def virtual_machines_view():
# Check if authed
if not utils.authed() or not 'id' in session:
return redirect(url_for('auth.login', next='vm'))
# Look for all vms that the team has access too (has solved the chal)
vmso = VMs.query.join(Solves, Solves.teamid == int(
session['id'])).filter(Solves.chalid == VMs.chalid).all()
vms = []
# Set up the json data
for v in vmso:
signer = Signer(utils.get_config('VM_KEY'),
salt=v.name,
digest_method=sha256)
vms.append({
'name':
v.name,
'desc':
v.desc,
'key':
signer.sign(json.dumps({
'team': session['id'],
'vm': v.name
})).encode('base64').replace('\n', '')
})
# Run the template
return render_template(PLUGIN_NAME + '/vms.html', vms=vms)
def createreportdict(lat, lng, accuracy, form):
dct = {}
dct["latitude"] = lat
dct["longitude"] = lng
dct["latitude_rand"] = lat + 0.01 * random.random()
dct["longitude_rand"] = lng + 0.01 * random.random()
dct["accuracy"] = accuracy
dct["test"] = form.test.data
dct["datetest"] = None if form.datetest.data is None else form.datetest.data.strftime("%d.%m.%Y")
dct["notherstest"] = form.notherstest.data
dct["symptoms"] = ', '.join(form.symptoms.data)
dct["dayssymptoms"] = form.dayssymptoms.data
dct["notherssymptoms"] = form.notherssymptoms.data
dct["age"] = form.age.data
dct["sex"] = form.sex.data
dct["email_addr"] = form.email_addr.data
s = Signer(form.password.data)
dct["signature"] = str(s.sign(form.email_addr.data))
dct["timestamp"] = firestore.SERVER_TIMESTAMP
dct["email_confirmed"] = False
dct["overwritten"] = False
dct["source"] = "report"
dct["token"] = str(generate_confirmation_token(dct["signature"]))
return dct
def signup():
data = request.get_json()
app_root = os.getcwd()
s = Signer('superpowerfullkey')
token = s.sign(data['email'].encode()).decode()
token = token[::-1].split('.')[0][::-1]
if 'type' not in data:
data['type'] = False
image_path = None
else:
import base64
byte_image = base64.b64decode(data['image'])
if not os.path.isdir(os.path.join(app_root, "images/")):
os.mkdir(os.path.join(app_root, "images/"))
image_path = os.path.join(
os.path.join(app_root, "images/"),
data['first_name'] + ' ' + data['last_name'] + '.jpg')
with open(image_path, 'wb') as f:
f.write(byte_image)
newuser = User(data['first_name'],
data['last_name'],
data['email'],
data['password'],
token,
data['type'],
filepath_=image_path if image_path is not None else None)
db.session.add(newuser)
db.session.commit()
return jsonify(status='success', token=token)
def sign():
s = Signer(
bytes(input("Enter a secret(!!) key: "),
encoding="UTF-8"))
print(s.sign(
bytes(input("Enter data\n"),
encoding="UTF-8")).decode('UTF-8'))
def gen_signed_code(self, identifier=None):
"""Generates a signed code in the format discount_code_base.randint.signature"""
if not identifier:
identifier = buid()
signer = Signer(self.secret)
key = "{base}.{identifier}".format(base=self.discount_code_base, identifier=identifier)
return signer.sign(key)
def test_auth_mfa_success(flask_client):
user = User.create(
email="[email protected]",
password="******",
name="Test User",
activated=True,
enable_otp=True,
otp_secret="base32secret3232",
)
db.session.commit()
totp = pyotp.TOTP(user.otp_secret)
s = Signer(FLASK_SECRET)
mfa_key = s.sign(str(user.id))
r = flask_client.post(
url_for("api.auth_mfa"),
json={
"mfa_token": totp.now(),
"mfa_key": mfa_key,
"device": "Test Device"
},
)
assert r.status_code == 200
assert r.json["api_key"]
assert r.json["name"] == "Test User"
def verify_mailbox_change(user, mailbox, new_email):
s = Signer(MAILBOX_SECRET)
mailbox_id_signed = s.sign(str(mailbox.id)).decode()
verification_url = (
URL + "/dashboard/mailbox/confirm_change" + f"?mailbox_id={mailbox_id_signed}"
)
send_email(
new_email,
f"Confirm mailbox change on SimpleLogin",
render(
"transactional/verify-mailbox-change.txt",
user=user,
link=verification_url,
mailbox_email=mailbox.email,
mailbox_new_email=new_email,
),
render(
"transactional/verify-mailbox-change.html",
user=user,
link=verification_url,
mailbox_email=mailbox.email,
mailbox_new_email=new_email,
