def _decrypt_data(self, session_data):
"""Bas64, decipher, then un-serialize the data for the session
dict"""
if self.encrypt_key:
try:
nonce = session_data[:8]
encrypt_key = crypto.generateCryptoKeys(self.encrypt_key,
self.validate_key + nonce, 1)
payload = b64decode(session_data[8:])
data = crypto.aesDecrypt(payload, encrypt_key)
except:
# As much as I hate a bare except, we get some insane errors
# here that get tossed when crypto fails, so we raise the
# 'right' exception
if self.invalidate_corrupt:
return None
else:
raise
try:
return util.pickle.loads(data)
except:
if self.invalidate_corrupt:
return None
else:
raise
else:
data = b64decode(session_data)
return util.pickle.loads(data)
def _decrypt_data(self, session_data):
"""Bas64, decipher, then un-serialize the data for the session
dict"""
if self.encrypt_key:
try:
nonce = session_data[:8]
encrypt_key = crypto.generateCryptoKeys(
self.encrypt_key, self.validate_key + nonce, 1)
payload = b64decode(session_data[8:])
data = crypto.aesDecrypt(payload, encrypt_key)
except:
# As much as I hate a bare except, we get some insane errors
# here that get tossed when crypto fails, so we raise the
# 'right' exception
if self.invalidate_corrupt:
return None
else:
raise
try:
return util.pickle.loads(data)
except:
if self.invalidate_corrupt:
return None
else:
raise
else:
data = b64decode(session_data)
return util.pickle.loads(data)
def send_beaker_encrypt(validate_key, add, payload, encrypt_key):
from beaker import crypto #yes we need it, will port it when we have time
nonce = '12345678' #anything 8 bytes
encrypt_key = crypto.generateCryptoKeys(encrypt_key, validate_key + nonce, 1)
data = nonce + b64(crypto.aesEncrypt(payload, encrypt_key))
mac = hmac(validate_key, data.encode('UTF-8'), hashlib.sha1).hexdigest()
s = mac + data
print requests.get(add, cookies={'beaker.session.id':s})
def _hash(username, pwd, salt=None):
"""Hash username and password, generating salt value if required
:returns: base-64 encoded str.
"""
if salt is None:
salt = os.urandom(32)
assert len(salt) == 32, "Incorrect salt length"
h = crypto.generateCryptoKeys(username + pwd, salt, 10)
return b64encode(salt + h)
def _encrypt_data(self):
"""Serialize, encipher, and base64 the session dict"""
if self.encrypt_key:
nonce = b64encode(os.urandom(40))[:8]
encrypt_key = crypto.generateCryptoKeys(self.encrypt_key, self.validate_key + nonce, 1)
data = pickle.dumps(self.copy(), 2)
return nonce + b64encode(crypto.aesEncrypt(data, encrypt_key))
else:
data = pickle.dumps(self.copy(), 2)
return b64encode(data)
def _hash(username, pwd, salt=None):
"""Hash username and password, generating salt value if required
:returns: base-64 encoded str.
