Example #1
0
    def test_upload_form(self):
        # make a correct one
        nonce = 'foobar'
        set_course = 'course_foo'
        username = 'foo'
        redirect_to = "http://www.example.com/"
        hmc = hmac.new(smart_bytes(settings.MEDIATHREAD_SECRET),
                       smart_bytes(
                           '%s:%s:%s' % (username, redirect_to, nonce)),
                       hashlib.sha1
                       ).hexdigest()

        response = self.c.get(
            "/mediathread/",
            {
                'nonce': nonce,
                'as': username,
                'redirect_url': redirect_to,
                'set_course': set_course,
                'hmac': hmc
            }
        )
        self.assertNotContains(
            response,
            "invalid authentication token")
Example #2
0
    def urlencode(self, safe=None):
        """
        Returns an encoded string of all query string arguments.

        :arg safe: Used to specify characters which do not require quoting, for
            example::

                >>> q = QueryDict('', mutable=True)
                >>> q['next'] = '/a&b/'
                >>> q.urlencode()
                'next=%2Fa%26b%2F'
                >>> q.urlencode(safe='/')
                'next=/a%26b/'

        """
        output = []
        if safe:
            safe = smart_bytes(safe, self.encoding)
            encode = lambda k, v: '%s=%s' % ((quote(k, safe), quote(v, safe)))
        else:
            encode = lambda k, v: urlencode({k: v})
        for k, list_ in self.lists():
            k = smart_bytes(k, self.encoding)
            output.extend([encode(k, smart_bytes(v, self.encoding))
                           for v in list_])
        return '&'.join(output)
Example #3
0
    def delete(self):
        if settings.DEFAULT_FILE_STORAGE == "utils.backends.s3_boto.S3BotoStorage":
            bucket, key = open_s3()
            bucket.delete_key(smart_bytes(str(self.original_file)))
            bucket.delete_key(smart_bytes(str(self.profile_thumbnail)))
            bucket.delete_key(smart_bytes(str(self.search_thumbnail)))
        # TODO needs work
        """
        else:
            #Prevent trying to access undefined variable error if the files truly do not exist on the server
            absolute_original_path = None
            absolute_thumbnail_path = None

            #If we are going to delete the file from the database, we need to remove the file from the file system.
            #We need to remove both the thumbnail and the original photo
            if self.thumbnail_file:
                absolute_thumbnail_path = os.path.join(settings.MEDIA_ROOT, str(self.thumbnail_file))
                #Make sure all of the separators (the forward and backward slashes) are aligned correctly
                absolute_thumbnail_path = os.path.normpath(absolute_thumbnail_path)
            if self.original_file:
                absolute_original_path = os.path.join(settings.MEDIA_ROOT, str(self.original_file))
                #Make sure all of the separators (the forward and backward slashes) are aligned correctly
                absolute_original_path = os.path.normpath(absolute_original_path)

            if absolute_thumbnail_path and os.path.isfile(absolute_thumbnail_path):
                os.remove(absolute_thumbnail_path)

            if absolute_original_path and os.path.isfile(absolute_original_path):
                os.remove(absolute_original_path)
        """

        # Actually delete the Photo object from the DB
        super(Photo, self).delete()
Example #4
0
def set_email(username, email):
    """
    Set the email attribute in LDAP. Used for Officer email forwarding.
    Although LDAP allows multiple email attributes, we only allow one.
    """
    ldap_handle = initialize()
    if ldap_handle is None:
        return False

    username = smart_bytes(username)
    email = smart_bytes(email)

    udn = 'uid=%s,%s' % (username, settings.LDAP_BASE['PEOPLE'])
    try:
        email_results = ldap_handle.search_s(
            udn, settings.LDAP['SCOPE'], '(mail=*)')
    except ldap.LDAPError:
        return False

    if len(email_results) == 0:
        attr = [(ldap.MOD_ADD, 'mail', email)]
    else:
        attr = [(ldap.MOD_REPLACE, 'mail', email)]

