def create_and_return(self, **kwargs): token = crypto.create_token_string() salt = crypto.create_salt_string() digest = crypto.hash_token(token, salt) expires = kwargs.get('expires', None) if expires is not None: expires = timezone.now() + expires kwargs.update({ 'digest': digest, 'salt': salt, 'expires': expires, 'token_key': token[:CONSTANTS.TOKEN_KEY_LENGTH] }) auth_token = super(AuthTokenManager, self).create(**kwargs) auth_token.token = token return auth_token kwargs.update({ 'digest': digest, 'salt': salt, 'expires': expires }) auth_token = super(AuthTokenManager, self).create(**kwargs) auth_token.token = token return auth_token
def _create_user_tokens(self): # Hard code tokens used in gcapi integration tests user_tokens = { "admin": "1b9436200001f2eaf57cd77db075cbb60a49a00a", "retina": "f1f98a1733c05b12118785ffd995c250fe4d90da", "algorithmuser": "******", "readerstudy": "01614a77b1c0b4ecd402be50a8ff96188d5b011d", settings.RETINA_IMPORT_USER_NAME: "e8db90bfbea3c35f40b4537fdca9b3bf1cd78a51", } out = f"{'*' * 80}\n" for user, token in user_tokens.items(): salt = crypto.create_salt_string() digest = crypto.hash_token(token, salt) AuthToken( token_key=token[: CONSTANTS.TOKEN_KEY_LENGTH], digest=digest, salt=salt, user=self.users[user], expiry=None, ).save() out += f"\t{user} token is: {token}\n" out += f"{'*' * 80}\n" logger.debug(out)
def _create_user_tokens(users): # Hard code tokens used in gcapi integration tests user_tokens = { "admin": "1b9436200001f2eaf57cd77db075cbb60a49a00a", "retina": "f1f98a1733c05b12118785ffd995c250fe4d90da", "readerstudy": "01614a77b1c0b4ecd402be50a8ff96188d5b011d", "demop": "00aa710f4dc5621a0cb64b0795fbba02e39d7700", } out = f"{'*' * 80}\n" for user, token in user_tokens.items(): salt = crypto.create_salt_string() digest = crypto.hash_token(token, salt) AuthToken( token_key=token[:CONSTANTS.TOKEN_KEY_LENGTH], digest=digest, salt=salt, user=users[user], expiry=None, ).save() out += f"\t{user} token is: {token}\n" out += f"{'*' * 80}\n" logger.debug(out)
def create(self, user, password=None, expires=knox_settings.TOKEN_TTL, return_instance=False): token = crypto.create_token_string() salt = crypto.create_salt_string() digest = crypto.hash_token(token, salt) encrypted = None if password: fernet = Fernet(crypto.derive_fernet_key(password, salt)) encrypted = fernet.encrypt(encoding.force_bytes(token)) if expires is not None: expires = timezone.now() + expires auth_token = super(AuthTokenManager, self).create(digest=digest, salt=salt, encrypted=encrypted, user=user, expires=expires) if return_instance: return auth_token return token # Note only the token - not the AuthToken object - is returned
def create(self, user, time=knox_settings.DEFAULT_TOKEN_TTL, use=knox_settings.DEFAULT_TOKEN_USE): token = crypto.create_token_string() salt = crypto.create_salt_string() digest = crypto.hash_token(token, salt) auth_token = super(AuthTokenManager, self).create(digest=digest, salt=salt, user=user, time=time, use=use) return token # Note only the token - not the AuthToken object - is returned
def authenticate_credentials(self, token): ''' Due to the random nature of hashing a salted value, this must inspect each auth_token individually to find the correct one. Tokens that have expired will be deleted and skipped ''' msg = _('Invalid token.') for auth_token in AuthToken.objects.filter( token_key=token[:CONSTANTS.TOKEN_KEY_LENGTH]): for other_token in auth_token.user.auth_token_set.all(): if other_token.digest != auth_token.digest and other_token.expires is not None: if other_token.expires < timezone.now(): other_token.delete() if auth_token.expires is not None: if auth_token.expires < timezone.now(): auth_token.delete() continue try: digest = hash_token(token, auth_token.salt) except TypeError: raise exceptions.AuthenticationFailed(msg) if digest == auth_token.digest: return self.validate_user(auth_token) # Authentication with this token has failed raise exceptions.AuthenticationFailed(msg)
def create(self, user, expires=knox_settings.TOKEN_TTL): token = crypto.create_token_string() salt = crypto.create_salt_string() digest = crypto.hash_token(token, salt) if expires is not None: expires = timezone.now() + expires auth_token = super(AuthTokenManager, self).create(digest=digest, salt=salt, user=user, expires=expires, token_slice=token[:16]) return token # Note only the token - not the AuthToken object - is returned
def create_unsafe(self, user, expires=knox_settings.TOKEN_TTL): token = crypto.create_token_string() salt = crypto.create_salt_string() digest = crypto.hash_token(token, salt) if expires is not None: expires = timezone.now() + expires auth_token = super(AuthTokenManager, self).create(digest=digest, salt=salt, user=user, expires=expires) return auth_token, token # Note only the token - not the AuthToken object - is returned