),
)
def captcha(publicID):
publicID = publicID.lower()
session_info = session_db.find_one({"publicID": publicID}, {"_id": 0})
hancock = Signer(str(secret_key), salt=str(session_info["privateID"]))
if (publicID + "-guest") in request.cookies and hancock.validate(
request.cookies.get(publicID + "-guest")):
return redirect("https://www.crowdsourcejukebox.com/vote/" + publicID +
"/")
if request.method == "POST":
captcha_response = request.form["g-recaptcha-response"]
if is_human(captcha_response):
resp = make_response(
redirect("https://www.crowdsourcejukebox.com/vote/" +
publicID + "/"))
guestID = bytes(str(uuid.uuid4()), "utf-8")
session_db.update_one({"publicID": publicID},
{"$inc": {
"guests": 1
}})
resp.set_cookie(
publicID + "-guest",
value=hancock.sign(guestID),
expires=datetime.datetime.now() + datetime.timedelta(hours=1),
)
return resp
else:
return redirect("http://www.crowdsourcejukebox.com/")
else:
return render_template("captcha.html",
sitekey=os.environ["RC_SITE_KEY"])
def cookie_serialize(secure_key, session_id, expire):
"""Serialize the cookie. Set the expire_time timestamp into the cookie"""
signer = Signer(secure_key)
session_data = session_id.encode('utf-8') + '&' + str(expire)
session_data = signer.sign(session_data).decode('utf-8')
return session_data
def gen_signed_code(self, identifier=None):
"""Generates a signed code in the format discount_code_base.randint.signature"""
if not identifier:
identifier = buid()
signer = Signer(self.secret)
key = "{base}.{identifier}".format(base=self.discount_code_base, identifier=identifier)
return signer.sign(key)
def auth_payload(user, device) -> dict:
ret = {
"name": user.name or "",
"email": user.email,
"mfa_enabled": user.enable_otp
}
# do not give api_key, user can only obtain api_key after OTP verification
if user.enable_otp:
s = Signer(FLASK_SECRET)
ret["mfa_key"] = s.sign(str(user.id))
ret["api_key"] = None
else:
api_key = ApiKey.get_by(user_id=user.id, name=device)
if not api_key:
LOG.d("create new api key for %s and %s", user, device)
api_key = ApiKey.create(user.id, device)
db.session.commit()
ret["mfa_key"] = None
ret["api_key"] = api_key.code
# so user is automatically logged in on the web
login_user(user)
return ret
def sign():
# if request.method == 'GET':
#
# return render_template('user_signup.html')
# elif request.method == 'POST':
# name = request.form.get('name')
# email=request.form.get('email')
# password=request.form.get('password')
# phone = request.form.get('phone')
# address = request.form.get('address')
# newUser = p.PeopleProfile(name,email,password, phone, address)
# db.session.add(newUser)
# db.session.commit()
# flash('Record were added successfully')
# return render_template('user_signup.html' )
if request.method == 'POST':
email = request.form.get("email")
print email
userS = p.PeopleProfile.query.filter_by(email=email).first()
if userS:
if userS.email == email:
session['email'] = userS.email
flash('email already registered')
return render_template('user_signup.html')
else:
name = request.form.get('name')
email = request.form.get('email')
password = request.form.get('password')
# hashpw = hash_password(password)
phone = request.form.get('phone')
address = request.form.get('address')
bloodCategoryId = request.form.get('bloodCategory')
# newUser = p.PeopleProfile(email = email)
newUser = p.PeopleProfile(name, email, password, phone, address,
bloodCategoryId)
newUser.hash_password(password)
db.session.add(newUser)
db.session.commit()
signer = Signer(app.secret_key)
token = signer.sign(email)
url = url_for('confirmation', token=token, _external=True)
msg = Message(
"E-mail confirmation for Sahayog - A Blood Donation Portal",
sender="*****@*****.**",
recipients=[email])
msg.body = url
# flash(msg.body)
mail.send(msg)
flash('Record were added successfully')
return render_template('user_signup.html')
elif request.method == 'GET':
bloodCategoryL = b.BloodCategory.query.all()
return render_template('user_signup.html',
bloodCategoryList=bloodCategoryL)
