def test_basic(self): hs = sign.HeaderSigner(key_id='Test', secret=self.key, headers=[ '(request-target)', 'host', 'date', ]) unsigned = { 'Host': self.header_host, 'Date': self.header_date, } signed = hs.sign( unsigned, method=self.test_method, path=self.test_path) self.assertIn('Date', signed) self.assertEqual(unsigned['Date'], signed['Date']) self.assertIn('Authorization', signed) auth = parse_authorization_header(signed['authorization']) params = auth[1] self.assertIn('keyId', params) self.assertIn('algorithm', params) self.assertIn('signature', params) self.assertEqual(params['keyId'], 'Test') self.assertEqual(params['algorithm'], 'rsa-sha256') self.assertEqual( params['headers'], '(request-target) host date') self.assertEqual(params['signature'], 'HUxc9BS3P/kPhSmJo+0pQ4IsCo007vkv6bUm4Qehrx+B1Eo4Mq5/6KylET72ZpMUS80XvjlOPjKzxfeTQj4DiKbAzwJAb4HX3qX6obQTa00/qPDXlMepD2JtTw33yNnm/0xV7fQuvILN/ys+378Ysi082+4xBQFwvhNvSoVsGv4=') # noqa: E501
def test_all(self): hs = sign.HeaderSigner(key_id='Test', secret=self.key, headers=[ '(request-target)', 'host', 'date', 'content-type', 'digest', 'content-length' ]) unsigned = { 'Host': self.header_host, 'Date': self.header_date, 'Content-Type': self.header_content_type, 'Digest': self.header_digest, 'Content-Length': self.header_content_length, } signed = hs.sign( unsigned, method=self.test_method, path=self.test_path) self.assertIn('Date', signed) self.assertEqual(unsigned['Date'], signed['Date']) self.assertIn('Authorization', signed) auth = parse_authorization_header(signed['authorization']) params = auth[1] self.assertIn('keyId', params) self.assertIn('algorithm', params) self.assertIn('signature', params) self.assertEqual(params['keyId'], 'Test') self.assertEqual(params['algorithm'], 'rsa-sha256') self.assertEqual( params['headers'], '(request-target) host date content-type digest content-length') self.assertEqual(params['signature'], 'Ef7MlxLXoBovhil3AlyjtBwAL9g4TN3tibLj7uuNB3CROat/9KaeQ4hW2NiJ+pZ6HQEOx9vYZAyi+7cmIkmJszJCut5kQLAwuX+Ms/mUFvpKlSo9StS2bMXDBNjOh4Auj774GFj4gwjS+3NhFeoqyr/MuN6HsEnkvn6zdgfE2i0=') # noqa: E501
def test_basic(self): hs = sign.HeaderSigner(key_id='Test', secret=self.key_2048, sign_algorithm=PSS(salt_length=0), headers=[ '(request-target)', 'host', 'date', ]) unsigned = { 'Host': self.header_host, 'Date': self.header_date, } signed = hs.sign(unsigned, method=self.test_method, path=self.test_path) self.assertIn('Date', signed) self.assertEqual(unsigned['Date'], signed['Date']) self.assertIn('Authorization', signed) auth = parse_authorization_header(signed['authorization']) params = auth[1] self.assertIn('keyId', params) self.assertIn('algorithm', params) self.assertIn('signature', params) self.assertEqual(params['keyId'], 'Test') self.assertEqual(params['algorithm'], 'hs2019') self.assertEqual(params['headers'], '(request-target) host date') self.assertEqual( params['signature'], 'KkF4oeOJJH9TaYjQdaU634G7AVmM5Bf3fnfJCBZ7G0H5puW5XlQTpduA+TgouKOJhbv4aRRpunPzCHUxUjEvrR3TSALqW1EOsBwCVIusE9CnrhL7vUOvciIDai/jI15RsfR9+XyTmOSFbsI07E8mmywr3nLeWX6AAFDMO2vWc21zZxrSc13vFfAkVvFhXLxO4g0bBm6Z4m5/9ytWtdE0Gf3St2kY8aZTedllRCS8cMx8GVAIw/qYGeIlGKUCZKxrFxnviN7gfxixwova6lcxpppIo+WXxEiwMJfSQBlx0WGn3A3twCv6TsIxPOVUEW4jcogDh+jGFf1aGdVyHquTRQ==' ) # noqa: E501
