def test_cookie_str_changed_data(self):
    """Reject a cookie string after one of its characters is overwritten."""
    rendered = self.jar.makeCookie(self.exp, self.data).output()
    # Overwrite exactly one character (index 36) so the length is unchanged.
    # The test name implies this index lies in the data part -- that cannot
    # be confirmed from this method alone.
    tampered = ''.join((rendered[:36], 'X', rendered[37:]))
    reparsed = SimpleCookie()
    reparsed.load(tampered)
    verdict = self.jar.isGoodCookieString(reparsed.output())
    self.assertFalse(verdict)
def test_cookie_str_changed_mac(self):
    """Reject a cookie string whose characters 64..66 were corrupted."""
    # header="" renders the cookie without the "Set-Cookie:" prefix, so the
    # indexes below are relative to the bare cookie text.
    rendered = self.jar.makeCookie(self.exp, self.data).output(header="")
    # The range is presumably inside the MAC (per the test name); the helper
    # that performs the corruption is defined elsewhere in the test class.
    tampered = self._corrupt_part_str(rendered, 64, 66)
    reparsed = SimpleCookie()
    reparsed.load(tampered)
    verdict = self.jar.isGoodCookieString(reparsed.output(header=""))
    self.assertFalse(verdict)
def test_cookie_str_changed_mac(self):
    """Reject a cookie string after the character at index 64 is replaced."""
    # header="" renders the cookie without the "Set-Cookie:" prefix.
    rendered = self.jar.makeCookie(self.exp, self.data).output(header="")
    # Single-character substitution keeps the length intact; index 64 is
    # presumably inside the MAC, as the test name suggests.
    tampered = ''.join((rendered[:64], 'X', rendered[65:]))
    reparsed = SimpleCookie()
    reparsed.load(tampered)
    verdict = self.jar.isGoodCookieString(reparsed.output(header=""))
    self.assertFalse(verdict)
def test_cookie_str_arbitrary_change(self):
    """Reject a cookie string that had extra text spliced into it."""
    rendered = self.jar.makeCookie(self.exp, self.data).output(header="")
    # Unlike the single-character tests this one inserts text at index 20,
    # so everything after that point shifts and the string grows.
    head, tail = rendered[:20], rendered[20:]
    tampered = ''.join((head, 'this is bad', tail))
    reparsed = SimpleCookie()
    reparsed.load(tampered)
    verdict = self.jar.isGoodCookieString(reparsed.output(header=""))
    self.assertFalse(verdict)
def test_cookie_str_changed_mac(self):
    """Reject a cookie string after the character at index 76 is replaced."""
    # output() is called with its default header here, so index 76 counts
    # from the start of the full header line.
    rendered = self.jar.makeCookie(self.exp, self.data).output()
    tampered = ''.join((rendered[:76], 'X', rendered[77:]))
    reparsed = SimpleCookie()
    reparsed.load(tampered)
    # _debug=True asks the jar for extra diagnostics on this check.
    observed = self.jar.isGoodCookieString(reparsed.output(), _debug=True)
    self.assertFalse(observed)
def __init__(self, expiry, data, dough, mac):
    # type: (float, str, str, str) -> None
    """Store the cookie parts and build the cookie carrying dough + mac."""
    # The token value and the name are the same concatenation.
    token_value = '%s%s' % (dough, mac)
    self._expiry = expiry
    self._data = data
    self._mac = mac
    self._cookie = SimpleCookie()
    self._cookie[_TOKEN] = token_value
    self._name = token_value  # XXX WebKit only.
def test_mix_unmix3(self):
    """Split a fresh cookie with unmix3 and check each recovered part."""
    cookie = self.jar.makeCookie(self.exp, self.data)
    parsed = SimpleCookie()
    parsed.load(cookie.output())
    exp, data, digest = unmix3(parsed[self._token].value)
    self.assertEqual(data, self.data)
    # exp is converted with float() before the comparison.
    self.assertEqual(float(exp), self.exp)
    # Reads the jar's private key so the expected MAC can be recomputed
    # independently: HMAC-SHA1 over mix(exp, data), hex-encoded.
    key = self.jar._key
    message = util.py3bytes(mix(self.exp, self.data))
    expected_mac = util.bin_to_hex(EVP.hmac(key, message, 'sha1'))
    self.assertEqual(digest, expected_mac)
def test_mix_unmix3(self):
    """Split a fresh cookie with unmix3 and check each recovered part."""
    cookie = self.jar.makeCookie(self.exp, self.data)
    parsed = SimpleCookie()
    parsed.load(cookie.output(header=""))
    exp, data, digest = unmix3(parsed[self._token].value)
    self.assertEqual(data, self.data)
    # Expiry is compared to four decimal places rather than exactly;
    # see comment in test_mix_unmix.
    self.assertAlmostEqual(exp, self.exp, places=4)
    # Reads the jar's private key so the expected MAC can be recomputed
    # independently: HMAC-SHA1 over mix(exp, data), hex-encoded.
    key = self.jar._key  # pylint: disable=protected-access
    message = six.ensure_binary(mix(self.exp, self.data))
    expected_mac = util.bin_to_hex(EVP.hmac(key, message, 'sha1'))
    self.assertEqual(digest, expected_mac)
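def isGoodCookieString(self, cookie_str):
    # type: (Union[dict, bytes]) -> Union[bool, int]
    """Check that a cookie string carries an unexpired, correctly MACed token.

    :param cookie_str: cookie data in a form ``SimpleCookie.load`` accepts
    :return: 0 when the token is absent or ``unmix3`` cannot split it;
             otherwise True only if the rebuilt cookie is not expired and
             its MAC equals the one presented in ``cookie_str``.
    """
    # Function-scope import: the module's import block is not touched.
    import hmac

    c = SimpleCookie()
    # NOTE(review): cookie_str comes from the client; any exception raised
    # by load() propagates to the caller -- confirm callers treat that as
    # a rejected cookie.
    c.load(cookie_str)
    if _TOKEN not in c:
        return 0
    undough = unmix3(c[_TOKEN].value)
    if undough is None:
        return 0
    exp, data, mac = undough
    # Rebuild a cookie from the presented expiry and data; its MAC is the
    # reference value (makeCookie presumably signs with the jar's key).
    c2 = self.makeCookie(exp, data)
    # Compare MACs in constant time. A plain == returns at the first
    # differing character, which exposes how much of a guess was right.
    try:
        mac_matches = hmac.compare_digest(c2._mac, mac)
    except TypeError:
        # compare_digest refuses non-ASCII text and mixed str/bytes; such
        # a value is treated as a mismatch.
        mac_matches = False
    return (not c2.isExpired()) and mac_matches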
def test_mix_unmix3(self):
    """Split a fresh cookie with unmix3 and check each recovered part."""
    cookie = self.jar.makeCookie(self.exp, self.data)
    parsed = SimpleCookie()
    parsed.load(cookie.output(header=""))
    exp, data, digest = unmix3(parsed[self._token].value)
    self.assertEqual(data, self.data)
    # Expiry is compared to four decimal places rather than exactly;
    # see comment in test_mix_unmix.
    self.assertAlmostEqual(exp, self.exp, places=4)
    # Reads the jar's private key so the expected MAC can be recomputed
    # independently: HMAC-SHA1 over mix(exp, data), hex-encoded.
    key = self.jar._key  # pylint: disable=protected-access
    message = util.py3bytes(mix(self.exp, self.data))
    expected_mac = util.bin_to_hex(EVP.hmac(key, message, 'sha1'))
    self.assertEqual(digest, expected_mac)
def __init__(self, expiry, data, dough, mac):
    # type: (float, str, str, str) -> None
    """
    Build an authentication cookie from its already-computed parts.

    :param expiry: expiration time (in seconds)
    :param data: cookie payload (as a string)
    :param dough: expiry and data combined into a URL-compliant string
    :param mac: SHA1-based HMAC of dough and random key
    """
    # The cookie value and the name are the same concatenation, so it is
    # formatted once and stored in both places.
    token_value = '%s%s' % (dough, mac)
    self._expiry = expiry
    self._data = data
    self._mac = mac
    self._cookie = SimpleCookie()
    self._cookie[_TOKEN] = token_value
    self._name = token_value  # WebKit only.
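def isGoodCookieString(self, cookie_str, _debug=False):
    # type: (Union[dict, bytes], bool) -> Union[bool, int]
    """Check that a cookie string carries an unexpired, correctly MACed token.

    :param cookie_str: cookie data in a form ``SimpleCookie.load`` accepts
    :param _debug: when true, log diagnostics if the MAC matches
    :return: 0 when the token is absent or ``unmix3`` cannot split it;
             otherwise True only if the rebuilt cookie is not expired and
             its MAC equals the one presented in ``cookie_str``.
    """
    # Function-scope import: the module's import block is not touched.
    import hmac

    c = SimpleCookie()
    # NOTE(review): cookie_str comes from the client; any exception raised
    # by load() propagates to the caller -- confirm callers treat that as
    # a rejected cookie.
    c.load(cookie_str)
    if _TOKEN not in c:
        # Report the cookie names actually present (dir() would list the
        # object's attributes, not its keys).
        log.debug('_TOKEN not in c (keys = %s)', list(c.keys()))
        return 0
    undough = unmix3(c[_TOKEN].value)
    if undough is None:
        log.debug('undough is None')
        return 0
    exp, data, mac = undough
    # Rebuild a cookie from the presented expiry and data; its MAC is the
    # reference value (makeCookie presumably signs with the jar's key).
    c2 = self.makeCookie(exp, data)
    # Compare MACs in constant time. A plain == returns at the first
    # differing character, which exposes how much of a guess was right.
    try:
        mac_matches = hmac.compare_digest(c2._mac, mac)
    except TypeError:
        # compare_digest refuses non-ASCII text and mixed str/bytes; such
        # a value is treated as a mismatch.
        mac_matches = False
    if _debug and mac_matches:
        # The cookie string and both MAC values are deliberately not
        # logged: this branch runs only for a cookie that verifies, and
        # anyone able to read the log could replay it.
        log.error('c2.isExpired = %s', c2.isExpired())
        log.error('c2._mac == mac: %s', str(mac_matches))
    return (not c2.isExpired()) and mac_matches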
class AuthCookie:
    """An authentication cookie: expiry, payload, MAC and rendered form."""

    def __init__(self, expiry, data, dough, mac):
        # type: (float, str, str, str) -> None
        """Store the cookie parts and build the cookie carrying dough + mac."""
        token_value = '%s%s' % (dough, mac)
        self._expiry = expiry
        self._data = data
        self._mac = mac
        self._cookie = SimpleCookie()
        self._cookie[_TOKEN] = token_value
        self._name = token_value  # XXX WebKit only.

    def expiry(self):
        # type: () -> float
        """Return the expiry time given at construction."""
        return self._expiry

    def data(self):
        # type: () -> str
        """Return the payload given at construction."""
        return self._data

    def mac(self):
        # type: () -> str
        """Return the MAC given at construction."""
        return self._mac

    def output(self):
        # type: () -> str
        """Return the cookie rendered in "Set-Cookie" format."""
        # NOTE(review): this class sets only the value on the cookie; no
        # Secure/HttpOnly attributes are added here -- confirm the caller
        # applies them where needed.
        return self._cookie.output()

    def value(self):
        # type: () -> str
        """Return only the token's value, without the "Set-Cookie: " part."""
        token = self._cookie[_TOKEN]
        return token.value

    def isExpired(self):
        # type: () -> bool
        """Return True if the expiry is numeric and already in the past."""
        # NOTE(review): an expiry that is neither float nor int (a string,
        # for example) is never reported as expired -- confirm callers
        # always pass a number.
        if not isinstance(self._expiry, (float, int)):
            return False
        return time.time() > self._expiry

    # XXX The remaining methods exist for WebKit only and should move to
    # WKAuthCookie.
    def name(self):
        # type: () -> str
        """Return the dough + mac string stored as the name."""
        return self._name

    def headerValue(self):
        # type: () -> str
        """Return the same string as value()."""
        return self.value()
def test_cookie_str2(self):
    """Accept an unmodified cookie after a SimpleCookie round trip."""
    # header="" renders the cookie without the "Set-Cookie:" prefix on
    # both the way out of the jar and the way back in.
    rendered = self.jar.makeCookie(self.exp, self.data).output(header="")
    reparsed = SimpleCookie()
    reparsed.load(rendered)
    verdict = self.jar.isGoodCookieString(reparsed.output(header=""))
    self.assertTrue(verdict)
class AuthCookie(object):
    """An authentication cookie: expiry, payload, MAC and rendered form."""

    def __init__(self, expiry, data, dough, mac):
        # type: (float, str, str, str) -> None
        """
        Build an authentication cookie from its already-computed parts.

        :param expiry: expiration time (in seconds)
        :param data: cookie payload (as a string)
        :param dough: expiry and data combined into a URL-compliant string
        :param mac: SHA1-based HMAC of dough and random key
        """
        token_value = '%s%s' % (dough, mac)
        self._expiry = expiry
        self._data = data
        self._mac = mac
        self._cookie = SimpleCookie()
        self._cookie[_TOKEN] = token_value
        self._name = token_value  # WebKit only.

    def expiry(self):
        # type: () -> float
        """Return the expiry time given at construction."""
        return self._expiry

    def data(self):
        # type: () -> str
        """Return the payload given at construction."""
        return self._data

    def mac(self):
        # type: () -> str
        """Return the MAC given at construction."""
        return self._mac

    def output(self, header="Set-Cookie:"):
        # type: (Optional[str]) -> str
        """Return the cookie rendered with the given header prefix."""
        # NOTE(review): this class sets only the value on the cookie; no
        # Secure/HttpOnly attributes are added here -- confirm the caller
        # applies them where needed.
        return self._cookie.output(header=header)

    def value(self):
        # type: () -> str
        """Return only the token's value, without the "Set-Cookie: " part."""
        token = self._cookie[_TOKEN]
        return token.value

    def isExpired(self):
        # type: () -> bool
        """Return True if the expiry is numeric and already in the past."""
        # NOTE(review): an expiry that is neither a float nor an integer
        # type (a string, for example) is never reported as expired --
        # confirm callers always pass a number.
        if not isinstance(self._expiry, (float, six.integer_types)):
            return False
        return time.time() > self._expiry

    # The two methods below exist for WebKit only. They could live in
    # WKAuthCookie, but they are part of the API now.
    def name(self):
        # type: () -> str
        """Return the dough + mac string stored as the name."""
        return self._name

    def headerValue(self):
        # type: () -> str
        """Return the same string as value()."""
        return self.value()
def test_cookie_str_expired(self):
    """Reject a correctly built cookie whose expiry is 7200 s before self.exp."""
    # Whether self.exp - 7200 is in the past depends on how the fixture
    # sets self.exp, which is not visible from this method.
    earlier = self.exp - 7200
    rendered = self.jar.makeCookie(earlier, self.data).output(header="")
    reparsed = SimpleCookie()
    reparsed.load(rendered)
    verdict = self.jar.isGoodCookieString(reparsed.output(header=""))
    self.assertFalse(verdict)