def token(self) -> str:
signer = Signer(current_app.config['JWT_TOKEN_SECRET'])
jwt = JSONWebToken(secret_key=current_app.config['JWT_TOKEN_SECRET'],
expires_in=15 * 60)
string = ''.join((self.factor, self.code))
signature = signer.sign(
string.encode('utf-8')).decode('utf-8').split('.')[1]
return jwt.dumps({'signature': signature}).decode('utf-8')
def test_timestamp_missing(self, signer):
other = Signer("secret-key")
signed = other.sign("value")
with pytest.raises(BadTimeSignature) as exc_info:
signer.unsign(signed)
assert "missing" in str(exc_info.value)
def test_malformed_timestamp(self, signer):
other = Signer("secret-key")
signed = other.sign(b"value.____________")
with pytest.raises(BadTimeSignature) as exc_info:
signer.unsign(signed)
assert "Malformed" in str(exc_info.value)
def verify_email(addr):
s = Signer(app.config['SECRET_KEY'])
token = s.sign(addr)
text = """Please click the following link to confirm your email address for {}: {}""".format(
get_config('ctf_name'),
url_for('auth.confirm_user', _external=True) + '/' + urllib.quote_plus(token.encode('base64'))
)
sendmail(addr, text)
def test_malformed_timestamp(self, signer):
other = Signer("secret-key")
signed = other.sign(b"value.____________")
with pytest.raises(BadTimeSignature) as exc_info:
signer.unsign(signed)
assert "Malformed" in str(exc_info.value)
def test_timestamp_missing(self, signer):
other = Signer("secret-key")
signed = other.sign("value")
with pytest.raises(BadTimeSignature) as exc_info:
signer.unsign(signed)
assert "missing" in str(exc_info.value)
def verify_email(addr):
s = Signer(app.config['SECRET_KEY'])
token = s.sign(addr)
text = """Please click the following link to confirm your email address for {}: {}""".format(
get_config('ctf_name'),
url_for('auth.confirm_user', _external=True) + '/' + token.encode('base64')
)
sendmail(addr, text)
def test_frame_positive(self):
signer = Signer(globals.SECRET_KEY)
file = signer.sign(FILE_URL_POSITIVE)
result = self.app.get(FRAME_PATH,
query_string=dict(file_url=file),
follow_redirects=True)
self.assertEqual(result.status_code, 200)
assert 'Frame Integration' in result.data
def createreportdict(form):
dct = {}
dct["plz"] = form.plz.data
crd = json.loads(form.geolocation.data)
dct["latitude"] = crd["latitude"]
dct["longitude"] = crd["longitude"]
dct["accuracy"] = crd["accuracy"]
if dct["latitude"] == 0:
dct["longitude"], dct["latitude"] = plz2longlat(dct["plz"])
dct["latitude_rand"] = dct["latitude"] + 0.01 * random.random()
dct["longitude_rand"] = dct["longitude"] + 0.01 * random.random()
dct["username"] = form.username.data
s = Signer(form.password.data)
dct["signature"] = str(s.sign(form.username.data))
dct["age"] = form.age.data
dct["sex"] = form.sex.data
dct["plz"] = form.plz.data
dct["headache"] = form.headache.data
dct["cough"] = form.cough.data
dct["shortnessbreath"] = form.shortnessbreath.data
dct["musclepain"] = form.musclepain.data
dct["sorethroat"] = form.sorethroat.data
dct["nausea"] = form.nausea.data
dct["diarrhea"] = form.diarrhea.data
dct["rhinorrhea"] = form.rhinorrhea.data
dct["travelhistory"] = form.travelhistory.data
dct["contacthistory"] = form.contacthistory.data
dct["notherstest"] = form.notherstest.data
dct["dayssymptoms"] = form.dayssymptoms.data
dct["arzt"] = form.arzt.data
dct["test"] = form.test.data
dct["datetest"] = None if form.datetest.data is None else form.datetest.data.strftime("%d.%m.%Y")
dct["quarantine"] = form.quarantine.data
dct["datequarantine"] = None if form.datetest.data is None else form.datequarantine.data.strftime("%d.%m.%Y")
#dct["notherssymptoms"] = form.notherssymptoms.data
try:
dct["kreis"] = plz2kreis[dct["plz"]]
except:
dct["kreis"] = ""
print(f"error converting PLZ {dct['plz']} to Kreisebene")
dct["timestamp"] = firestore.SERVER_TIMESTAMP
dct["email_confirmed"] = False
dct["overwritten"] = False
dct["source"] = "report"
dct["token"] = str(generate_confirmation_token(dct["signature"]))
return dct
def create_url(text):
"""
Method that create signed link that should be send it to Slack.
