misc: pass bytes to hmac (#36515)

This commit is contained in:
Frédéric Péters 2019-11-13 00:29:31 +01:00
parent fd88b46128
commit 1987c5407f
2 changed files with 22 additions and 20 deletions


@ -14,6 +14,7 @@ import time
import json
import sys
from django.utils.encoding import force_bytes
from django.utils.six import StringIO
from django.utils.six.moves.urllib import parse as urllib
from django.utils.six.moves.urllib import parse as urlparse
@ -97,8 +98,8 @@ def sign_uri(uri, user=None, format='json'):
query += '&email=' + urllib.quote(user.email)
query += '&signature=%s' % urllib.quote(
base64.b64encode(
hmac.new('1234',
query,
hmac.new(b'1234',
force_bytes(query),
hashlib.sha256).digest()))
return urlparse.urlunparse((scheme, netloc, path, params, query, fragment))
@ -138,8 +139,8 @@ def test_get_user_from_api_query_string_error_invalid_signature(pub):
def test_get_user_from_api_query_string_error_missing_timestamp(pub):
signature = urllib.quote(
base64.b64encode(
hmac.new('1234',
'format=json&orig=coucou&algo=sha1',
hmac.new(b'1234',
b'format=json&orig=coucou&algo=sha1',
hashlib.sha1).digest()))
output = get_app(pub).get('/api/user/?format=json&orig=coucou&algo=sha1&signature=%s' % signature, status=403)
assert output.json['err_desc'] == 'missing/multiple timestamp field'
@ -149,8 +150,8 @@ def test_get_user_from_api_query_string_error_missing_email(pub):
query = 'format=json&orig=coucou&algo=sha1&timestamp=' + timestamp
signature = urllib.quote(
base64.b64encode(
hmac.new('1234',
query,
hmac.new(b'1234',
force_bytes(query),
hashlib.sha1).digest()))
output = get_app(pub).get('/api/user/?%s&signature=%s' % (query, signature), status=403)
assert output.json['err_desc'] == 'no user specified'
@ -160,8 +161,8 @@ def test_get_user_from_api_query_string_error_unknown_nameid(pub):
query = 'format=json&orig=coucou&algo=sha1&NameID=xxx&timestamp=' + timestamp
signature = urllib.quote(
base64.b64encode(
hmac.new('1234',
query,
hmac.new(b'1234',
force_bytes(query),
hashlib.sha1).digest()))
output = get_app(pub).get('/api/user/?%s&signature=%s' % (query, signature), status=403)
assert output.json['err_desc'] == 'unknown NameID'
@ -173,8 +174,8 @@ def test_get_user_from_api_query_string_error_missing_email_valid_endpoint(pub):
query = 'format=json&orig=coucou&algo=sha1&timestamp=' + timestamp
signature = urllib.quote(
base64.b64encode(
hmac.new('1234',
query,
hmac.new(b'1234',
force_bytes(query),
hashlib.sha1).digest()))
output = get_app(pub).get('/categories?%s&signature=%s' % (query, signature))
assert output.json == {'data': []}
@ -187,8 +188,8 @@ def test_get_user_from_api_query_string_error_unknown_nameid_valid_endpoint(pub)
query = 'format=json&NameID=xxx&orig=coucou&algo=sha1&timestamp=' + timestamp
signature = urllib.quote(
base64.b64encode(
hmac.new('1234',
query,
hmac.new(b'1234',
force_bytes(query),
hashlib.sha1).digest()))
output = get_app(pub).get('/categories?%s&signature=%s' % (query, signature))
assert output.json == {'data': []}
@ -200,8 +201,8 @@ def test_get_user_from_api_query_string_error_success_sha1(pub, local_user):
query = 'format=json&orig=coucou&algo=sha1&email=' + urllib.quote(local_user.email) + '&timestamp=' + timestamp
signature = urllib.quote(
base64.b64encode(
hmac.new('1234',
query,
hmac.new(b'1234',
force_bytes(query),
hashlib.sha1).digest()))
output = get_app(pub).get('/api/user/?%s&signature=%s' % (query, signature))
assert output.json['user_display_name'] == u'Jean Darmette'
@ -211,8 +212,8 @@ def test_get_user_from_api_query_string_error_invalid_signature_algo_mismatch(pu
query = 'format=json&orig=coucou&algo=sha256&email=' + urllib.quote(local_user.email) + '&timestamp=' + timestamp
signature = urllib.quote(
base64.b64encode(
hmac.new('1234',
query,
hmac.new(b'1234',
force_bytes(query),
hashlib.sha1).digest()))
output = get_app(pub).get('/api/user/?%s&signature=%s' % (query, signature), status=403)
assert output.json['err_desc'] == 'invalid signature'
@ -222,8 +223,8 @@ def test_get_user_from_api_query_string_error_success_sha256(pub, local_user):
query = 'format=json&orig=coucou&algo=sha256&email=' + urllib.quote(local_user.email) + '&timestamp=' + timestamp
signature = urllib.quote(
base64.b64encode(
hmac.new('1234',
query,
hmac.new(b'1234',
force_bytes(query),
hashlib.sha256).digest()))
output = get_app(pub).get('/api/user/?%s&signature=%s' % (query, signature))
assert output.json['user_display_name'] == u'Jean Darmette'
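Review bot: The signing boilerplate `hmac.new(b'1234', force_bytes(query), hashlib.sha1).digest()` wrapped in `base64.b64encode` and `urllib.quote` is now repeated verbatim in nine tests, and this commit had to touch every copy; a single helper next to `sign_uri` would make the next encoding change a one-line edit. The secret `b'1234'` should likewise be one module constant, since it presumably has to match whatever key the `pub` fixture configures for `orig=coucou` (the fixture is not visible here, so confirm). The `algo` parameter lets the sha1/sha256 and algo-mismatch tests keep their intent while sharing the helper.
```python
API_SECRET = b'1234'  # must match the key the pub fixture registers for orig=coucou (confirm)


def _sign(query, algo='sha1'):
    """Return the URL-quoted base64 HMAC of ``query`` under the test API secret."""
    digest = hmac.new(API_SECRET, force_bytes(query), getattr(hashlib, algo)).digest()
    return urllib.quote(base64.b64encode(digest))

# … unchanged: each test then uses signature = _sign(query) or _sign(query, 'sha256') …
```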


@ -24,6 +24,7 @@ import errno
import calendar
from django.utils import six
from django.utils.encoding import force_bytes
from django.utils.six.moves.urllib import parse as urllib
from django.utils.six.moves.urllib import parse as urlparse
@ -58,7 +59,7 @@ def is_url_signed(utcnow=None, duration=DEFAULT_DURATION):
except AttributeError:
raise AccessForbiddenError('invalid algo')
if signature != base64.standard_b64encode(
hmac.new(key, query_string[:query_string.find('&signature=')], algo).digest()):
hmac.new(force_bytes(key), force_bytes(query_string[:query_string.find('&signature=')]), algo).digest()):
raise AccessForbiddenError('invalid signature')
timestamp = get_request().form.get('timestamp')
if not isinstance(timestamp, six.string_types):
@ -169,7 +170,7 @@ def sign_query(query, key, algo='sha256', timestamp=None, nonce=None):
def sign_string(s, key, algo='sha256', timedelta=30):
digestmod = getattr(hashlib, algo)
hash = hmac.HMAC(key, digestmod=digestmod, msg=s)
hash = hmac.HMAC(force_bytes(key), digestmod=digestmod, msg=force_bytes(s))
return hash.digest()
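Review bot: The signature check in the is_url_signed hunk (`if signature != base64.standard_b64encode(...)`) still compares with an ordinary `!=`, which stops at the first differing byte and so leaks timing information about how much of the expected MAC a caller has guessed; `hmac.compare_digest` is the standard fix and is available in the same module the hunk already imports. On Python 3 `standard_b64encode` also returns bytes, so if `signature` (bound above the hunk, not visible here) is the text value taken from the query string the comparison can never succeed and every request is rejected; both operands must be coerced to one type before comparing. I would change the comparison to `expected = base64.standard_b64encode(hmac.new(force_bytes(key), force_bytes(query_string[:query_string.find('&signature=')]), algo).digest())` followed by `if not hmac.compare_digest(force_bytes(signature), expected):`, keeping the existing `raise`. is_url_signed starts above this hunk, and the sign_string hunk below is cut off by the page, so its trailing lines were not reviewed.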