def decrypt(self, data): eia = Composition() eia.from_json(data) self.iv = eia.iv self.cipher_text = eia.ciphertext if None in [self.iv, self.cipher_text, self.ia_key]: raise ValueError( "Empty required parameter in encrypted Identity Assertion" ) self.iv = from_b64(self.iv, return_bytes=True) self.cipher_text = from_b64(self.cipher_text, return_bytes=True) # First 12 characters for iv iv = self.iv[:12] # Last 16 characters for authentication tag auth_tag = self.cipher_text[-16:] # Remaining characters for cipher text cipher_text = self.cipher_text[0:-16] # Decrypt tag, in this case no additional authentication data is used return decrypt_aes_gcm(self.ia_key, iv, auth_tag, cipher_text)
def verify(self, signature): """ Verifies with a public key from whom the data came that it was indeed signed by their private key """ # Get signature from IA if signature is None: raise ValueError("Empty required parameter during: signature") ia = signature.decode('utf-8') ia_json = Composition() ia_json.from_json(ia) signature_b64 = ia_json.ia_signature signature_bytes = from_b64(signature_b64, return_bytes=True) # Update IA template with values from self update_existing_keys(self, self.expected_signature) if None in [*self.expected_signature.values(), self.public_key]: raise ValueError("Empty required parameter in expected signature") # Get expected signature expected_signature = self.expected_signature.to_json() expected_signature_bytes = expected_signature.encode('utf-8') public_key_bytes = self.public_key.encode('utf-8') # Verify, throws exception on failure verify_signature( public_key_bytes, signature_bytes, expected_signature_bytes )
def authenticate_user(self, request, response, environ): # Raise UserNotAuthenticated("message") Exception if the user could not # be authenticated locally. # POST parameter are accessible through the request object: email = request.post_param('email') password = request.post_param('password') session_cookie = request.get_cookie("idp_session") if session_cookie: session_cookie = from_b64(session_cookie, return_bytes=True) logged_in_as = sessions.get(session_cookie) if email is not None: if email == logged_in_as: # User is already logged in return if password is not None: # Place your login handler here if email in users: if users.get(email).get('password') == password: session_nonce = create_nonce(32) sessions.update({session_nonce: email}) return response.set_cookie('idp_session', to_b64(session_nonce), secure=False, http_only=False) # User could not be authenticated raise UserNotAuthenticated("Authentication failed")
def test_b64_decoding(self): data = "string" data_b64_bytes = b64encode(data.encode('utf-8')) data_b64 = data_b64_bytes.decode('utf-8') test = from_b64(data_b64) test_bytes = from_b64(data_b64_bytes) self.assertEqual(str, type(test)) self.assertEqual(str, type(test_bytes)) self.assertEqual(test, data) self.assertEqual(test_bytes, data) test = from_b64(data_b64, return_bytes=True) test_bytes = from_b64(data_b64_bytes, return_bytes=True) self.assertEqual(bytes, type(test)) self.assertEqual(bytes, type(test_bytes)) self.assertEqual(test, data.encode('utf-8')) self.assertEqual(test_bytes, data.encode('utf-8'))
def authenticate_user(self, request, response, environ): # Return User object, if the user is already logged in session_cookie = request.get_cookie("idp_session") if session_cookie: session_cookie = from_b64(session_cookie, return_bytes=True) email = sessions.get(session_cookie) if email: return User(email) return None
def read_validate_params(self, request): login_session_token = request.get_param('login_session_token') if not login_session_token: raise SpressoInvalidError( error="invalid_request", message="Missing required parameter in request", uri=request.path) self.login_session_token = from_b64(unquote(login_session_token), return_bytes=True)
def read_validate_params(self, request): login_session_token = request.post_param('login_session_token') self.eia = request.post_param('eia') origin_header = request.header('Origin') if None in [login_session_token, self.eia, origin_header]: raise SpressoInvalidError( error="invalid_request", message="Missing required parameter in request", uri=request.path) self.login_session_token = from_b64(login_session_token, return_bytes=True) origin = Origin(origin_header, settings=self.settings) if not origin.valid: raise SpressoInvalidError(error="invalid_request", message="Origin request_header mismatch", uri=request.path)