def encrypt(self, padding=True): if None in [self.rp_nonce, self.rp_origin]: raise ValueError("Empty required parameter in tag") self.rp_nonce = to_b64(self.rp_nonce) if padding: # Prevent Tag length side channel attacks by padding padding_length = self.max_domain_length - len(self.rp_origin) self.rp_origin += "={0}".format( create_random_characters(padding_length - 1) ) # Create Tag update_existing_keys(self, self.tag) if None in [*self.tag, self.key, self.iv]: raise ValueError("Empty required parameter during encryption") tag_json = self.tag.to_json().encode('utf-8') # Encrypt cipher_text, auth_tag = encrypt_aes_gcm(self.key, self.iv, tag_json) iv = to_b64(self.iv) encrypted_tag = to_b64(cipher_text + auth_tag) return Composition(iv=iv, ciphertext=encrypted_tag)
def test_b64_encoding(self): data = "string" data_enc = to_b64(data) self.assertEqual(str, type(data_enc)) data_bytes = data.encode('utf-8') data_bytes_enc = to_b64(data_bytes) self.assertEqual(str, type(data_bytes_enc)) test = b64encode(data.encode('utf-8')).decode('utf-8') self.assertEqual(data_enc, test) self.assertEqual(data_bytes_enc, test)
def set_cookie(self, service_token, response): # Set client cookie with service_token response.set_cookie("rp_session", to_b64(service_token), secure=False, http_only=False) return response
def authenticate_user(self, request, response, environ): # Raise UserNotAuthenticated("message") Exception if the user could not # be authenticated locally. # POST parameter are accessible through the request object: email = request.post_param('email') password = request.post_param('password') session_cookie = request.get_cookie("idp_session") if session_cookie: session_cookie = from_b64(session_cookie, return_bytes=True) logged_in_as = sessions.get(session_cookie) if email is not None: if email == logged_in_as: # User is already logged in return if password is not None: # Place your login handler here if email in users: if users.get(email).get('password') == password: session_nonce = create_nonce(32) sessions.update({session_nonce: email}) return response.set_cookie('idp_session', to_b64(session_nonce), secure=False, http_only=False) # User could not be authenticated raise UserNotAuthenticated("Authentication failed")
def json(self): login_session_token = to_b64(self.session.token) tag_key = to_b64(self.session.tag_key) schema = self.settings.json_schemata.get("start_login").schema info_schema = { schema.forwarder_domain: self.session.forwarder_domain, schema.login_session_token: login_session_token, schema.tag_key: tag_key } info = Composition(info_schema) schema.validate(info) info_json = info.to_json() return info_json
def get_login_url(self): tag = self._create_tag() tag_enc = tag.encrypt(self.padding) ld_path = self._create_ld_path() self.tag_enc_json = tag_enc.to_json() email = self.user.email ia_key = to_b64(self.ia_key) login_url = "{}#{}&{}&{}&{}".format(ld_path, quote(self.tag_enc_json), quote(email), quote(ia_key), self.forwarder_domain) return login_url
def sign(self): """ Method for signing the identity assertion. """ # Update IA template with values from self update_existing_keys(self, self.signature) if self.settings.private_key is None: raise InvalidSettings( "Private key is empty" ) if None in self.signature.values(): raise ValueError( "Empty required parameter during signature creation" ) # Create b64 encoded JSON ia_json = self.signature.to_json() ia_json_bytes = ia_json.encode('utf-8') # Create signature signature = create_signature(self.settings.private_key, ia_json_bytes) return to_b64(signature)