Source Code for Module oauth2client.xsrfutil

  1  #!/usr/bin/python2.5 
  2  # 
  3  # Copyright 2010 the Melange authors. 
  4  # 
  5  # Licensed under the Apache License, Version 2.0 (the "License"); 
  6  # you may not use this file except in compliance with the License. 
  7  # You may obtain a copy of the License at 
  8  # 
  9  #   http://www.apache.org/licenses/LICENSE-2.0 
 10  # 
 11  # Unless required by applicable law or agreed to in writing, software 
 12  # distributed under the License is distributed on an "AS IS" BASIS, 
 13  # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 
 14  # See the License for the specific language governing permissions and 
 15  # limitations under the License. 
 16   
 17  """Helper methods for creating & verifying XSRF tokens.""" 
 18   
 19  __authors__ = [ 
 20    '"Doug Coker" <dcoker@google.com>', 
 21    '"Joe Gregorio" <jcgregorio@google.com>', 
 22  ] 
 23   
 24   
 25  import base64 
 26  import hmac 
 27  import os  # for urandom 
 28  import time 
 29   
 30  from oauth2client import util 
 31   
 32   
 33  # Delimiter character 
 34  DELIMITER = ':' 
 35   
 36  # 1 hour in seconds 
 37  DEFAULT_TIMEOUT_SECS = 1*60*60 
 38   
 39  @util.positional(2) 
 40 -def generate_token(key, user_id, action_id="", when=None): 
 41    """Generates a URL-safe token for the given user, action, time tuple. 
 42   
 43    Args: 
 44      key: secret key to use. 
 45      user_id: the user ID of the authenticated user. 
 46      action_id: a string identifier of the action they requested 
 47        authorization for. 
 48      when: the time in seconds since the epoch at which the user was 
 49        authorized for this action. If not set the current time is used. 
 50   
 51    Returns: 
 52      A string XSRF protection token. 
 53    """ 
 54    when = when or int(time.time()) 
 55    digester = hmac.new(key) 
 56    digester.update(str(user_id)) 
 57    digester.update(DELIMITER) 
 58    digester.update(action_id) 
 59    digester.update(DELIMITER) 
 60    digester.update(str(when)) 
 61    digest = digester.digest() 
 62   
 63    token = base64.urlsafe_b64encode('%s%s%d' % (digest, 
 64                                                 DELIMITER, 
 65                                                 when)) 
 66    return token 
 67   
 68   
 69  @util.positional(3) 
 70 -def validate_token(key, token, user_id, action_id="", current_time=None): 
 71    """Validates that the given token authorizes the user for the action. 
 72   
 73    Tokens are invalid if the time of issue is too old or if the token 
 74    does not match what generateToken outputs (i.e. the token was forged). 
 75   
 76    Args: 
 77      key: secret key to use. 
 78      token: a string of the token generated by generateToken. 
 79      user_id: the user ID of the authenticated user. 
 80      action_id: a string identifier of the action they requested 
 81        authorization for. 
 82   
 83    Returns: 
 84      A boolean - True if the user is authorized for the action, False 
 85      otherwise. 
 86    """ 
 87    if not token: 
 88      return False 
 89    try: 
 90      decoded = base64.urlsafe_b64decode(str(token)) 
 91      token_time = long(decoded.split(DELIMITER)[-1]) 
 92    except (TypeError, ValueError): 
 93      return False 
 94    if current_time is None: 
 95      current_time = time.time() 
 96    # If the token is too old it's not valid. 
 97    if current_time - token_time > DEFAULT_TIMEOUT_SECS: 
 98      return False 
 99   
100    # The given token should match the generated one with the same time. 
101    expected_token = generate_token(key, user_id, action_id=action_id, 
102                                    when=token_time) 
103    if len(token) != len(expected_token): 
104      return False 
105   
106    # Perform constant time comparison to avoid timing attacks 
107    different = 0 
108    for x, y in zip(token, expected_token): 
109      different |= ord(x) ^ ord(y) 
110    if different: 
111      return False 
112   
113    return True 
114