def authenticate(self, environ):
"""
Authenticate a user from a request.
"""
try:
cookie = BaseCookie(environ['HTTP_COOKIE'])
morsel = cookie['__ac']
except KeyError:
return False
try:
username, auth = base64.decodestring(unquote(morsel.value)).split("\0")
except ValueError:
del environ['HTTP_COOKIE']
return False
if not auth == hmac.new(self.secret, username, sha).hexdigest():
return False
add_signed_header(environ, 'REMOTE_USER', username, self.secret)
def test_header_signing():
environ = {'morx' : 'fleem'}
add_signed_header(environ, 'REMOTE_USER', 'ausername', 'secret')
assert environ['morx'] == 'fleem'
assert 'HTTP_REMOTE_USER_SIGNED' in environ
header = environ['HTTP_REMOTE_USER_SIGNED']
sendtime, nonce, key, authenticator, value = header.split(" ", 5)
assert value == 'ausername'
assert key == 'REMOTE_USER'
app = lambda environ, start_response: [environ.get('REMOTE_USER', 'no user')]
fname = os.path.join(os.path.dirname(__file__), 'secret.txt')
middleware = HeaderSignatureCheckingMiddleware(app, {'topp_secret_filename' : fname})
assert middleware(environ, None) == ['ausername']
#now check a bad signature
badval = " ".join([sendtime, nonce, 'REMOTE_USER', "abadauthenticator", 'ausername'])
environ['HTTP_REMOTE_USER_SIGNED'] = badval
assert middleware(environ, None) != ['ausername']
#try a bogus header
environ['HTTP_REMOTE_USER_SIGNED'] = "morx"
assert middleware(environ, None) != ['ausername']
