예제 #1
0
    def test_basic(self):
        hs = sign.HeaderSigner(key_id='Test', secret=self.key, headers=[
            '(request-target)',
            'host',
            'date',
        ])
        unsigned = {
            'Host': self.header_host,
            'Date': self.header_date,
        }
        signed = hs.sign(
            unsigned, method=self.test_method, path=self.test_path)

        self.assertIn('Date', signed)
        self.assertEqual(unsigned['Date'], signed['Date'])
        self.assertIn('Authorization', signed)
        auth = parse_authorization_header(signed['authorization'])
        params = auth[1]
        self.assertIn('keyId', params)
        self.assertIn('algorithm', params)
        self.assertIn('signature', params)
        self.assertEqual(params['keyId'], 'Test')
        self.assertEqual(params['algorithm'], 'rsa-sha256')
        self.assertEqual(
            params['headers'], '(request-target) host date')
        self.assertEqual(params['signature'], 'HUxc9BS3P/kPhSmJo+0pQ4IsCo007vkv6bUm4Qehrx+B1Eo4Mq5/6KylET72ZpMUS80XvjlOPjKzxfeTQj4DiKbAzwJAb4HX3qX6obQTa00/qPDXlMepD2JtTw33yNnm/0xV7fQuvILN/ys+378Ysi082+4xBQFwvhNvSoVsGv4=')  # noqa: E501
예제 #2
0
    def test_all(self):
        hs = sign.HeaderSigner(key_id='Test', secret=self.key, headers=[
            '(request-target)',
            'host',
            'date',
            'content-type',
            'digest',
            'content-length'
        ])
        unsigned = {
            'Host': self.header_host,
            'Date': self.header_date,
            'Content-Type': self.header_content_type,
            'Digest': self.header_digest,
            'Content-Length': self.header_content_length,
        }
        signed = hs.sign(
            unsigned, method=self.test_method, path=self.test_path)

        self.assertIn('Date', signed)
        self.assertEqual(unsigned['Date'], signed['Date'])
        self.assertIn('Authorization', signed)
        auth = parse_authorization_header(signed['authorization'])
        params = auth[1]
        self.assertIn('keyId', params)
        self.assertIn('algorithm', params)
        self.assertIn('signature', params)
        self.assertEqual(params['keyId'], 'Test')
        self.assertEqual(params['algorithm'], 'rsa-sha256')
        self.assertEqual(
            params['headers'],
            '(request-target) host date content-type digest content-length')
        self.assertEqual(params['signature'], 'Ef7MlxLXoBovhil3AlyjtBwAL9g4TN3tibLj7uuNB3CROat/9KaeQ4hW2NiJ+pZ6HQEOx9vYZAyi+7cmIkmJszJCut5kQLAwuX+Ms/mUFvpKlSo9StS2bMXDBNjOh4Auj774GFj4gwjS+3NhFeoqyr/MuN6HsEnkvn6zdgfE2i0=')  # noqa: E501
예제 #3
0
    def test_basic(self):
        hs = sign.HeaderSigner(key_id='Test',
                               secret=self.key_2048,
                               sign_algorithm=PSS(salt_length=0),
                               headers=[
                                   '(request-target)',
                                   'host',
                                   'date',
                               ])
        unsigned = {
            'Host': self.header_host,
            'Date': self.header_date,
        }
        signed = hs.sign(unsigned,
                         method=self.test_method,
                         path=self.test_path)

        self.assertIn('Date', signed)
        self.assertEqual(unsigned['Date'], signed['Date'])
        self.assertIn('Authorization', signed)
        auth = parse_authorization_header(signed['authorization'])
        params = auth[1]
        self.assertIn('keyId', params)
        self.assertIn('algorithm', params)
        self.assertIn('signature', params)
        self.assertEqual(params['keyId'], 'Test')
        self.assertEqual(params['algorithm'], 'hs2019')
        self.assertEqual(params['headers'], '(request-target) host date')
        self.assertEqual(
            params['signature'],
            'KkF4oeOJJH9TaYjQdaU634G7AVmM5Bf3fnfJCBZ7G0H5puW5XlQTpduA+TgouKOJhbv4aRRpunPzCHUxUjEvrR3TSALqW1EOsBwCVIusE9CnrhL7vUOvciIDai/jI15RsfR9+XyTmOSFbsI07E8mmywr3nLeWX6AAFDMO2vWc21zZxrSc13vFfAkVvFhXLxO4g0bBm6Z4m5/9ytWtdE0Gf3St2kY8aZTedllRCS8cMx8GVAIw/qYGeIlGKUCZKxrFxnviN7gfxixwova6lcxpppIo+WXxEiwMJfSQBlx0WGn3A3twCv6TsIxPOVUEW4jcogDh+jGFf1aGdVyHquTRQ=='
        )  # noqa: E501
예제 #4
0
 def test_all(self):
     hs = sign.HeaderSigner(key_id='Test', secret=self.key, headers=[
         '(request-target)',
         'host',
         'date',
         'content-type',
         'content-md5',
         'content-length'
     ])
     unsigned = {
         'Host': 'example.com',
         'Date': 'Thu, 05 Jan 2012 21:31:40 GMT',
         'Content-Type': 'application/json',
         'Content-MD5': 'Sd/dVLAcvNLSq16eXua5uQ==',
         'Content-Length': '18',
     }
     signed = hs.sign(unsigned, method='POST', path='/foo?param=value&pet=dog')
     
