Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(3)

Issues Search
    My Issues | Starred     Open | Closed | All

Side by Side Diff: third_party/oauth2client/xsrfutil.py

Issue 1094533003: Revert of Upgrade 3rd packages (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/tools/depot_tools
Patch Set: Created 5 years, 8 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch | Annotate | Revision Log
« no previous file with comments | « third_party/oauth2client/util.py ('k') | no next file » | no next file with comments »
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
1 #!/usr/bin/python2.5
1 # 2 #
2 # Copyright 2014 the Melange authors. 3 # Copyright 2010 the Melange authors.
3 # 4 #
4 # Licensed under the Apache License, Version 2.0 (the "License"); 5 # Licensed under the Apache License, Version 2.0 (the "License");
5 # you may not use this file except in compliance with the License. 6 # you may not use this file except in compliance with the License.
6 # You may obtain a copy of the License at 7 # You may obtain a copy of the License at
7 # 8 #
8 # http://www.apache.org/licenses/LICENSE-2.0 9 # http://www.apache.org/licenses/LICENSE-2.0
9 # 10 #
10 # Unless required by applicable law or agreed to in writing, software 11 # Unless required by applicable law or agreed to in writing, software
11 # distributed under the License is distributed on an "AS IS" BASIS, 12 # distributed under the License is distributed on an "AS IS" BASIS,
12 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 # See the License for the specific language governing permissions and 14 # See the License for the specific language governing permissions and
14 # limitations under the License. 15 # limitations under the License.
15 16
16 """Helper methods for creating & verifying XSRF tokens.""" 17 """Helper methods for creating & verifying XSRF tokens."""
17 18
18 __authors__ = [ 19 __authors__ = [
19 '"Doug Coker" <dcoker@google.com>', 20 '"Doug Coker" <dcoker@google.com>',
20 '"Joe Gregorio" <jcgregorio@google.com>', 21 '"Joe Gregorio" <jcgregorio@google.com>',
21 ] 22 ]
22 23
23 24
24 import base64 25 import base64
25 import hmac 26 import hmac
27 import os # for urandom
26 import time 28 import time
27 29
28 import six
29 from oauth2client import util 30 from oauth2client import util
30 31
31 32
32 # Delimiter character 33 # Delimiter character
33 DELIMITER = b':' 34 DELIMITER = ':'
34
35 35
36 # 1 hour in seconds 36 # 1 hour in seconds
37 DEFAULT_TIMEOUT_SECS = 1*60*60 37 DEFAULT_TIMEOUT_SECS = 1*60*60
38 38
39
40 def _force_bytes(s):
41 if isinstance(s, bytes):
42 return s
43 s = str(s)
44 if isinstance(s, six.text_type):
45 return s.encode('utf-8')
46 return s
47
48
49 @util.positional(2) 39 @util.positional(2)
50 def generate_token(key, user_id, action_id="", when=None): 40 def generate_token(key, user_id, action_id="", when=None):
51 """Generates a URL-safe token for the given user, action, time tuple. 41 """Generates a URL-safe token for the given user, action, time tuple.
52 42
53 Args: 43 Args:
54 key: secret key to use. 44 key: secret key to use.
55 user_id: the user ID of the authenticated user. 45 user_id: the user ID of the authenticated user.
56 action_id: a string identifier of the action they requested 46 action_id: a string identifier of the action they requested
57 authorization for. 47 authorization for.
58 when: the time in seconds since the epoch at which the user was 48 when: the time in seconds since the epoch at which the user was
59 authorized for this action. If not set the current time is used. 49 authorized for this action. If not set the current time is used.
60 50
61 Returns: 51 Returns:
62 A string XSRF protection token. 52 A string XSRF protection token.
63 """ 53 """
64 when = _force_bytes(when or int(time.time())) 54 when = when or int(time.time())
65 digester = hmac.new(_force_bytes(key)) 55 digester = hmac.new(key)
66 digester.update(_force_bytes(user_id)) 56 digester.update(str(user_id))
67 digester.update(DELIMITER) 57 digester.update(DELIMITER)
68 digester.update(_force_bytes(action_id)) 58 digester.update(action_id)
69 digester.update(DELIMITER) 59 digester.update(DELIMITER)
70 digester.update(when) 60 digester.update(str(when))
71 digest = digester.digest() 61 digest = digester.digest()
72 62
73 token = base64.urlsafe_b64encode(digest + DELIMITER + when) 63 token = base64.urlsafe_b64encode('%s%s%d' % (digest,
64 DELIMITER,
65 when))
74 return token 66 return token
75 67
76 68
77 @util.positional(3) 69 @util.positional(3)
78 def validate_token(key, token, user_id, action_id="", current_time=None): 70 def validate_token(key, token, user_id, action_id="", current_time=None):
79 """Validates that the given token authorizes the user for the action. 71 """Validates that the given token authorizes the user for the action.
80 72
81 Tokens are invalid if the time of issue is too old or if the token 73 Tokens are invalid if the time of issue is too old or if the token
82 does not match what generateToken outputs (i.e. the token was forged). 74 does not match what generateToken outputs (i.e. the token was forged).
83 75
84 Args: 76 Args:
85 key: secret key to use. 77 key: secret key to use.
86 token: a string of the token generated by generateToken. 78 token: a string of the token generated by generateToken.
87 user_id: the user ID of the authenticated user. 79 user_id: the user ID of the authenticated user.
88 action_id: a string identifier of the action they requested 80 action_id: a string identifier of the action they requested
89 authorization for. 81 authorization for.
90 82
91 Returns: 83 Returns:
92 A boolean - True if the user is authorized for the action, False 84 A boolean - True if the user is authorized for the action, False
93 otherwise. 85 otherwise.
94 """ 86 """
95 if not token: 87 if not token:
96 return False 88 return False
97 try: 89 try:
98 decoded = base64.urlsafe_b64decode(token) 90 decoded = base64.urlsafe_b64decode(str(token))
99 token_time = int(decoded.split(DELIMITER)[-1]) 91 token_time = long(decoded.split(DELIMITER)[-1])
100 except (TypeError, ValueError): 92 except (TypeError, ValueError):
101 return False 93 return False
102 if current_time is None: 94 if current_time is None:
103 current_time = time.time() 95 current_time = time.time()
104 # If the token is too old it's not valid. 96 # If the token is too old it's not valid.
105 if current_time - token_time > DEFAULT_TIMEOUT_SECS: 97 if current_time - token_time > DEFAULT_TIMEOUT_SECS:
106 return False 98 return False
107 99
108 # The given token should match the generated one with the same time. 100 # The given token should match the generated one with the same time.
109 expected_token = generate_token(key, user_id, action_id=action_id, 101 expected_token = generate_token(key, user_id, action_id=action_id,
110 when=token_time) 102 when=token_time)
111 if len(token) != len(expected_token): 103 if len(token) != len(expected_token):
112 return False 104 return False
113 105
114 # Perform constant time comparison to avoid timing attacks 106 # Perform constant time comparison to avoid timing attacks
115 different = 0 107 different = 0
116 for x, y in zip(bytearray(token), bytearray(expected_token)): 108 for x, y in zip(token, expected_token):
117 different |= x ^ y 109 different |= ord(x) ^ ord(y)
118 return not different 110 if different:
111 return False
112
113 return True
OLDNEW
« no previous file with comments | « third_party/oauth2client/util.py ('k') | no next file » | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698