def test_all(self): hs = sign.HeaderSigner(key_id='Test', secret=self.key, headers=[ '(request-target)', 'host', 'date', 'content-type', 'content-md5', 'content-length' ]) unsigned = { 'Host': 'example.com', 'Date': 'Thu, 05 Jan 2012 21:31:40 GMT', 'Content-Type': 'application/json', 'Content-MD5': 'Sd/dVLAcvNLSq16eXua5uQ==', 'Content-Length': '18', } signed = hs.sign(unsigned, method='POST', path='/foo?param=value&pet=dog') self.assertIn('Date', signed) self.assertEqual(unsigned['Date'], signed['Date']) self.assertIn('Authorization', signed) auth = parse_authorization_header(signed['authorization']) params = auth[1] self.assertIn('keyId', params) self.assertIn('algorithm', params) self.assertIn('signature', params) self.assertEqual(params['keyId'], 'Test') self.assertEqual(params['algorithm'], 'rsa-sha256') self.assertEqual(params['headers'], '(request-target) host date content-type content-md5 content-length') self.assertEqual(params['signature'], 'G8/Uh6BBDaqldRi3VfFfklHSFoq8CMt5NUZiepq0q66e+fS3Up3BmXn0NbUnr3L1WgAAZGplifRAJqp2LgeZ5gXNk6UX9zV3hw5BERLWscWXlwX/dvHQES27lGRCvyFv3djHP6Plfd5mhPWRkmjnvqeOOSS0lZJYFYHJz994s6w=')
def authenticate(self, request): """ Perform the actual authentication. Note that the exception raised is always the same. This is so that we don't leak information about in/valid keyIds and other such useful things. """ auth_header = authentication.get_authorization_header(request) if not auth_header or len(auth_header) == 0: return None method, fields = utils.parse_authorization_header(auth_header) # Ignore foreign Authorization headers. if method.lower() != 'signature': return None # Verify basic header structure. if len(fields) == 0: raise FAILED # Ensure all required fields were included. if len(set(("keyid","algorithm","signature")) - set(fields.keys())) > 0: raise FAILED # Fetch the secret associated with the keyid user, secret = self.fetch_user_data( fields["keyid"], algorithm=fields["algorithm"] ) if not (user and secret): raise FAILED # Gather all request headers and translate them as stated in the Django docs: # https://docs.djangoproject.com/en/1.6/ref/request-response/#django.http.HttpRequest.META headers = {} for key in request.META.keys(): if key.startswith("HTTP_") or \ key in ("CONTENT_TYPE", "CONTENT_LENGTH"): header = key[5:].lower().replace('_', '-') headers[header] = request.META[key] # Verify headers hs = HeaderVerifier( headers, secret, required_headers=self.required_headers, method=request.method.lower(), path=request.get_full_path() ) # All of that just to get to this. if not hs.verify(): raise FAILED return (user, fields["keyid"])
def authenticate(self, request): """ Perform the actual authentication. Note that the exception raised is always the same. This is so that we don't leak information about in/valid keyIds and other such useful things. """ auth_header = authentication.get_authorization_header(request) if not auth_header or len(auth_header) == 0: return None method, fields = utils.parse_authorization_header(auth_header) # Ignore foreign Authorization headers. if method.lower() != 'signature': return None # Verify basic header structure. if len(fields) == 0: raise FAILED # Ensure all required fields were