def read_data(environ, start_response): log = logging.getLogger("read_data") log.debug("start") try: brand_identifier = environ['query_data']['brand_id'][0] escrowed_data = environ['post_data']['escrow_data'][0] serial_sign_key = environ['post_data']['sign_key'][0] except KeyError: log.warn("KeyError at start") return BadRequest()(environ, start_response) try: layer_count = int(environ['post_data'].get('layer_count', [])[0]) except IndexError: layer_count = None sign_key = serial.loads(serial_sign_key) log.debug("Being sent:") log.debug("brand_identifier: %r" % brand_identifier) log.debug("layer_count: %r" % layer_count) try: if layer_count is None: plaintext_data = server.read_escrow_data(brand_identifier, escrowed_data, sign_key=sign_key) else: plaintext_data = server.read_escrow_data(brand_identifier, escrowed_data, layer_count=layer_count, sign_key=sign_key) except ValueError: log.warn("ValueError at reading escrow data") return BadRequest()(environ, start_response) except KeyError: log.warn("KeyError at reading escrow data") return NotFound()(environ, start_response) except Exception: log.exception('500 error in reading escrow data') return ServerError()( environ, start_response, ) log.info("Read data for brand %s" % (brand_identifier, )) return SuperSimple(plaintext_data, ctype="application/octet-stream")(environ, start_response)
def read_data(environ, start_response): log = logging.getLogger("read_data") log.debug("start") try: brand_identifier = environ['query_data']['brand_id'][0] escrowed_data = environ['post_data']['escrow_data'][0] serial_sign_key = environ['post_data']['sign_key'][0] except KeyError: log.warn("KeyError at start") return BadRequest()(environ, start_response) try: layer_count = int(environ['post_data'].get('layer_count', [])[0]) except IndexError: layer_count = None sign_key = serial.loads(serial_sign_key) log.debug("Being sent:") log.debug("brand_identifier: %r" % brand_identifier) log.debug("layer_count: %r" % layer_count) try: if layer_count is None: plaintext_data = server.read_escrow_data(brand_identifier, escrowed_data, sign_key=sign_key) else: plaintext_data = server.read_escrow_data(brand_identifier, escrowed_data, layer_count=layer_count, sign_key=sign_key) except ValueError: log.warn("ValueError at reading escrow data") return BadRequest()(environ, start_response) except KeyError: log.warn("KeyError at reading escrow data") return NotFound()(environ, start_response) except Exception: log.exception('500 error in reading escrow data') return ServerError()(environ, start_response,) log.info("Read data for brand %s" % (brand_identifier,)) return SuperSimple(plaintext_data, ctype="application/octet-stream")(environ, start_response)
def test_encrypt_and_decrypt_with_layers(self): config = common.read_config_file() brand_identifier = config['api_user'] escrow_data = "test data" sign_key = RSA.generate(2048, random_string) escrowed_data = encrypt_with_layers(escrow_data, sign_key, brand_identifier) layer_count = 2 plaintext_data = server.read_escrow_data(brand_identifier, escrowed_data, layer_count=layer_count, sign_key=sign_key) self.assertEqual(escrow_data, plaintext_data)
def test_setup_brand(): from key_escrow.server import read_escrow_data brand_identifier = 'my_test_brand' brand_id, _brand_keypair, layers = setup_brand(brand_identifier) assert brand_id == layers[0][0] _user_key_id, user_keypair = make_keypair() test_data = "0123456789" escrowed_data = escrow_binary(layers, test_data, user_keypair) plain_escrowed_data = read_escrow_data(brand_identifier, escrowed_data, sign_key=user_keypair.publickey()) assert plain_escrowed_data == test_data print "setup brand test ok" return True
def test_get_auth_params(self, gen): gen.return_value = self.sign_key client = self._get_client_with_dummy_credentials() params = client.get_auth_params() auth = b64decode(params.pop('auth')) auth = json.loads(read_escrow_data('brand', auth, 1)) self.assertEqual(auth, { 'challenge': b64encode('challenge'), 'password': '******', }) self.assertEqual(params, { 'brand_id': 'brand', 'username': '******', })