    try:
        ldap_handle.modify_s(udn, attr)
    except ldap.LDAPError:
        return False
    return True
Example #5
0
 def get_signature_hmac(self, data, message):
     signature_hmac = hmac.new(
         key=smart_bytes(settings.CMSCLOUD_SYNC_KEY),
         msg=smart_bytes(message),
         digestmod=hashlib.sha1,
     )
     return signature_hmac
Example #6
0
def mod_user_group(username, group, action=ldap.MOD_ADD):
    """
    Adds or removes a user to/from an LDAP group. Default action is to add.
    Returns True on success, False otherwise (including errors)
    """
    if action not in [ldap.MOD_ADD, ldap.MOD_DELETE]:
        return False

    ldap_handle = initialize()
    if ldap_handle is None:
        return False

    username = smart_bytes(username)
    group = smart_bytes(group)

    gdn = 'cn=%s,%s' % (group, settings.LDAP_BASE['GROUP'])
    if get_group_member_attr(group) == 'memberUid':
        attr = [(action, 'memberUid', username)]
    else:
        udn = 'uid=%s,%s' % (username, settings.LDAP_BASE['PEOPLE'])
        attr = [(action, 'member', udn)]

    try:
        ldap_handle.modify_s(gdn, attr)
    except ldap.LDAPError:
        return False
    return True
Example #7
0
def generate_sha1(string, salt=None):
    """
    Generates a sha1 hash for supplied string. Doesn't need to be very secure
    because it's not used for password checking. We got Django for that.

    :param string:
        The string that needs to be encrypted.

    :param salt:
        Optionally define your own salt. If none is supplied, will use a random
        string of 5 characters.

    :return: Tuple containing the salt and hash.

    """
    if not isinstance(string, (str, text_type)):
        string = str(string)

    if not salt:
        salt = sha1(str(random.random()).encode('utf-8')).hexdigest()[:5]

    salted_bytes = (smart_bytes(salt) + smart_bytes(string))
    hash_ = sha1(salted_bytes).hexdigest()

    return salt, hash_
Example #8
0
def obfuscate(password):
    """
    Hashes a password using (salted) SHA1 algorithm.
    Also converts password to byte string before processing.
    A None or '' password is considered unusable.
    Unusable passwords will be corrupted with a UNUSABLE_PASSWORD_PREFIX and
    instead hash a random password.
    OpenLDAP 2.4.x only supports SHA1. Would be nice if they supported
    an algorithm that is more secure.
    """
    hash_prefix = LDAP_HASH_PREFIX
    # Set unusable password if None or empty string
    if not password:
        hash_prefix += UNUSABLE_PASSWORD_PREFIX
        password = get_random_string(
            length=UNUSABLE_PASSWORD_SUFFIX_LENGTH,
            allowed_chars=string.printable)
    try:
        salt = os.urandom(LDAP_SALT_LENGTH)
    except NotImplementedError:
        salt = ''.join(
            [chr(random.randint(0, 255)) for _ in range(LDAP_SALT_LENGTH)])
    hmsg = hashlib.new('sha1')
    # openldap SSHA uses this format:
    # '{SSHA}' + b64encode(sha1_digest('secret' + 'salt') + 'salt')
    hmsg.update(smart_bytes(password))
    hmsg.update(salt)
    pw_hash = base64.b64encode(hmsg.digest() + salt)
    return smart_bytes(hash_prefix + pw_hash)
def make_key(k, with_locale=True):
    """Generate the full key for ``k``, with a prefix."""
    key = encoding.smart_bytes('%s:%s' % (config.CACHE_PREFIX, k))
    if with_locale:
        key += encoding.smart_bytes(translation.get_language())
    # memcached keys must be < 250 bytes and w/o whitespace, but it's nice
    # to see the keys when using locmem.
    return hashlib.md5(key).hexdigest()
Example #10
0
 def is_valid(self):
     verify = hmac.new(
         smart_bytes(settings.MEDIATHREAD_SECRET),
         smart_bytes(
             '%s:%s:%s' % (self.username, self.redirect_to, self.nonce)),
         hashlib.sha1
     ).hexdigest()
     return verify == self.hmc
def generate_cache_key(prefix, *args, **kwargs):
    arg_str = ":".join(smart_bytes(a) for a in args)
    kwarg_str = ":".join("{}={}".format(smart_bytes(k), smart_bytes(v)) for k, v in kwargs.items())
    key_str = "{}::{}".format(arg_str, kwarg_str)
    argkwarg_str = md5(smart_bytes(key_str)).hexdigest()
    if not isinstance(prefix, basestring):
        prefix = "_".join(str(a) for a in prefix)
    return "{}__{}".format(prefix, argkwarg_str)
Example #12
0
    def get_topic_hash(self):
        topic_hash = self.cleaned_data.get('topic_hash', None)