     self.assertIn('Date', signed)
     self.assertEqual(unsigned['Date'], signed['Date'])
     self.assertIn('Authorization', signed)
     auth = parse_authorization_header(signed['authorization'])
     params = auth[1]
     self.assertIn('keyId', params)
     self.assertIn('algorithm', params)
     self.assertIn('signature', params)
     self.assertEqual(params['keyId'], 'Test')
     self.assertEqual(params['algorithm'], 'rsa-sha256')
     self.assertEqual(params['headers'], '(request-target) host date content-type content-md5 content-length')
     self.assertEqual(params['signature'], 'G8/Uh6BBDaqldRi3VfFfklHSFoq8CMt5NUZiepq0q66e+fS3Up3BmXn0NbUnr3L1WgAAZGplifRAJqp2LgeZ5gXNk6UX9zV3hw5BERLWscWXlwX/dvHQES27lGRCvyFv3djHP6Plfd5mhPWRkmjnvqeOOSS0lZJYFYHJz994s6w=')
예제 #5
0
 def authenticate(self, request):
     """
     Perform the actual authentication.
     
     Note that the exception raised is always the same. This is so that we
     don't leak information about in/valid keyIds and other such useful
     things.
     """
     auth_header = authentication.get_authorization_header(request)
     if not auth_header or len(auth_header) == 0:
         return None
     
     method, fields = utils.parse_authorization_header(auth_header)
     
     # Ignore foreign Authorization headers.
     if method.lower() != 'signature':
         return None
     
     # Verify basic header structure.
     if len(fields) == 0:
         raise FAILED
     
     # Ensure all required fields were included.
     if len(set(("keyid","algorithm","signature")) - set(fields.keys())) > 0:
         raise FAILED
     
     # Fetch the secret associated with the keyid
     user, secret = self.fetch_user_data(
         fields["keyid"],
         algorithm=fields["algorithm"]
         )
     
     if not (user and secret):
         raise FAILED
     
     # Gather all request headers and translate them as stated in the Django docs:
     # https://docs.djangoproject.com/en/1.6/ref/request-response/#django.http.HttpRequest.META
     headers = {}
     for key in request.META.keys():
         if key.startswith("HTTP_") or \
             key in ("CONTENT_TYPE", "CONTENT_LENGTH"):
             
             header = key[5:].lower().replace('_', '-')
             headers[header] = request.META[key]
     
     # Verify headers
     hs = HeaderVerifier(
         headers,
         secret,
         required_headers=self.required_headers,
         method=request.method.lower(),
         path=request.get_full_path()
         )
     
     # All of that just to get to this.
     if not hs.verify():
         raise FAILED            
     
     return (user, fields["keyid"])
    def authenticate(self, request):
        """
        Perform the actual authentication.

        Note that the exception raised is always the same. This is so that we
        don't leak information about in/valid keyIds and other such useful
        things.
        """

        auth_header = authentication.get_authorization_header(request)
        if not auth_header or len(auth_header) == 0:
            return None

        method, fields = utils.parse_authorization_header(auth_header)

        # Ignore foreign Authorization headers.
        if method.lower() != 'signature':
            return None

        # Verify basic header structure.
        if len(fields) == 0:
            raise FAILED

        # Ensure all required fields were included.
        if len(set(("keyid", "algorithm", "signature")) -
               set(fields.keys())) > 0:
            raise FAILED

