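def validate_csrf_token(self, request, token):
    """Reject the request unless ``token`` is a JWT signed with the session id.

    The current session id is used as the HMAC key, so a token minted under
    one session cannot be replayed under another.

    Args:
        request: incoming request; ``request.config`` supplies the error
            messages and ``request.cache.session.id`` the verification key.
        token: raw CSRF token string submitted by the client (may be empty).

    Raises:
        PermissionDenied: with ``CSRF_EXPIRED_TOKEN_MESSAGE`` when the
            signature verifies but the ``exp`` claim has passed, and with
            ``CSRF_BAD_TOKEN_MESSAGE`` for a missing, malformed or
            mis-signed token.
    """
    bad_token = request.config['CSRF_BAD_TOKEN_MESSAGE']
    expired_token = request.config['CSRF_EXPIRED_TOKEN_MESSAGE']
    if not token:
        raise PermissionDenied(bad_token)
    try:
        # Pin the accepted algorithm.  Without ``algorithms`` the token's own
        # header selects it (JWT algorithm confusion), and PyJWT >= 2 refuses
        # to decode at all.  The issuing side is not visible here --
        # TODO(review): confirm it signs with HS256.
        jwt.decode(token, request.cache.session.id, algorithms=['HS256'])
    except jwt.ExpiredSignatureError:
        # ``ExpiredSignatureError`` is the PyJWT >= 1.0 name; the old
        # ``ExpiredSignature`` alias is gone in 2.x.
        raise PermissionDenied(expired_token)
    except Exception:
        # Fail closed on every other decode failure; the client never sees
        # why the token was rejected.
        raise PermissionDenied(bad_token)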
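def validate_csrf_token(self, request, token):
    """Reject the request unless ``token`` is a valid JWT bound to the session.

    The token is verified with ``self.secret_key`` and its ``session`` claim
    must equal ``self.session_key(request.cache.session)``.

    Args:
        request: incoming request; only ``request.cache.session`` is read.
        token: raw CSRF token string submitted by the client (may be empty).

    Raises:
        RuntimeError: the JWT library (``self.jwt``) is not available.
        PermissionDenied: ``'Expired token'`` when the signature verifies but
            the ``exp`` claim has passed; ``REASON_BAD_TOKEN`` for a missing,
            malformed, mis-signed or wrong-session token.
    """
    if not token:
        raise PermissionDenied(REASON_BAD_TOKEN)
    # The original ``assert`` is stripped under ``python -O`` and, sitting
    # inside the ``try``, its failure was swallowed into a bad-token response.
    # A missing JWT library is a deployment error and must surface as one.
    if not self.jwt:
        raise RuntimeError('Requires jwt package')
    try:
        # Pin the algorithm: otherwise the token header chooses it (JWT
        # algorithm confusion) and PyJWT >= 2 refuses to decode.
        # TODO(review): confirm the issuing side signs with HS256.
        claims = self.jwt.decode(token, self.secret_key, algorithms=['HS256'])
    except self.jwt.ExpiredSignatureError:
        # Looked up on ``self.jwt`` (the object we just checked) rather than
        # a module-level ``jwt`` that may be ``None``.
        raise PermissionDenied('Expired token')
    except Exception:
        # Fail closed on every other decode failure.
        raise PermissionDenied(REASON_BAD_TOKEN)
    # Outside the ``try`` so this PermissionDenied is not re-wrapped.
    # ``.get``: a correctly signed token that lacks the claim is a bad token,
    # not a KeyError turning into a 500.
    if claims.get('session') != self.session_key(request.cache.session):
        raise PermissionDenied(REASON_BAD_TOKEN)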
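def validate_csrf_token(self, request, token):
    """Reject the request unless ``token`` is a valid JWT bound to the session.

    The token is verified with ``request.config['SECRET_KEY']`` and its
    ``session`` claim must equal ``request.cache.session.get_key()``.

    Args:
        request: incoming request; reads ``request.config['SECRET_KEY']``
            and ``request.cache.session``.
        token: raw CSRF token string submitted by the client (may be empty).

    Raises:
        ImproperlyConfigured: the ``jwt`` library is not available.
        KeyError: ``SECRET_KEY`` is missing from the configuration.
        PermissionDenied: ``'Expired token'`` when the signature verifies but
            the ``exp`` claim has passed; ``self.REASON_BAD_TOKEN`` for a
            missing, malformed, mis-signed or wrong-session token.
    """
    if not jwt:  # pragma nocover
        raise ImproperlyConfigured('JWT library not available')
    if not token:
        raise PermissionDenied(self.REASON_BAD_TOKEN)
    # Read the key outside the ``try``: a missing SECRET_KEY is a deployment
    # error and should not be disguised as a bad client token.
    secret_key = request.config['SECRET_KEY']
    try:
        # Pin the algorithm: otherwise the token header chooses it (JWT
        # algorithm confusion) and PyJWT >= 2 refuses to decode.
        # TODO(review): confirm the issuing side signs with HS256.
        claims = jwt.decode(token, secret_key, algorithms=['HS256'])
    except jwt.ExpiredSignatureError:
        # PyJWT >= 1.0 name; the ``ExpiredSignature`` alias is gone in 2.x.
        raise PermissionDenied('Expired token')
    except Exception:
        # Fail closed on every other decode failure.
        raise PermissionDenied(self.REASON_BAD_TOKEN)
    # ``.get``: a signed token lacking the claim is a bad token, not a 500.
    if claims.get('session') != request.cache.session.get_key():
        raise PermissionDenied(self.REASON_BAD_TOKEN)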
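def validate(self, request):
    """Verify the GitHub ``X-Hub-Signature`` header against the request body.

    The header has the form ``sha1=<hexdigest>``; the digest is recomputed
    with ``github_signature(self.secret, body)`` and compared in constant time.

    Args:
        request: WSGI-style environ exposing ``HTTP_X_HUB_SIGNATURE`` and a
            readable ``wsgi.input`` (the body is consumed here).

    Raises:
        PermissionDenied: header missing, scheme other than ``sha1``, or
            digest mismatch.
        BadRequest: header present but not in ``<scheme>=<hexdigest>`` form.
    """
    import hmac  # compare_digest; local so the file's import block is untouched

    hub_signature = request.get('HTTP_X_HUB_SIGNATURE')
    if not hub_signature:
        raise PermissionDenied('No signature')
    # ``partition`` tolerates a second '=' in the value; the two-target
    # unpack of ``split('=')`` raised ValueError (a 500) on such input.
    sha_name, sep, signature = hub_signature.partition('=')
    if not sep:
        raise BadRequest('bad signature')
    if sha_name != 'sha1':
        # NOTE(review): GitHub also sends X-Hub-Signature-256 (sha256); only
        # the legacy sha1 header is honoured here.
        raise PermissionDenied('Bad signature')
    payload = request.get('wsgi.input').read()
    expected = github_signature(self.secret, payload).hexdigest()
    # Constant-time comparison: ``!=`` short-circuits on the first differing
    # byte and leaks the digest prefix through timing.  Compare as bytes so a
    # non-ASCII header value cannot make compare_digest raise TypeError.
    if not hmac.compare_digest(expected.encode('ascii'), signature.encode('utf-8')):
        raise PermissionDenied('Bad signature')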
def _owner_count(self, request, member, session):
    """Refuse to remove the last owner of an organisation.

    Acts only when ``member`` holds the owner role: counts the owners of
    ``member.organisation_id`` and raises if fewer than two exist.

    Args:
        request: used to obtain the ODM via ``request.app.odm()``.
        member: the membership row about to be removed.
        session: database session used for the count query.

    Raises:
        PermissionDenied: ``member`` is the organisation's sole owner.
    """
    odm = request.app.odm()
    if member.role != MemberRole.owner:
        return
    owner_rows = session.query(odm.orgmember).filter_by(
        organisation_id=member.organisation_id,
        role=MemberRole.owner,
    )
    # NOTE(review): count-then-remove is not atomic; two concurrent removals
    # could both pass this check unless the session's isolation prevents it.
    if owner_rows.count() < 2:
        raise PermissionDenied('Cannot remove owner - only one available')
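def validate(self, request):
    """Verify the GitHub ``X-Hub-Signature`` header against the request body.

    The expected value is ``HMAC-SHA1(secret, body)`` as lowercase hex,
    delivered by GitHub as ``sha1=<hexdigest>``.

    Args:
        request: WSGI-style environ exposing ``HTTP_X_HUB_SIGNATURE`` and a
            readable ``wsgi.input`` (the body is consumed here).

    Raises:
        PermissionDenied: header missing, scheme other than ``sha1``, or
            digest mismatch.
        BadRequest: header present but not in ``<scheme>=<hexdigest>`` form.
    """
    secret = to_bytes(self.secret)
    hub_signature = request.get('HTTP_X_HUB_SIGNATURE')
    if not hub_signature:
        raise PermissionDenied('No signature')
    # ``partition`` tolerates a second '=' in the value; the two-target
    # unpack of ``split('=')`` raised ValueError (a 500) on such input.
    sha_name, sep, signature = hub_signature.partition('=')
    if not sep:
        raise BadRequest('bad signature')
    if sha_name != 'sha1':
        # NOTE(review): GitHub also sends X-Hub-Signature-256 (sha256); only
        # the legacy sha1 header is honoured here.
        raise PermissionDenied('Bad signature')
    payload = request.get('wsgi.input').read()
    expected = hmac.new(secret, msg=payload, digestmod=hashlib.sha1).hexdigest()
    # Constant-time comparison: ``!=`` short-circuits on the first differing
    # byte and leaks the digest prefix through timing.  Compare as bytes so a
    # non-ASCII header value cannot make compare_digest raise TypeError.
    if not hmac.compare_digest(expected.encode('ascii'), signature.encode('utf-8')):
        raise PermissionDenied('Bad signature')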
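def _csrf_tokens_match(expected, submitted):
    """Compare two CSRF tokens in constant time.

    Two strings are compared with ``hmac.compare_digest`` on their UTF-8
    bytes so neither a timing side channel nor a non-ASCII submission can
    leak or crash; any other combination (``None``, non-str) falls back to
    plain ``==`` to keep the original semantics.
    """
    import hmac  # local so the file's import block is untouched

    if isinstance(expected, str) and isinstance(submitted, str):
        return hmac.compare_digest(
            expected.encode('utf-8', 'surrogatepass'),
            submitted.encode('utf-8', 'surrogatepass'),
        )
    return expected == submitted


def on_form(self, app, form):
    """Handle CSRF if in config.

    For a bound form the submitted ``__csrf_token__`` must equal the token
    from ``get_or_create_csrf_token``; for an unbound form that token, when
    present, is injected as a hidden ``__csrf_token__`` input.

    Args:
        app: unused here; part of the hook signature.
        form: form with ``request``, ``is_bound``, ``rawdata`` and
            ``add_input``.

    Raises:
        PermissionDenied: bound form whose token is missing or differs.
    """
    request = form.request
    token = self.get_or_create_csrf_token(request)
    if not form.is_bound:
        if token:
            form.add_input('__csrf_token__', value=token)
        return
    form_token = form.rawdata.get('__csrf_token__')
    # ``!=`` short-circuits on the first differing character and so leaks
    # the token prefix through timing; compare in constant time instead.
    if not _csrf_tokens_match(token, form_token):
        raise PermissionDenied('CSRF token mismatch')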
def activate(self, request):
    """Activate a user from a registration ID.

    Clients should POST to this endpoint once they are satisfied that the
    user has confirmed his/her identity.  This is a one-time operation: the
    registration record is deleted once the user is marked active.

    Args:
        request: the incoming request; an ``OPTIONS`` request is answered as
            a CORS preflight without touching the database.

    Returns:
        ``request.response``, with status 204 on successful activation.

    Raises:
        PermissionDenied: the registration's ``expiry`` lies in the past.
    """
    if request.method == 'OPTIONS':
        request.app.fire('on_preflight', request, methods=('POST', ))
        return request.response
    ensure_service_user(request)
    model = self.get_model(request)
    with model.session(request) as session:
        registration = self.get_instance(request, session=session)
        # Naive UTC comparison; ``registration.expiry`` is presumably stored
        # as naive UTC as well -- verify against the model definition.
        if registration.expiry < datetime.utcnow():
            raise PermissionDenied('registration token expired')
        account = registration.user
        account.active = True
        session.add(account)
        model.delete_model(request, registration, session=session)
    response = request.response
    response.status_code = 204
    return response
def _(self, request, *args, **kwargs):
    """Forward to the wrapped ``f`` only for an authenticated, active user.

    Args:
        request: must expose ``request.user``; the user is accepted when it
            is truthy, ``is_authenticated()`` returns true and ``is_active``
            is set.

    Returns:
        Whatever ``f(self, request, *args, **kwargs)`` returns.

    Raises:
        PermissionDenied: no user, not authenticated, or inactive.
    """
    user = request.user
    # Guard clause first; the checks short-circuit in the same order as the
    # original so ``is_authenticated()`` is never called on a missing user.
    allowed = bool(user) and user.is_authenticated() and user.is_active
    if not allowed:
        raise PermissionDenied()
    return f(self, request, *args, **kwargs)