def encrypt(self, padding=True):
if None in [self.rp_nonce, self.rp_origin]:
raise ValueError("Empty required parameter in tag")
self.rp_nonce = to_b64(self.rp_nonce)
if padding:
# Prevent Tag length side channel attacks by padding
padding_length = self.max_domain_length - len(self.rp_origin)
self.rp_origin += "={0}".format(
create_random_characters(padding_length - 1)
)
# Create Tag
update_existing_keys(self, self.tag)
if None in [*self.tag, self.key, self.iv]:
raise ValueError("Empty required parameter during encryption")
tag_json = self.tag.to_json().encode('utf-8')
# Encrypt
cipher_text, auth_tag = encrypt_aes_gcm(self.key, self.iv, tag_json)
iv = to_b64(self.iv)
encrypted_tag = to_b64(cipher_text + auth_tag)
return Composition(iv=iv, ciphertext=encrypted_tag)
def test_b64_encoding(self):
data = "string"
data_enc = to_b64(data)
self.assertEqual(str, type(data_enc))
data_bytes = data.encode('utf-8')
data_bytes_enc = to_b64(data_bytes)
self.assertEqual(str, type(data_bytes_enc))
test = b64encode(data.encode('utf-8')).decode('utf-8')
self.assertEqual(data_enc, test)
self.assertEqual(data_bytes_enc, test)
def set_cookie(self, service_token, response):
# Set client cookie with service_token
response.set_cookie("rp_session",
to_b64(service_token),
secure=False,
http_only=False)
return response
def authenticate_user(self, request, response, environ):
# Raise UserNotAuthenticated("message") Exception if the user could not
# be authenticated locally.
# POST parameter are accessible through the request object:
email = request.post_param('email')
password = request.post_param('password')
session_cookie = request.get_cookie("idp_session")
if session_cookie:
session_cookie = from_b64(session_cookie, return_bytes=True)
logged_in_as = sessions.get(session_cookie)
if email is not None:
if email == logged_in_as:
# User is already logged in
return
if password is not None:
# Place your login handler here
if email in users:
if users.get(email).get('password') == password:
session_nonce = create_nonce(32)
sessions.update({session_nonce: email})
return response.set_cookie('idp_session',
to_b64(session_nonce),
secure=False,
http_only=False)
# User could not be authenticated
raise UserNotAuthenticated("Authentication failed")
def json(self):
login_session_token = to_b64(self.session.token)
tag_key = to_b64(self.session.tag_key)
schema = self.settings.json_schemata.get("start_login").schema
info_schema = {
schema.forwarder_domain: self.session.forwarder_domain,
schema.login_session_token: login_session_token,
schema.tag_key: tag_key
}
info = Composition(info_schema)
schema.validate(info)
info_json = info.to_json()
return info_json
def get_login_url(self):
tag = self._create_tag()
tag_enc = tag.encrypt(self.padding)
ld_path = self._create_ld_path()
self.tag_enc_json = tag_enc.to_json()
email = self.user.email
ia_key = to_b64(self.ia_key)
login_url = "{}#{}&{}&{}&{}".format(ld_path, quote(self.tag_enc_json),
quote(email), quote(ia_key),
self.forwarder_domain)
return login_url
def sign(self):
"""
Method for signing the identity assertion.
"""
# Update IA template with values from self
update_existing_keys(self, self.signature)
if self.settings.private_key is None:
raise InvalidSettings(
"Private key is empty"
)
if None in self.signature.values():
raise ValueError(
"Empty required parameter during signature creation"
)
# Create b64 encoded JSON
ia_json = self.signature.to_json()
ia_json_bytes = ia_json.encode('utf-8')
# Create signature
signature = create_signature(self.settings.private_key, ia_json_bytes)
return to_b64(signature)