def test_token_server_client_can_be_pass_a_verify_parameter(self): client = TokenserverClient("given_bid", "given_client_state", verify='root-ca.crt') with mock.patch("syncclient.client.requests") as requests: client.get_hawk_credentials(duration=300) requests.get.assert_called_with( "https://token.services.mozilla.com/1.0/sync/1.5", headers={ 'Authorization': "BrowserID given_bid", 'X-Client-State': "given_client_state" }, params={"duration": 300}, verify='root-ca.crt')
def test_token_server_request_handle_duration_parameter(self): client = TokenserverClient("given_bid", "given_client_state") with mock.patch("syncclient.client.requests") as requests: client.get_hawk_credentials(duration=300) requests.get.assert_called_with( "https://token.services.mozilla.com/1.0/sync/1.5", headers={ 'Authorization': "BrowserID given_bid", 'X-Client-State': "given_client_state" }, params={"duration": 300}, verify=None) requests.get.return_value.raise_for_status.assert_called_with() requests.get.return_value.json.assert_called_with()
def build_sync_client(request): # Get the BID assertion is_authorization_defined = AUTHORIZATION_HEADER in request.headers starts_with_browser_id = False if is_authorization_defined: authorization = request.headers[AUTHORIZATION_HEADER].lower() starts_with_browser_id = authorization.startswith("browserid ") if not is_authorization_defined or not starts_with_browser_id: msg = "Provide a BID assertion %s header." % AUTHORIZATION_HEADER response = http_error(httpexceptions.HTTPUnauthorized(), errno=ERRORS.MISSING_AUTH_TOKEN, message=msg) response.headers.extend(forget(request)) raise response bucket_id = request.matchdict["bucket_id"] is_client_state_header_defined = CLIENT_STATE_HEADER in request.headers if bucket_id == "syncto": if not is_client_state_header_defined: msg = "Provide the tokenserver %s header." % CLIENT_STATE_HEADER response = http_error(httpexceptions.HTTPUnauthorized(), errno=ERRORS.MISSING_AUTH_TOKEN, message=msg) response.headers.extend(forget(request)) raise response client_state = request.headers[CLIENT_STATE_HEADER] elif len(bucket_id) != CLIENT_STATE_LENGTH: msg = "The provided bucket ID is incorrect." response = http_error(httpexceptions.HTTPUnauthorized(), errno=ERRORS.MISSING_AUTH_TOKEN, message=msg) response.headers.extend(forget(request)) raise response else: client_state = bucket_id if is_client_state_header_defined: send_alert(request, "%s header is deprecated and should not be " "provided anymore." % CLIENT_STATE_HEADER) authorization_header = request.headers[AUTHORIZATION_HEADER] bid_assertion = authorization_header.split(" ", 1)[1] settings = request.registry.settings cache = request.registry.cache statsd = request.registry.statsd token_server_url = settings["token_server_url"] hmac_secret = settings["cache_hmac_secret"] cache_key = "credentials_%s" % utils.hmac_digest(hmac_secret, bid_assertion) ca_bundle = settings["certificate_ca_bundle"] encrypted_credentials = cache.get(cache_key) if not encrypted_credentials: settings_ttl = int(settings["cache_credentials_ttl_seconds"]) bid_ttl = _extract_bid_assertion_ttl(bid_assertion) ttl = min(settings_ttl, bid_ttl or settings_ttl) tokenserver = TokenserverClient(bid_assertion, client_state, token_server_url, verify=ca_bundle) if statsd: statsd.watch_execution_time(tokenserver, prefix="tokenserver") credentials = tokenserver.get_hawk_credentials(duration=ttl) encrypted = encrypt(json.dumps(credentials), client_state, hmac_secret) cache.set(cache_key, encrypted, ttl) else: credentials = json.loads(decrypt(encrypted_credentials, client_state, hmac_secret)) if statsd: timer = statsd.timer("syncclient.start_time") timer.start() sync_client = SyncClient(verify=ca_bundle, **credentials) if statsd: timer.stop() statsd.watch_execution_time(sync_client, prefix="syncclient") return sync_client
def build_sync_client(request): # Get the BID assertion is_authorization_defined = AUTHORIZATION_HEADER in request.headers starts_with_browser_id = False if is_authorization_defined: authorization = request.headers[AUTHORIZATION_HEADER].lower() starts_with_browser_id = authorization.startswith("browserid ") if not is_authorization_defined or not starts_with_browser_id: msg = "Provide a BID assertion %s header." % AUTHORIZATION_HEADER response = http_error(httpexceptions.HTTPUnauthorized(), errno=ERRORS.MISSING_AUTH_TOKEN, message=msg) response.headers.extend(forget(request)) raise response is_client_state_defined = CLIENT_STATE_HEADER in request.headers if not is_client_state_defined: msg = "Provide the tokenserver %s header." % CLIENT_STATE_HEADER response = http_error(httpexceptions.HTTPUnauthorized(), errno=ERRORS.MISSING_AUTH_TOKEN, message=msg) response.headers.extend(forget(request)) raise response authorization_header = request.headers[AUTHORIZATION_HEADER] bid_assertion = authorization_header.split(" ", 1)[1] client_state = request.headers[CLIENT_STATE_HEADER] settings = request.registry.settings cache = request.registry.cache statsd = request.registry.statsd token_server_url = settings['token_server_url'] hmac_secret = settings['cache_hmac_secret'] cache_key = 'credentials_%s' % utils.hmac_digest(hmac_secret, bid_assertion) encrypted_credentials = cache.get(cache_key) if not encrypted_credentials: settings_ttl = int(settings['cache_credentials_ttl_seconds']) bid_ttl = _extract_bid_assertion_ttl(bid_assertion) ttl = min(settings_ttl, bid_ttl or settings_ttl) tokenserver = TokenserverClient(bid_assertion, client_state, token_server_url) if statsd: statsd.watch_execution_time(tokenserver, prefix="tokenserver") credentials = tokenserver.get_hawk_credentials(duration=ttl) encrypted = encrypt(json.dumps(credentials), client_state, hmac_secret) cache.set(cache_key, encrypted, ttl) else: credentials = json.loads( decrypt(encrypted_credentials, client_state, hmac_secret)) if statsd: timer = statsd.timer("syncclient.start_time") timer.start() sync_client = SyncClient(**credentials) if statsd: timer.stop() statsd.watch_execution_time(sync_client, prefix="syncclient") return sync_client