:param text: Url of the file that should be opened.
:return: Signed link for opening file within embedded Frame terminal.
"""
signer = Signer(globals.SECRET_KEY)
url = BASE_PATH + FRAME_PATH + '?file_url=' + signer.sign(text)
return url
def generate_csrf_token(user):
"""产生token"""
secret_key = current_app.config.get("WTF_CSRF_SECRET_KEY", current_app.secret_key)
nonce = os.urandom(24)
user_id = user.id
signer = Signer(secret_key)
csrf_token = signer.sign(str(user_id))
print csrf_token
return csrf_token
def get(user, instance):
if 'name' in request.json:
if type(request.json['name']) != str and type(
request.json['name']) != unicode:
abort(400)
name = request.json['name'].replace('.', '_')
s = Signer(instance.key)
signed = s.sign('GET.json.' + name)
return jsonify(action=signed)
abort(400)
def share(user, instance):
if 'name' in request.json:
if type(request.json['name']) != str and type(
request.json['name']) != unicode:
abort(400)
s = Signer(instance.key)
signed = s.sign(request.json['name'] + '.' +
user.name.replace('.', '_'))
return jsonify(sig=signed)
abort(400)
def sign_view():
if "token" in session:
bc = user_handle.uid_for_token(session["token"])
if (bc != -1):
s = Signer(apis[request.args.get('api')],
salt=request.args.get('rand'))
return s.sign(str(bc))
abort(403)
return ""
def test_submit_reset_form_invalid_user(self):
s = Signer(app.config['SECRET_KEY'])
token = s.sign('*****@*****.**')
response = self.client.post("/reset_password",
data=dict(
token=token,
password='******',
password_confirmation='blahblah'))
self.assertTemplateUsed("reset_invalid_token.html")
def send_user_confirmation_mail(app, user):
signer = Signer(app.config['SECRET_KEY'], salt='confirmation')
confirmation_token = signer.sign(user.username)
response = send_mail(app, user, subject='Confirm your account.', html=
"Hi %s \n <br>" % user.username+
"A user has been created for your mailbox.<br> "
"Please confirm your account.<br>"
"<a href='http://%s%s'>Confirm account</a>" % (app.config['SERVER_NAME'], url_for('confirm', confirmation_token=confirmation_token)))
return response.status_code == 200
def main():
k = 'bt6n4k2m'
signer = Signer(k)
s = '11878121-b36d-4c38-9f87-682e8986d1f9'
ss = signer.sign(s)
print('signed str: {}'.format(ss))
us = signer.unsign(ss)
print('unsigned str: {}'.format(us))
# 做点改动
try:
print(signer.unsign('{}a'.format(ss)))
except BadSignature as e:
print e
print('------')
cid = 110000000000000262
uid = 105697106
for i in xrange(10):
print(signer.sign("{}_{}".format(cid, uid + i)))
def forgot():
form = ForgotPasswordForm(request.form)
if request.method == "POST" and form.validate():
s = Signer(app.config['SECRET_KEY'])
token = s.sign(request.form['email'])
send_password_reset(form.get_user(), token)
return redirect('/forgot_confirmation')
return render_template("forgot.html", form=form)
def forgot():
form = ForgotPasswordForm(request.form)
if request.method == "POST" and form.validate():
s = Signer(app.config['SECRET_KEY'])
token = s.sign(request.form['email'])
send_password_reset(form.get_user(), token)
return redirect('/forgot_confirmation')
return render_template("forgot.html", form=form)
def serialize(user, instance):
if 'name' in request.json and 'object' in request.json:
if type(request.json['name']) != str and type(
request.json['name']) != unicode:
abort(400)
name = str(request.json['name'].replace('.', '_'))
data = pickle.dumps(byteify(request.json['object']))
s = Signer(instance.key)
signed = s.sign('STORE.' + name + '.' + data)
return jsonify(action=signed)
abort(400)
def tokenizar(dni):
# #print(type(dni)) # Punto de revision Input
if isinstance(dni, float):
dni = str(int(dni))
elif isinstance(dni, str):
dni = str(dni)
elif isinstance(dni, int):
dni = str(dni)
s = Signer('crosland_360')
#sing solo acepta cadena str
token_dni = str(s.sign(dni)).split('.')[1]
return token_dni
def gen_signed_code(self, identifier=None):
"""
Generate a signed code.