        if topic_hash:
            return topic_hash

        return utils.get_hash((
            smart_bytes(self.cleaned_data['title']),
            smart_bytes('category-{}'.format(self.cleaned_data['category'].pk))))
Example #13
0
def make_key(key, with_locale=True, normalize=False):
    """Generate the full key for ``k``, with a prefix."""
    if with_locale:
        key = u'{key}:{lang}'.format(
            key=key, lang=translation.get_language())

    if normalize:
        return hashlib.md5(encoding.smart_bytes(key)).hexdigest()
    return encoding.smart_bytes(key)
    def _test_update(self, base_form, update_view=TransactionalUpdateView):
        self.assertEqual(0, TestModel.objects.count())
        tm1 = TestModel.objects.create(unique=1)
        tm2 = TestModel.objects.create(unique=2)

        def first(semaphore):
            try:
                first.as_expected = False
                view = get_acquiring_view(base_form, update_view, semaphore).as_view()
                request = self.factory.post("/", { 'id': tm1.pk, 'unique': '3' })
                first.response = view(request, pk=tm1.pk)
                first.response.render()
                first.as_expected = True
            finally:
                connection.close()

        def second(semaphore):
            try:
                second.as_expected = False
                view = get_releasing_view(base_form, update_view, semaphore).as_view()
                request = self.factory.post("/", { 'id': tm2.pk, 'unique': '3' })
                second.response = view(request, pk=tm2.pk)
                second.as_expected = True
            finally:
                connection.close()

        semaphore = threading.Semaphore()
        semaphore.acquire()
        first_thread = threading.Thread(target=first, args=[semaphore])
        second_thread = threading.Thread(target=second, args=[semaphore])
        first_thread.daemon = True
        second_thread.daemon = True

        first_thread.start()
        second_thread.start()
        second_thread.join()
        first_thread.join()

        # okay, so the validation checks should both have passed
        # before either thread got to saving, so we should get the
        # releasing view (ie the second thread) having succeeded and
        # the first displaying a validation error on its form.
        self.assertEqual(True, first.as_expected)
        self.assertEqual(True, second.as_expected)
        self.assertEqual(2, TestModel.objects.count())
        tm1 = TestModel.objects.get(pk=tm1.pk)
        self.assertEqual(1, tm1.unique)
        tm2 = TestModel.objects.get(pk=tm2.pk)
        self.assertEqual(3, tm2.unique)

        self.assertEqual(200, first.response.status_code)
        self.assertTrue(smart_bytes('errorlist') in first.response.content)
        self.assertTrue(smart_bytes('errorlist') not in second.response.content)
        self.assertEqual(302, second.response.status_code)
        self.assertEqual('/', second.response['Location'])
        return first, second
Example #15
0
    def test_smart_bytes(self):
        class Test:
            def __str__(self):
                return 'ŠĐĆŽćžšđ'

        lazy_func = gettext_lazy('x')
        self.assertIs(smart_bytes(lazy_func), lazy_func)
        self.assertEqual(smart_bytes(Test()), b'\xc5\xa0\xc4\x90\xc4\x86\xc5\xbd\xc4\x87\xc5\xbe\xc5\xa1\xc4\x91')
        self.assertEqual(smart_bytes(1), b'1')
        self.assertEqual(smart_bytes('foo'), b'foo')
Example #16
0
    def get_filtered_queryset(self, qs):
        filters = {}
        query_string = self.GET.get("query_string", None)

