrbEikZQL7jA6z0guVaLr0S5QRGmd1K5HUEkP/vYEOns+FRL+JrFG4dNJNESvG5iyKUoaXfoZCFdqtzLlIteEAL7dW/kaX/dE116wfpbem1eCABuGopRhuFtjqLKVjuUVwyP/zSYTqd9j+gDhinkAifTJPxbGMh0b5LZdNCqw5irT9NkTcTFRXDp8ioX8r805Z9QhjT7H+rSo350U2LsAFoQ9ttryPBOoMPCiQTlw=='
) # noqa: E501
def test_all(self):
hs = sign.HeaderSigner(key_id='Test',
secret=self.key,
headers=[
'(request-target)', 'host', 'date',
'content-type', 'content-md5',
'content-length'
])
unsigned = {
'Host': 'example.com',
'Date': 'Thu, 05 Jan 2012 21:31:40 GMT',
'Content-Type': 'application/json',
'Content-MD5': 'Sd/dVLAcvNLSq16eXua5uQ==',
'Content-Length': '18',
}
signed = hs.sign(unsigned,
method='POST',
path='/foo?param=value&pet=dog')
self.assertIn('Date', signed)
self.assertEqual(unsigned['Date'], signed['Date'])
self.assertIn('Authorization', signed)
auth = parse_authorization_header(signed['authorization'])
params = auth[1]
self.assertIn('keyId', params)
self.assertIn('algorithm', params)
self.assertIn('signature', params)
self.assertEqual(params['keyId'], 'Test')
self.assertEqual(params['algorithm'], 'rsa-sha256')
self.assertEqual(
params['headers'],
'(request-target) host date content-type content-md5 content-length'
)
self.assertEqual(
params['signature'],
'G8/Uh6BBDaqldRi3VfFfklHSFoq8CMt5NUZiepq0q66e+fS3Up3BmXn0NbUnr3L1WgAAZGplifRAJqp2LgeZ5gXNk6UX9zV3hw5BERLWscWXlwX/dvHQES27lGRCvyFv3djHP6Plfd5mhPWRkmjnvqeOOSS0lZJYFYHJz994s6w='
)
def test_all(self):
hs = sign.HeaderSigner(key_id='Test',
secret=self.key_2048,
sign_algorithm=PSS("sha512", salt_length=0),
headers=[
'(request-target)', 'host', 'date',
'content-type', 'digest', 'content-length'
])
unsigned = {
'Host': self.header_host,
'Date': self.header_date,
'Content-Type': self.header_content_type,
'Digest': self.header_digest,
'Content-Length': self.header_content_length,
}
signed = hs.sign(unsigned,
method=self.test_method,
path=self.test_path)
self.assertIn('Date', signed)
self.assertEqual(unsigned['Date'], signed['Date'])
self.assertIn('Authorization', signed)
auth = parse_authorization_header(signed['authorization'])
params = auth[1]
self.assertIn('keyId', params)
self.assertIn('algorithm', params)
self.assertIn('signature', params)
self.assertEqual(params['keyId'], 'Test')
self.assertEqual(params['algorithm'], 'hs2019')
self.assertEqual(
params['headers'],
'(request-target) host date content-type digest content-length')
self.assertEqual(
params['signature'],
'bxWyLDB/Tuhzxd/tWG2g60l3Goyk9XJZzj2ouNKizZuZoe1Ngj+19N11bhK7FABHJ7lSzH5g6fp5LkN894ivIv6N29L2sPssuAkqgzNXyvYkp4KWOr5j7sVpApmRH7gf7THljcXosmrYk5gdBTspixpJJJ5LGkkPKCRAFurmi/LqopSH6cJbLJNIccTu2dTMGEeDOqqNterVmfonpZyPeBsEEwoeOo6d8zgHzB/1Xxk7dfELFbA1c0LE5kZbwEIEFPmS01YFz6EJW7Aj8kzvzwQRyvgDobi25niGOy/D7JVHvtDjBIaJedFuFJSb8rZ2DGryBQ6NwchMp3f2MUoTGg=='
) # noqa: E501
def authenticate(self, request):
"""
Perform the actual authentication.
Note that the exception raised is always the same. This is so that we
don't leak information about in/valid keyIds and other such useful
things.
"""
auth_header = authentication.get_authorization_header(request)
if not auth_header or len(auth_header) == 0:
return None
method, fields = utils.parse_authorization_header(auth_header)
# Ignore foreign Authorization headers.
if method.lower() != "signature":
return None
# Verify basic header structure.
if len(fields) == 0:
raise FAILED
# Ensure all required fields were included.
if len(set(("keyid", "algorithm", "signature")) -
set(fields.keys())) > 0:
raise FAILED
# Fetch the secret associated with the keyid
user, secret = self.fetch_user_data(fields["keyid"],
algorithm=fields["algorithm"])
if not (user and secret):
raise FAILED
# Verify headers
hs = HeaderVerifier(
request.headers,
secret,
required_headers=self.required_headers,
method=request.method.lower(),
path=request.get_full_path(),
)
# All of that just to get to this.
if not hs.verify():
raise FAILED
# Check if the signature is expired
expires = request.headers.get("(expires)", None)
try:
expires = int(expires)
except TypeError:
expires = None
if expires and time.time() > expires:
raise FAILED
if 'On-Behalf-Of' in request.headers:
user = self.fetch_on_behalf_of_user(
request.headers['On-Behalf-Of'])
if not user:
raise exceptions.AuthenticationFailed(
"On behalf of user was not found.")
return (user, None)
return (user, fields["keyid"])
