def get_session(self): session_id = self.get_argument("bokeh-session-id", default=None) if session_id is None: if self.application.generate_session_ids: session_id = generate_session_id(secret_key=self.application.secret_key, signed=self.application.sign_sessions) else: # if there is an auth server, redirect to it auth_server = os.environ.get('AUTH_SERVER') if auth_server: callback_url = '%s://%s/login?page=%s' % (self.request.protocol, self.request.host, self.request.uri) url = auth_server + '/login?next=%s' % callback_url self.set_status(302) self.set_header('Location', url) raise Finish() else: log.debug("Server configured not to generate session IDs and none was provided") raise HTTPError(status_code=403, reason="No bokeh-session-id provided") elif not check_session_id_signature(session_id, secret_key=self.application.secret_key, signed=self.application.sign_sessions): log.error("Session id had invalid signature: %r", session_id) raise HTTPError(status_code=403, reason="Invalid session ID") session = yield self.application_context.create_session_if_needed(session_id) raise gen.Return(session)
def open(self): ''' Initialize a connection to a client. ''' log.info('WebSocket connection opened') proto_version = self.get_argument("bokeh-protocol-version", default=None) if proto_version is None: self.close() raise ProtocolError("No bokeh-protocol-version specified") session_id = self.get_argument("bokeh-session-id", default=None) if session_id is None: self.close() raise ProtocolError("No bokeh-session-id specified") if not check_session_id_signature(session_id, signed=self.application.sign_sessions, secret_key=self.application.secret_key): log.error("Session id had invalid signature: %r", session_id) raise ProtocolError("Invalid session ID") def on_fully_opened(future): e = future.exception() if e is not None: # this isn't really an error (unless we have a # bug), it just means a client disconnected # immediately, most likely. log.debug("Failed to fully open connection %r", e) future = self._async_open(session_id, proto_version) self.application.io_loop.add_future(future, on_fully_opened)
def open(self): ''' Initialize a connection to a client. ''' log.info('WebSocket connection opened') proto_version = self.get_argument("bokeh-protocol-version", default=None) if proto_version is None: self.close() raise ProtocolError("No bokeh-protocol-version specified") session_id = self.get_argument("bokeh-session-id", default=None) if session_id is None: self.close() raise ProtocolError("No bokeh-session-id specified") if not check_session_id_signature(session_id): log.error("Session id had invalid signature: %r", session_id) raise ProtocolError("Invalid session ID") try: self.application_context.create_session_if_needed(session_id) session = self.application_context.get_session(session_id) protocol = Protocol(proto_version) self.receiver = Receiver(protocol) log.debug("Receiver created created for %r", protocol) self.handler = ServerHandler() log.debug("ServerHandler created created for %r", protocol) self.connection = self.application.new_connection(protocol, self, self.application_context, session) log.info("ServerConnection created") except ProtocolError as e: log.error("Could not create new server session, reason: %s", e) self.close() raise e def on_ack_sent(future): e = future.exception() if e is not None: # this isn't really an error (unless we have a # bug), it just means a client disconnected # immediately, most likely. log.debug("Failed to send ack %r", e) msg = self.connection.protocol.create('ACK') self.application.io_loop.add_future(self.send_message(msg), on_ack_sent)
def test__autocreate_signed_session_doc(): application = Application() with ManagedServerLoop(application, sign_sessions=True, secret_key='foo') as server: sessions = server.get_sessions('/') assert 0 == len(sessions) response = http_get(server.io_loop, url(server)) html = response.body sessionid = extract_sessionid_from_json(html) sessions = server.get_sessions('/') assert 1 == len(sessions) assert sessionid == sessions[0].id assert check_session_id_signature(sessionid, signed=True, secret_key='foo')
def get_session(self): session_id = self.get_argument("bokeh-session-id", default=None) if session_id is None: if self.application.generate_session_ids: session_id = generate_session_id(secret_key=self.application.secret_key, signed=self.application.sign_sessions) else: log.debug("Server configured not to generate session IDs and none was provided") raise HTTPError(status_code=403, reason="No bokeh-session-id provided") elif not check_session_id_signature(session_id, secret_key=self.application.secret_key, signed=self.application.sign_sessions): log.error("Session id had invalid signature: %r", session_id) raise HTTPError(status_code=403, reason="Invalid session ID") session = yield self.application_context.create_session_if_needed(session_id, self.request) raise gen.Return(session)
def get(self, *args, **kwargs): session_id = self.get_argument("bokeh-session-id", default=None) if session_id is None: session_id = generate_session_id() elif not check_session_id_signature(session_id): log.error("Session id had invalid signature: %r", session_id) raise HTTPError(status_code=403, reason="Invalid session ID") session = self.application_context.create_session_if_needed(session_id) websocket_url = self.application.websocket_url_for_request(self.request, self.bokeh_websocket_path) page = server_html_page_for_session( session_id, self.application.resources(self.request), title=session.document.title, websocket_url=websocket_url, ) self.set_header("Content-Type", "text/html") self.write(page)
async def get_session(self): session_id = self.get_argument("bokeh-session-id", default=None) if session_id is None: if self.application.generate_session_ids: session_id = generate_session_id( secret_key=self.application.secret_key, signed=self.application.sign_sessions) else: log.debug( "Server configured not to generate session IDs and none was provided" ) raise HTTPError(status_code=403, reason="No bokeh-session-id provided") elif not check_session_id_signature( session_id, secret_key=self.application.secret_key, signed=self.application.sign_sessions): log.error("Session id had invalid signature: %r", session_id) raise HTTPError(status_code=403, reason="Invalid session ID") session = await self.application_context.create_session_if_needed( session_id, self.request) return session
def test_check_signature_of_unsigned(self): session_id = generate_session_id(signed=False, secret_key="abc") # secret shouldn't be used assert not check_session_id_signature(session_id, secret_key="abc", signed=True)
def test_generate_signed(self): session_id = generate_session_id(signed=True, secret_key="abc") assert '-' in session_id assert check_session_id_signature(session_id, secret_key="abc", signed=True) assert not check_session_id_signature(session_id, secret_key="qrs", signed=True)
def test_check_signature_with_signing_disabled(self): assert check_session_id_signature("gobbledygook", secret_key="abc", signed=False)
def test_check_signature_of_junk_with_hyphen_in_it(self): assert not check_session_id_signature( "foo-bar-baz", secret_key="abc", signed=True)
def test_check_signature_of_empty_string(self): assert not check_session_id_signature( "", secret_key="abc", signed=True)
def test_string_encoding_does_not_affect_session_id_check(self): # originates from #6653 session_id = generate_session_id(signed=True, secret_key="abc") assert check_session_id_signature(session_id, secret_key="abc", signed=True) assert check_session_id_signature(decode_utf8(session_id), secret_key="abc", signed=True)
def test_generate_signed(self): session_id = generate_session_id(signed=True, secret_key="abc") self.assertTrue('-' in session_id) self.assertTrue(check_session_id_signature(session_id, secret_key="abc", signed=True)) self.assertFalse(check_session_id_signature(session_id, secret_key="qrs", signed=True))
def test_check_signature_of_empty_string(self): assert not check_session_id_signature("", secret_key="abc", signed=True)
def test_check_signature_of_junk_with_hyphen_in_it(self): assert not check_session_id_signature("foo-bar-baz", secret_key="abc", signed=True)
def test_check_signature_of_unsigned(self): session_id = generate_session_id( signed=False, secret_key="abc") # secret shouldn't be used assert not check_session_id_signature( session_id, secret_key="abc", signed=True)