        # Fetch the secret associated with the keyid
        try:
            user, secret = self.fetch_user_data(fields['keyid'],
                                                algorithm=fields["algorithm"])
        except Exception as ex:
            print('Received Exception: {}'.format(ex))

        if not (user and secret):
            raise FAILED

        # Gather all request headers and translate them as stated in the Django docs:
        # https://docs.djangoproject.com/en/1.6/ref/request-response/#django.http.HttpRequest.META
        headers = {}
        for key in request.META.keys():
            if key.startswith("HTTP_") or \
                            key in ("CONTENT_TYPE", "CONTENT_LENGTH"):
                header = key[5:].lower().replace('_', '-')
                headers[header] = request.META[key]

        # Verify headers
        hs = HeaderVerifier(headers,
                            secret,
                            required_headers=self.required_headers,
                            method=request.method.lower(),
                            path=request.get_full_path())

        # All of that just to get to this.
        if not hs.verify():
            raise FAILED

        return user, secret
    def test_hmac(self):
        hs = sign.HeaderSigner(key_id='pda', algorithm='hmac-sha256', secret='secret', headers=['(request-target)', 'Date'])
        unsigned = {
            'Date': 'today',
            'accept': 'llamas'
        }
        signed = hs.sign(unsigned, method='GET', path='/path?query=123')

