コード例 #1
ファイル: signature.py プロジェクト: Proteus-tech/rest_auth
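def get_signature(key_for_secret, method, path, timestamp, signed_headers_value=None, body=''):
    """Compute the FOST HMAC signature of a request for the caller.

    Args:
        key_for_secret: Value handed to ``settings.FOST_AUTHN_GET_SECRET`` to
            look up the shared secret.
        method: HTTP method of the request being signed.
        path: Request path being signed.
        timestamp: Timestamp string that becomes part of the signed document.
        signed_headers_value: Values of the signed headers, in order. ``None``
            (the default) means no signed headers.
        body: Request body included in the signature; empty by default.

    Returns:
        The ``(document, signature)`` pair produced by
        ``fost_hmac_request_signature_with_headers``.
    """
    # ``None`` rather than a mutable ``[]`` default: a list default object is
    # shared between every call of the function.
    if signed_headers_value is None:
        signed_headers_value = []
    secret = settings.FOST_AUTHN_GET_SECRET(key_for_secret, 'secret')

    document, signature = fost_hmac_request_signature_with_headers(
        secret, method, path, timestamp, signed_headers_value, body)

    return document, signature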
コード例 #2
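def _request_signature(backend, request, key, hmac):
    """Authenticate a Django request that carries a FOST HMAC signature.

    Looks up the secret for ``key``, checks that the signed timestamp lies
    within the configured clock skew, recomputes the signature over the
    request (including every header named in ``X-FOST-Headers``) and, when
    it matches ``hmac``, resolves the user through ``backend``.

    Args:
        backend: Authentication backend exposing ``get_user(username)``.
        request: Django request; headers are read from ``request.META``.
        key: Key name from the ``Authorization`` header; also used as the
            username when no ``X-FOST-User`` header was signed.
        hmac: Signature supplied by the client.

    Returns:
        The user returned by ``backend.get_user`` on success, otherwise the
        result of ``_forbid`` (missing or unparsable timestamp, excessive
        clock skew, missing ``X-FOST-Headers``, a named signed header that
        is absent, or a signature mismatch).
    """
    if 'HTTP_X_FOST_TIMESTAMP' not in request.META:
        return _forbid("No HTTP_X_FOST_TIMESTAMP was found")
    secret = getattr(settings, 'FOST_AUTHN_GET_SECRET',
                     _default_authn_get_secret)(request, key)
    # Log only the key; the secret itself must never be written to the logs.
    logging.info("Found secret for key %s", key)
    raw_timestamp = request.META['HTTP_X_FOST_TIMESTAMP'][:19]
    logging.info("About to parse time stamp from %s", raw_timestamp)
    try:
        signed_time = datetime.strptime(raw_timestamp.replace('T', ' '),
                                        '%Y-%m-%d %H:%M:%S')
    except ValueError:
        # A malformed timestamp is a client error, not a server failure.
        return _forbid("HTTP_X_FOST_TIMESTAMP could not be parsed")
    utc_now = datetime.utcnow()
    delta = timedelta(0, getattr(settings, 'FOST_AUTHN_MAXIMUM_CLOCK_SKEW',
                                 300))
    skew = max(signed_time - utc_now, utc_now - signed_time)
    # Only a skew strictly below the limit is accepted; the log wording uses
    # the same boundary as the check below.
    logging.info(
        "Clock skew is %s based on signed time %s and current time %s "
        "(maximum skew is %s) %s", skew, signed_time, utc_now, delta,
        "skew is too high" if skew >= delta else "skew is ok")
    if skew >= delta:
        return _forbid("Clock skew too high")
    if 'HTTP_X_FOST_HEADERS' not in request.META:
        # Previously an uncaught KeyError; fail closed instead.
        return _forbid("No HTTP_X_FOST_HEADERS was found")
    signed_headers, signed = [], {}
    logging.debug("Signed headers: %s", request.META['HTTP_X_FOST_HEADERS'])
    for header in request.META['HTTP_X_FOST_HEADERS'].split():
        logging.info("Header %s included in signed set", header)
        name = 'HTTP_%s' % header.upper().replace('-', '_')
        try:
            value = request.META[name]
        except KeyError:
            # A header declared as signed but absent cannot have been signed.
            return _forbid("Signed header %s was not found" % header)
        signed[header] = value
        signed_headers.append(value)
    if _django_1_0_hack(request):  # pragma: no cover
        logging.warning("Django 1.0 with content length so we assume "
                        "that the signature is correct")
        signature = hmac
    else:
        if hasattr(request, 'body'):
            # Django 1.6 compatibility
            body = request.body
        else:
            body = request.raw_post_data
        _, signature = fost_hmac_request_signature_with_headers(
            secret, request.method, request.path,
            request.META['HTTP_X_FOST_TIMESTAMP'], signed_headers, body
            or request.META.get('QUERY_STRING', ''))
    # Constant-time comparison so the check does not reveal how many leading
    # characters of the supplied signature were correct. Imported locally
    # because the ``hmac`` parameter shadows the module name.
    from hmac import compare_digest
    try:
        matches = compare_digest(signature, hmac)
    except TypeError:
        # Mismatched types (e.g. bytes vs text) can never be a valid match.
        matches = False
    if not matches:
        return _forbid("Signature didn't match provided hmac")
    request.SIGNED = signed
    if 'X-FOST-User' in request.SIGNED:
        return backend.get_user(request.SIGNED['X-FOST-User'].decode('utf-7'))
    return backend.get_user(unquote(key))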
コード例 #3
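def _request_signature(backend, request, key, hmac):
    """Authenticate a Django request that carries a FOST HMAC signature.

    Looks up the secret for ``key``, checks that the signed timestamp lies
    within the configured clock skew, recomputes the signature over the
    request (including every header named in ``X-FOST-Headers``) and, when
    it matches ``hmac``, resolves the user through ``backend``.

    Args:
        backend: Authentication backend exposing ``get_user(username)``.
        request: Django request; headers are read from ``request.META``.
        key: Key name from the ``Authorization`` header; also used as the
            username when no ``X-FOST-User`` header was signed.
        hmac: Signature supplied by the client.

    Returns:
        The user returned by ``backend.get_user`` on success, otherwise the
        result of ``_forbid`` (missing or unparsable timestamp, excessive
        clock skew, missing ``X-FOST-Headers``, a named signed header that
        is absent, or a signature mismatch).
    """
    if "HTTP_X_FOST_TIMESTAMP" not in request.META:
        return _forbid("No HTTP_X_FOST_TIMESTAMP was found")
    secret = getattr(settings, "FOST_AUTHN_GET_SECRET", _default_authn_get_secret)(request, key)
    # Log only the key; the secret itself must never be written to the logs.
    logging.info("Found secret for key %s", key)
    raw_timestamp = request.META["HTTP_X_FOST_TIMESTAMP"][:19]
    logging.info("About to parse time stamp from %s", raw_timestamp)
    try:
        signed_time = datetime.strptime(raw_timestamp.replace("T", " "), "%Y-%m-%d %H:%M:%S")
    except ValueError:
        # A malformed timestamp is a client error, not a server failure.
        return _forbid("HTTP_X_FOST_TIMESTAMP could not be parsed")
    utc_now = datetime.utcnow()
    delta = timedelta(0, getattr(settings, "FOST_AUTHN_MAXIMUM_CLOCK_SKEW", 300))
    skew = max(signed_time - utc_now, utc_now - signed_time)
    # Only a skew strictly below the limit is accepted; the log wording uses
    # the same boundary as the check below.
    logging.info(
        "Clock skew is %s based on signed time %s and current time %s " "(maximum skew is %s) %s",
        skew,
        signed_time,
        utc_now,
        delta,
        "skew is too high" if skew >= delta else "skew is ok",
    )
    if skew >= delta:
        return _forbid("Clock skew too high")
    if "HTTP_X_FOST_HEADERS" not in request.META:
        # Previously an uncaught KeyError; fail closed instead.
        return _forbid("No HTTP_X_FOST_HEADERS was found")
    signed_headers, signed = [], {}
    logging.debug("Signed headers: %s", request.META["HTTP_X_FOST_HEADERS"])
    for header in request.META["HTTP_X_FOST_HEADERS"].split():
        logging.info("Header %s included in signed set", header)
        name = "HTTP_%s" % header.upper().replace("-", "_")
        try:
            value = request.META[name]
        except KeyError:
            # A header declared as signed but absent cannot have been signed.
            return _forbid("Signed header %s was not found" % header)
        signed[header] = value
        signed_headers.append(value)
    if _django_1_0_hack(request):  # pragma: no cover
        logging.warning("Django 1.0 with content length so we assume " "that the signature is correct")
        signature = hmac
    else:
        if hasattr(request, "body"):
            # Django 1.6 compatibility
            body = request.body
        else:
            body = request.raw_post_data
        _, signature = fost_hmac_request_signature_with_headers(
            secret,
            request.method,
            request.path,
            request.META["HTTP_X_FOST_TIMESTAMP"],
            signed_headers,
            body or request.META.get("QUERY_STRING", ""),
        )
    # Constant-time comparison so the check does not reveal how many leading
    # characters of the supplied signature were correct. Imported locally
    # because the ``hmac`` parameter shadows the module name.
    from hmac import compare_digest

    try:
        matches = compare_digest(signature, hmac)
    except TypeError:
        # Mismatched types (e.g. bytes vs text) can never be a valid match.
        matches = False
    if not matches:
        return _forbid("Signature didn't match provided hmac")
    request.SIGNED = signed
    if "X-FOST-User" in request.SIGNED:
        return backend.get_user(request.SIGNED["X-FOST-User"].decode("utf-7"))
    return backend.get_user(unquote(key))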
コード例 #4
    def __call__(self, request):
        """
        Sign ``request`` in place and return it.

        Fetches the secret for the request, signs the method, the path with
        any query string stripped, a UTC timestamp, the ``X-FOST-User`` value
        and the form-encoded ``request.data``, then sets the FOST headers and
        the ``Authorization`` header on the request.
        """
        shared_secret = settings.FOST_AUTHN_GET_SECRET(request, "secret")
        when = datetime.utcnow().strftime("%Y-%m-%d %H:%M:%S")
        signed_path = unicode(request.path_url.split("?")[0])
        # NOTE(review): urlencode needs a mapping or sequence of pairs; a raw
        # string body would raise here -- confirm what callers pass as data.
        encoded_body = urllib.urlencode(request.data)
        user = self.username

        _, signature = fost_hmac_request_signature_with_headers(
            shared_secret, request.method, signed_path, when, [user], encoded_body
        )

        headers = request.headers
        headers["X-FOST-User"] = user
        headers["X-FOST-Headers"] = "X-FOST-User"
        headers["X-FOST-Timestamp"] = when
        headers["Authorization"] = "FOST %s:%s" % (user, signature)
        return request