annotate web/secure.py @ 185:adbf70d1449f

working
author Matt Johnston <matt@ucc.asn.au>
date Thu, 06 Feb 2014 22:45:16 +0800
parents
children 101c66da848d
import binascii
import errno
import fcntl
import hmac
import os
import sys
import time

import config
# Public surface of this module.  get_user_hash() and the module globals
# _csrf_fd / _csrf_key (set by setup_csrf()) are not part of it.
__all__ = [
    "get_csrf_blob",
    "check_csrf_blob",
    "setup_csrf",
]
def get_user_hash():
    """Return the identifier that binds a CSRF blob to a user.

    Currently a fixed placeholder: every caller gets the same value, so the
    user comparison in check_csrf_blob() does not yet distinguish users.
    """
    placeholder = "aaa"
    return placeholder
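def setup_csrf(nonce_size=16):
    """Load the process-wide CSRF HMAC key from ``<DATA_PATH>/csrf.dat``.

    The first process to obtain an exclusive lock on the file generates a
    fresh key of the form ``<pid>-<hex nonce>`` and writes it; a process
    that finds the file already locked simply reads the key that is there.
    The descriptor is kept open as a module global for the life of the
    process so the shared lock stays held and no later process regenerates
    the key while this one is still issuing and checking blobs.

    Args:
        nonce_size: number of random bytes drawn from os.urandom() for a
            freshly generated key (16, as before, when not given).

    Raises:
        IOError: the file cannot be opened, or the exclusive lock fails for
            a reason other than another process holding the lock.
        RuntimeError: the key read back from the file is empty, which would
            otherwise leave every blob signed under an empty key.
    """
    global _csrf_fd, _csrf_key
    key_path = os.path.join(config.DATA_PATH, 'csrf.dat')
    # 'r+' rather than 'w': the file must not be truncated before the lock
    # is held, or a concurrent reader could see an empty key.
    _csrf_fd = open(key_path, 'r+')

    try:
        fcntl.lockf(_csrf_fd, fcntl.LOCK_EX | fcntl.LOCK_NB)
    except IOError as e:
        # EAGAIN / EACCES mean another process holds the lock and therefore
        # already owns the current key; any other errno is a real failure.
        if e.errno not in (errno.EAGAIN, errno.EACCES):
            raise
    else:
        # The key is the only thing standing between a client and a forged
        # blob, so it must not be readable by other users on the host.
        os.fchmod(_csrf_fd.fileno(), 0o600)
        # Truncate before writing: a shorter pid/nonce than the previous
        # one would otherwise leave stale bytes at the tail of the key.
        _csrf_fd.seek(0)
        _csrf_fd.truncate()
        nonce = binascii.hexlify(os.urandom(nonce_size))
        _csrf_fd.write("%d-%s" % (os.getpid(), nonce))
        _csrf_fd.flush()
        _csrf_fd.seek(0)

    # Downgrade to (or wait for) a shared lock, then read whatever key the
    # writer left behind.
    fcntl.lockf(_csrf_fd, fcntl.LOCK_SH)
    _csrf_key = _csrf_fd.read()
    if not _csrf_key:
        raise RuntimeError("CSRF key file %s is empty" % key_path)
    # keep the lock open until we go away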
def get_csrf_blob():
    """Issue a CSRF token for the current user.

    The token is ``<user hash>-<expiry>-<mac>``: *expiry* is the unix
    timestamp config.CSRF_TIMEOUT seconds from now and *mac* is the hex
    HMAC of ``<user hash>-<expiry>`` under the key loaded by setup_csrf().
    hmac.new() is called without a digestmod, so the digest is the
    interpreter default (MD5 on Python 2); check_csrf_blob() relies on
    computing the same digest.  Must not be called before setup_csrf().
    """
    valid_until = int(time.time() + config.CSRF_TIMEOUT)
    payload = '-'.join([get_user_hash(), str(valid_until)])
    digest = hmac.new(_csrf_key, payload).hexdigest()
    return '-'.join([payload, digest])
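def check_csrf_blob(blob):
    """Verify a token produced by get_csrf_blob().

    Returns True only if *blob* has the form ``<user>-<expiry>-<mac>``,
    *user* equals get_user_hash(), *expiry* is a plausible unix timestamp
    that has not yet passed, and *mac* is the hex HMAC of
    ``<user>-<expiry>`` under the key loaded by setup_csrf().  Malformed or
    empty input yields False rather than an exception.  Must not be called
    before setup_csrf().
    """
    if not blob:
        return False
    toks = blob.split('-')
    if len(toks) != 3:
        return False

    user, expiry, mac = toks
    if user != get_user_hash():
        return False

    try:
        exp = int(expiry)
    except ValueError:
        return False

    # Sanity floor (1e9 = 2001-09-09 UTC): nothing we issue is older.
    if exp < 1000000000:
        return False

    # get_csrf_blob() sets expiry = now + CSRF_TIMEOUT, so a blob is good
    # until that moment and must be rejected once it has passed.
    if exp < time.time():
        return False

    check_content = "%s-%s" % (user, expiry)
    check_mac = hmac.new(_csrf_key, check_content).hexdigest()
    # The MAC is the attacker-controlled part; compare it in constant time
    # so a mismatch does not leak how many leading characters were right.
    return _constant_time_equal(mac, check_mac)


def _constant_time_equal(a, b):
    """Compare two digest strings without leaking where they first differ."""
    compare = getattr(hmac, 'compare_digest', None)
    if compare is not None:
        try:
            return compare(a, b)
        except TypeError:
            # Python 3 rejects non-ASCII str operands; such input can never
            # equal a hex digest anyway.
            return False
    # Fallback for Pythons without hmac.compare_digest (< 2.7.7):
    # length check, then OR together the XOR of every character pair.
    if len(a) != len(b):
        return False
    diff = 0
    for x, y in zip(a, b):
        diff |= ord(x) ^ ord(y)
    return diff == 0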