        if query_string:
            for item in query_string.split("&"):
                k, v = item.split("=")
                if k != "t":
                    filters[smart_bytes(k)] = prepare_lookup_value(smart_bytes(k), smart_bytes(v))
        return qs.filter(**filters)
Example #17
0
def generate_signature(policy, secret_key):
    """
    Returns a Base64-encoded signature value that authorizes
    the form and proves that only you could have created it.
    This value is calculated by signing the Base64-encoded
    policy document with your AWS Secret Key.
    """
    hmac_signature = hmac.new(
        smart_bytes(secret_key), smart_bytes(policy), hashlib.sha1)

    return base64.b64encode(hmac_signature.digest())
Example #18
0
def rename_user(username, new_username):
    """
    Renames a user. Only updates LDAP. Does not save model.
    Both arguments are mandatory.
    Returns a (bool, string) tuple for success and reason.
    """
    if not (username and new_username):
        return (False, 'Invalid username argument(s)')

    ldap_handle = initialize()
    if ldap_handle is None:
        return (False, 'LDAP connection failed')

    username = smart_bytes(username)
    new_username = smart_bytes(new_username)

    # Validate new username
    if USERNAME_REGEX.match(new_username) is None:
        return (False, 'Invalid username. ' + settings.USERNAME_HELPTEXT)

    # Make sure new username not yet taken
    if username_exists(new_username):
        return (False, 'Requested username is already taken')

    old_dn = 'uid=%s,%s' % (username, settings.LDAP_BASE['PEOPLE'])
    new_rdn = 'uid=%s' % (new_username)

    try:
        ldap_handle.rename_s(old_dn, new_rdn)
    except ldap.LDAPError:
        return (False, 'LDAP error while renaming user')

    # Search in posixGroups (i.e. cn=web) for old username and replace
    # with new username. groupOfNames are automatically changed by rename_s
    search_str = '(memberUid=%s)' % (username)
    try:
        group_results = ldap_handle.search_s(
            settings.LDAP_BASE['GROUP'], settings.LDAP['SCOPE'], search_str)
    except ldap.LDAPError:
        return (False, 'LDAP error while searching for group memberships')

    for (gdn, gattr) in group_results:
        new_g = copy.copy(gattr)
        new_g['memberUid'] = [member if member != username else new_username
                              for member in gattr['memberUid']]
        mod_g = ldap.modlist.modifyModlist(gattr, new_g)
        try:
            ldap_handle.modify_s(gdn, mod_g)
        except ldap.LDAPError:
            return (False, 'LDAP error while migrating groups')

    return (True, 'User %s renamed to %s' % (username, new_username))
Example #19
0
 def to_python(self, value):
     """Overrides ``models.Field`` method. This is used to convert
     bytes (from serialization etc) to an instance of this class"""
     if value is None:
         return None
     elif isinstance(value, oauth2client.client.Credentials):
         return value
     else:
         try:
             return jsonpickle.decode(
                 base64.b64decode(encoding.smart_bytes(value)).decode())
         except ValueError:
             return pickle.loads(
                 base64.b64decode(encoding.smart_bytes(value)))
Example #20
0
    def process_response(self, request, response):
        html_types = ('text/html', 'application/xhtml+xml')
        content_type = response.get('Content-Type', '').split(';')[0]
        content_encoding = response.get('Content-Encoding', '')
        if any((getattr(response, 'streaming', False),
                'gzip' in content_encoding,
                content_type not in html_types)):
            return response

        if settings.RESPONSIVE_COOKIE_NAME not in request.COOKIES \
                or getattr(request, 'INVALID_RESPONSIVE_COOKIE', False):
            expires = datetime.datetime.utcnow() + \
                datetime.timedelta(days=settings.RESPONSIVE_COOKIE_AGE)
            snippet = render_to_string('responsive/snippet.html', {
                'cookie_name': settings.RESPONSIVE_COOKIE_NAME,
                'cookie_age': 60 * 60 * 24 * settings.RESPONSIVE_COOKIE_AGE,  # convert to secs
                'cookie_expires': expires.strftime('%a, %d %b %Y %H:%M:%S GMT')
            })
            pattern = re.compile(b'<head>', re.IGNORECASE)
            response.content = pattern.sub(b'<head>' + smart_bytes(snippet), response.content)

            if response.get('Content-Length', None):
                response['Content-Length'] = len(response.content)

        patch_vary_headers(response, ('Cookie', ))
        return response
Example #21
0
    def test_large_upload(self):
        tdir = tempfile.gettempdir()

