def get_authenticated_user(self, auth_cookie):
"""Determine the name of the currently logged-in user, if any.
Parses the authentication cookie passsed in as a string, verifies
the signatures and, if all checks succeed, returns the name of
the authenticated user.
Args:
auth_cookie: value of the cookie used for authentication.
Returns:
Name of the authenticated user, or an empty string if the user
authentication cannot be verified or is empty.
"""
if len(auth_cookie) == 0:
return ""
tc = token_pb2.TokenCookie()
tcc = token_cookie.TokenCookieCodec(tc,
pubkey=self._cert.get_pub_key())
try:
tcc.decode(auth_cookie)
except token_cookie.SignatureException as e:
return ""
except token_cookie.TokenExpiredException as e:
return ""
return tc.basic_creds.user_name
def login_handler(self, access_token):
"""Handle a login response from the login server.
This should be invoked when an HTTP post from the login server
occurs. This method will return any local cookies to set up and
redirects the user back to the URL requested with the login
operation.
Please note that when the /login handler is invoked, the peer
will not be the login server, but the user.
Args:
access_token: the content of the access_token HTTP parameter
sent by the login server. This will essentially be a signed,
base64 encoded token with user information.
Returns:
Tuple with the cookie value to set the authentication token,
and the URL to redirect the user to.
"""
atr = token_pb2.AuthTokenResponse()
atrc = token_cookie.AuthTokenResponseCodec(atr, cacert=self._ca)
atrc.decode(access_token)
expiry = datetime.now() + timedelta(1)
tc = token_pb2.TokenCookie()
tc.basic_creds.user_name = atr.basic_creds.user_name
tc.basic_creds.scope.extend(atr.basic_creds.scope)
tc.basic_creds.expires = calendar.timegm(expiry.utctimetuple())
tcc = token_cookie.TokenCookieCodec(tc, privkey=self._rsa_key)
cookiedata = tcc.encode()
return (cookiedata, atr.original_uri)
def test_sign_and_decrypt(self):
"""Encode and decode a token cookie object."""
cert, key = gen_certificate()
# Create a TokenCookie with the basic credentials.
tc = token_pb2.TokenCookie()
set_basic_creds(tc.basic_creds)
# Create the codec and encode.
tcc = token_cookie.TokenCookieCodec(tc, privkey=key)
data = tcc.encode()
# Verify the signature.
vtc = token_pb2.TokenCookie()
vtcc = token_cookie.TokenCookieCodec(vtc, pubkey=cert.get_pub_key())
vtcc.decode(data)
self.assertEqual(tc, vtc)
def test_verify_expired_cookie(self):
"""Verify a cookie with its expiry set in the past."""
cert, key = gen_certificate()
# Create a TokenCookie with the basic credentials.
tc = token_pb2.TokenCookie()
set_basic_creds(tc.basic_creds)
tc.basic_creds.expires -= 90
# Create the codec and encode.
tcc = token_cookie.TokenCookieCodec(tc, privkey=key)
data = tcc.encode()
# Verify the signature.
vtc = token_pb2.TokenCookie()
vtcc = token_cookie.TokenCookieCodec(vtc, pubkey=cert.get_pub_key())
self.assertRaises(token_cookie.TokenExpiredException, vtcc.decode,
data)
def test_authenticated_user(self):
"""Test if we can extract the user from a TokenCookie."""
key = importKey(_TEST_KEY)
token = token_pb2.TokenCookie()
token.basic_creds.user_name = 'testosteronius'
token.basic_creds.scope.append('users')
token.basic_creds.expires = calendar.timegm(
datetime.utcnow().timetuple()) + 30
codec = token_cookie.TokenCookieCodec(token, privkey=key)
cookie = codec.encode()
auth = authenticator.Authenticator("Unit Test", cert=_TEST_CERT)
self.assertEquals(auth.get_authenticated_user(cookie),
'testosteronius')
def get_authenticated_scopes(self, auth_cookie):
"""Determines the scopes the authenticated user belongs to.
Returns a list of the names of all scopes the user is in. If no user
is authenticated, an empty list is returned.
Args:
auth_cookie: value of the cookie used for authentication.
Returns:
List of all scopes the user is authorized for.
"""
tc = token_pb2.TokenCookie()
tcc = token_cookie.TokenCookieCodec(tc,
pubkey=self._cert.get_pub_key())
tcc.decode(auth_cookie)
return tc.basic_creds.scope
def test_verify_wrong_signature(self):
"""Verify a wrong signature."""
cert, key = gen_certificate()
# Set up a token cookie with test data.
tc = token_pb2.TokenCookie()
set_basic_creds(tc.basic_creds)
# Fill in a bogus signature.
h = SHA256.new('A' * 42)
signer = PKCS1_v1_5.new(key)
tc.signature = signer.sign(h)
# Finally, build our own base64.
data = base64.urlsafe_b64encode(tc.SerializeToString())
# Verify the signature.
vtc = token_pb2.TokenCookie()
tcc = token_cookie.TokenCookieCodec(vtc, pubkey=cert.get_pub_key())
self.assertRaises(token_cookie.SignatureException, tcc.decode, data)