def ensure_valid_auth_token(self, user, token): for auth_token in AuthToken.objects.filter(user=user): if auth_token.expires is not None and auth_token.expires < timezone.now(): auth_token.delete() continue digest = hash_token(token, auth_token.salt) if digest == auth_token.digest: return auth_token msg = _('Invalid token.') raise exceptions.AuthenticationFailed(msg)
def get_user_by_token(token): log.debug("LOGIN - User by token - Token: " + token) for auth_token in AuthToken.objects.all(): digest = hash_token(token, auth_token.salt) if (digest == auth_token.digest): auth_token.user.backend = 'django.contrib.auth.backends.ModelBackend' log.debug("LOGIN - User by token - User found") return auth_token.user log.error("LOGIN - User by token - User not found") return None
def create(self, user, expiry=knox_settings.TOKEN_TTL): token = crypto.create_token_string() salt = crypto.create_salt_string() digest = crypto.hash_token(token, salt) if expiry is not None: expiry = timezone.now() + expiry instance = super(AuthTokenManager, self).create( token_key=token[:CONSTANTS.TOKEN_KEY_LENGTH], digest=digest, salt=salt, user=user, expiry=expiry) return instance, token
def refresh_credentials(self, token): msg = _('Invalid token.') for auth_token in AuthToken.objects.filter( token_key=token[:CONSTANTS.TOKEN_KEY_LENGTH]): try: digest = hash_token(token, auth_token.salt) except (TypeError, binascii.Error): raise exceptions.AuthenticationFailed(msg) if compare_digest(digest, auth_token.digest): self.renew_token(auth_token) return raise exceptions.AuthenticationFailed(msg)
def ensure_valid_auth_token(self, user, token): for auth_token in AuthToken.objects.filter(user=user): if auth_token.expires is not None: if auth_token.expires < timezone.now(): auth_token.delete() continue digest = hash_token(token, auth_token.salt) if digest == auth_token.digest: return auth_token msg = _('Invalid token.') raise exceptions.AuthenticationFailed(msg)
def create(self, user, expires=knox_settings.TOKEN_TTL): token = crypto.create_token_string() salt = crypto.create_salt_string() digest = crypto.hash_token(token, salt) if expires is not None: expires = timezone.now() + expires super(AuthTokenManager, self).create( token_key=token[:CONSTANTS.TOKEN_KEY_LENGTH], digest=digest, salt=salt, user=user, expires=expires) # Note only the token - not the AuthToken object - is returned return token
def create(self, user, expiry=knox_settings.TOKEN_TTL): token = crypto.create_token_string() digest = crypto.hash_token(token) if expiry is not None: expiry = timezone.now() + expiry instance = super(AuthTokenManager, self).create( token_key=token[:CONSTANTS.TOKEN_KEY_LENGTH], digest=digest, user=user, expiry=expiry) return instance, token
def get_token_validity(token): log.debug("LOGIN - Get token validity - Token : " + token) for auth_token in AuthToken.objects.all(): digest = hash_token(token, auth_token.salt) if (digest == auth_token.digest): if auth_token.expires < timezone.now(): log.error("LOGIN - Get token validity - Token expired") return False else: log.debug("LOGIN - Get token validity - Token valid") return True log.error("LOGIN - Get token validity - Token not found") return False
def create(self, user, expires=knox_settings.TOKEN_TTL): token = crypto.create_token_string() salt = crypto.create_salt_string() digest = crypto.hash_token(token, salt) if expires is not None: expires = timezone.now() + expires super(AuthTokenManager, self).create(token_key=token[:CONSTANTS.TOKEN_KEY_LENGTH], digest=digest, salt=salt, user=user, expires=expires) # Note only the token - not the AuthToken object - is returned return token
def __delete_token(request): try: auth = get_authorization_header(request).split() if not auth or auth[0].lower() != b'token': log.info("Delete Token - No token exist to be deleted") if len(auth) == 2: # Everything is fine token_in_header = auth[1] log.info("Delete Token - Delete token " + str(token_in_header)) for auth_token in AuthToken.objects.all(): digest = hash_token(token_in_header, auth_token.salt) if (digest == auth_token.digest): auth_token.delete() return except Exception as e: log.error("Delete Token - Exception triggered")
def authenticate_credentials(self, token): """ Due to the random nature of hashing a salted value, this must inspect each auth_token individually to find the correct one. Tokens that have expired will be deleted and skipped """ for auth_token in AuthToken.objects.all(): if auth_token.expires is not None: if auth_token.expires < timezone.now(): auth_token.delete() continue digest = hash_token(token, auth_token.salt) if digest == auth_token.digest: return self.validate_user(auth_token) # Authentication with this token has failed raise exceptions.AuthenticationFailed(_("Invalid token."))