Format: ``discount_code_base.randint.signature``
"""
if not identifier:
identifier = buid()
signer = Signer(self.secret)
key = "{base}.{identifier}".format(base=self.discount_code_base,
identifier=identifier)
return signer.sign(key).decode('utf-8')
def auth_login():
"""
Authenticate user
Input:
email
password
device: to create an ApiKey associated with this device
Output:
200 and user info containing:
{
name: "John Wick",
mfa_enabled: true,
mfa_key: "a long string",
api_key: "a long string"
}
"""
data = request.get_json()
if not data:
return jsonify(error="request body cannot be empty"), 400
email = data.get("email")
password = data.get("password")
device = data.get("device")
user = User.filter_by(email=email).first()
if not user or not user.check_password(password):
return jsonify(error="Email or password incorrect"), 400
elif not user.activated:
return jsonify(error="Account not activated"), 400
ret = {
"name": user.name,
"mfa_enabled": user.enable_otp,
}
# do not give api_key, user can only obtain api_key after OTP verification
if user.enable_otp:
s = Signer(FLASK_SECRET)
ret["mfa_key"] = s.sign(str(user.id))
ret["api_key"] = None
else:
api_key = ApiKey.get_by(user_id=user.id, name=device)
if not api_key:
LOG.d("create new api key for %s and %s", user, device)
api_key = ApiKey.create(user.id, device)
db.session.commit()
ret["mfa_key"] = None
ret["api_key"] = api_key.code
return jsonify(**ret), 200
def login_user(current_user):
"""
Creates and assigns a session_id we can look for if
the user is logged in
:param current_user:
:type current_user: User Object
:return result: if session_id exists in the current user session cookie
:type result: boolean
"""
s = Signer('secret_key')
login_session['_session_id'] = s.sign(str(current_user.id))
return login_session.get('_session_id') is not None
def get_new_uid(user):
s = Signer(SECRET_SIGN_KEY)
with get_db() as cur:
cur.execute("insert into mfc.schedules (username, festival) values (%s, %s) returning id", [user['email'] if user else None, festival])
uid = cur.fetchall()[0]['id']
# cookie is uid hashed with our private key
cookie = cherrypy.response.cookie
cookie_name = 'mfc_sch'+str(uid)
cookie[cookie_name] = s.sign(str(uid))
cookie[cookie_name]['path'] = '/'
cookie[cookie_name]['max-age'] = 3600
cookie[cookie_name]['version'] = 1
return uid
def test_submit_reset_form(self):
s = Signer(app.config['SECRET_KEY'])
token = s.sign('*****@*****.**')
user = User(email='*****@*****.**')
db.session.add(user)
db.session.commit()
response = self.client.post("/reset_password",
data=dict(
token=token,
password='******',
password_confirmation='blahblah'))
self.assertRedirects(response, "/")
def verify_code(token: str, factor: str, code: str) -> bool:
signer = Signer(current_app.config['JWT_TOKEN_SECRET'])
jwt = JSONWebToken(secret_key=current_app.config['JWT_TOKEN_SECRET'],
expires_in=15 * 60)
try:
data = jwt.loads(token)
except (BadSignature, SignatureExpired) as e:
return False
string = ''.join((factor, code))
signature = signer.sign(
string.encode('utf-8')).decode('utf-8').split('.')[1]
if signature == data.get('signature', ''):
return True
return False
def render(self, template, **kwargs):
attach_obj = self.model.client.model('ir.attachment')
model = kwargs.get('model')
if model:
search_params = [
('res_id', '=', model.id),
('res_model', '=', self.model._name)
]
attach_ids = attach_obj.search(search_params)
fields_to_read = ['datas_fname', 'name']
if attach_ids:
attachments = attach_obj.read(attach_ids, fields_to_read)
else:
attachments = []
s = Signer(current_app.config.get('SECRET_KEY'), sep='$')
for att in attachments:
att['id'] = s.sign(str(att['id']))
kwargs['attachments'] = attachments
return super(OpenERPModelView, self).render(template, **kwargs)
def _defer(f, *a, **kw):
signer = Signer(current_app.secret_key)
env = [
]
data = json.dumps({
"args": a,
"kwargs": kw,
"env": env,
"call": "%s.%s" % (f.__module__,f.__name__),
})
task = {
"url": request.url_root+'_ah/task',
"method": "POST",
"body": { "_": signer.sign(data) },
