Hawk is an HTTP authentication scheme using a message authentication code (MAC) algorithm to provide partial HTTP request cryptographic verification.
PyHawk is great for consuming or providing webservices from Python.
If you had code that consumed a HAWK authenticated webservice, you could do something like the following
import hawk
import requests
# Hawk is secured with a shared secret
credentials = db.lookup_secrets(some_id)
# Prepare your request headers
header = hawk.client.header(url, 'GET', {
'credentials': credentials,
'ext': 'Yo Yo'})
# Which goes into Authorization field of HTTP headers
headers = [('Authorization', header['field'])]
res = requests.get(url, data=params, headers=headers)
response = { 'headers': res.headers }
# We can verify we're talking to our trusted server
verified = hawk.client.authenticate(response, credentials,
header['artifacts'],
{'payload': res.text})
if verified:
print res.text
else:
print "Something fishy going on."See sample_client.py for details.
If you provide a webservice and want to do authentication via HAWK, do something like the following:
:
import hawk
# A callback function for looking up credentials
def lookup_hawk_credentials(id):
# Some collection of secrets
return db.lookup(id)
# req is a Request object from your webserver framework
if 'Hawk ' in req.headers['Authorization']:
return check_auth_via_hawk(req)
else:
return failure(req, res)
def check_auth_via_hawk(req):
server = hawk.Server(req, lookup_hawk_credentials)
# This will raise a hawk.util.HawkException if it fails
artifacts = server.authenticate()
# Sign our response, so clients can trust us
auth = server.header(artifacts,
{ 'payload': payload,
'contentType': 'text/plain' })
headers = [('Content-Type', 'text/plain'),
('Server-Authorization', auth)]
start_response(status, headers)
return payloadSee sample_server.py for details.
PyHawk uses python logging to emit information about why authorization is failing and so on. You can configure these logger channels with INFO, DEBUG, etc, to get some helpful output.
- hawk
All hawk logging, including everything below.
- hawk.client
All hawk client related messages, including header construction.
- hawk.server
All hawk server related messages, including authorization.
- hawk.hcrypto
All hawk crypto related messages, including bewit handling.
- hawk.util
All shared hawk code such as header normalization.
This is under development, ready for adventurous users. There doesn't appear to be a Python library for HAWK. Let me know if there is already a robust library.
Optionally use env as a virtualenv
virtualenv env
source env/bin/activateLocally install source:
python setup.py developUnit tests are in hawk/tests.
python hawk/tests/test_*.pyAdditionally, one can test compatibility:
The compatibility/nodejs directory has a server.js and a client.js (Node code) which are from HAWK's usage.js.
To test the server, do the following:
- python sample_server.py
- cd compatibility/nodejs/
- node client.js
Output should be
Authenticated Request is 200 (OK)
Response validates (OK)
Unauthenticated request should 401 - (OK)Note: the port numbers in test_pyhawk.py and client.js must match.
To test the client, do the following:
- cd compatibility/nodejs/
- node server.js
- cd ../..
- python sample_client.py
Output should be
Response validates (OK)Edit setup.py and bump the version number.
python setup.py sdist uploadYou should see your updates at https://pypi.python.org/pypi?%3Aaction=pkg_edit&name=PyHawk
Iterate on a python library until it can communicate with the test client/server.
- ✓ Write Server API
- ✓ Write client API
- ✓ Switch to callback style
- Improve code style
- Make API elegant
- Put a release together
A source for inspiration on 4 and 5 should be macauthlib, from the Mozilla Services team, which is basically PyHawk, before Hawk existed. (Thanks rfk!)
Client and Server APIs are working according to the Node.js implementation. W00t!
Please file issues for code style, bugs, etc.