def test_oauth_crypto(self): phrase = 'MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE' token = { 'access_token': 'MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE', 'expires_in': oauth2_settings.ACCESS_TOKEN_EXPIRE_SECONDS, 'token_type': 'Password', 'refresh_token': 'abc', 'scope': 'read write' } data = encrypt_access_token(token) if not data: self.fail() result = decrypt_access_token(data) if not result: self.fail() if phrase != result['access_token']: self.fail('Decrypted value does not match phrase.')
def has_permission(self, request, view): """ During Node registration, we won't have the machine_id in data, so security is handled by the oauth2 rest framework authentication provider. Otherwise the node needs to provide a node authentication header value. """ if 'token' in request.COOKIES: # Get the encrypted access token data, fix any equal sign encoding. enc_token = request.COOKIES['token'].replace('%3D', '=').encode('UTF-8') token = decrypt_access_token(enc_token) # Add the HTTP_Authorization header based off the encrypted token. # We can only add something to the META property if we make a copy and store back the copy. meta = request.META.copy() meta['HTTP_Authorization'] = 'bearer {0}'.format(token['access_token']) request.META = meta # Retrieve the AccessToken record from the DB. request.auth = AccessToken.objects.get(token=token['access_token']) result = TokenHasReadWriteScope().has_permission(request, view) return result # Note: Not sure if we need to do any further permission checks on the Node here. return True
def test_token_encryption(self): """ Test the encryption and decryption of the access token """ enc_token = encrypt_access_token(self.token) self.assertTrue(enc_token) token = decrypt_access_token(enc_token) self.assertTrue(is_access_token_valid(token)) self.assertTrue(token)
def process_request(self, request): # Check to see if this is the login/logout page, if so just return. if '/accounts/login/' in request.path or '/accounts/logout/' in request.path: return # TODO: Only do oauth token stuff when the url is an API url if 'token' in request.COOKIES: # Get the encrypted access token data, fix any equal sign encoding. enc = request.COOKIES['token'].replace('%3D', '=').encode('UTF-8') # Decrypt the access token data token = decrypt_access_token(enc) # Check for a valid oauth token. if token is not None and 'access_token' in token: # Check to see if access token is not valid. if not is_access_token_valid(token): # TODO: Figure out when we should *not* just refresh the token. # Try to refresh the token. token = refresh_access_token(token) # If we have a good refreshed token, update the cookies. if 'access_token' in token: # Encrypt the new token enc = encrypt_access_token(token) # Set the token into the request object cookies = request.COOKIES.copy() cookies['token'] = enc.decode('UTF-8') cookies['token-update'] = "1" request.COOKIES = cookies.copy() else: # Refresh token failed return HttpResponseRedirect('/accounts/logout/') # Create the Authorization header with the access token. request.META['Authorization'] = 'bearer {0}'.format(token['access_token']) else: pass
def authenticate(self, request): """ security is handled by the Oauth2 rest framework authentication provider. Otherwise an API authentication header needs to be provided. """ # TODO: Remove this later after all auth headers have been coded for. # return None # Try Oauth2 authentication first if 'token' in request.COOKIES: # Get the encrypted access token data, fix any equal sign encoding. enc_token = request.COOKIES['token'].replace('%3D', '=').encode('UTF-8') token = decrypt_access_token(enc_token) # Add the HTTP_Authorization header based off the encrypted token. # We can only add something to the META property if we make a copy and store back the copy. meta = request.META.copy() meta['HTTP_Authorization'] = 'bearer {0}'.format( token['access_token']) request.META = meta # Retrieve the AccessToken record from the DB. request.auth = AccessToken.objects.get(token=token['access_token']) result = OAuth2Authentication().authenticate(request) return result # Try API_KEY authentication if "HTTP_API_KEY" in request.META: m_key = request.META.get('HTTP_API_KEY') # Look up API key in UserProfile table. try: profile = UserProfile.objects.get(api_code=m_key) if profile.user.is_active is True and profile.api_access is True: return (profile.user, m_key) except ObjectDoesNotExist: pass raise exceptions.AuthenticationFailed( 'Valid API credentials were not provided.')
def authenticate(self, request): """ During Node registration, we won't have the machine_id in data, so security is handled by the oauth2 rest framework authentication provider. Otherwise the node needs to provide a node authentication header value. """ if 'token' in request.COOKIES: # Get the encrypted access token data, fix any equal sign encoding. enc_token = request.COOKIES['token'].replace('%3D', '=').encode('UTF-8') token = decrypt_access_token(enc_token) # Add the HTTP_Authorization header based off the encrypted token. # We can only add something to the META property if we make a copy and store back the copy. meta = request.META.copy() meta['HTTP_Authorization'] = 'bearer {0}'.format(token['access_token']) request.META = meta # Retrieve the AccessToken record from the DB. request.auth = AccessToken.objects.get(token=token['access_token']) result = OAuth2Authentication().authenticate(request) return result m_id = request.META.get('HTTP_NODE') if not m_id: raise exceptions.AuthenticationFailed('Node credentials were not provided.') try: node = Node.objects.get(machine_id=m_id) node.last_connection = datetime.datetime.now() node.save() except: raise exceptions.AuthenticationFailed('Valid Node credentials were not provided.') return None