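def authenticate(self, environ):
    """
    Authenticate a user from the ``__ac`` cookie of a request.

    The cookie value is read as URL-quoted base64 of a username and a hex
    digest separated by a single NUL byte.  The digest must equal the HMAC
    of the username under ``self.secret``.  On a match, a signed
    ``REMOTE_USER`` header is added to ``environ`` through
    ``add_signed_header``.

    Returns ``False`` when the cookie is missing, malformed, or carries a
    digest that does not match.

    NOTE(review): the success path visible here ends without a ``return``,
    so it yields ``None``; confirm callers do not treat a falsy result as
    failure.

    NOTE(review): the MAC covers only the username (no expiry, nonce or
    client binding), so a captured cookie stays valid until ``self.secret``
    is rotated -- confirm that is the intended session lifetime.
    """
    # Function-scope import: the file's import block is not visible here.
    import binascii

    try:
        cookie = BaseCookie(environ['HTTP_COOKIE'])
        morsel = cookie['__ac']
    except KeyError:
        # No Cookie header at all, or no __ac cookie in it.
        return False

    try:
        decoded = base64.decodestring(unquote(morsel.value))
        username, auth = decoded.split("\0")
    except (ValueError, binascii.Error):
        # ValueError: the payload did not split into exactly two fields.
        # binascii.Error: invalid base64 (e.g. bad padding).  On Python 2 it
        # is not a ValueError subclass, so without this clause a malformed
        # client-supplied cookie escaped as an unhandled exception.
        # The whole Cookie header is dropped, not only the __ac morsel.
        del environ['HTTP_COOKIE']
        return False

    expected = hmac.new(self.secret, username, sha).hexdigest()
    # Constant-time comparison: a plain == on the digests stops at the first
    # differing character, which leaks how much of a guessed MAC is correct.
    # hmac.compare_digest needs Python 2.7.7+ / 3.3+.
    if not hmac.compare_digest(auth, expected):
        # Unlike the malformed case above, the cookie is left in environ.
        return False

    add_signed_header(environ, 'REMOTE_USER', username, self.secret)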
def test_header_signing():
    """
    Round-trip a signed REMOTE_USER header through the checking middleware.

    Signs a header into a WSGI-style environ, checks the five
    space-separated fields of the result, then verifies that
    HeaderSignatureCheckingMiddleware passes the user through for the
    genuine header and does not for a tampered authenticator or a
    malformed header.

    NOTE(review): not covered here: a stale send time or a reused nonce.
    Whether the middleware enforces either is not visible from this test.
    """
    environ = {'morx' : 'fleem'}
    add_signed_header(environ, 'REMOTE_USER', 'ausername', 'secret')

    # Signing must leave unrelated keys alone and add the signed header.
    assert environ['morx'] == 'fleem'
    assert 'HTTP_REMOTE_USER_SIGNED' in environ

    # NOTE(review): maxsplit=5 permits six fields while five names are
    # unpacked; a value containing a space would raise ValueError here.
    # 4 looks like the intended limit -- confirm.
    signed = environ['HTTP_REMOTE_USER_SIGNED']
    sent_at, nonce, header_name, mac, payload = signed.split(" ", 5)
    assert payload == 'ausername'
    assert header_name == 'REMOTE_USER'

    def echo_user(environ, start_response):
        # Minimal WSGI app: report whichever user the middleware let through.
        return [environ.get('REMOTE_USER', 'no user')]

    # Presumably secret.txt holds the same 'secret' used for signing above,
    # otherwise the first middleware assertion could not pass -- confirm.
    secret_path = os.path.join(os.path.dirname(__file__), 'secret.txt')
    checker = HeaderSignatureCheckingMiddleware(
        echo_user, {'topp_secret_filename' : secret_path})
    assert checker(environ, None) == ['ausername']

    # Same send time, nonce and value, but a wrong authenticator: must fail.
    forged = " ".join([sent_at, nonce, 'REMOTE_USER', "abadauthenticator", 'ausername'])
    environ['HTTP_REMOTE_USER_SIGNED'] = forged
    assert checker(environ, None) != ['ausername']

    # A header that does not even have the expected field layout.
    environ['HTTP_REMOTE_USER_SIGNED'] = "morx"
    assert checker(environ, None) != ['ausername']