included. if len(set(("keyid", "algorithm", "signature")) - set(fields.keys())) > 0: raise FAILED # Fetch the secret associated with the keyid try: user, secret = self.fetch_user_data(fields['keyid'], algorithm=fields["algorithm"]) except Exception as ex: print('Received Exception: {}'.format(ex)) if not (user and secret): raise FAILED # Gather all request headers and translate them as stated in the Django docs: # https://docs.djangoproject.com/en/1.6/ref/request-response/#django.http.HttpRequest.META headers = {} for key in request.META.keys(): if key.startswith("HTTP_") or \ key in ("CONTENT_TYPE", "CONTENT_LENGTH"): header = key[5:].lower().replace('_', '-') headers[header] = request.META[key] # Verify headers hs = HeaderVerifier(headers, secret, required_headers=self.required_headers, method=request.method.lower(), path=request.get_full_path()) # All of that just to get to this. if not hs.verify(): raise FAILED return user, secret
def test_hmac(self): hs = sign.HeaderSigner(key_id='pda', algorithm='hmac-sha256', secret='secret', headers=['(request-target)', 'Date']) unsigned = { 'Date': 'today', 'accept': 'llamas' } signed = hs.sign(unsigned, method='GET', path='/path?query=123') auth = parse_authorization_header(signed['authorization']) params = auth[1] self.assertIn('keyId', params) self.assertIn('algorithm', params) self.assertIn('signature', params) self.assertEqual(params['keyId'], 'pda') self.assertEqual(params['algorithm'], 'hmac-sha256') self.assertEqual(params['signature'], 'SFlytCGpsqb/9qYaKCQklGDvwgmrwfIERFnwt+yqPJw=')
def test_default(self): hs = sign.HeaderSigner(key_id='Test', secret=self.key) unsigned = { 'Date': self.header_date } signed = hs.sign(unsigned) self.assertIn('Date', signed) self.assertEqual(unsigned['Date'], signed['Date']) self.assertIn('Authorization', signed) auth = parse_authorization_header(signed['authorization']) params = auth[1] self.assertIn('keyId', params) self.assertIn('algorithm', params) self.assertIn('signature', params) self.assertEqual(params['keyId'], 'Test') self.assertEqual(params['algorithm'], 'rsa-sha256') self.assertEqual(params['signature'], 'jKyvPcxB4JbmYY4mByyBY7cZfNl4OW9HpFQlG7N4YcJPteKTu4MWCLyk+gIr0wDgqtLWf9NLpMAMimdfsH7FSWGfbMFSrsVTHNTk0rK3usrfFnti1dxsM4jl0kYJCKTGI/UWkqiaxwNiKqGcdlEDrTcUhhsFsOIo8VhddmZTZ8w=') # noqa: E501
def test_default(self): hs = sign.HeaderSigner(key_id='Test', secret=self.key) unsigned = { 'Date': 'Thu, 05 Jan 2012 21:31:40 GMT' } signed = hs.sign(unsigned) self.assertIn('Date', signed) self.assertEqual(unsigned['Date'], signed['Date']) self.assertIn('Authorization', signed) auth = parse_authorization_header(signed['authorization']) params = auth[1] self.assertIn('keyId', params) self.assertIn('algorithm', params) self.assertIn('signature', params) self.assertEqual(params['keyId'], 'Test') self.assertEqual(params['algorithm'], 'rsa-sha256') self.assertEqual(params['signature'], 'ATp0r26dbMIxOopqw0OfABDT7CKMIoENumuruOtarj8n/97Q3htHFYpH8yOSQk3Z5zh8UxUym6FYTb5+A0Nz3NRsXJibnYi7brE/4tx5But9kkFGzG+xpUmimN4c3TMN7OFH//+r8hBf7BT9/GmHDUVZT2JzWGLZES2xDOUuMtA=')
