def login_for_apps():
"""Login for API access only"""
if request.method == "GET":
session['unsigned_access_token'] = random_token()
session['logged_in'] = False
return jsonify({
"token":
session['unsigned_access_token'],
"signature":
server_key.sign_message(session['unsigned_access_token'])
})
elif request.method == "POST":
# Client posts it's login name and a signed token.
data = request.get_json()
# Verify signed token against stored public key for that name.
pubkey = APIKey(db.get_pub_key(data['login'])['pubkey'])
try:
pubkey.verify_message(session['unsigned_access_token'],
data['signature'])
except Exception, e:
session['logged_in'] = False
del session['unsigned_access_token']
return make_response(jsonify({'error': 'Bad token signature.'}),
401)
# Token has valid signature, grant login:
session['user_id'] = data['login']
session['logged_in'] = True
# Mark this session as safe to bypass csrf protection, due to the ECDSA authentication:
session['bypass_csrf'] = True
return jsonify({'success': 'Logged in'})
def login_for_apps():
"""Login for API access only"""
if request.method == "GET":
session["unsigned_access_token"] = random_token()
session["logged_in"] = False
return jsonify(
{
"token": session["unsigned_access_token"],
"signature": server_key.sign_message(session["unsigned_access_token"]),
}
)
elif request.method == "POST":
# Client posts it's login name and a signed token.
data = request.get_json()
# Verify signed token against stored public key for that name.
pubkey = APIKey(db.get_pub_key(data["login"])["pubkey"])
try:
pubkey.verify_message(session["unsigned_access_token"], data["signature"])
except Exception, e:
session["logged_in"] = False
del session["unsigned_access_token"]
return make_response(jsonify({"error": "Bad token signature."}), 401)
# Token has valid signature, grant login:
session["user_id"] = data["login"]
session["logged_in"] = True
# Mark this session as safe to bypass csrf protection, due to the ECDSA authentication:
session["bypass_csrf"] = True
return jsonify({"success": "Logged in"})
def authenticate():
token_to_sign = random_token()
cmd = Command.new(ws, action='authenticate', token=token_to_sign)
response = cmd.send()
context['cluster'] = cluster = response['cluster']
client_pubkey = db.get_pub_key(cluster)
client_apikey = APIKey(client_pubkey['pubkey'])
# Verify the client correctly signed the token:
try:
client_apikey.verify_message(token_to_sign, response.get('signature'))
except:
response.respond(message='Bad Signature of token for authentication', done=True)
log.error('client provided bad signature for auth token')
raise
response.respond(authenticated=True, done=True)
# Client will ask us to authenticate too:
command = receive_data(ws)
assert command.get('action') == 'authenticate'
data = {'signature' :context['apikey'].sign_message(command['token'])}
response = command.respond(**data)
if response.get('authenticated') != True:
raise UnauthenticatedError("Our peer could not validate our signed auth token")
def authenticate():
token_to_sign = random_token()
cmd = Command.new(ws, action='authenticate', token=token_to_sign)
response = cmd.send()
context['cluster'] = cluster = response['cluster']
client_pubkey = db.get_pub_key(cluster)
client_apikey = APIKey(client_pubkey['pubkey'])
# Verify the client correctly signed the token:
try:
client_apikey.verify_message(token_to_sign,
response.get('signature'))
except:
response.respond(
message='Bad Signature of token for authentication', done=True)
log.error('client provided bad signature for auth token')
raise
response.respond(authenticated=True, done=True)
# Client will ask us to authenticate too:
command = receive_data(ws)
assert command.get('action') == 'authenticate'
data = {'signature': context['apikey'].sign_message(command['token'])}
response = command.respond(**data)
if response.get('authenticated') != True:
raise UnauthenticatedError(
"Our peer could not validate our signed auth token")
def create_credentials():
"""Create ecdsa keypair for authenticating with server. Save these to
a config file in the home directory."""
print("Config file is : {config_path}".format(
config_path=CLIENT_CONFIG_PATH))
# Check for cluster name:
config = ConfigParser.RawConfigParser()
config.read(CLIENT_CONFIG_PATH)
if not config.has_section("cluster"):
config.add_section("cluster")
if config.has_option('cluster', 'name'):
cluster_name = config.get('cluster', 'name')
else:
while True:
cluster_name = raw_input('Enter a name for this cluster: ')
if not re.match(r'^[a-zA-Z0-9_-]+$', cluster_name):
print(
"Cluster name must be of the characters a-z, A-Z, 0-9, _ and -"
)
continue
break
config.set('cluster', 'name', cluster_name)
with open(CLIENT_CONFIG_PATH, "wb") as f:
config.write(f)
os.chmod(CLIENT_CONFIG_PATH, 0600)
print(
"Cluster name is: {cluster_name}\n".format(cluster_name=cluster_name))
# Check for existing client key:
try:
# Load existing config:
apikey = APIKey.load()
except BadConfigFileException:
apikey = APIKey.new()
apikey.save()
print("Your public key is: {key}\n".format(key=apikey.get_pub_key()))
# Check for existing server key:
try:
# Load existing config:
apikey = APIKey.load(key_type='server')
except BadConfigFileException:
server_key = raw_input("Input the server's public key:")
try:
apikey = APIKey(server_key)
except:
print("Invalid server key, does not decode to a valid ecdsa key.")
exit(1)
# Verify server key:
verify_code = raw_input("Input the server verify code: ")
token, sig = base64.decodestring(verify_code).split("|")
apikey.verify_message(token, sig)
apikey.save(key_type='server')
print("Server public key is: {key}".format(key=apikey.get_pub_key()))
def create_credentials():
"""Create ecdsa keypair for authenticating with server. Save these to
a config file in the home directory."""
print("Config file is : {config_path}".format(config_path=CLIENT_CONFIG_PATH))
# Check for cluster name:
config = ConfigParser.RawConfigParser()
config.read(CLIENT_CONFIG_PATH)
if not config.has_section("cluster"):
config.add_section("cluster")
if config.has_option('cluster', 'name'):
cluster_name = config.get('cluster', 'name')
else:
while True:
cluster_name = raw_input('Enter a name for this cluster: ')
if not re.match(r'^[a-zA-Z0-9_-]+$', cluster_name):
print("Cluster name must be of the characters a-z, A-Z, 0-9, _ and -")
continue
break
config.set('cluster', 'name', cluster_name)
with open(CLIENT_CONFIG_PATH, "wb") as f:
config.write(f)
os.chmod(CLIENT_CONFIG_PATH, 0600)
print("Cluster name is: {cluster_name}\n".format(cluster_name=cluster_name))
# Check for existing client key:
try:
# Load existing config:
apikey = APIKey.load()
except BadConfigFileException:
apikey = APIKey.new()
apikey.save()
print("Your public key is: {key}\n".format(key=apikey.get_pub_key()))
# Check for existing server key:
try:
# Load existing config:
apikey = APIKey.load(key_type='server')
except BadConfigFileException:
server_key = raw_input("Input the server's public key:")
try:
apikey = APIKey(server_key)
except:
print("Invalid server key, does not decode to a valid ecdsa key.")
exit(1)
# Verify server key:
verify_code = raw_input("Input the server verify code: ")
token, sig = base64.decodestring(verify_code).split("|")
apikey.verify_message(token, sig)
apikey.save(key_type='server')
print("Server public key is: {key}".format(key=apikey.get_pub_key()))
