def decrypt(self, data):
eia = Composition()
eia.from_json(data)
self.iv = eia.iv
self.cipher_text = eia.ciphertext
if None in [self.iv, self.cipher_text, self.ia_key]:
raise ValueError(
"Empty required parameter in encrypted Identity Assertion"
)
self.iv = from_b64(self.iv, return_bytes=True)
self.cipher_text = from_b64(self.cipher_text, return_bytes=True)
# First 12 characters for iv
iv = self.iv[:12]
# Last 16 characters for authentication tag
auth_tag = self.cipher_text[-16:]
# Remaining characters for cipher text
cipher_text = self.cipher_text[0:-16]
# Decrypt tag, in this case no additional authentication data is used
return decrypt_aes_gcm(self.ia_key, iv, auth_tag, cipher_text)
def verify(self, signature):
"""
Verifies with a public key from whom the data came that
it was indeed signed by their private key
"""
# Get signature from IA
if signature is None:
raise ValueError("Empty required parameter during: signature")
ia = signature.decode('utf-8')
ia_json = Composition()
ia_json.from_json(ia)
signature_b64 = ia_json.ia_signature
signature_bytes = from_b64(signature_b64, return_bytes=True)
# Update IA template with values from self
update_existing_keys(self, self.expected_signature)
if None in [*self.expected_signature.values(), self.public_key]:
raise ValueError("Empty required parameter in expected signature")
# Get expected signature
expected_signature = self.expected_signature.to_json()
expected_signature_bytes = expected_signature.encode('utf-8')
public_key_bytes = self.public_key.encode('utf-8')
# Verify, throws exception on failure
verify_signature(
public_key_bytes,
signature_bytes,
expected_signature_bytes
)
def authenticate_user(self, request, response, environ):
# Raise UserNotAuthenticated("message") Exception if the user could not
# be authenticated locally.
# POST parameter are accessible through the request object:
email = request.post_param('email')
password = request.post_param('password')
session_cookie = request.get_cookie("idp_session")
if session_cookie:
session_cookie = from_b64(session_cookie, return_bytes=True)
logged_in_as = sessions.get(session_cookie)
if email is not None:
if email == logged_in_as:
# User is already logged in
return
if password is not None:
# Place your login handler here
if email in users:
if users.get(email).get('password') == password:
session_nonce = create_nonce(32)
sessions.update({session_nonce: email})
return response.set_cookie('idp_session',
to_b64(session_nonce),
secure=False,
http_only=False)
# User could not be authenticated
raise UserNotAuthenticated("Authentication failed")
def test_b64_decoding(self):
data = "string"
data_b64_bytes = b64encode(data.encode('utf-8'))
data_b64 = data_b64_bytes.decode('utf-8')
test = from_b64(data_b64)
test_bytes = from_b64(data_b64_bytes)
self.assertEqual(str, type(test))
self.assertEqual(str, type(test_bytes))
self.assertEqual(test, data)
self.assertEqual(test_bytes, data)
test = from_b64(data_b64, return_bytes=True)
test_bytes = from_b64(data_b64_bytes, return_bytes=True)
self.assertEqual(bytes, type(test))
self.assertEqual(bytes, type(test_bytes))
self.assertEqual(test, data.encode('utf-8'))
self.assertEqual(test_bytes, data.encode('utf-8'))
def authenticate_user(self, request, response, environ):
# Return User object, if the user is already logged in
session_cookie = request.get_cookie("idp_session")
if session_cookie:
session_cookie = from_b64(session_cookie, return_bytes=True)
email = sessions.get(session_cookie)
if email:
return User(email)
return None
def read_validate_params(self, request):
login_session_token = request.get_param('login_session_token')
if not login_session_token:
raise SpressoInvalidError(
error="invalid_request",
message="Missing required parameter in request",
uri=request.path)
self.login_session_token = from_b64(unquote(login_session_token),
return_bytes=True)
def read_validate_params(self, request):
login_session_token = request.post_param('login_session_token')
self.eia = request.post_param('eia')
origin_header = request.header('Origin')
if None in [login_session_token, self.eia, origin_header]:
raise SpressoInvalidError(
error="invalid_request",
message="Missing required parameter in request",
uri=request.path)
self.login_session_token = from_b64(login_session_token,
return_bytes=True)
origin = Origin(origin_header, settings=self.settings)
if not origin.valid:
raise SpressoInvalidError(error="invalid_request",
message="Origin request_header mismatch",
uri=request.path)