}
mc.set('task:url', json.dumps(task))
def create_new_app(self, app_name, app_type=None):
if not app_name:
return False
user = self.become(session_token=self.session_token)
app = Application()
query = Query(Application)
query.equal_to('user', user)
query.equal_to('app_name', app_name)
if not query.count():
app.set('app_name', app_name)
app.set('type', app_type)
app.set('user', user)
app.save()
app_id = app.id
signer = Signer('this is senz dashboard')
app_key = (signer.sign(app_id).split(app_id + '.'))[1]
app.set('app_id', app_id)
app.set('app_key', app_key)
app.save()
return app_name, app_key, app_id
return None
class Pastie:
SECRET_KEY = '\x85\xe1Pc\x11n\xe0\xc76\xa1\xd9\x93$\x1ei\x06'
HTTBL_KEY = 'THIS IS NOT A VALID HTTPBL KEY'
def __init__(self, data_dir='pastes/', host='http://localhost/'):
self.httpbl = HttpBL(self.HTTBL_KEY)
self.signer = Signer(self.SECRET_KEY)
self.jinja_env = Environment(loader=FileSystemLoader(
join(dirname(__file__), 'layouts'))
)
self.host = host
self.data_dir = data_dir
if not isdir(data_dir):
makedirs(data_dir)
def render_template(self, template_name, **kwargs):
return self.jinja_env.get_template(template_name).render(**kwargs)
def sign(self, value):
return self.signer.sign(value)
def unsign(self, value):
return self.signer.unsign(value)
def dispatch(self, request, start_response):
adapter = urlmap.bind_to_environ(request.environ)
request.adapter = adapter
try:
endpoint, values = adapter.match()
return endpoint(self, request, **values)
except NotFound, e:
return Response('Not Found', 404)
except HTTPException, e:
return e
def init_flask(flask_app, config):
""" Initialize Flask configuration and hooks. """
config_dict = dict(config.items('flask'))
# Try to convert numeric arguments to integers.
for k, v in config_dict.items():
try:
config_dict[k] = int(v)
except:
pass
flask_app.config.update(**config_dict)
# Disable caching for static assets in debug mode, otherwise
# many Angular templates will be stale when refreshing pages.
if flask_app.debug:
flask_app.config["SEND_FILE_MAX_AGE_DEFAULT"] = 0
db_engine = app.database.get_engine(dict(config.items('database')))
redis = app.database.get_redis(dict(config.items('redis')))
solr = app.database.get_solr(dict(config.items('solr')))
signer = Signer(config.get('flask', 'SECRET_KEY'))
sign_fn = lambda s: signer.sign(str(s).encode('utf8')).decode('utf-8')
unsign_fn = signer.unsign
@flask_app.after_request
def after_request(response):
''' Clean up request context. '''
g.db.close()
return response
if flask_app.latency is not None:
@flask_app.before_request
def api_latency():
if request.path[:5] == '/api/':
time.sleep(flask_app.latency)
@flask_app.before_request
def before_request():
''' Initialize request context. '''
g.config = config
g.debug = flask_app.debug
g.db = app.database.get_session(db_engine)
g.redis = redis
g.solr = solr
g.sign = sign_fn
g.unsign = unsign_fn
@flask_app.url_defaults
def static_asset_cache_busting(endpoint, values):
if endpoint == 'static' and 'filename' in values:
filename = values['filename']
if filename.startswith('img') or \
filename.startswith('fonts'):
values['version'] = flask_app.config['VERSION']
if flask_app.debug:
flask_app.config["SEND_FILE_MAX_AGE_DEFAULT"] = 0
def generate_machine_token(self):
s = Signer(self.secret)
machine_token = s.sign('haxxorbb')
return machine_token
def sign(value, secret_key, *, salt=''):
signer = Signer(secret_key, salt=salt)
return signer.sign(value)
def get_token(self):
signer = Signer(flask.current_app.config["SECRET_KEY"])
return signer.sign("{0}".format(self.id).encode("ascii")) \
.decode("ascii")
def set_sign_safe(sign_file):
s = Signer(Config.login_sign)
return s.sign(sign_file)
class cook():
def __init__(self):
self.s = {}
self.s['ip'] = '127.0.0.1'
self.s['first_reg'] = 1442955065
self.s['kolvo_visits'] = 1
self.s['user_id'] = 'yap1442955065'
self.s['last_visit'] = '16702'
self.minus_days = 0
self.sig = Signer('andrii')
def create(self):
stat = json.dumps(self.s)
c = self.sig.sign(str(stat))
last_elem = len(c.split('.'))
