def unsign(self, signed_value, ttl=None):
"""
Retrieve original value and check it wasn't signed more
than max_age seconds ago.
:type signed_value: bytes
:type ttl: int | datetime.timedelta
"""
h_size, d_size = struct.calcsize('>cQ'), self.digest.digest_size
fmt = '>cQ%ds%ds' % (len(signed_value) - h_size - d_size, d_size)
try:
version, timestamp, value, sig = struct.unpack(fmt, signed_value)
except struct.error:
raise BadSignature('Signature is not valid')
if version != self.version:
raise BadSignature('Signature version not supported')
if ttl is not None:
if isinstance(ttl, datetime.timedelta):
ttl = ttl.total_seconds()
# Check timestamp is not older than ttl
age = abs(time.time() - timestamp)
if age > ttl + _MAX_CLOCK_SKEW:
raise SignatureExpired('Signature age %s > %s seconds' %
(age, ttl))
try:
self.signature(signed_value[:-d_size]).verify(sig)
except InvalidSignature:
raise BadSignature('Signature "%s" does not match' %
binascii.b2a_base64(sig))
return value
def validate_remember_device_cookie(cookie, user, otp_device_id):
"""
Returns True if the cookie was returned by get_remember_device_cookie using the same
user.pk, user.password and otp_device_id. Moreover the cookie must not be expired.
Returns False if the otp_device_id does not match.
Otherwise raises an exception.
"""
timestamp, input_cookie_key, input_cookie_value = cookie.split(
remember_device_cookie_separator, 3)
cookie_key = hash_remember_device_cookie_key(otp_device_id)
if input_cookie_key != cookie_key:
return False
cookie_value = hash_remember_device_cookie_value(otp_device_id, user,
timestamp)
if input_cookie_value != cookie_value:
raise BadSignature('Signature does not match')
timestamp_int = baseconv.base62.decode(timestamp)
age = time.time() - timestamp_int
if age > settings.TWO_FACTOR_REMEMBER_COOKIE_AGE:
raise SignatureExpired('Signature age %s > %s seconds' %
(age, settings.TWO_FACTOR_REMEMBER_COOKIE_AGE))
return True
def test_expired_signature(self, mock_unsign):
with self.feature({
"organizations:integrations-msteams": True,
"organizations:integrations-alert-rule": True,
}):
mock_unsign.side_effect = SignatureExpired()
resp = self.hit_configure({"signed_params": "test"})
assert "Installation link expired" in resp.content
def test_expired_signature(self, mock_unsign):
with self.feature({"organizations:integrations-msteams": True}):
mock_unsign.side_effect = SignatureExpired()
self.login_as(self.user)
org = self.create_organization()
OrganizationMember.objects.create(user=self.user, organization=org)
path = u"/extensions/msteams/configure/"
resp = self.client.get(path, {"signed_params": "test"})
assert "Installation link expired" in resp.content
def verify(self):
data = self._data
signature = data.get(self.signature_field, None)
if signature is None:
raise BadSignature()
expected_signature = self.calculate_signature()
if not constant_time_compare(signature, expected_signature):
raise BadSignature()
if self.use_timestamp and self.valid_period is not None:
timestamp = data[self.timestamp_field]
timestamp = int(timestamp)
current_timestamp = get_current_timestamp()
valid_period_secs = self.valid_period.total_seconds()
if current_timestamp - timestamp > valid_period_secs:
raise SignatureExpired()
def unsign(self, value, max_age=None):
"""
Retrieve original value and check it wasn't signed more
than max_age seconds ago.
"""
result = super(TimestampSigner, self).unsign(value)
value, timestamp = result.rsplit(self.sep, 1)
timestamp = baseconv.base62.decode(timestamp)
if max_age is not None:
if isinstance(max_age, datetime.timedelta):
max_age = max_age.total_seconds()
# Check timestamp is not older than max_age
age = time.time() - timestamp
if age > max_age:
raise SignatureExpired("Signature age %s > %s seconds" %
(age, max_age))
return value
def verify(self):
data = self._data
signature = data.get(self.SIGNATURE_FIELD, None)
if signature is None:
raise BadSignature()
expected_signature = self.calculate_signature()
if not constant_time_compare(signature, expected_signature):
raise BadSignature()
valid_period = self.get_valid_period()
if self.USE_TIMESTAMP and valid_period is not None:
timestamp = data[self.TIMESTAMP_FIELD]
timestamp = int(timestamp)
current_timestamp = get_current_timestamp()
valid_period_secs = valid_period.total_seconds()
if current_timestamp - timestamp > valid_period_secs:
raise SignatureExpired()
