Changeset fcdc60 in indico for indico/web/http_api/handlers.py


Timestamp:
08/23/11 15:38:51 (21 months ago)
Author:
Jose Benito <jose.benito.gonzalez@…>
Branches:
master, hello-world-walkthrough, ipv6, v0.98-series, v0.98.2, v0.98.3, v0.98b2, v0.99, 051b2622c51afb171a1dedb46a0df4fbb0cbd02e, 0da0c1403bae8e51d8229f460181c71b9e6dda72
Children:
92ad85
Parents:
315708
git-author:
Adrian Moennich <jerome.ernst.monnich@…> (05/12/11 14:59:04)
git-committer:
Jose Benito <jose.benito.gonzalez@…> (08/23/11 15:38:51)
Message:

[IMP] Make signature ttl configurable

File:
1 edited

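--- a/indico/web/http_api/handlers.py
+++ b/indico/web/http_api/handlers.py
@@ -68,5 +68,5 @@
 
 
-def normalizeQuery(path, query, ts=None, remove=('timestamp', 'signature')):
+def normalizeQuery(path, query, remove=('signature',)):
     """Normalize request path and query so it can be used for caching and signing
 
@@ -78,6 +78,4 @@
         for key in remove:
             qdata.pop(key, None)
-    if ts is not None:
-        qdata['timestamp'] = ts
     sortedQuery = sorted(qdata.items(), key=lambda x: x[0].lower())
     if sortedQuery:
@@ -87,17 +85,16 @@
 
 
-def validateSignature(key, signature, path, query, timestamp=None):
-    if timestamp is None:
-        timestamp = int(time.time())
-    ts = timestamp / 300
-    candidates = []
-    for i in xrange(-1, 2):
-        h = hmac.new(key, normalizeQuery(path, query, ts + i), hashlib.sha1)
-        candidates.append(h.hexdigest())
-    if signature not in candidates:
-        raise HTTPAPIError('Signature invalid (check system clock)', apache.HTTP_FORBIDDEN)
-
-
-def getAK(apiKey, signature, path, query):
+def validateSignature(key, signature, timestamp, path, query):
+    ttl = HelperMaKaCInfo.getMaKaCInfoInstance().getAPISignatureTTL()
+    if not timestamp:
+        raise HTTPAPIError('Signature invalid (no timestamp)', apache.HTTP_FORBIDDEN)
+    elif abs(timestamp - int(time.time())) > ttl:
+        raise HTTPAPIError('Signature invalid (bad timestamp)', apache.HTTP_FORBIDDEN)
+    digest = hmac.new(key, normalizeQuery(path, query), hashlib.sha1).hexdigest()
+    if signature != digest:
+        raise HTTPAPIError('Signature invalid', apache.HTTP_FORBIDDEN)
+
+
+def checkAK(apiKey, signature, timestamp, path, query):
     minfo = HelperMaKaCInfo.getMaKaCInfoInstance()
     apiMode = minfo.getAPIMode()
@@ -115,5 +112,5 @@
     onlyPublic = False
     if signature:
-        validateSignature(ak.getSignKey(), signature, path, query)
+        validateSignature(ak.getSignKey(), signature, timestamp, path, query)
     elif apiMode in (API_MODE_SIGNED, API_MODE_ALL_SIGNED):
         raise HTTPAPIError('Signature missing', apache.HTTP_FORBIDDEN)
@@ -203,4 +200,5 @@
     apiKey = get_query_parameter(qdata, ['ak', 'apikey'], None)
     signature = get_query_parameter(qdata, ['signature'])
+    timestamp = get_query_parameter(qdata, ['timestamp'], 0, integer=True)
     no_cache = get_query_parameter(qdata, ['nc', 'nocache'], 'no') == 'yes'
     pretty = get_query_parameter(qdata, ['p', 'pretty'], 'no') == 'yes'
@@ -216,5 +214,5 @@
     try:
         # Validate the API key (and its signature)
-        ak, enforceOnlyPublic = getAK(apiKey, signature, path, query)
+        ak, enforceOnlyPublic = checkAK(apiKey, signature, timestamp, path, query)
         if enforceOnlyPublic:
             onlyPublic = True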
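Review bot: The new `validateSignature` checks the HMAC with `if signature != digest:`, an ordinary string comparison that stops at the first differing byte and so leaks through response timing how long a prefix of the attacker-supplied signature is correct; a signature check should use a constant-time comparison. Where the interpreter has it, `if not hmac.compare_digest(signature, digest):` (Python 2.7.7+ / 3.3+) is enough, but the `apache` module and the removed `xrange` suggest an older Python 2, so a small length-then-XOR-accumulate helper is the portable fix, shown below. Separately, the timestamp is now part of the signed material (since `normalizeQuery` strips only `signature`) and bounds the window, but nothing rejects a second use of the same signed URL within ±ttl seconds; if that is acceptable for this API it deserves a comment on `validateSignature`, e.g. `# Replay within +/- ttl seconds is not prevented; the timestamp only bounds the window.`, and a check that a zero or unset TTL cannot silently widen or disable the window is worth confirming in getAPISignatureTTL's definition, which is outside this hunk.
```python
def _constant_time_equal(a, b):
    # Compare every byte without short-circuiting so timing does not reveal
    # how much of the supplied signature matches.
    if len(a) != len(b):
        return False
    result = 0
    for x, y in zip(a, b):
        result |= ord(x) ^ ord(y)
    return result == 0


# … unchanged: validateSignature up to the digest computation …
    if not _constant_time_equal(signature, digest):
        raise HTTPAPIError('Signature invalid', apache.HTTP_FORBIDDEN)
```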