"""
if salt is None:
salt = os.urandom(32)
assert len(salt) == 32, "Incorrect salt length"
h = crypto.generateCryptoKeys(username + pwd, salt, 10)
return b64encode(salt + h)
def _encrypt_data(self):
"""Serialize, encipher, and base64 the session dict"""
if self.encrypt_key:
nonce = b64encode(os.urandom(40))[:8]
encrypt_key = generateCryptoKeys(self.encrypt_key,
self.validate_key + nonce, 1)
data = cPickle.dumps(self.copy(), 2)
return nonce + b64encode(aesEncrypt(data, encrypt_key))
else:
data = cPickle.dumps(self.copy(), 2)
return b64encode(data)
def _encrypt_data(self):
"""Cerealize, encipher, and base64 the session dict"""
if self.encrypt_key:
nonce = b64encode(os.urandom(40))[:8]
encrypt_key = generateCryptoKeys(self.encrypt_key, self.validate_key + nonce, 1)
ctrcipher = aes.AES(encrypt_key)
data = cPickle.dumps(self.dict, protocol=2)
return nonce + b64encode(ctrcipher.process(data))
else:
data = cPickle.dumps(self.dict, protocol=2)
return b64encode(data)
def _encrypt_data(self, session_data=None):
"""Serialize, encipher, and base64 the session dict"""
session_data = session_data or self.copy()
if self.encrypt_key:
nonce = b64encode(os.urandom(6))[:8]
encrypt_key = crypto.generateCryptoKeys(self.encrypt_key,
self.validate_key + nonce, 1)
data = util.pickle.dumps(session_data, 2)
return nonce + b64encode(crypto.aesEncrypt(data, encrypt_key))
else:
return b64encode(util.pickle.dumps(session_data))
def _encrypt_data(self, session_data=None):
"""Serialize, encipher, and base64 the session dict"""
session_data = session_data or self.copy()
if self.encrypt_key:
nonce = b64encode(os.urandom(40))[:8]
encrypt_key = crypto.generateCryptoKeys(self.encrypt_key,
self.validate_key + nonce, 1)
data = util.pickle.dumps(session_data, 2)
return nonce + b64encode(crypto.aesEncrypt(data, encrypt_key))
else:
data = util.pickle.dumps(session_data, 2)
return b64encode(data)
def _decrypt_data(self):
"""Bas64, decipher, then un-cerealize the data for the session dict"""
if self.encrypt_key:
nonce = self.cookie[self.key].value[:8]
encrypt_key = generateCryptoKeys(self.encrypt_key, self.validate_key + nonce, 1)
ctrcipher = aes.AES(encrypt_key)
payload = b64decode(self.cookie[self.key].value[8:])
data = ctrcipher.process(payload)
return cPickle.loads(data)
else:
data = b64decode(self.cookie[self.key].value)
return cPickle.loads(data)
def _decrypt_data(self):
"""Bas64, decipher, then un-serialize the data for the session
dict"""
if self.encrypt_key:
nonce = self.cookie[self.key].value[:8]
encrypt_key = crypto.generateCryptoKeys(self.encrypt_key, self.validate_key + nonce, 1)
payload = b64decode(self.cookie[self.key].value[8:])
data = crypto.aesDecrypt(payload, encrypt_key)
return pickle.loads(data)
else:
data = b64decode(self.cookie[self.key].value)
return pickle.loads(data)
def add_user():
"""Command-line utility to add a user to the auth files
"""
set_logger()
parser = argparse.ArgumentParser(description='Adds users')
parser.add_argument('config', help='configuration file', nargs='?')
parser.add_argument('--overwrite', help='overwrite existing user',
action='store_true', default=False)
args = parser.parse_args()
config = load_conf(args.config)
username = raw_input('username: '******'password: '******'p' for PBKDF2
hash = b64encode('p' + salt + h)
# now adding the user
conf_dir = config.get('auth_conf', 'auth_conf')
with open(os.path.join(conf_dir, 'users.json')) as f:
users = json.loads(f.read())
with open(os.path.join(conf_dir, 'roles.json')) as f:
roles = json.loads(f.read())
if username in users and not args.overwrite:
print('User %r exists. Use --overwrite' % username)
sys.exit(0)
users[username] = {'email_addr': '', 'role': 'user', 'hash': hash,
'desc': ''}
with open(os.path.join(conf_dir, 'users.json'), 'w') as f:
f.write(json.dumps(users))
if username not in roles['user']:
roles['user'].append(username)
with open(os.path.join(conf_dir, 'roles.json'), 'w') as f:
f.write(json.dumps(roles))
