def _get_credentials(self, request):
"""Extract the Hawk userid and secret key from the request.
This method extracts and returns the claimed userid from the Hawk auth
data in the request, along with the corresonding request signing key.
It does *not* check the signature on the request.
If there are no Hawk auth credentials in the request then (None, None)
is returned. If the Hawk token id is invalid then HTTPUnauthorized
will be raised.
"""
params = self._get_params(request)
if params is None:
return None, None
# Extract the claimed Hawk id token.
tokenid = hawkauthlib.get_id(request, params=params)
if tokenid is None:
return None, None
# Parse the Hawk id into its userid and secret key.
try:
userid, key = self.decode_hawk_id(request, tokenid)
except ValueError:
msg = "invalid Hawk id: %s" % (tokenid,)
raise self.challenge(request, msg)
return userid, key
def identify(self, environ):
"""Extract the authentication info from the request.
We parse the Authorization header to get the Hawk auth parameters.
If they seem sensible, we cache them in the identity to speed up
signature checking in the authenticate() method.
Note that this method does *not* validate the Hawk signature.
"""
request = Request(environ)
# Parse the Authorization header, to be cached for future use.
params = hawkauthlib.utils.parse_authz_header(request, None)
if params is None:
return None
# Extract the Hawk id.
id = hawkauthlib.get_id(request, params=params)
if id is None:
return None
# Parse the Hawk id into its data and secret key.
try:
key, data = self.decode_hawk_id(request, id)
except ValueError:
msg = "invalid Hawk id: %s" % (id, )
return self._respond_unauthorized(request, msg)
# Return all that data so we can using it during authentication.
return {
"hawkauth.id": id,
"hawkauth.key": key,
"hawkauth.data": data,
"hawkauth.params": params,
}
def identify(self, environ):
"""Extract the authentication info from the request.
We parse the Authorization header to get the Hawk auth parameters.
If they seem sensible, we cache them in the identity to speed up
signature checking in the authenticate() method.
Note that this method does *not* validate the Hawk signature.
"""
request = Request(environ)
# Parse the Authorization header, to be cached for future use.
params = hawkauthlib.utils.parse_authz_header(request, None)
if params is None:
return None
# Extract the Hawk id.
id = hawkauthlib.get_id(request, params=params)
if id is None:
return None
# Parse the Hawk id into its data and secret key.
try:
key, data = self.decode_hawk_id(request, id)
except ValueError:
msg = "invalid Hawk id: %s" % (id,)
return self._respond_unauthorized(request, msg)
# Return all that data so we can using it during authentication.
return {
"hawkauth.id": id,
"hawkauth.key": key,
"hawkauth.data": data,
"hawkauth.params": params,
}
def test_purging_of_old_user_records(self):
# Make some old user records.
service = "sync-1.1"
email = "*****@*****.**"
user = self.backend.allocate_user(service,
email,
client_state="aa",
generation=123)
self.backend.update_user(service,
user,
client_state="bb",
generation=456,
keys_changed_at=450)
self.backend.update_user(service,
user,
client_state="cc",
generation=789)
user_records = list(self.backend.get_user_records(service, email))
self.assertEqual(len(user_records), 3)
user = self.backend.get_user(service, email)
self.assertEquals(user["client_state"], "cc")
self.assertEquals(len(user["old_client_states"]), 2)
# The default grace-period should prevent any cleanup.
self.assertTrue(purge_old_records(self.ini_file))
user_records = list(self.backend.get_user_records(service, email))
self.assertEqual(len(user_records), 3)
self.assertEqual(len(self.service_requests), 0)
# With no grace period, we should cleanup two old records.
self.assertTrue(purge_old_records(self.ini_file, grace_period=0))
user_records = list(self.backend.get_user_records(service, email))
self.assertEqual(len(user_records), 1)
self.assertEqual(len(self.service_requests), 2)
# Check that the proper delete requests were made to the service.
secrets = self.config.registry.settings["tokenserver.secrets"]
node_secret = secrets.get(self.service_node)[-1]
expected_kids = ["0000000000450-uw", "0000000000123-qg"]
for i, environ in enumerate(self.service_requests):
# They must be to the correct path.
self.assertEquals(environ["REQUEST_METHOD"], "DELETE")
self.assertTrue(re.match("/1.1/[0-9]+", environ["PATH_INFO"]))
# They must have a correct request signature.
token = hawkauthlib.get_id(environ)
secret = tokenlib.get_derived_secret(token, secret=node_secret)
self.assertTrue(hawkauthlib.check_signature(environ, secret))
userdata = tokenlib.parse_token(token, secret=node_secret)
self.assertTrue("uid" in userdata)
self.assertTrue("node" in userdata)
self.assertEqual(userdata["fxa_uid"], "test")
self.assertEqual(userdata["fxa_kid"], expected_kids[i])
# Check that the user's current state is unaffected
user = self.backend.get_user(service, email)
self.assertEquals(user["client_state"], "cc")
self.assertEquals(len(user["old_client_states"]), 0)
def test_purging_of_old_user_records(self):
