185
|
1 import os |
|
2 import time |
|
3 import fcntl |
|
4 import hmac |
|
5 import binascii |
|
6 import sys |
189
|
7 import hashlib |
|
8 |
|
9 import bottle |
185
|
10 |
|
11 import config |
|
12 |
189
|
13 __all__ = ["get_csrf_blob", "check_csrf_blob", "setup_csrf", "get_user_hash"] |
|
14 |
|
15 HASH=hashlib.sha1 |
185
|
16 |
|
17 def get_user_hash(): |
189
|
18 if bottle.request.environ.get('SSL_CLIENT_VERIFY', '') != 'GENEROUS': |
|
19 return 'FAILVERIFY' |
|
20 blob = bottle.request.environ.get('SSL_CLIENT_CERT') |
|
21 if not blob: |
|
22 return 'NOCERT' |
|
23 |
|
24 b64 = ''.join(l for l in blob.split('\n') |
|
25 if not l.startswith('-')) |
|
26 |
|
27 return HASH(binascii.a2b_base64(b64)).hexdigest() |
185
|
28 |
|
29 def setup_csrf(): |
|
30 NONCE_SIZE=16 |
|
31 global _csrf_fd, _csrf_key |
|
32 _csrf_fd = open('%s/csrf.dat' % config.DATA_PATH, 'r+') |
|
33 |
|
34 try: |
|
35 fcntl.lockf(_csrf_fd, fcntl.LOCK_EX | fcntl.LOCK_NB) |
|
36 os.fchmod(_csrf_fd.fileno(), 0600) |
|
37 _csrf_fd.write("%d-%s" % (os.getpid(), binascii.hexlify(os.urandom(NONCE_SIZE)))) |
|
38 _csrf_fd.flush() |
|
39 _csrf_fd.seek(0) |
|
40 except IOError: |
|
41 pass |
|
42 fcntl.lockf(_csrf_fd, fcntl.LOCK_SH) |
|
43 _csrf_key = _csrf_fd.read() |
|
44 # keep the lock open until we go away |
|
45 |
|
46 |
|
47 def get_csrf_blob(): |
|
48 expiry = int(config.CSRF_TIMEOUT + time.time()) |
|
49 content = '%s-%s' % (get_user_hash(), expiry) |
|
50 mac = hmac.new(_csrf_key, content).hexdigest() |
|
51 return "%s-%s" % (content, mac) |
|
52 |
|
53 def check_csrf_blob(blob): |
|
54 toks = blob.split('-') |
|
55 if len(toks) != 3: |
|
56 return False |
|
57 |
|
58 user, expiry, mac = toks |
|
59 if user != get_user_hash(): |
|
60 return False |
|
61 |
|
62 try: |
|
63 exp = int(expiry) |
|
64 except ValueError: |
|
65 return False |
|
66 |
|
67 if exp < 1000000000: |
|
68 return False |
|
69 |
|
70 if exp > time.time(): |
|
71 return False |
|
72 |
|
73 check_content = "%s-%s" % (user, expiry) |
|
74 check_mac = hmac.new(_csrf_key, content).hexdigest() |
|
75 if mac == check_mac: |
|
76 return True |
|
77 |
|
78 return False |
|
79 |