        file1 = tempfile.NamedTemporaryFile(suffix=".file1", dir=tdir)
        file1.write(b'a' * (2 ** 21))
        file1.seek(0)

        file2 = tempfile.NamedTemporaryFile(suffix=".file2", dir=tdir)
        file2.write(b'a' * (10 * 2 ** 20))
        file2.seek(0)

        post_data = {
            'name': 'Ringo',
            'file_field1': file1,
            'file_field2': file2,
            }

        for key in list(post_data):
            try:
                post_data[key + '_hash'] = hashlib.sha1(post_data[key].read()).hexdigest()
                post_data[key].seek(0)
            except AttributeError:
                post_data[key + '_hash'] = hashlib.sha1(smart_bytes(post_data[key])).hexdigest()

        response = self.client.post('/file_uploads/verify/', post_data)

        self.assertEqual(response.status_code, 200)
Example #22
0
File: auth.py Project: cloudera/hue
    def _verify_jws(self, payload, key):
        """Verify the given JWS payload with the given key and return the payload"""
        jws = JWS.from_compact(payload)

        try:
            alg = jws.signature.combined.alg.name
        except KeyError:
            msg = 'No alg value found in header'
            raise SuspiciousOperation(msg)

        if alg != self.OIDC_RP_SIGN_ALGO:
            msg = "The provider algorithm {!r} does not match the client's " \
                  "OIDC_RP_SIGN_ALGO.".format(alg)
            raise SuspiciousOperation(msg)

        if isinstance(key, six.string_types):
            # Use smart_bytes here since the key string comes from settings.
            jwk = JWK.load(smart_bytes(key))
        else:
            # The key is a json returned from the IDP JWKS endpoint.
            jwk = JWK.from_json(key)

        if not jws.verify(jwk):
            msg = 'JWS token verification failed.'
            raise SuspiciousOperation(msg)

        return jws.payload
Example #23
0
    def execute_command(self, command, content):
        pipe = subprocess.Popen(command, shell=True, stdout=subprocess.PIPE,
                                stdin=subprocess.PIPE, stderr=subprocess.PIPE)

        try:
            pipe.stdin.write(smart_bytes(content))
        except IOError as e:
            message = "Unable to pipe content to command: %s" % command
            raise CompressorError(message, e)
        pipe.stdin.close()

        compressed_content = pipe.stdout.read()
        pipe.stdout.close()

        error = pipe.stderr.read()
        pipe.stderr.close()

        if pipe.wait() != 0:
            if not error:
                error = "Unable to apply %s compressor" % self.__class__.__name__
            raise CompressorError(error)

        if self.verbose:
            print(error)
        return compressed_content
Example #24
0
    def get_comment_hash(self):
        assert self.topic

        # This gets saved into
        # User.last_post_hash,
        # it does not matter whether
        # is a safe string or not
        comment_hash = self.cleaned_data.get('comment_hash', None)

        if comment_hash:
            return comment_hash

        return utils.get_hash((
            smart_bytes(self.cleaned_data['comment']),
            smart_bytes('thread-{}'.format(self.topic.pk))
        ))
Example #25
0
    def to_python(self, value):
        """
        :param value:
        :return:
        """
        if not self.deserialize:

            return super(JsonField, self).to_python(value)

        if value == "":
            return None

        try:
            if isinstance(value, six.text_type):
                value = json.loads(value, encoding=settings.DEFAULT_CHARSET)

            elif isinstance(value, six.string_types):
                value = json.loads(smart_text(value), encoding=settings.DEFAULT_CHARSET)

            elif type(value) == UnicodeType:
                # Fallback Unicode problem
                value = json.loads(smart_bytes(value), encoding=settings.DEFAULT_CHARSET)

        except ValueError:
            try:
                # Fallback: django serializer may cast dict or list value as string
                value = ast.literal_eval(value)
            except ValueError:
                raise
        return value
Example #26
0
def get_group_members(group):
    """
    Return a list of the members in the group.
    """
    ldap_handle = initialize()
    if ldap_handle is None:
        return False

    group = smart_bytes(group)
    searchstr = '(cn=%s)' % group
    try:
        entry = ldap_handle.search_s(settings.LDAP_BASE['GROUP'],
                                     settings.LDAP['SCOPE'],
                                     searchstr)
    except ldap.LDAPError:
        return False