        auth = parse_authorization_header(signed['authorization'])
        params = auth[1]
        self.assertIn('keyId', params)
        self.assertIn('algorithm', params)
        self.assertIn('signature', params)
        self.assertEqual(params['keyId'], 'pda')
        self.assertEqual(params['algorithm'], 'hmac-sha256')
        self.assertEqual(params['signature'], 'SFlytCGpsqb/9qYaKCQklGDvwgmrwfIERFnwt+yqPJw=')
예제 #8
0
 def test_default(self):
     hs = sign.HeaderSigner(key_id='Test', secret=self.key)
     unsigned = {
         'Date': self.header_date
     }
     signed = hs.sign(unsigned)
     self.assertIn('Date', signed)
     self.assertEqual(unsigned['Date'], signed['Date'])
     self.assertIn('Authorization', signed)
     auth = parse_authorization_header(signed['authorization'])
     params = auth[1]
     self.assertIn('keyId', params)
     self.assertIn('algorithm', params)
     self.assertIn('signature', params)
     self.assertEqual(params['keyId'], 'Test')
     self.assertEqual(params['algorithm'], 'rsa-sha256')
     self.assertEqual(params['signature'], 'jKyvPcxB4JbmYY4mByyBY7cZfNl4OW9HpFQlG7N4YcJPteKTu4MWCLyk+gIr0wDgqtLWf9NLpMAMimdfsH7FSWGfbMFSrsVTHNTk0rK3usrfFnti1dxsM4jl0kYJCKTGI/UWkqiaxwNiKqGcdlEDrTcUhhsFsOIo8VhddmZTZ8w=')  # noqa: E501
예제 #9
0
 def test_default(self):
     hs = sign.HeaderSigner(key_id='Test', secret=self.key)
     unsigned = {
         'Date': 'Thu, 05 Jan 2012 21:31:40 GMT'
     }
     signed = hs.sign(unsigned)
     self.assertIn('Date', signed)
     self.assertEqual(unsigned['Date'], signed['Date'])
     self.assertIn('Authorization', signed)
     auth = parse_authorization_header(signed['authorization'])
     params = auth[1]
     self.assertIn('keyId', params)
     self.assertIn('algorithm', params)
     self.assertIn('signature', params)
     self.assertEqual(params['keyId'], 'Test')
     self.assertEqual(params['algorithm'], 'rsa-sha256')
     self.assertEqual(params['signature'], 'ATp0r26dbMIxOopqw0OfABDT7CKMIoENumuruOtarj8n/97Q3htHFYpH8yOSQk3Z5zh8UxUym6FYTb5+A0Nz3NRsXJibnYi7brE/4tx5But9kkFGzG+xpUmimN4c3TMN7OFH//+r8hBf7BT9/GmHDUVZT2JzWGLZES2xDOUuMtA=')
예제 #10
0
 def test_default(self):
     hs = sign.HeaderSigner(key_id='Test', secret=self.key)
     unsigned = {'Date': 'Thu, 05 Jan 2012 21:31:40 GMT'}
     signed = hs.sign(unsigned)
     self.assertIn('Date', signed)
     self.assertEqual(unsigned['Date'], signed['Date'])
     self.assertIn('Authorization', signed)
     auth = parse_authorization_header(signed['authorization'])
     params = auth[1]
     self.assertIn('keyId', params)
     self.assertIn('algorithm', params)
     self.assertIn('signature', params)
     self.assertEqual(params['keyId'], 'Test')
     self.assertEqual(params['algorithm'], 'rsa-sha256')
     self.assertEqual(
         params['signature'],
         'ATp0r26dbMIxOopqw0OfABDT7CKMIoENumuruOtarj8n/97Q3htHFYpH8yOSQk3Z5zh8UxUym6FYTb5+A0Nz3NRsXJibnYi7brE/4tx5But9kkFGzG+xpUmimN4c3TMN7OFH//+r8hBf7BT9/GmHDUVZT2JzWGLZES2xDOUuMtA='
     )
예제 #11
0
 def test_other_default(self):
     hs = sign.HeaderSigner(key_id='Test',
                            secret=self.key_1024,
                            sign_algorithm=PSS(hash_algorithm="sha512",
                                               salt_length=0))
     unsigned = {'Date': self.header_date}
     signed = hs.sign(unsigned)
     self.assertIn('Date', signed)
     self.assertEqual(unsigned['Date'], signed['Date'])
     self.assertIn('Authorization', signed)
     auth = parse_authorization_header(signed['authorization'])
     params = auth[1]
     self.assertIn('keyId', params)
     self.assertIn('algorithm', params)
     self.assertIn('signature', params)
     self.assertEqual(params['keyId'], 'Test')
     self.assertEqual(params['algorithm'], 'hs2019')
     self.assertEqual(
         params['signature'],
         'Gw8FOaXNxqwJHXwJ30OKiMFpK5zP916CFtzK7/biKi9NppjGAlpUfFKqp5kK+bFRyXxqUzQ1x5cbSeFzRWnqodNNO60ApYbOVD7ePqJfZ3DJFAxYOMzoECzc+lyVskSHKC0Ue8aYiV66gXTuY7hrEIqUsK3To/DhSNgO8csdzwg='
     )
예제 #12
0
 def test_default(self):
     hs = sign.HeaderSigner(key_id='Test',
                            secret=self.key_2048,
                            sign_algorithm=PSS(hash_algorithm="sha512",
                                               salt_length=0))
     unsigned = {'Date': self.header_date}
     signed = hs.sign(unsigned)
     self.assertIn('Date', signed)
     self.assertEqual(unsigned['Date'], signed['Date'])
     self.assertIn('Authorization', signed)
     auth = parse_authorization_header(signed['authorization'])
     params = auth[1]
     self.assertIn('keyId', params)
     self.assertIn('algorithm', params)
     self.assertIn('signature', params)
     self.assertEqual(params['keyId'], 'Test')
     self.assertEqual(params['algorithm'], 'hs2019')
     self.assertEqual(
         params['signature'],
         'T8+Cj3Zp2cBDm2r8/loPgfHUSSFXXyZJNxxbNx1NvKVz/r5T4z6pVxhl9rqk8WfYHMdlh2aT5hCrYKvhs88Jy0DDmeUP4nELWRsO1BF0oAqHfcrbEikZQL7jA6z0guVaLr0S5QRGmd1K5HUEkP/vYEOns+FRL+JrFG4dNJNESvG5iyKUoaXfoZCFdqtzLlIteEAL7dW/kaX/dE116wfpbem1eCABuGopRhuFtjqLKVjuUVwyP/zSYTqd9j+gDhinkAifTJPxbGMh0b5LZdNCqw5irT9NkTcTFRXDp8ioX8r805Z9QhjT7H+rSo350U2LsAFoQ9ttryPBOoMPCiQTlw=='
     )  # noqa: E501
예제 #13
0
    def test_all(self):
        hs = sign.HeaderSigner(key_id='Test',
                               secret=self.key,
                               headers=[
                                   '(request-target)', 'host', 'date',
                                   'content-type', 'content-md5',
                                   'content-length'
                               ])
        unsigned = {
            'Host': 'example.com',
            'Date': 'Thu, 05 Jan 2012 21:31:40 GMT',
            'Content-Type': 'application/json',
            'Content-MD5': 'Sd/dVLAcvNLSq16eXua5uQ==',
            'Content-Length': '18',
        }
        signed = hs.sign(unsigned,
                         method='POST',
                         path='/foo?param=value&pet=dog')