signature = c.split('.')[last_elem-1]
cookie = 'stat="'+stat+'";stat_signature='+signature
return cookie
def create_wrong(self):
stat = json.dumps(self.s)
c = self.sig.sign(str(stat))
last_elem = len(c.split('.'))
signature = c.split('.')[last_elem-1]
signature = signature[0:len(signature)-5]
cookie = 'stat="'+stat+'";stat_signature='+signature
return cookie
def create_with_login(self,roles=None):
stat = json.dumps(self.s)
c = self.sig.sign(str(stat))
last_elem = len(c.split('.'))
signature = c.split('.')[last_elem-1]
if roles==None:
roles = ['admin']
log_token = self.gen_token('andrii',roles,86400)
cookie = 'stat="'+stat+'";stat_signature='+signature+';log_token="'+log_token+'"'
return cookie
def gen_token(self,user_id,user_roles,token_live_time):
self.session = {}
self.session['user_id'] = user_id
self.session['ts'] = int(time.time())-self.minus_days
self.session['roles'] = user_roles
self.session['live_time'] = token_live_time
self.session['ip'] = self.s['ip']
#create JSON from dict and compress
j = json.dumps(self.session)
j64 = base64.b64encode(j)
#create signature
j64_sign = self.sig.sign(j64)
return j64_sign
def create_with_wrong_token_login(self):
stat = json.dumps(self.s)
c = self.sig.sign(str(stat))
last_elem = len(c.split('.'))
signature = c.split('.')[last_elem-1]
log_token = self.gen_token('andrii',['admin'],86400)
cookie = 'stat="'+stat+'";stat_signature='+signature+';log_token="'+log_token[0:len(log_token)-3]+'"'
return cookie
def create_with_wrong_ip_login(self):
stat = json.dumps(self.s)
c = self.sig.sign(str(stat))
last_elem = len(c.split('.'))
signature = c.split('.')[last_elem-1]
log_token = self.gen_token('andrii',['admin'],86400)
cookie = 'stat="'+stat+'";stat_signature='+signature+';log_token="'+log_token+'"'
return cookie
def _generate_session_id(self):
signer = Signer(self.secure_key)
tmp = sha1("%s%s" % (time.time(), uuid.uuid4())).hexdigest()
return signer.sign(tmp)
#!/usr/bin/env python3
# imports go here
from itsdangerous import Signer, BadSignature, TimestampSigner, SignatureExpired, JSONWebSignatureSerializer
import time
#
# Free Coding session for 2015-03-09
# Written by Matt Warren
#
if __name__ == '__main__':
s = Signer('secret-password')
signed_string = s.sign(b'data to sign')
print(signed_string) # HMAC SHA1 signed string
# tamper with string
signed_string = b'my ' + signed_string
try:
s.unsign(signed_string)
except BadSignature as e:
print("failed to unsign the modified data")
s = TimestampSigner('secret-password', salt='signup') # adds current time to data
signed_string = s.sign(b'data to sign')
print(signed_string)
s.unsign(signed_string, max_age=5) # would only unsign if signed less than 5 seconds ago
time.sleep(2)
try:
s.unsign(signed_string, max_age=1) # would only unsign if signed less than 1 seconds ago
except SignatureExpired as e:
def sign(s, config):
signer = Signer(config['SIGNING_KEY'])
try:
return signer.sign(s)
except BadSignature:
raise BadRequestError()
def get_auth_token(self):
s = Signer(current_app.config['SECRET_KEY'])
return s.sign(self.auth_token)
class User():
def __init__(self,secret_key):
#initialize signer
self.s = Signer(secret_key)
def deserialize(self,request):
#it runs in framework BEFORE_REQUEST function
self.cookies = request.cookies
#check stat in cookie and verify it
stat_str = str(self.cookies.get('stat'))
stat_signature = str(self.cookies.get('stat_signature'))
stat_token = stat_str+'.'+stat_signature
if stat_str=='None' or self.s.validate(stat_token)==False:
self._create_new_stat(request)
#if validation success
else:
self.stat = json.loads(stat_str)
#increase kolvo_visits
self._increase_kolvo_visits()
#add actual IP for checking log_token
self.stat['ip'] = request.environ['REMOTE_ADDR']
self.log_token = str(self.cookies.get('log_token'))
#initialize DB
self._db_init()
def serialize(self,response):
#it runs in framework AFTER_REQUEST function
stat_str = json.dumps(self.stat)
sign_str = self.s.sign(stat_str)
last_elem = len(sign_str.split('.'))