print('User %r added.' % username)
sys.exit(1)
def _encrypt_data(self, session_data=None):
"""Serialize, encipher, and base64 the session dict"""
session_data = session_data or self.copy()
if self.encrypt_key:
nonce_len, nonce_b64len = self.encrypt_nonce_size
nonce = b64encode(os.urandom(nonce_len))[:nonce_b64len]
encrypt_key = crypto.generateCryptoKeys(self.encrypt_key,
self.validate_key + nonce, 1)
data = self.serializer.dumps(session_data)
return nonce + b64encode(crypto.aesEncrypt(data, encrypt_key))
else:
data = self.serializer.dumps(session_data)
return b64encode(data)
def _decrypt_data(self, session_data):
"""Bas64, decipher, then un-serialize the data for the session
dict"""
if self.encrypt_key:
__, nonce_b64len = self.encrypt_nonce_size
nonce = session_data[:nonce_b64len]
encrypt_key = crypto.generateCryptoKeys(self.encrypt_key,
self.validate_key + nonce, 1)
payload = b64decode(session_data[nonce_b64len:])
data = crypto.aesDecrypt(payload, encrypt_key)
else:
data = b64decode(session_data)
return self.serializer.loads(data)
def _decrypt_data(self):
"""Bas64, decipher, then un-serialize the data for the session
dict"""
if self.encrypt_key:
nonce = self.cookie[self.key].value[:8]
encrypt_key = crypto.generateCryptoKeys(self.encrypt_key,
self.validate_key + nonce,
1)
payload = b64decode(self.cookie[self.key].value[8:])
data = crypto.aesDecrypt(payload, encrypt_key)
return pickle.loads(data)
else:
data = b64decode(self.cookie[self.key].value)
return pickle.loads(data)
def _hash(username, pwd, salt=None):
"""Hash username and password, generating salt value if required
Use PBKDF2 from Beaker
:returns: base-64 encoded str.
"""
if salt is None:
salt = os.urandom(32)
assert len(salt) == 32, "Incorrect salt length"
cleartext = "%s\0%s" % (username, pwd)
h = crypto.generateCryptoKeys(cleartext, salt, 10)
# 'p' for PBKDF2
return b64encode('p' + salt + h)
def _hash(username, pwd, salt=None):
"""Hash username and password, generating salt value if required
Use PBKDF2 from Beaker
:returns: base-64 encoded str.
"""
if salt is None:
salt = os.urandom(32)
assert len(salt) == 32, "Incorrect salt length"
cleartext = "%s\0%s" % (username, pwd)
h = crypto.generateCryptoKeys(cleartext, salt, 10)
# 'p' for PBKDF2
return b64encode('p' + salt + h)
def _hash(username, pwd, salt=None):
"""Hash username and password, generating salt value if required
Use PBKDF2 from Beaker
:returns: base-64 encoded str.
"""
if salt is None:
salt = os.urandom(32)
assert len(salt) == 32, "Incorrect salt length"
cleartext = "%s\0%s" % (username, pwd)
h = crypto.generateCryptoKeys(cleartext, salt, 10)
if len(h) != 32:
raise RuntimeError("The PBKDF2 hash is not 32 bytes long."
" The pycrypto library might be missing.")
# "p" for PBKDF2
return b64encode("p" + salt + h)
def _hash_pbkdf2(username, pwd, salt=None):
"""Hash username and password, generating salt value if required
Use PBKDF2 from Beaker
:returns: base-64 encoded str.
"""
if salt is None:
salt = os.urandom(32)
assert len(salt) == 32, "Incorrect salt length"
cleartext = "%s\0%s" % (username, pwd)
h = crypto.generateCryptoKeys(cleartext, salt, 10)
if len(h) != 32:
raise RuntimeError("The PBKDF2 hash is %d bytes long instead"
"of 32. The pycrypto library might be missing." % len(h))
# 'p' for PBKDF2
return b64encode('p' + salt + h)
def _decrypt_data(self, session_data, migration=False):
"""Base64, decipher, then un-serialize the data for the session
dict"""
if self.encrypt_key:
__, nonce_b64len = self.encrypt_nonce_size
nonce = session_data[:nonce_b64len]
encrypt_key = crypto.generateCryptoKeys(
self.encrypt_key,
self.validate_key + nonce,
1,
self.crypto_module.getKeyLength(),
)
payload = b64decode(session_data[nonce_b64len:])
if migration:
data = self.crypto_module_2.aesDecrypt(payload, encrypt_key)
else:
data = self.crypto_module.aesDecrypt(payload, encrypt_key)
else:
data = b64decode(session_data)
return self.serializer.loads(data)