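def update_one_corp(corp):
    """Pull every data set that *corp* shares with us over an authenticated session.

    The exchange, all of it through ``HttpClient``:

    1. ``GET /corp/auth/startsession/`` with our key fingerprint; the remote
       corp answers with a session secret encrypted to our public key.
    2. Decrypt that secret with our private key, re-encrypt it with the remote
       corp's public key and ``POST`` it back, proving we hold the private key.
    3. ``GET /corp/share/allowed/`` (AES-encrypted with the session secret) to
       learn which ``SharedData`` URLs we may pull, pull each of them and hand
       the decoded payload to ``SharedData.call_handler``.
    4. ``GET /corp/auth/endsession/`` so the server discards the session. This
       now runs from a ``finally`` block, so a failure while pulling data no
       longer leaves the session open on the remote side.

    Args:
        corp: the remote ``Corporation`` to synchronise with; ``ecm_url``,
            ``public_key`` and ``corporationName`` are read from it.

    Returns:
        None. Per-URL failures are logged and skipped; an error during the
        handshake propagates to the caller.
    """
    my_corp = Corporation.objects.mine()
    client = HttpClient()
    session_secret = _open_session(client, corp, my_corp)
    try:
        allowed_urls = _fetch_allowed_urls(client, corp, session_secret)
        if not allowed_urls:
            LOG.warning('%r is not sharing any data with us', corp.corporationName)
        # ``or []`` guards against a JSON ``null`` answer, which would otherwise
        # blow up in the ``for`` with a TypeError.
        for url in allowed_urls or []:
            _pull_shared_data(client, corp, session_secret, url)
    finally:
        _close_session(client, corp)


def _open_session(client, corp, my_corp):
    """Run the RSA challenge/response handshake and return the session secret."""
    auth_url = urlparse.urljoin(corp.ecm_url, '/corp/auth/startsession/')
    LOG.debug('Establishing secure data exchange with %r...', corp.ecm_url)
    response = client.get(
        auth_url,
        headers={'Authorization': 'RSA %s' % my_corp.key_fingerprint})
    cipher_txt_in = response.read()
    # The server encrypted the secret to our public key: only the holder of
    # my_corp.private_key can recover it.
    session_secret = crypto.rsa_decrypt(my_corp.private_key, cipher_txt_in)
    # Echo it back encrypted to the remote corp's public key, which shows the
    # server that we could decrypt it (i.e. that we own the fingerprinted key).
    cipher_txt_out = crypto.rsa_encrypt(corp.public_key, session_secret)
    client.post(auth_url, cipher_txt_out)
    return session_secret


def _fetch_allowed_urls(client, corp, session_secret):
    """Return the list of shared-data URLs the remote corp lets us pull."""
    LOG.debug('Fetching which data %r is sharing with us...', corp)
    response = client.get(
        urlparse.urljoin(corp.ecm_url, '/corp/share/allowed/'))
    data = crypto.aes_decrypt(session_secret, response.read())
    return json.loads(data)


def _pull_shared_data(client, corp, session_secret, url):
    """Fetch one shared URL, decrypt/decompress it and dispatch it to its handler.

    Failures are logged and swallowed so that one bad data set does not stop
    the remaining ones from being pulled.
    """
    try:
        # ``url`` comes from the remote server; it only selects one of our own
        # SharedData rows and the request below uses that row's ``url``, never
        # the raw remote value.
        shared_data = SharedData.objects.get(url=url)
    except SharedData.DoesNotExist:
        LOG.error('Unknown SharedData with url=%r', url)
        return
    try:
        LOG.debug('Fetching shared data %r...', url)
        response = client.get(
            urlparse.urljoin(corp.ecm_url, shared_data.url))
        raw_data = crypto.aes_decrypt(session_secret, response.read())
        if response.info().getheader(
                'content-type') == 'application/gzip-compressed':
            raw_data = zlib.decompress(raw_data)
        shared_data.call_handler(corp, json.loads(raw_data))
    except Exception:
        # Narrowed from a bare ``except`` so KeyboardInterrupt/SystemExit still
        # propagate; everything else is recorded with its traceback.
        LOG.exception('Failed to process shared data %r from %r', url, corp.ecm_url)


def _close_session(client, corp):
    """Ask the server to discard the session. Best effort: logs, never raises."""
    LOG.debug('Ending secure session with %r...', corp.ecm_url)
    try:
        # finally destroy our session info to be sure nobody will steal it :)
        client.get(urlparse.urljoin(corp.ecm_url, '/corp/auth/endsession/'))
    except Exception:
        # Called from a ``finally`` block: raising here would mask the error
        # that is already propagating, so only record it.
        LOG.exception('Could not end secure session with %r', corp.ecm_url)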
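def update_one_corp(corp):
    """Pull every data set that *corp* shares with us over an authenticated session.

    The exchange, all of it through ``HttpClient``:

    1. ``GET /corp/auth/startsession/`` with our key fingerprint; the remote
       corp answers with a session secret encrypted to our public key.
    2. Decrypt that secret with our private key, re-encrypt it with the remote
       corp's public key and ``POST`` it back, proving we hold the private key.
    3. ``GET /corp/share/allowed/`` (AES-encrypted with the session secret) to
       learn which ``SharedData`` URLs we may pull, pull each of them and hand
       the decoded payload to ``SharedData.call_handler``.
    4. ``GET /corp/auth/endsession/`` so the server discards the session. This
       now runs from a ``finally`` block, so a failure while pulling data no
       longer leaves the session open on the remote side.

    Args:
        corp: the remote ``Corporation`` to synchronise with; ``ecm_url``,
            ``public_key`` and ``corporationName`` are read from it.

    Returns:
        None. Per-URL failures are logged and skipped; an error during the
        handshake propagates to the caller.
    """
    my_corp = Corporation.objects.mine()
    client = HttpClient()
    session_secret = _open_session(client, corp, my_corp)
    try:
        allowed_urls = _fetch_allowed_urls(client, corp, session_secret)
        if not allowed_urls:
            LOG.warning('%r is not sharing any data with us', corp.corporationName)
        # ``or []`` guards against a JSON ``null`` answer, which would otherwise
        # blow up in the ``for`` with a TypeError.
        for url in allowed_urls or []:
            _pull_shared_data(client, corp, session_secret, url)
    finally:
        _close_session(client, corp)


def _open_session(client, corp, my_corp):
    """Run the RSA challenge/response handshake and return the session secret."""
    auth_url = urlparse.urljoin(corp.ecm_url, '/corp/auth/startsession/')
    LOG.debug('Establishing secure data exchange with %r...', corp.ecm_url)
    response = client.get(
        auth_url,
        headers={'Authorization': 'RSA %s' % my_corp.key_fingerprint})
    cipher_txt_in = response.read()
    # The server encrypted the secret to our public key: only the holder of
    # my_corp.private_key can recover it.
    session_secret = crypto.rsa_decrypt(my_corp.private_key, cipher_txt_in)
    # Echo it back encrypted to the remote corp's public key, which shows the
    # server that we could decrypt it (i.e. that we own the fingerprinted key).
    cipher_txt_out = crypto.rsa_encrypt(corp.public_key, session_secret)
    client.post(auth_url, cipher_txt_out)
    return session_secret


def _fetch_allowed_urls(client, corp, session_secret):
    """Return the list of shared-data URLs the remote corp lets us pull."""
    LOG.debug('Fetching which data %r is sharing with us...', corp)
    response = client.get(
        urlparse.urljoin(corp.ecm_url, '/corp/share/allowed/'))
    data = crypto.aes_decrypt(session_secret, response.read())
    return json.loads(data)


def _pull_shared_data(client, corp, session_secret, url):
    """Fetch one shared URL, decrypt/decompress it and dispatch it to its handler.

    Failures are logged and swallowed so that one bad data set does not stop
    the remaining ones from being pulled.
    """
    try:
        # ``url`` comes from the remote server; it only selects one of our own
        # SharedData rows and the request below uses that row's ``url``, never
        # the raw remote value.
        shared_data = SharedData.objects.get(url=url)
    except SharedData.DoesNotExist:
        LOG.error('Unknown SharedData with url=%r', url)
        return
    try:
        LOG.debug('Fetching shared data %r...', url)
        response = client.get(
            urlparse.urljoin(corp.ecm_url, shared_data.url))
        raw_data = crypto.aes_decrypt(session_secret, response.read())
        if response.info().getheader(
                'content-type') == 'application/gzip-compressed':
            raw_data = zlib.decompress(raw_data)
        shared_data.call_handler(corp, json.loads(raw_data))
    except Exception:
        # Narrowed from a bare ``except`` so KeyboardInterrupt/SystemExit still
        # propagate; everything else is recorded with its traceback.
        LOG.exception('Failed to process shared data %r from %r', url, corp.ecm_url)


def _close_session(client, corp):
    """Ask the server to discard the session. Best effort: logs, never raises."""
    LOG.debug('Ending secure session with %r...', corp.ecm_url)
    try:
        # finally destroy our session info to be sure nobody will steal it :)
        client.get(urlparse.urljoin(corp.ecm_url, '/corp/auth/endsession/'))
    except Exception:
        # Called from a ``finally`` block: raising here would mask the error
        # that is already propagating, so only record it.
        LOG.exception('Could not end secure session with %r', corp.ecm_url)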
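def post_response(request):
    """Second leg of the RSA challenge/response: verify the client's echoed secret.

    The first leg (not in this listing) is expected to have stored the
    client's key fingerprint and a fresh session secret in ``request.session``
    under ``AUTH_FINGERPRINT`` / ``AUTH_SECRET``. The client sends that secret
    back encrypted to our public key; if it decrypts to the stored value the
    session is flagged ``SESSION_AUTHENTICATED``.

    Args:
        request: the incoming request; ``request.body`` is the RSA ciphertext.

    Returns:
        ``HttpResponse`` with status ACCEPTED on success, UNAUTHORIZED when no
        challenge is pending for this session or the secret does not match.
    """
    key_fingerprint = request.session.get(AUTH_FINGERPRINT)
    secret = request.session.get(AUTH_SECRET)
    if key_fingerprint is None or secret is None:
        # No challenge was issued on this session: nothing to verify.
        return HttpResponse(status=http.UNAUTHORIZED)
    given_secret = crypto.rsa_decrypt(Corporation.objects.mine().private_key,
                                      request.body)
    if _secrets_match(given_secret, secret):
        # authentication successful! The secret deliberately stays in the
        # session: the pulling side keeps using it as the AES key for the
        # responses it fetches afterwards.
        request.session[SESSION_AUTHENTICATED] = True
        return HttpResponse(status=http.ACCEPTED)
    return HttpResponse(status=http.UNAUTHORIZED)


def _secrets_match(given, expected):
    """Constant-time equality of two secrets; a type mismatch is a failed match."""
    import hmac  # function-scope: the module's import block is outside this listing
    try:
        # ``==`` on str/bytes short-circuits at the first differing byte, so
        # its timing leaks how much of the guess is right; compare_digest
        # takes the same time regardless of where the inputs differ.
        return hmac.compare_digest(given, expected)
    except TypeError:
        # compare_digest needs both sides to be bytes, or both ASCII str;
        # anything else cannot be the stored secret.
        return False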