def test_default(self): hs = sign.HeaderSigner(key_id='Test', secret=self.key) unsigned = {'Date': 'Thu, 05 Jan 2012 21:31:40 GMT'} signed = hs.sign(unsigned) self.assertIn('Date', signed) self.assertEqual(unsigned['Date'], signed['Date']) self.assertIn('Authorization', signed) auth = parse_authorization_header(signed['authorization']) params = auth[1] self.assertIn('keyId', params) self.assertIn('algorithm', params) self.assertIn('signature', params) self.assertEqual(params['keyId'], 'Test') self.assertEqual(params['algorithm'], 'rsa-sha256') self.assertEqual( params['signature'], 'ATp0r26dbMIxOopqw0OfABDT7CKMIoENumuruOtarj8n/97Q3htHFYpH8yOSQk3Z5zh8UxUym6FYTb5+A0Nz3NRsXJibnYi7brE/4tx5But9kkFGzG+xpUmimN4c3TMN7OFH//+r8hBf7BT9/GmHDUVZT2JzWGLZES2xDOUuMtA=' )
def test_other_default(self): hs = sign.HeaderSigner(key_id='Test', secret=self.key_1024, sign_algorithm=PSS(hash_algorithm="sha512", salt_length=0)) unsigned = {'Date': self.header_date} signed = hs.sign(unsigned) self.assertIn('Date', signed) self.assertEqual(unsigned['Date'], signed['Date']) self.assertIn('Authorization', signed) auth = parse_authorization_header(signed['authorization']) params = auth[1] self.assertIn('keyId', params) self.assertIn('algorithm', params) self.assertIn('signature', params) self.assertEqual(params['keyId'], 'Test') self.assertEqual(params['algorithm'], 'hs2019') self.assertEqual( params['signature'], 'Gw8FOaXNxqwJHXwJ30OKiMFpK5zP916CFtzK7/biKi9NppjGAlpUfFKqp5kK+bFRyXxqUzQ1x5cbSeFzRWnqodNNO60ApYbOVD7ePqJfZ3DJFAxYOMzoECzc+lyVskSHKC0Ue8aYiV66gXTuY7hrEIqUsK3To/DhSNgO8csdzwg=' )
def test_default(self): hs = sign.HeaderSigner(key_id='Test', secret=self.key_2048, sign_algorithm=PSS(hash_algorithm="sha512", salt_length=0)) unsigned = {'Date': self.header_date} signed = hs.sign(unsigned) self.assertIn('Date', signed) self.assertEqual(unsigned['Date'], signed['Date']) self.assertIn('Authorization', signed) auth = parse_authorization_header(signed['authorization']) params = auth[1] self.assertIn('keyId', params) self.assertIn('algorithm', params) self.assertIn('signature', params) self.assertEqual(params['keyId'], 'Test') self.assertEqual(params['algorithm'], 'hs2019') self.assertEqual( params['signature'], 'T8+Cj3Zp2cBDm2r8/loPgfHUSSFXXyZJNxxbNx1NvKVz/r5T4z6pVxhl9rqk8WfYHMdlh2aT5hCrYKvhs88Jy0DDmeUP4nELWRsO1BF0oAqHfcrbEikZQL7jA6z0guVaLr0S5QRGmd1K5HUEkP/vYEOns+FRL+JrFG4dNJNESvG5iyKUoaXfoZCFdqtzLlIteEAL7dW/kaX/dE116wfpbem1eCABuGopRhuFtjqLKVjuUVwyP/zSYTqd9j+gDhinkAifTJPxbGMh0b5LZdNCqw5irT9NkTcTFRXDp8ioX8r805Z9QhjT7H+rSo350U2LsAFoQ9ttryPBOoMPCiQTlw==' ) # noqa: E501
def test_all(self): hs = sign.HeaderSigner(key_id='Test', secret=self.key, headers=[ '(request-target)', 'host', 'date', 'content-type', 'content-md5', 'content-length' ]) unsigned = { 'Host': 'example.com', 'Date': 'Thu, 05 Jan 2012 21:31:40 GMT', 'Content-Type': 'application/json', 'Content-MD5': 'Sd/dVLAcvNLSq16eXua5uQ==', 'Content-Length': '18', } signed = hs.sign(unsigned, method='POST', path='/foo?param=value&pet=dog') self.assertIn('Date', signed) self.assertEqual(unsigned['Date'], signed['Date']) self.assertIn('Authorization', signed) auth = parse_authorization_header(signed['authorization']) params = auth[1] self.assertIn('keyId', params) self.assertIn('algorithm', params) self.assertIn('signature', params) self.assertEqual(params['keyId'], 'Test') self.assertEqual(params['algorithm'], 'rsa-sha256') self.assertEqual( params['headers'], '(request-target) host date content-type content-md5 content-length' ) self.assertEqual( params['signature'], 'G8/Uh6BBDaqldRi3VfFfklHSFoq8CMt5NUZiepq0q66e+fS3Up3BmXn0NbUnr3L1WgAAZGplifRAJqp2LgeZ5gXNk6UX9zV3hw5BERLWscWXlwX/dvHQES27lGRCvyFv3djHP6Plfd5mhPWRkmjnvqeOOSS0lZJYFYHJz994s6w=' )
