def testXsrf(self):
timestamp1 = 1329858903.8305809
timestamp2 = 1329859175.3705659
token1 = 'fZDmmR1yZzyjL9cyX0Zl7XwjfDEzMjk4NTg5MDMuODM='.decode('utf-8')
token2 = util.XsrfTokenGenerate(
'action', user='******', timestamp=timestamp1).decode('utf-8')
token3 = util.XsrfTokenGenerate('action', user='******').decode('utf-8')
token4 = util.XsrfTokenGenerate('action', user='******').decode('utf-8')
self.assertEquals(token1, token2)
self.assertNotEquals(token1, token3)
self.assertNotEquals(token3, token4)
class MockTime1(object):
def time(self): # pylint: disable=g-bad-name
return timestamp1
class MockTime2(object):
def time(self): # pylint: disable=g-bad-name
return timestamp1 + 999
self.assertTrue(util.XsrfTokenValidate(
token1, 'action', user='******', time_=MockTime1()))
self.assertFalse(util.XsrfTokenValidate(
token1, 'action', user='******', time_=MockTime2()))
self.assertTrue(util.XsrfTokenValidate(
token1, 'action', user='******', timestamp=timestamp1, time_=MockTime1()))
self.assertFalse(util.XsrfTokenValidate(
token1, 'action', user='******', timestamp=timestamp2, time_=MockTime1()))
def get(self, action=None):
"""Handles GET requests."""
if not action:
self.error(httplib.NOT_FOUND)
return
try:
email = base.GetCurrentUser().email
except errors.AccessDeniedError:
raise errors.AccessDeniedError
self.response.headers['Content-Type'] = 'text/plain'
self.response.out.write(util.XsrfTokenGenerate(action, user=email))
def get(self, volume_uuid): # pylint: disable=g-bad-name
"""Handles GET requests."""
self.VerifyPermissions(permissions.CHANGE_OWNER)
self.RenderTemplate(
'change_owner.html', {
'volume_uuid':
volume_uuid,
'current_owner':
self.entity.owner,
'xsrf_token':
util.XsrfTokenGenerate(base_settings.CHANGE_OWNER_ACTION),
})
def get(self, action=None):
"""Handles GET requests."""
if not action:
self.error(httplib.NOT_FOUND)
return
try:
base.GetCurrentUser()
except base.AccessDeniedError:
self.error(httplib.UNAUTHORIZED)
return
self.response.headers['Content-Type'] = 'text/plain'
self.response.out.write(util.XsrfTokenGenerate(action))
def get(self, action=None):
"""Handles GET requests."""
if not action:
self.error(404)
return
try:
models.GetCurrentUser()
except models.AccessDeniedError:
self.error(401)
return
self.response.headers['Content-Type'] = 'text/plain'
self.response.out.write(util.XsrfTokenGenerate(action))
def testPutWithValidXsrfToken(self):
volume_uuid = 'foovolumeuuid'
params = {
'xsrf-token': util.XsrfTokenGenerate('UploadPassphrase'),
'hdd_serial': 'serial',
'platform_uuid': 'uuid',
'hostname': 'foohost'
}
resp = gae_main.app.get_response(
'/luks/%s/?%s' % (volume_uuid, urllib.urlencode(params)),
{'REQUEST_METHOD': 'PUT'},
body='passphrase')
self.assertEqual(httplib.OK, resp.status_int)
self.assertEqual('Secret successfully escrowed!', resp.body)
def get(self): # pylint: disable=g-bad-name
"""Handles GET requests."""
# TODO(user): Users with retrieve_own should not need to search to
# retrieve their escrowed secrets.
# Get the user's search and retrieve permissions for all permission types.
search_perms = self.VerifyAllPermissionTypes(permissions.SEARCH)
retrieve_perms = self.VerifyAllPermissionTypes(
permissions.RETRIEVE_OWN)
retrieve_created = self.VerifyAllPermissionTypes(
permissions.RETRIEVE_CREATED_BY)
# If the user is performing a search, ensure they have permissions.
search_type = self.request.get('search_type')
if (search_type and not search_perms.get(search_type)
and not retrieve_perms.get(search_type)
and not retrieve_created.get(search_type)):
raise models.AccessDeniedError('User lacks %s permission' %
search_type)
template_name = None
queried = False
params = {}
if search_type in SEARCH_TYPES:
field1 = self.request.get('field1')
value1 = self.request.get('value1').strip()
if field1 and value1:
queried = True
prefix_search = self.request.get('prefix_search', '0') == '1'
# TODO(user): implement multi-field search by building query here
# or better yet using JavaScript.
q = '%s:%s' % (field1, value1)
try:
volumes = VolumesForQuery(q, search_type, prefix_search)
except ValueError:
self.error(404)
return
if not search_perms.get(search_type):
username = models.GetCurrentUser().user.nickname()
volumes = [x for x in volumes if x.owner == username]
template_name = 'search_result.html'
params = {
'q': q,
'search_type': search_type,
'volumes': volumes
}
if not queried:
template_name = 'search_form.html'
params = {}
if search_perms[permissions.TYPE_BITLOCKER]:
params[
'bitlocker_fields'] = models.BitLockerVolume.SEARCH_FIELDS
if search_perms[permissions.TYPE_FILEVAULT]:
params[
'filevault_fields'] = models.FileVaultVolume.SEARCH_FIELDS
if search_perms[permissions.TYPE_LUKS]:
params['luks_fields'] = models.LuksVolume.SEARCH_FIELDS
if search_perms[permissions.TYPE_PROVISIONING]:
provisioning_fields = models.ProvisioningVolume.SEARCH_FIELDS
params['provisioning_fields'] = provisioning_fields
params['xsrf_token'] = util.XsrfTokenGenerate(
base_settings.GET_PASSPHRASE_ACTION)
self.RenderTemplate(template_name, params)