185
|
1 import os |
|
2 import time |
|
3 import fcntl |
|
4 import hmac |
|
5 import binascii |
|
6 import sys |
189
|
7 import hashlib |
|
8 |
|
9 import bottle |
185
|
10 |
|
11 import config |
|
12 |
189
|
13 __all__ = ["get_csrf_blob", "check_csrf_blob", "setup_csrf", "get_user_hash"] |
|
14 |
|
15 HASH=hashlib.sha1 |
185
|
16 |
|
17 def get_user_hash(): |
191
|
18 verify = bottle.request.environ.get('SSL_CLIENT_VERIFY', '') |
|
19 if not (verify == 'GENEROUS' or verify == 'SUCCESS'): |
189
|
20 return 'FAILVERIFY' |
|
21 blob = bottle.request.environ.get('SSL_CLIENT_CERT') |
|
22 if not blob: |
|
23 return 'NOCERT' |
|
24 |
|
25 b64 = ''.join(l for l in blob.split('\n') |
|
26 if not l.startswith('-')) |
|
27 |
|
28 return HASH(binascii.a2b_base64(b64)).hexdigest() |
185
|
29 |
|
30 def setup_csrf(): |
|
31 NONCE_SIZE=16 |
|
32 global _csrf_fd, _csrf_key |
|
33 _csrf_fd = open('%s/csrf.dat' % config.DATA_PATH, 'r+') |
|
34 |
|
35 try: |
|
36 fcntl.lockf(_csrf_fd, fcntl.LOCK_EX | fcntl.LOCK_NB) |
|
37 os.fchmod(_csrf_fd.fileno(), 0600) |
|
38 _csrf_fd.write("%d-%s" % (os.getpid(), binascii.hexlify(os.urandom(NONCE_SIZE)))) |
|
39 _csrf_fd.flush() |
|
40 _csrf_fd.seek(0) |
|
41 except IOError: |
|
42 pass |
|
43 fcntl.lockf(_csrf_fd, fcntl.LOCK_SH) |
|
44 _csrf_key = _csrf_fd.read() |
|
45 # keep the lock open until we go away |
|
46 |
|
47 |
|
48 def get_csrf_blob(): |
|
49 expiry = int(config.CSRF_TIMEOUT + time.time()) |
|
50 content = '%s-%s' % (get_user_hash(), expiry) |
|
51 mac = hmac.new(_csrf_key, content).hexdigest() |
|
52 return "%s-%s" % (content, mac) |
|
53 |
|
54 def check_csrf_blob(blob): |
|
55 toks = blob.split('-') |
|
56 if len(toks) != 3: |
194
|
57 print>>sys.stderr, "wrong toks" |
185
|
58 return False |
|
59 |
|
60 user, expiry, mac = toks |
|
61 if user != get_user_hash(): |
194
|
62 print>>sys.stderr, "wrong user" |
185
|
63 return False |
|
64 |
|
65 try: |
|
66 exp = int(expiry) |
|
67 except ValueError: |
194
|
68 print>>sys.stderr, "failed exp" |
185
|
69 return False |
|
70 |
|
71 if exp < 1000000000: |
|
72 return False |
|
73 |
194
|
74 if exp < time.time(): |
|
75 print>>sys.stderr, "expired %d %d" % (exp, time.time()) |
185
|
76 return False |
|
77 |
|
78 check_content = "%s-%s" % (user, expiry) |
194
|
79 check_mac = hmac.new(_csrf_key, check_content).hexdigest() |
185
|
80 if mac == check_mac: |
194
|
81 print>>sys.stderr, "good hmac" |
185
|
82 return True |
|
83 |
194
|
84 print>>sys.stderr, "fail" |
185
|
85 return False |
|
86 |