def test_verify_third_party_caveats(self): m = Macaroon( location='http://mybank/', identifier='we used our other secret key', key='this is a different super-secret key; \ never use the same secret twice' ) m.add_first_party_caveat('account = 3735928559') caveat_key = '4; guaranteed random by a fair toss of the dice' identifier = 'this was how we remind auth of key/pred' m.add_third_party_caveat('http://auth.mybank/', caveat_key, identifier) discharge = Macaroon( location='http://auth.mybank/', key=caveat_key, identifier=identifier ) discharge.add_first_party_caveat('time < 2015-01-01T00:00') protected = m.prepare_for_request(discharge) v = Verifier() v.satisfy_exact('account = 3735928559') v.satisfy_exact('time < 2015-01-01T00:00') verified = v.verify( m, 'this is a different super-secret key; \ never use the same secret twice', discharge_macaroons=[protected] ) assert_true(verified)
def test_verify_third_party_caveats(self): m = Macaroon( location='http://mybank/', identifier='we used our other secret key', key='this is a different super-secret key; \ never use the same secret twice' ) m.add_first_party_caveat('account = 3735928559') caveat_key = '4; guaranteed random by a fair toss of the dice' identifier = 'this was how we remind auth of key/pred' m.add_third_party_caveat('http://auth.mybank/', caveat_key, identifier) discharge = Macaroon( location='http://auth.mybank/', key=caveat_key, identifier=identifier ) discharge.add_first_party_caveat('time < 2015-01-01T00:00') protected = m.prepare_for_request(discharge) v = Verifier() v.satisfy_exact('account = 3735928559') v.satisfy_exact('time < 2015-01-01T00:00') verified = v.verify( m, 'this is a different super-secret key; \ never use the same secret twice', discharge_macaroons=[protected] ) assert_true(verified)
def test_verify_first_party_exact_caveats(self): m = Macaroon( location='http://mybank/', identifier='we used our secret key', key='this is our super secret key; only we should know it') m.add_first_party_caveat('test = caveat') v = Verifier() v.satisfy_exact('test = caveat') verified = v.verify( m, 'this is our super secret key; only we should know it') assert_true(verified)
def assert_macaroon(m, discharge, version): assert_equal(m.location, 'my location') assert_equal(m.version, version) assert_equal(m.identifier_bytes, b'my identifier') v = Verifier(discharge_macaroons=[discharge]) v.satisfy_exact('fp caveat') verified = v.verify( m, "my secret key", ) assert_true(verified)
def assert_macaroon(m, discharge, version): assert_equal(m.location, 'my location') assert_equal(m.version, version) assert_equal(m.identifier_bytes, b'my identifier') v = Verifier(discharge_macaroons=[discharge]) v.satisfy_exact('fp caveat') verified = v.verify( m, "my secret key", ) assert_true(verified)
def test_verify_first_party_exact_caveats(self): m = Macaroon( location='http://mybank/', identifier='we used our secret key', key='this is our super secret key; only we should know it' ) m.add_first_party_caveat('test = caveat') v = Verifier() v.satisfy_exact('test = caveat') verified = v.verify( m, 'this is our super secret key; only we should know it' ) assert_true(verified)
def verify( macaroon: Macaroon, key: bytes, roles: List[str], caveats: List[str], used: int, req: Request, ) -> bool: assert macaroon v_obj = Verifier() v_obj.satisfy_exact(f"user = {macaroon.identifier}") for role in roles: v_obj.satisfy_exact(f"role = {role}") # satisfy specific actions in the API for caveat in caveats: v_obj.satisfy_exact(f"action = {caveat}") # satify same origin restrictions v_obj.satisfy_exact(f"origin = {req.headers['origin']}") # satisfy macaroon with time expiry v_obj.satisfy_general(lambda x: x.split(" = ")[0] == "expiry" and int( x.split(" = ")[1]) > time()) # satisfy macaroon with limited uses v_obj.satisfy_general(lambda x: x.split(" = ")[0] == "uses" and int( x.split(" = ")[1]) > used) # satisfy any with 'amount' caveat. Currently only included so macaroon user can tell amount v_obj.satisfy_general(lambda x: x.split(" = ")[0] == "amount") return bool(v_obj.verify(macaroon, key))
def test_verify_encrypted_first_party_exact_caveats(self): m = Macaroon( location='http://mybank/', identifier='we used our secret key', key='this is our super secret key; only we should know it') m.first_party_caveat_delegate = EncryptedFirstPartyCaveatDelegate() m.add_first_party_caveat('test = caveat', encrypted=True) v = Verifier() v.first_party_caveat_verifier_delegate = EncryptedFirstPartyCaveatVerifierDelegate( ) v.satisfy_exact('test = caveat') verified = v.verify( m, 'this is our super secret key; only we should know it') assert_true(verified)
def test_verify_encrypted_first_party_exact_caveats(self): m = Macaroon( location='http://mybank/', identifier='we used our secret key', key='this is our super secret key; only we should know it' ) m.first_party_caveat_delegate = EncryptedFirstPartyCaveatDelegate() m.add_first_party_caveat('test = caveat', encrypted=True) v = Verifier() v.first_party_caveat_verifier_delegate = EncryptedFirstPartyCaveatVerifierDelegate() v.satisfy_exact('test = caveat') verified = v.verify( m, 'this is our super secret key; only we should know it' ) assert_true(verified)
def access_picture_with_macaroon(picture_id, macaroon): m = Macaroon.deserialize(macaroon) v = Verifier() v.satisfy_exact('view_pictures = True') v.satisfy_exact('picture_id = ' + str(picture_id)) try: verified = v.verify(m, keys[m.identifier]) except MacaroonInvalidSignatureException: verified = False images = [False, False, False] images[picture_id] = True resp = make_response( render_template("home.html", showimages=verified, images=images, macaroon=m.inspect().replace("\n", "<br/>"))) return resp
def photo_album(): macaroonCookie = request.cookies.get('macaroonCookie') if macaroonCookie is not None and macaroonCookie != "": m = Macaroon.deserialize(macaroonCookie) v = Verifier() v.satisfy_exact('view_pictures = True') try: verified = v.verify(m, keys[m.identifier]) except MacaroonInvalidSignatureException: verified = False images = [True, True, True] resp = make_response( render_template("home.html", showimages=verified, images=images, macaroon=m.inspect().replace("\n", "<br/>"))) return resp else: return redirect(url_for("login"))
def gallery_token(token, image_name): if token: #Decode token n = Macaroon.deserialize(token) v = Verifier() form = forms.VerifyEmail() #On valid for submission if form.validate_on_submit(): #Verify Macaroon is valid v.satisfy_exact('email = {}'.format(form.email.data)) v.satisfy_exact('image_name = {}'.format(image_name)) v.satisfy_general(check_expiry) try: verified = v.verify(n, keys[n.identifier]) return send_from_directory(app.config['UPLOADED_IMAGES_DEST'], filename=image_name, as_attachment=False) except: flash("Unable to access") return render_template('validate_email.html', form=form, token=token, image_name=image_name) return render_template('validate_email.html', form=form, token=token, image_name=image_name) else: flash("Unable to access") return render_template('validate_email.html', form=form, token=token, image_name=image_name)