def decorator(environ, start_response): log = logging.getLogger('login_required') log.debug("start") try: brand_identifier = environ['query_data']['brand_id'][0] username = environ['query_data']['username'][0] password = environ['query_data']['password'][0] crypt_pw = environ['query_data'].get('crypt_pw', ["True"])[0] except KeyError: log.error("Got bad request.") return BadRequest()(environ, start_response) decoded_user = unquote(username) # If we get anything OTHER than explicitly "False" in the request, we will assume it's an encrypted password. if crypt_pw == "False": plaintext_password = password else: try: plaintext_password = server.read_escrow_data( brand_identifier, password) except KeyError: log.warn("missing identifier %s" % (brand_identifier, )) return NotFound()(environ, start_response) except ValueError: log.warn("bad values for authenticating user %s" % (decoded_user, )) return BadRequest()(environ, start_response) except Exception: log.exception( "server.read_escrow_data failed for user %s brand %s" % ( decoded_user, brand_identifier, )) return ServerError()(environ, start_response) if not authenticator(read_config_file(), decoded_user, plaintext_password): log.info("Auth failed for %s" % (decoded_user, )) return Forbidden()(environ, start_response) log.info("Auth OK for brand %s with user %s" % ( brand_identifier, decoded_user, )) return fun(environ, start_response)
def authenticate_user(environ, start_response): log = logging.getLogger('authenticate_user') log.debug("start") try: brand_identifier = environ['query_data']['brand_id'][0] username = environ['query_data']['username'][0] password = environ['query_data']['password'][0] crypt_pw = environ['query_data'].get('crypt_pw', ["True"])[0] except KeyError: log.error("Got bad request.") return BadRequest()(environ, start_response) decoded_user = unquote(username) # If we get anything OTHER than explicitly "False" in the request, we will assume it's an encrypted password. if crypt_pw == "False": plaintext_password = password else: try: plaintext_password = server.read_escrow_data( brand_identifier, password) except KeyError: log.warn("missing identifier %s" % (brand_identifier,)) return NotFound()(environ, start_response) except ValueError: log.warn("bad values for authenticating user %s" % (decoded_user,)) return BadRequest()(environ, start_response) except Exception: log.exception("server.read_escrow_data failed for user %s brand %s" % (decoded_user, brand_identifier,)) return ServerError()(environ, start_response) if not authenticator(get_config(), decoded_user, plaintext_password): log.info("Auth failed for %s" % (decoded_user,)) return Forbidden()(environ, start_response) log.info("Auth OK for brand %s with user %s" % (brand_identifier, decoded_user, )) return SuperSimple("OK")(environ, start_response)
def read_data(request): log = logging.getLogger("read_data") log.debug("start") auth = request.session['auth'] brand_identifier = auth['brand_identifier'] sign_key = auth['sign_key'] layer_count = auth['layer_count'] try: escrowed_data = a2b_base64(request.POST['escrow_data']) except KeyError: log.warn("KeyError at start") return HttpResponseBadRequest() log.debug("Being sent:") log.debug("brand_identifier: %r" % brand_identifier) log.debug("layer_count: %r" % layer_count) try: plaintext_data = server.read_escrow_data(brand_identifier, escrowed_data, layer_count=layer_count, sign_key=sign_key) except ValueError: log.warn("ValueError at reading escrow data", exc_info=True) return HttpResponseBadRequest() except KeyError: log.warn("KeyError at reading escrow data", exc_info=True) return HttpResponseNotFound() except Exception: log.exception('500 error in reading escrow data', exc_info=True) return HttpResponseServerError() response = auth['secret_box'].encrypt(plaintext_data, auth['nonce']) log.info("Read data for brand %s" % (brand_identifier, )) return HttpResponse(response, content_type="application/octet-stream")
def read_data(request): log = logging.getLogger("read_data") log.debug("start") auth = request.session['auth'] brand_identifier = auth['brand_identifier'] sign_key = auth['sign_key'] layer_count = auth['layer_count'] try: escrowed_data = a2b_base64(request.POST['escrow_data']) except KeyError: log.warn("KeyError at start") return HttpResponseBadRequest() log.debug("Being sent:") log.debug("brand_identifier: %r" % brand_identifier) log.debug("layer_count: %r" % layer_count) try: plaintext_data = server.read_escrow_data(brand_identifier, escrowed_data, layer_count=layer_count, sign_key=sign_key) except ValueError: log.warn("ValueError at reading escrow data", exc_info=True) return HttpResponseBadRequest() except KeyError: log.warn("KeyError at reading escrow data", exc_info=True) return HttpResponseNotFound() except Exception: log.exception('500 error in reading escrow data', exc_info=True) return HttpResponseServerError() response = auth['secret_box'].encrypt(plaintext_data, auth['nonce']) log.info("Read data for brand %s" % (brand_identifier,)) return HttpResponse(response, content_type="application/octet-stream")
