def _authenticate_mac(self, request, identity):
    """Authenticate a request carrying MAC Access Authentication credentials.

    Returns the "repoze.who.userid" recovered from the token, or None when the
    credentials are not MAC credentials (another configured auth method may
    handle them). An unparseable MAC id or a bad signature is answered with
    the result of _respond_unauthorized.
    """
    # Several auth schemes may be configured; only MAC credentials are ours.
    if identity.get("scheme") != "MAC":
        return None

    mac_id = identity["id"]

    # Recover the per-token data and the signing secret from the MAC id.
    try:
        token_data, secret = self.token_manager.parse_token(mac_id)
    except ValueError:
        return self._respond_unauthorized(request, "invalid MAC id")

    # Verify the request signature against the recovered secret.
    if not check_mac_signature(request, secret, identity):
        return self._respond_unauthorized(request, "invalid MAC signature")

    # Record the nonce so the request cannot be replayed. This is done only
    # after the signature has been verified so that unauthenticated requests
    # cannot fill the nonce store (a denial-of-service vector).
    nonce_value = identity["nonce"]
    ts_value = int(identity["ts"])
    self.nonce_manager.add_nonce(mac_id, ts_value, nonce_value)

    # Data carried by the token takes precedence over what the client sent.
    identity.update(token_data)
    return identity["repoze.who.userid"]
def test_check_mac_signature_errors_when_missing_data(self):
    """A MAC Authorization header lacking required fields must not verify.

    The header carries only "ts" and "nonce"; check_mac_signature is expected
    to report failure (False) for such incomplete credentials.
    """
    raw_request = "GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"
    request = Request.from_string(raw_request)
    request.authorization = ("MAC", {"ts": "1", "nonce": "2"})
    verified = check_mac_signature(request, "secretkeyohsecretkey")
    self.assertFalse(verified)