# Make some old user records.
service = "test-1.0"
email = "*****@*****.**"
user = self.backend.allocate_user(service, email, client_state="a")
self.backend.update_user(service, user, client_state="b")
self.backend.update_user(service, user, client_state="c")
user_records = list(self.backend.get_user_records(service, email))
self.assertEqual(len(user_records), 3)
user = self.backend.get_user(service, email)
self.assertEquals(user["client_state"], "c")
self.assertEquals(len(user["old_client_states"]), 2)
# The default grace-period should prevent any cleanup.
self.assertTrue(purge_old_records(self.ini_file))
user_records = list(self.backend.get_user_records(service, email))
self.assertEqual(len(user_records), 3)
self.assertEqual(len(self.service_requests), 0)
# With no grace period, we should cleanup two old records.
self.assertTrue(purge_old_records(self.ini_file, grace_period=0))
user_records = list(self.backend.get_user_records(service, email))
self.assertEqual(len(user_records), 1)
self.assertEqual(len(self.service_requests), 2)
# Check that the proper delete requests were made to the service.
secrets = self.config.registry.settings["tokenserver.secrets"]
node_secret = secrets.get(self.service_node)[-1]
expected_kids = ["b", "a"]
for i, environ in enumerate(self.service_requests):
# They must be to the correct path.
self.assertEquals(environ["REQUEST_METHOD"], "DELETE")
self.assertTrue(re.match("/1.0/[0-9]+", environ["PATH_INFO"]))
# They must have a correct request signature.
token = hawkauthlib.get_id(environ)
secret = tokenlib.get_derived_secret(token, secret=node_secret)
self.assertTrue(hawkauthlib.check_signature(environ, secret))
userdata = tokenlib.parse_token(token, secret=node_secret)
self.assertTrue("uid" in userdata)
self.assertTrue("node" in userdata)
self.assertEqual(userdata["fxa_uid"], "test")
self.assertEqual(userdata["fxa_kid"], expected_kids[i])
# Check that the user's current state is unaffected
user = self.backend.get_user(service, email)
self.assertEquals(user["client_state"], "c")
self.assertEquals(len(user["old_client_states"]), 0)
def test_purging_of_old_user_records(self):
# Make some old user records.
service = "test-1.0"
email = "*****@*****.**"
user = self.backend.allocate_user(service, email, client_state="a")
self.backend.update_user(service, user, client_state="b")
self.backend.update_user(service, user, client_state="c")
user_records = list(self.backend.get_user_records(service, email))
self.assertEqual(len(user_records), 3)
user = self.backend.get_user(service, email)
self.assertEquals(user["client_state"], "c")
self.assertEquals(len(user["old_client_states"]), 2)
# The default grace-period should prevent any cleanup.
self.assertTrue(purge_old_records(self.ini_file))
user_records = list(self.backend.get_user_records(service, email))
self.assertEqual(len(user_records), 3)
self.assertEqual(len(self.service_requests), 0)
# With no grace period, we should cleanup two old records.
self.assertTrue(purge_old_records(self.ini_file, grace_period=0))
user_records = list(self.backend.get_user_records(service, email))
self.assertEqual(len(user_records), 1)
self.assertEqual(len(self.service_requests), 2)
# Check that the proper delete requests were made to the service.
secrets = self.config.registry.settings["tokenserver.secrets"]
node_secret = secrets.get(self.service_node)[-1]
for environ in self.service_requests:
# They must be to the correct path.
self.assertEquals(environ["REQUEST_METHOD"], "DELETE")
self.assertTrue(re.match("/1.0/[0-9]+", environ["PATH_INFO"]))
# They must have a correct request signature.
token = hawkauthlib.get_id(environ)
secret = tokenlib.get_derived_secret(token, secret=node_secret)
self.assertTrue(hawkauthlib.check_signature(environ, secret))
# Check that the user's current state is unaffected
user = self.backend.get_user(service, email)
self.assertEquals(user["client_state"], "c")
self.assertEquals(len(user["old_client_states"]), 0)
def test_get_id_returns_none_if_the_id_is_missing(self):
req = b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"
req = Request.from_bytes(req)
req.authorization = ("Hawk", {"ts": "1", "nonce": "2"})
self.assertEquals(get_id(req), None)
def test_get_id_returns_none_for_other_auth_schemes(self):
req = b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"
req = Request.from_bytes(req)
req.authorization = ("OAuth", {"id": "user1", "ts": "1", "nonce": "2"})
self.assertEquals(get_id(req), None)
def test_get_id_works_on_valid_header(self):
req = b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"
req = Request.from_bytes(req)
req.authorization = ("Hawk", {"id": "user1", "ts": "1", "nonce": "2"})
self.assertEquals(get_id(req), "user1")
def test_get_id_returns_none_if_the_id_is_missing(self):
req = b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"
req = Request.from_bytes(req)
req.authorization = ("Hawk", {"ts": "1", "nonce": "2"})
self.assertEquals(get_id(req), None)
def test_get_id_returns_none_for_other_auth_schemes(self):
req = b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"
req = Request.from_bytes(req)
req.authorization = ("OAuth", {"id": "user1", "ts": "1", "nonce": "2"})
self.assertEquals(get_id(req), None)
def test_get_id_works_on_valid_header(self):
req = b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"
req = Request.from_bytes(req)
req.authorization = ("Hawk", {"id": "user1", "ts": "1", "nonce": "2"})
self.assertEquals(get_id(req), "user1")