def decorator(request): log = logging.getLogger('login_required') log.debug("start") if valid_auth_session(request): return fun(request) else: try: brand_identifier = request.POST['brand_id'] username = request.POST['username'] auth = a2b_base64(request.POST['auth']) serial_sign_key = request.POST['sign_key'] layer_count = int(request.POST['layer_count']) except KeyError: log.error("Got bad request.") return HttpResponseBadRequest() try: sign_key = serial.loads(serial_sign_key) except (serial.EndOfFile, serial.NotSerializerFileError, serial.NotSerializableObjectError): log.error("Got bad request. Unable to load sign key") return HttpResponseBadRequest() decoded_user = urllib.unquote(username) try: data = server.read_escrow_data( brand_identifier, auth, sign_key=sign_key, layer_count=layer_count, ) plaintext_auth = json.loads(data) if ('challenge' not in plaintext_auth or 'password' not in plaintext_auth): log.warn("missing auth key %s" % (brand_identifier, )) return HttpResponseBadRequest() except KeyError: log.warn("missing identifier %s" % (brand_identifier, )) return HttpResponseNotFound() except ValueError: log.warn("bad values for authenticating user %s" % (decoded_user, )) return HttpResponseBadRequest() except Exception: log.exception( "server.read_escrow_data failed for user %s brand %s" % ( decoded_user, brand_identifier, )) return HttpResponseServerError() challenge = valid_challenge(request, plaintext_auth['challenge']) authenticated = authenticator(read_config_file(), decoded_user, plaintext_auth['password']) if not challenge or not authenticated: log.info("Auth failed for %s" % (decoded_user, )) return HttpResponseForbidden() session_challenge = get_challenge(request) secret_box, nonce = create_secret_box(plaintext_auth['password'], session_challenge[0]) request.session['auth'] = { 'secret_box': secret_box, 'nonce': nonce, 'time': session_challenge[1], 'brand_identifier': brand_identifier, 'sign_key': sign_key, 'layer_count': layer_count, } log.info("Auth OK for brand %s with user %s" % ( brand_identifier, decoded_user, )) return fun(request)
def decorator(request): log = logging.getLogger('login_required') log.debug("start") if valid_auth_session(request): return fun(request) else: try: brand_identifier = request.POST['brand_id'] username = request.POST['username'] auth = a2b_base64(request.POST['auth']) serial_sign_key = request.POST['sign_key'] layer_count = int(request.POST['layer_count']) except KeyError: log.error("Got bad request.") return HttpResponseBadRequest() try: sign_key = serial.loads(serial_sign_key) except (serial.EndOfFile, serial.NotSerializerFileError, serial.NotSerializableObjectError): log.error("Got bad request. Unable to load sign key") return HttpResponseBadRequest() decoded_user = urllib.unquote(username) try: data = server.read_escrow_data( brand_identifier, auth, sign_key=sign_key, layer_count=layer_count, ) plaintext_auth = json.loads(data) if ('challenge' not in plaintext_auth or 'password' not in plaintext_auth): log.warn("missing auth key %s" % (brand_identifier,)) return HttpResponseBadRequest() except KeyError: log.warn("missing identifier %s" % (brand_identifier,)) return HttpResponseNotFound() except ValueError: log.warn("bad values for authenticating user %s" % (decoded_user,)) return HttpResponseBadRequest() except Exception: log.exception("server.read_escrow_data failed for user %s brand %s" % (decoded_user, brand_identifier,)) return HttpResponseServerError() challenge = valid_challenge(request, plaintext_auth['challenge']) authenticated = authenticator(get_config(), decoded_user, plaintext_auth['password']) if not challenge or not authenticated: log.info("Auth failed for %s" % (decoded_user,)) return HttpResponseForbidden() session_challenge = get_challenge(request) secret_box, nonce = create_secret_box(plaintext_auth['password'], session_challenge[0]) request.session['auth'] = { 'secret_box': secret_box, 'nonce': nonce, 'time': session_challenge[1], 'brand_identifier': brand_identifier, 'sign_key': sign_key, 'layer_count': layer_count, } log.info("Auth OK for brand %s with user %s" % (brand_identifier, decoded_user, )) return fun(request)