        self.assertIn('Date', signed)
        self.assertEqual(unsigned['Date'], signed['Date'])
        self.assertIn('Authorization', signed)
        auth = parse_authorization_header(signed['authorization'])
        params = auth[1]
        self.assertIn('keyId', params)
        self.assertIn('algorithm', params)
        self.assertIn('signature', params)
        self.assertEqual(params['keyId'], 'Test')
        self.assertEqual(params['algorithm'], 'rsa-sha256')
        self.assertEqual(
            params['headers'],
            '(request-target) host date content-type content-md5 content-length'
        )
        self.assertEqual(
            params['signature'],
            'G8/Uh6BBDaqldRi3VfFfklHSFoq8CMt5NUZiepq0q66e+fS3Up3BmXn0NbUnr3L1WgAAZGplifRAJqp2LgeZ5gXNk6UX9zV3hw5BERLWscWXlwX/dvHQES27lGRCvyFv3djHP6Plfd5mhPWRkmjnvqeOOSS0lZJYFYHJz994s6w='
        )
예제 #14
0
    def test_all(self):
        hs = sign.HeaderSigner(key_id='Test',
                               secret=self.key_2048,
                               sign_algorithm=PSS("sha512", salt_length=0),
                               headers=[
                                   '(request-target)', 'host', 'date',
                                   'content-type', 'digest', 'content-length'
                               ])
        unsigned = {
            'Host': self.header_host,
            'Date': self.header_date,
            'Content-Type': self.header_content_type,
            'Digest': self.header_digest,
            'Content-Length': self.header_content_length,
        }
        signed = hs.sign(unsigned,
                         method=self.test_method,
                         path=self.test_path)

        self.assertIn('Date', signed)
        self.assertEqual(unsigned['Date'], signed['Date'])
        self.assertIn('Authorization', signed)
        auth = parse_authorization_header(signed['authorization'])
        params = auth[1]
        self.assertIn('keyId', params)
        self.assertIn('algorithm', params)
        self.assertIn('signature', params)
        self.assertEqual(params['keyId'], 'Test')
        self.assertEqual(params['algorithm'], 'hs2019')
        self.assertEqual(
            params['headers'],
            '(request-target) host date content-type digest content-length')
        self.assertEqual(
            params['signature'],
            'bxWyLDB/Tuhzxd/tWG2g60l3Goyk9XJZzj2ouNKizZuZoe1Ngj+19N11bhK7FABHJ7lSzH5g6fp5LkN894ivIv6N29L2sPssuAkqgzNXyvYkp4KWOr5j7sVpApmRH7gf7THljcXosmrYk5gdBTspixpJJJ5LGkkPKCRAFurmi/LqopSH6cJbLJNIccTu2dTMGEeDOqqNterVmfonpZyPeBsEEwoeOo6d8zgHzB/1Xxk7dfELFbA1c0LE5kZbwEIEFPmS01YFz6EJW7Aj8kzvzwQRyvgDobi25niGOy/D7JVHvtDjBIaJedFuFJSb8rZ2DGryBQ6NwchMp3f2MUoTGg=='
        )  # noqa: E501
예제 #15
0
    def authenticate(self, request):
        """
        Perform the actual authentication.

        Note that the exception raised is always the same. This is so that we
        don't leak information about in/valid keyIds and other such useful
        things.
        """
        auth_header = authentication.get_authorization_header(request)
        if not auth_header or len(auth_header) == 0:
            return None

        method, fields = utils.parse_authorization_header(auth_header)

        # Ignore foreign Authorization headers.
        if method.lower() != "signature":
            return None

        # Verify basic header structure.
        if len(fields) == 0:
            raise FAILED

        # Ensure all required fields were included.
        if len(set(("keyid", "algorithm", "signature")) -
               set(fields.keys())) > 0:
            raise FAILED

        # Fetch the secret associated with the keyid
        user, secret = self.fetch_user_data(fields["keyid"],
                                            algorithm=fields["algorithm"])

        if not (user and secret):
            raise FAILED

        # Verify headers
        hs = HeaderVerifier(
            request.headers,
            secret,
            required_headers=self.required_headers,
            method=request.method.lower(),
            path=request.get_full_path(),
        )

        # All of that just to get to this.
        if not hs.verify():
            raise FAILED

        # Check if the signature is expired
        expires = request.headers.get("(expires)", None)
        try:
            expires = int(expires)
        except TypeError:
            expires = None
        if expires and time.time() > expires:
            raise FAILED

        if 'On-Behalf-Of' in request.headers:
            user = self.fetch_on_behalf_of_user(
                request.headers['On-Behalf-Of'])
            if not user:
                raise exceptions.AuthenticationFailed(
                    "On behalf of user was not found.")
            return (user, None)

        return (user, fields["keyid"])