Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(2)

Issues Search
    My Issues | Starred     Open | Closed | All

Side by Side Diff: third_party/oauth2client/xsrfutil.py

Issue 1085893002: Upgrade 3rd packages (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/tools/depot_tools
Patch Set: rebase Created 5 years, 8 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch | Annotate | Revision Log
« third_party/oauth2client/client.py ('K') | « third_party/oauth2client/util.py ('k') | no next file » | no next file with comments »
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
1 #!/usr/bin/python2.5
2 # 1 #
3 # Copyright 2010 the Melange authors. 2 # Copyright 2014 the Melange authors.
4 # 3 #
5 # Licensed under the Apache License, Version 2.0 (the "License"); 4 # Licensed under the Apache License, Version 2.0 (the "License");
6 # you may not use this file except in compliance with the License. 5 # you may not use this file except in compliance with the License.
7 # You may obtain a copy of the License at 6 # You may obtain a copy of the License at
8 # 7 #
9 # http://www.apache.org/licenses/LICENSE-2.0 8 # http://www.apache.org/licenses/LICENSE-2.0
10 # 9 #
11 # Unless required by applicable law or agreed to in writing, software 10 # Unless required by applicable law or agreed to in writing, software
12 # distributed under the License is distributed on an "AS IS" BASIS, 11 # distributed under the License is distributed on an "AS IS" BASIS,
13 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14 # See the License for the specific language governing permissions and 13 # See the License for the specific language governing permissions and
15 # limitations under the License. 14 # limitations under the License.
16 15
17 """Helper methods for creating & verifying XSRF tokens.""" 16 """Helper methods for creating & verifying XSRF tokens."""
18 17
19 __authors__ = [ 18 __authors__ = [
20 '"Doug Coker" <dcoker@google.com>', 19 '"Doug Coker" <dcoker@google.com>',
21 '"Joe Gregorio" <jcgregorio@google.com>', 20 '"Joe Gregorio" <jcgregorio@google.com>',
22 ] 21 ]
23 22
24 23
25 import base64 24 import base64
26 import hmac 25 import hmac
27 import os # for urandom
28 import time 26 import time
29 27
28 import six
30 from oauth2client import util 29 from oauth2client import util
31 30
32 31
33 # Delimiter character 32 # Delimiter character
34 DELIMITER = ':' 33 DELIMITER = b':'
34
35 35
36 # 1 hour in seconds 36 # 1 hour in seconds
37 DEFAULT_TIMEOUT_SECS = 1*60*60 37 DEFAULT_TIMEOUT_SECS = 1*60*60
38 38
39
40 def _force_bytes(s):
41 if isinstance(s, bytes):
42 return s
43 s = str(s)
44 if isinstance(s, six.text_type):
45 return s.encode('utf-8')
46 return s
47
48
39 @util.positional(2) 49 @util.positional(2)
40 def generate_token(key, user_id, action_id="", when=None): 50 def generate_token(key, user_id, action_id="", when=None):
41 """Generates a URL-safe token for the given user, action, time tuple. 51 """Generates a URL-safe token for the given user, action, time tuple.
42 52
43 Args: 53 Args:
44 key: secret key to use. 54 key: secret key to use.
45 user_id: the user ID of the authenticated user. 55 user_id: the user ID of the authenticated user.
46 action_id: a string identifier of the action they requested 56 action_id: a string identifier of the action they requested
47 authorization for. 57 authorization for.
48 when: the time in seconds since the epoch at which the user was 58 when: the time in seconds since the epoch at which the user was
49 authorized for this action. If not set the current time is used. 59 authorized for this action. If not set the current time is used.
50 60
51 Returns: 61 Returns:
52 A string XSRF protection token. 62 A string XSRF protection token.
53 """ 63 """
54 when = when or int(time.time()) 64 when = _force_bytes(when or int(time.time()))
55 digester = hmac.new(key) 65 digester = hmac.new(_force_bytes(key))
56 digester.update(str(user_id)) 66 digester.update(_force_bytes(user_id))
57 digester.update(DELIMITER) 67 digester.update(DELIMITER)
58 digester.update(action_id) 68 digester.update(_force_bytes(action_id))
59 digester.update(DELIMITER) 69 digester.update(DELIMITER)
60 digester.update(str(when)) 70 digester.update(when)
61 digest = digester.digest() 71 digest = digester.digest()
62 72
63 token = base64.urlsafe_b64encode('%s%s%d' % (digest, 73 token = base64.urlsafe_b64encode(digest + DELIMITER + when)
64 DELIMITER,
65 when))
66 return token 74 return token
67 75
68 76
69 @util.positional(3) 77 @util.positional(3)
70 def validate_token(key, token, user_id, action_id="", current_time=None): 78 def validate_token(key, token, user_id, action_id="", current_time=None):
71 """Validates that the given token authorizes the user for the action. 79 """Validates that the given token authorizes the user for the action.
72 80
73 Tokens are invalid if the time of issue is too old or if the token 81 Tokens are invalid if the time of issue is too old or if the token
74 does not match what generateToken outputs (i.e. the token was forged). 82 does not match what generateToken outputs (i.e. the token was forged).
75 83
76 Args: 84 Args:
77 key: secret key to use. 85 key: secret key to use.
78 token: a string of the token generated by generateToken. 86 token: a string of the token generated by generateToken.
79 user_id: the user ID of the authenticated user. 87 user_id: the user ID of the authenticated user.
80 action_id: a string identifier of the action they requested 88 action_id: a string identifier of the action they requested
81 authorization for. 89 authorization for.
82 90
83 Returns: 91 Returns:
84 A boolean - True if the user is authorized for the action, False 92 A boolean - True if the user is authorized for the action, False
85 otherwise. 93 otherwise.
86 """ 94 """
87 if not token: 95 if not token:
88 return False 96 return False
89 try: 97 try:
90 decoded = base64.urlsafe_b64decode(str(token)) 98 decoded = base64.urlsafe_b64decode(token)
91 token_time = long(decoded.split(DELIMITER)[-1]) 99 token_time = int(decoded.split(DELIMITER)[-1])
92 except (TypeError, ValueError): 100 except (TypeError, ValueError):
93 return False 101 return False
94 if current_time is None: 102 if current_time is None:
95 current_time = time.time() 103 current_time = time.time()
96 # If the token is too old it's not valid. 104 # If the token is too old it's not valid.
97 if current_time - token_time > DEFAULT_TIMEOUT_SECS: 105 if current_time - token_time > DEFAULT_TIMEOUT_SECS:
98 return False 106 return False
99 107
100 # The given token should match the generated one with the same time. 108 # The given token should match the generated one with the same time.
101 expected_token = generate_token(key, user_id, action_id=action_id, 109 expected_token = generate_token(key, user_id, action_id=action_id,
102 when=token_time) 110 when=token_time)
103 if len(token) != len(expected_token): 111 if len(token) != len(expected_token):
104 return False 112 return False
105 113
106 # Perform constant time comparison to avoid timing attacks 114 # Perform constant time comparison to avoid timing attacks
107 different = 0 115 different = 0
108 for x, y in zip(token, expected_token): 116 for x, y in zip(bytearray(token), bytearray(expected_token)):
109 different |= ord(x) ^ ord(y) 117 different |= x ^ y
110 if different: 118 return not different
111 return False
112
113 return True
OLDNEW
« third_party/oauth2client/client.py ('K') | « third_party/oauth2client/util.py ('k') | no next file » | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698