#because dots in IP
self.stat_signature = sign_str.split('.')[last_elem-1]
response.set_cookie('stat',value=stat_str)
response.set_cookie('stat_signature',value=self.stat_signature)
if self.log_token!='None':
response.set_cookie('log_token',value=self.log_token)
else:
response.set_cookie('log_token','',expires=0)
#increase visits
return response
def _create_new_stat(self,request):
self.stat = {}
self.stat['ip'] = request.environ['REMOTE_ADDR']
self.stat['first_reg'] = int(time.time())
self.stat['kolvo_visits'] = 1
self.stat['_id'] = 'yap'+str(int(time.time()))
self.stat['last_visit'] = int(time.time()/86400)
def _increase_kolvo_visits(self):
new_day = int(time.time()/86400)
if self.stat.get('last_visit')==None:
self.stat['last_visit'] = int(time.time()/86400)
if int(self.stat.get('last_visit'))<new_day:
self.stat['kolvo_visits'] = self.stat['kolvo_visits']+1
self.stat['last_visit'] = new_day
def check_auth(self,roles):
if self.log_token=='None':
return 'Error User:Not Login, Please Log IN'
if self.s.validate(self.log_token)!=True:
return 'Error User:Not Valid Login Token. Please, Log IN'
self.session = self._get_json(self.log_token)
if self.session['ip']!=self.stat['ip']:
return 'Error User:Not valid IP. Please, log IN'
if (int(time.time()) - int(self.session['ts']))>int(self.session['live_time']):
return 'Error User:Session nor fresh, please Log IN'
#check permission
for each in self.session['roles']:
if each in roles:
return True
return 'Error User:Not enough permission'
def _gen_token(self,user_id,u_doc):
self.session = {}
self.session['_id'] = user_id
self.session['name'] = u_doc['name']
self.session['ts'] = int(time.time())
self.session['roles'] = u_doc['roles']
self.session['live_time'] = u_doc.get('token_live_time')
self.session['ip'] = self.stat['ip']
#create JSON from dict and compress
j = json.dumps(self.session)
j64 = base64.b64encode(j)
#create signature
j64_sign = self.s.sign(j64)
return j64_sign
def _get_json(self,token):
if self.s.validate(token)!=True:
return 'Error User: not valid Log Token'
jb64 = self.s.unsign(token)
j = base64.b64decode(jb64)
j = json.loads(j)
return j
def login(self,user_name,user_pass):
#if user id in db and pass is equal md5 with secret
#check user name and get user doc
u_doc,u_id = self._db_check_in(user_name)
if u_doc==False:
return 'Error User:No such User'
#check pass
if self._md5_trans(user_pass)!=u_doc['pass']:
return 'Error User:Wrong Pass'
self.log_token = self._gen_token(u_id, u_doc)
return True
def registr(self,u_doc):
user_id = 'yap'+str(int(time.time()))
if self._db_check_in(u_doc['name'])!=[False,False]:
return 'Error User:There is user with the name '+u_doc['name']
u_doc['pass'] = self._md5_trans(u_doc['pass'])
self._db_add(user_id,u_doc)
return True
def drop_log_token(self):
self.log_token = 'None'
return True
def _md5_trans(self,rec):
m = md5.new()
m.update(rec)
return m.hexdigest()
########## DB #################
def _db_init(self):
cl = MongoClient('localhost',27017)
_db = cl['users']
self.db = _db['users']
def _db_check_in(self,u_name):
u_doc = self.db.find_one({'name':u_name})
if u_doc==None:
return [False,False]
return u_doc,u_doc['_id']
def _db_add(self,u_id,user_d):
user_d['_id'] = u_id
self.db.insert_one(user_d)
