def authenticate(self, options): """ options can have the following * checkNonceFn - A callback to validate if a given nonce is valid * timestampSkewSec - Allows for clock skew in seconds. Defaults to 60. * localtimeOffsetMsec - Offset for client time. Defaults to 0. * options.payload - Required """ now = math.floor(time.time()) self._check_options(options) attributes = util.parse_authorization_header( self.req['headers']['authorization']) artifacts = self._prepare_artifacts(attributes) log.debug('artifacts=%s' % pprint.pformat(artifacts)) credentials = self.credentials_fn(attributes['id']) mac = self._calculate_mac(credentials, artifacts) if not util.compare(mac, attributes['mac']): log.info("Ours [" + mac + "] Theirs [" + attributes['mac'] + "]") raise BadMac if 'payload' in options: if 'hash' not in attributes: log.info("Missing required payload hash") raise BadRequest p_hash = hcrypto.calculate_payload_hash(options['payload'], credentials['algorithm'], self.req['contentType']) log.debug('payload=%s' % options['payload']) log.debug('algorithm=%s, contentType=%s' % (credentials['algorithm'], self.req['contentType'])) if not util.compare(p_hash, attributes['hash']): log.info("Bad payload hash") raise BadRequest if 'check_nonce_fn' in options: if not options['check_nonce_fn'](attributes['nonce'], attributes['ts']): raise BadRequest skew = int(options['timestampSkewSec']) if math.fabs(int(attributes['ts']) - now) > skew: log.info("Expired request") raise BadRequest return artifacts
def authenticate(self, req, options): """ options can have the following * checkNonceFn - A callback to validate if a given nonce is valid * timestampSkewSec - Allows for clock skew in seconds. Defaults to 60. * localtimeOffsetMsec - Offset for client time. Defaults to 0. * options.payload - Required """ now = math.floor(time.time()) self._check_options(options) attributes = util.parse_authorization_header( req['headers']['authorization']) artifacts = self._prepare_artifacts(req, attributes) credentials = self.credentials_fn(attributes['id']) mac = self._calculate_mac(credentials, artifacts) # TODO prevent timing attach if not mac == attributes['mac']: print "Ours [" + mac + "] Theirs [" + attributes['mac'] + "]" raise BadMac if 'payload' in options: if 'hash' not in attributes: print "Missing required payload hash" raise BadRequest p_hash = hcrypto.calculate_payload_hash(options['payload'], credentials['algorithm'], req['contentType']) if not p_hash == attributes['hash']: print "Bad payload hash" raise BadRequest if 'check_nonce_fn' in options: if not options['check_nonce_fn'](attributes['nonce'], attributes['ts']): raise BadRequest skew = int(options['timestampSkewSec']) if math.fabs(int(attributes['ts'].split(".")[0]) - now) > skew: print "Expired request" raise BadTimingRequest(now) return artifacts
def authenticate(response, credentials, artifacts, options=None): """Validate server response. :param response: dictionary with server response :param artifacts: object recieved from header().artifacts :param options: { payload: optional payload received required: specifies if a Server-Authorization header is required. Defaults to 'false' } """ if not isinstance(response, dict) or 'headers' not in response: return False if 'content-type' not in response['headers']: log.warn("response lacked content-type") response['headers']['content-type'] = 'text/plain' if options is None: options = {} if 'required' not in options: options['required'] = False if 'www-authenticate' in response['headers']: www_auth_attrs = util.parse_authorization_header( response['headers']['www-authenticate'], ['ts', 'tsm', 'error']) if 'ts' in www_auth_attrs: ts_mac = hcrypto.calculate_ts_mac(www_auth_attrs['ts'], credentials) if not util.compare(ts_mac, www_auth_attrs['ts']): log.info(ts_mac + " didn't match " + www_auth_attrs['ts']) return False if 'server-authorization' not in response['headers'] and \ False == options['required']: return True if 'server-authorization' not in response['headers']: log.info("Unable to verify, no server-authorization header") return False s_auth_attrs = util.parse_authorization_header( response['headers']['server-authorization'], ['mac', 'ext', 'hash']) if 'ext' in s_auth_attrs: artifacts['ext'] = s_auth_attrs['ext'] else: artifacts['ext'] = '' artifacts['hash'] = s_auth_attrs['hash'] mac = hcrypto.calculate_mac('response', credentials, artifacts) if not util.compare(mac, s_auth_attrs['mac']): log.info("server mac mismatch " + mac + " != " + s_auth_attrs['mac']) return False if 'payload' not in options: return True if 'hash' not in s_auth_attrs: return False content_type = response['headers']['content-type'] p_mac = hcrypto.calculate_payload_hash(options['payload'], credentials['algorithm'], content_type) if not util.compare(p_mac, s_auth_attrs['hash']): log.info("p_mac " + p_mac + " != " + s_auth_attrs['hash']) return util.compare(p_mac, s_auth_attrs['hash'])
def authenticate(response, credentials, artifacts, options=None): """Validate server response. :param response: dictionary with server response :param artifacts: object recieved from header().artifacts :param options: { payload: optional payload received required: specifies if a Server-Authorization header is required. Defaults to 'false' } """ if not isinstance(response, dict) or 'headers' not in response: return False if 'content-type' not in response['headers']: print "WARNING response lacked content-type" response['headers']['content-type'] = 'text/plain' if options is None: options = {} if 'required' not in options: options['required'] = False if 'www-authenticate' in response['headers']: www_auth_attrs = util.parse_authorization_header( response['headers']['www-authenticate'], ['ts', 'tsm', 'error']) if 'ts' in www_auth_attrs: ts_mac = hcrypto.calculate_ts_mac(www_auth_attrs['ts'], credentials) if not util.compare(ts_mac, www_auth_attrs['ts']): print ts_mac + " didn't match " + www_auth_attrs['ts'] return False if 'server-authorization' not in response['headers'] and \ False == options['required']: return True if 'server-authorization' not in response['headers']: print "Unable to verify, no server-authorization header" return False s_auth_attrs = util.parse_authorization_header( response['headers']['server-authorization'], ['mac', 'ext', 'hash']) if 'ext' in s_auth_attrs: artifacts['ext'] = s_auth_attrs['ext'] else: artifacts['ext'] = '' artifacts['hash'] = s_auth_attrs['hash'] mac = hcrypto.calculate_mac('response', credentials, artifacts) if not util.compare(mac, s_auth_attrs['mac']): print "server mac mismatch " + mac + " != " + s_auth_attrs['mac'] return False if 'payload' in options: return True if 'hash' not in s_auth_attrs: return False content_type = response['headers']['content-type'] p_mac = hcrypto.calculate_payload_hash(options['payload'], credentials['algorithm'], content_type) if not util.compare(p_mac, s_auth_attrs['hash']): print "p_mac " + p_mac + " != " + s_auth_attrs['hash'] return util.compare(p_mac, s_auth_attrs['hash'])