def test_all(self): hs = sign.HeaderSigner(key_id='Test', secret=self.key_2048, sign_algorithm=PSS("sha512", salt_length=0), headers=[ '(request-target)', 'host', 'date', 'content-type', 'digest', 'content-length' ]) unsigned = { 'Host': self.header_host, 'Date': self.header_date, 'Content-Type': self.header_content_type, 'Digest': self.header_digest, 'Content-Length': self.header_content_length, } signed = hs.sign(unsigned, method=self.test_method, path=self.test_path) self.assertIn('Date', signed) self.assertEqual(unsigned['Date'], signed['Date']) self.assertIn('Authorization', signed) auth = parse_authorization_header(signed['authorization']) params = auth[1] self.assertIn('keyId', params) self.assertIn('algorithm', params) self.assertIn('signature', params) self.assertEqual(params['keyId'], 'Test') self.assertEqual(params['algorithm'], 'hs2019') self.assertEqual( params['headers'], '(request-target) host date content-type digest content-length') self.assertEqual( params['signature'], 'bxWyLDB/Tuhzxd/tWG2g60l3Goyk9XJZzj2ouNKizZuZoe1Ngj+19N11bhK7FABHJ7lSzH5g6fp5LkN894ivIv6N29L2sPssuAkqgzNXyvYkp4KWOr5j7sVpApmRH7gf7THljcXosmrYk5gdBTspixpJJJ5LGkkPKCRAFurmi/LqopSH6cJbLJNIccTu2dTMGEeDOqqNterVmfonpZyPeBsEEwoeOo6d8zgHzB/1Xxk7dfELFbA1c0LE5kZbwEIEFPmS01YFz6EJW7Aj8kzvzwQRyvgDobi25niGOy/D7JVHvtDjBIaJedFuFJSb8rZ2DGryBQ6NwchMp3f2MUoTGg==' ) # noqa: E501
def authenticate(self, request): """ Perform the actual authentication. Note that the exception raised is always the same. This is so that we don't leak information about in/valid keyIds and other such useful things. """ auth_header = authentication.get_authorization_header(request) if not auth_header or len(auth_header) == 0: return None method, fields = utils.parse_authorization_header(auth_header) # Ignore foreign Authorization headers. if method.lower() != "signature": return None # Verify basic header structure. if len(fields) == 0: raise FAILED # Ensure all required fields were included. if len(set(("keyid", "algorithm", "signature")) - set(fields.keys())) > 0: raise FAILED # Fetch the secret associated with the keyid user, secret = self.fetch_user_data(fields["keyid"], algorithm=fields["algorithm"]) if not (user and secret): raise FAILED # Verify headers hs = HeaderVerifier( request.headers, secret, required_headers=self.required_headers, method=request.method.lower(), path=request.get_full_path(), ) # All of that just to get to this. if not hs.verify(): raise FAILED # Check if the signature is expired expires = request.headers.get("(expires)", None) try: expires = int(expires) except TypeError: expires = None if expires and time.time() > expires: raise FAILED if 'On-Behalf-Of' in request.headers: user = self.fetch_on_behalf_of_user( request.headers['On-Behalf-Of']) if not user: raise exceptions.AuthenticationFailed( "On behalf of user was not found.") return (user, None) return (user, fields["keyid"])