    # Should only return one successful entry (since there should only be one
    # group that matches the group parameter used with this function)
    if len(entry) != 1 or len(entry[0]) != 2:
        return False

    member_attribute = get_group_member_attr(group)
    entry_properties = entry[0][1]
    if member_attribute in entry_properties:
        return entry_properties[member_attribute]
    else:
        # It is possible for a posixGroup to have no members, in which case
        # 'memberUid' will not be listed in the entry's properties, indicating
        # that there are no members (so return an empty list):
        return []
Example #27
0
def get_group_member_attr(group):
    """
    Returns the group member attribute type for this group: "member" if this
    group is of the objectClass groupOfNames, or "memberUid" if it is of the
    objectClass posixGroup.
    """
    ldap_handle = initialize()
    if ldap_handle is None:
        return False

    group = smart_bytes(group)
    searchstr = '(cn=%s)' % group
    try:
        entry = ldap_handle.search_s(settings.LDAP_BASE['GROUP'],
                                     settings.LDAP['SCOPE'],
                                     searchstr)
    except ldap.LDAPError:
        return False

    # Should only return one successful entry (since there should only be one
    # group that matches the group parameter used with this function)
    if len(entry) != 1 or len(entry[0]) != 2:
        return False

    entry_properties = entry[0][1]
    group_classes = entry_properties['objectClass']
    if 'posixGroup' in group_classes:
        member_attribute = 'memberUid'
    elif 'groupOfNames' in group_classes:
        member_attribute = 'member'
    else:
        return False
    return member_attribute
Example #28
0
def default_username_algo(email):
    # store the username as a base64 encoded sha1 of the email address
    # this protects against data leakage because usernames are often
    # treated as public identifiers (so we can't use the email address).
    return base64.urlsafe_b64encode(
        hashlib.sha1(smart_bytes(email)).digest()
    ).rstrip(b'=')
Example #29
0
def get_email(username):
    """
    Gets the user's email attribute from LDAP
    Returns the string (currently bytestring) or False if an error occurred.
    """
    ldap_handle = initialize()
    if ldap_handle is None:
        return False

    username = smart_bytes(username)
    udn = 'uid=%s,%s' % (username, settings.LDAP_BASE['PEOPLE'])
    try:
        entry = ldap_handle.search_s(
            udn, settings.LDAP['SCOPE'], '(mail=*)', ['mail'])
    except ldap.LDAPError:
        return False
    entry_len = len(entry)
    if entry_len == 0:
        mail_admins('LDAP Anomaly Detected',
                    'No search results found for %s in "get_email"' % username)
    elif entry_len > 1:
        entries = []
        for e in entry:
            entries.append(e[0])
        mail_admins('LDAP Anomaly Detected',
                    'Multiple search results for %s in "get_email":\n%s' % (
                        username, '\n'.join(entries)))
        return False
    # Invalid search result. Each search result must be a 2-tuple
    if len(entry[0]) != 2:
        return False
    return get_property(entry[0][1], 'mail') or False
Example #30
0
def has_usable_password(username):
    """
    Gets the user's password entry from LDAP.
    Returns False if it's an unusable password, or encounters LDAP errors
    """
    ldap_handle = initialize()
    if ldap_handle is None:
        return False

    username = smart_bytes(username)
    try:
        entry = ldap_handle.search_s(
            settings.LDAP_BASE['PEOPLE'],
            settings.LDAP['SCOPE'],
            '(uid=%s)' % username,
            ['userPassword'])
    except ldap.LDAPError:
        return False
    entry_len = len(entry)
    if entry_len != 1:
        mail_admins('LDAP Anomaly Detected',
                    'Found %d userPassword attributes for %s ' % (
                        entry_len,
                        username))
    # Invalid search result. Each search result must be a 2-tuple
    if len(entry[0]) != 2:
        return False
    pw_hash = get_property(entry[0][1], 'userPassword')
    return pw_hash and UNUSABLE_PASSWORD_PREFIX not in pw_hash