def authenticate_credentials(self, token): ''' Due to the random nature of hashing a salted value, this must inspect each auth_token individually to find the correct one. Tokens that have expired will be deleted and skipped ''' for auth_token in AuthToken.objects.all(): if auth_token.expires is not None: if auth_token.expires < timezone.now(): auth_token.delete() continue digest = hash_token(token, auth_token.salt) if digest == auth_token.digest: return self.validate_user(auth_token) # Authentication with this token has failed raise exceptions.AuthenticationFailed(_('Invalid token.'))
def authenticate_credentials(self, token): ''' Due to the random nature of hashing a salted value, this must inspect each auth_token individually to find the correct one. Tokens that have expired will be deleted and skipped ''' for auth_token in AuthToken.objects.filter( token_slice__exact=token[:16]): # move the expired tokens deletion into an external manage.py command # if auth_token.expires is not None: # if auth_token.expires < timezone.now(): # auth_token.delete() # continue digest = hash_token(token, auth_token.salt) if digest == auth_token.digest: return self.validate_user(auth_token) # Authentication with this token has failed raise exceptions.AuthenticationFailed(_('Invalid token.'))
def create( self, user, password=None, expires=knox_settings.TOKEN_TTL, return_instance=False): token = crypto.create_token_string() salt = crypto.create_salt_string() digest = crypto.hash_token(token, salt) encrypted = None if password: fernet = Fernet(crypto.derive_fernet_key(password, salt)) encrypted = fernet.encrypt(encoding.force_bytes(token)) if expires is not None: expires = timezone.now() + expires auth_token = super(AuthTokenManager, self).create( digest=digest, salt=salt, encrypted=encrypted, user=user, expires=expires) if return_instance: return auth_token return token # Note only the token - not the AuthToken object - is returned
def authenticate_credentials(self, token): ''' Due to the random nature of hashing a salted value, this must inspect each auth_token individually to find the correct one. Tokens that have expired will be deleted and skipped ''' token = token.decode("utf-8") for auth_token in AuthToken.objects.filter( token_key=token[:CONSTANTS.TOKEN_KEY_LENGTH]): if self._cleanup_token(auth_token): continue try: digest = hash_token(token, auth_token.salt) except (TypeError, binascii.Error): return None if compare_digest(digest, auth_token.digest): if knox_settings.AUTO_REFRESH and auth_token.expiry: self.renew_token(auth_token) return self.validate_user(auth_token) return None
def login_user_by_header_token(request): try: auth = get_authorization_header(request).split() if not auth or auth[0].lower() != b'token': log.debug("LOGIN - User by header token - No token exists") if len(auth) == 2: # Everything is fine token_in_header = auth[1] log.debug("LOGIN - User by header token - Token found: " + str(token_in_header)) for auth_token in AuthToken.objects.all(): digest = hash_token(token_in_header, auth_token.salt) if (digest == auth_token.digest): auth_token.user.backend = 'django.contrib.auth.backends.ModelBackend' login(request, auth_token.user) return True except Exception as e: log.error("LOGIN - User by header token - Exception triggered" + str(e)) log.error("LOGIN - User by header token - User could not be found") return False
def authenticate_credentials(self, token): ''' Due to the random nature of hashing a salted value, this must inspect each auth_token individually to find the correct one. Tokens that have expired will be deleted and skipped ''' msg = _('Invalid token.') token = token.decode("utf-8") for auth_token in AuthToken.objects.filter( token_key=token[:CONSTANTS.TOKEN_KEY_LENGTH]): if self._cleanup_token(auth_token): continue try: digest = hash_token(token, auth_token.salt) except (TypeError, binascii.Error): raise exceptions.AuthenticationFailed(msg) if compare_digest(digest, auth_token.digest): if knox_settings.AUTO_REFRESH and auth_token.expires: self.renew_token(auth_token) return self.validate_user(auth_token) raise exceptions.AuthenticationFailed(msg)