def decrypt_cookie(encrypted_content):
s = URLSafeSerializer(current_app.config["SECRET_KEY"], salt="cookie")
try:
content = s.loads(encrypted_content)
except:
content = "-1"
return content
def test_should_response_200_json(self, session):
self._create_dagrun(session)
key = self.app.config["SECRET_KEY"]
serializer = URLSafeSerializer(key)
token = serializer.dumps({"download_logs": False})
headers = {'Accept': 'application/json'}
response = self.client.get(
f"api/v1/dags/{self.DAG_ID}/dagRuns/TEST_DAG_RUN_ID/"
f"taskInstances/{self.TASK_ID}/logs/1?token={token}",
headers=headers
)
expected_filename = "{}/{}/{}/{}/1.log".format(
self.log_dir,
self.DAG_ID,
self.TASK_ID,
self.default_time.replace(":", ".")
)
self.assertEqual(
response.json['content'],
f"*** Reading local file: {expected_filename}\nLog for testing."
)
info = serializer.loads(response.json['continuation_token'])
self.assertEqual(
info,
{'end_of_log': True}
)
self.assertEqual(200, response.status_code)
def retrieve_cookie(
cookie_name: str, request: flask.Request = flask.request
) -> Union[str, None]:
"""
Returns the decoded version of a signed cookie. If the cookie was
tampered with, then it will return `None`.
"""
serializer = URLSafeSerializer(flask.current_app.config["SECRET_KEY"])
try:
return serializer.loads(request.cookies[cookie_name])
except (BadSignature, BadData, KeyError):
# Somebody tampered with the data and its better to return None.
return None
def unserialize_user_flag(user_flag, *, secret=None):
if secret is None:
secret = current_app.config["SECRET_KEY"]
user_flag = re.sub(".+?{(.+)}", r"\1", user_flag)[::-1]
serializer = URLSafeSerializer(secret)
data = serializer.loads(user_flag)
data.append(None)
account_id, challenge_id, challenge_data, *_ = data
return account_id, challenge_id, challenge_data
def test_should_respond_200_json(self, session):
self._create_dagrun(session)
key = self.app.config["SECRET_KEY"]
serializer = URLSafeSerializer(key)
token = serializer.dumps({"download_logs": False})
response = self.client.get(
f"api/v1/dags/{self.DAG_ID}/dagRuns/TEST_DAG_RUN_ID/"
f"taskInstances/{self.TASK_ID}/logs/1?token={token}",
headers={'Accept': 'application/json'},
environ_overrides={'REMOTE_USER': "******"},
)
expected_filename = "{}/{}/{}/{}/1.log".format(
self.log_dir, self.DAG_ID, self.TASK_ID, self.default_time.replace(":", ".")
)
assert (
response.json['content']
== f"[('', '*** Reading local file: {expected_filename}\\nLog for testing.')]"
)
info = serializer.loads(response.json['continuation_token'])
assert info == {'end_of_log': True}
assert 200 == response.status_code
from itsdangerous.serializer import Serializer
s = Serializer("secret-key")
serializer_value = s.dumps([1, 2, 3, 4])
print(serializer_value)
print(s.loads(serializer_value))
from itsdangerous.url_safe import URLSafeSerializer
s1 = URLSafeSerializer("secret-key", salt="activate")
s1.dumps(1)
s2 = URLSafeSerializer("secret-key", salt="upgrade")
s2.dumps(1)
print(s1.dumps(1))
print(s2.dumps(1))
print(s1.loads(s1.dumps(1)))
print(s2.loads(s2.dumps(1)))
s = URLSafeSerializer("secret-key")
s.dumps([1, 2, 3, 4])
print(s.dumps([1, 2, 3, 4]))
print(s.loads(s.dumps([1, 2, 3, 4])))
class CSRFMiddleware(BaseHTTPMiddleware):
def __init__(
self,
app: ASGIApp,
secret: str,
sensitive_cookies: Optional[Set[str]] = None,
cookie_name: str = "csrftoken",
cookie_path: str = "/",
cookie_domain: Optional[str] = None,
cookie_secure: bool = False,
cookie_httponly: bool = False,
cookie_samesite: str = "lax",
header_name: str = "x-csrftoken",
safe_methods: Set[str] = {"GET", "HEAD", "OPTIONS", "TRACE"},
exempt_urls: Optional[List[Pattern]] = None,
) -> None:
super().__init__(app)
self.serializer = URLSafeSerializer(secret, "csrftoken")
self.secret = secret
self.sensitive_cookies = sensitive_cookies
self.cookie_name = cookie_name
self.cookie_path = cookie_path
self.cookie_domain = cookie_domain
self.cookie_secure = cookie_secure
self.cookie_httponly = cookie_httponly
self.cookie_samesite = cookie_samesite
self.header_name = header_name
self.safe_methods = safe_methods
self.exempt_urls = exempt_urls
async def dispatch(self, request: Request, call_next: RequestResponseEndpoint):
csrf_cookie = request.cookies.get(self.cookie_name)
if (
request.method not in self.safe_methods
and self._has_sensitive_cookies(request.cookies)
and not self._url_is_exempt(request.url)
):
submitted_csrf_token = await self._get_submitted_csrf_token(request)
if (
not csrf_cookie
or not submitted_csrf_token
or not self._csrf_tokens_match(csrf_cookie, submitted_csrf_token)
):
return self._get_error_response(request)
response = await call_next(request)
if not csrf_cookie:
response.set_cookie(
self.cookie_name,
self._generate_csrf_token(),
path=self.cookie_path,
domain=self.cookie_domain,
secure=self.cookie_secure,
httponly=self.cookie_httponly,
samesite=self.cookie_samesite,
)
return response
def _has_sensitive_cookies(self, cookies: Dict[str, str]) -> bool:
if not self.sensitive_cookies:
return True
for sensitive_cookie in self.sensitive_cookies:
if sensitive_cookie in cookies:
return True
return False
def _url_is_exempt(self, url: URL) -> bool:
if not self.exempt_urls:
return False
for exempt_url in self.exempt_urls:
if exempt_url.match(url.path):
return True
return False
async def _get_submitted_csrf_token(self, request: Request) -> Optional[str]:
return request.headers.get(self.header_name)
def _generate_csrf_token(self) -> str:
return cast(str, self.serializer.dumps(secrets.token_urlsafe(128)))
def _csrf_tokens_match(self, token1: str, token2: str) -> bool:
try:
decoded1: str = self.serializer.loads(token1)
decoded2: str = self.serializer.loads(token2)
return secrets.compare_digest(decoded1, decoded2)
except BadSignature:
return False
def _get_error_response(self, request: Request) -> Response:
return PlainTextResponse(
content="CSRF token verification failed", status_code=403
)
