Attachment 'securitystring.py'

Download

   1 """
   2     MoinMoin - Handle the Security String
   3     FrankieChow
   4 """
   5 import os, hmac, string, random
   6 from MoinMoin import caching
   7 
   8 try:
   9    import cPickle as pickle
  10 except ImportError:
  11    import pickle
  12 
  13 # Set pickle protocol, see http://docs.python.org/lib/node64.html
  14 try:
  15    # Requires 2.3
  16    PICKLE_PROTOCOL = pickle.HIGHEST_PROTOCOL
  17 except AttributeError:
  18    # Use protocol 1, binary format compatible with all python versions
  19    PICKLE_PROTOCOL = 1
  20 
  21 
  22 # Follow http://moinmoin.wikiwikiweb.de/MoinMoinBugs/Cookie_is_not_secure_enough
  23 # This code is write by Nir Soffer
  24 
  25 def gen(number):
  26     safe = string.ascii_letters + string.digits + '_-'
  27     return "%s" % (''.join([random.choice(safe) for i in range(number)]))
  28 
  29 ###
  30 
  31 def luck():
  32     # ':=:' is FrankieChow luck string. maybe you can change this to
  33     #   self.cfg.site_luck_string
  34     return ':=:'
  35     
  36 def make_security_key(securitystring, userid):
  37     """
  38     Make the hmac value for
  39       Key: securitystring
  40       msg: userid
  41     """
  42     return hmac.new(securitystring, userid).hexdigest()
  43 
  44 class SecurityString:
  45 
  46     def __init__(self, request):
  47 
  48         # This is for cache for uid2security_string.
  49         arena = 'user'
  50         key = 'uid2security_hmac_string'
  51         self.cache = caching.CacheEntry(request, arena, key)
  52 	self.request = request
  53         # First load the cache do auth.
  54 	self.uid2security_hmac = self._load_cache()
  55 
  56     def _load_cache(self):
  57         try:
  58            return pickle.loads(self.cache.content())
  59         except: 
  60            return {}
  61     
  62     def _update_cache(self):
  63         self.cache.update( pickle.dumps(self.uid2security_hmac, PICKLE_PROTOCOL) )
  64     
  65     # Update the cache of uid2security_hmac_string, 
  66     #    don't need pass the user class obj.
  67     def update_uid2security_hmac_string_cache(self, storage_securitystring, storage_uid):
  68 	update_security_key = make_security_key(storage_securitystring, storage_uid)
  69 	if self.uid2security_hmac.has_key(storage_uid):
  70 	    if self.uid2security_hmac[storage_uid] == update_security_key:
  71 	        return None
  72         self.uid2security_hmac[storage_uid] = update_security_key
  73         self._update_cache()
  74     
  75     def cal_security_userid(self, security_cookie, user):
  76         """
  77 	pass the security_cookie and return the user.id or None
  78         """
  79         # storage the user Obj and Request.
  80 	self.user = user
  81     
  82         # Please care about the cookie syntax is change Maybe it have bug.
  83 	try:
  84             self.hmac_string, self.uid = security_cookie.split( luck() )[:2]
  85 	except:
  86 	    return None
  87     
  88         # In here. the cache hasn't user info.
  89         #   Please check it more then one time.
  90         if self.uid2security_hmac.has_key(self.uid):
  91             # user can use the old cookie contents to login MoinMoin.
  92        	    # But, when the user modifty the security_string.
  93        	    #   after see more then one page ( Not only UserPreferences )
  94     	    #   then cache contents will change.
  95             if self.uid2security_hmac[self.uid] == self.hmac_string:
  96                 return self.uid
  97             else:
  98     	        # If cann't auth by cache. then will find the security_string in user's
  99     	        # datafile. and do the auth again
 100     	        if self._validateSecurityString():
 101     	           # If can success auth. then update the cache.
 102     	           self.uid2security_hmac[self.uid] = self.hmac_string
 103     	           self._update_cache()
 104     	           return self.uid
 105     	        else: return None
 106         else:
 107             if self._validateSecurityString():
 108     	        self.uid2security_hmac[self.uid] = self.hmac_string
 109     	        self._update_cache()
 110                 return self.uid
 111             else: return None
 112     
 113     def _validateSecurityString(self):
 114         # Get UserList
 115         userslist = self.user.getUserList(self.request)
 116         if self.uid in userslist:
 117            thisuser = self.user.User(self.request, id=self.uid)
 118            thisuser.load_from_id()
 119            securitystring = thisuser.security_string
 120            if self.hmac_string == make_security_key(securitystring, self.uid):
 121                return True
 122            else: return False
 123         else: return False

Attached Files

To refer to attachments on a page, use attachment:filename, as shown below in the list of files. Do NOT use the URL of the [get] link, since this is subject to change and can break easily.
  • [get | view] (2005-12-29 12:11:24, 10.1 KB) [[attachment:security_string.patch]]
  • [get | view] (2006-01-07 08:59:28, 10.0 KB) [[attachment:security_string11.patch]]
  • [get | view] (2006-01-07 11:50:10, 11.4 KB) [[attachment:security_string13.patch]]
  • [get | view] (2006-01-08 01:35:46, 11.6 KB) [[attachment:security_string15.patch]]
  • [get | view] (2006-01-09 00:05:23, 11.6 KB) [[attachment:security_string16.patch]]
  • [get | view] (2006-01-21 11:44:21, 11.9 KB) [[attachment:security_string17.patch]]
  • [get | view] (2005-12-30 06:26:38, 8.9 KB) [[attachment:security_string6.patch]]
  • [get | view] (2005-12-30 09:14:39, 7.0 KB) [[attachment:security_string7.patch]]
  • [get | view] (2006-01-05 11:04:41, 10.6 KB) [[attachment:security_string8.patch]]
  • [get | view] (2006-01-04 15:03:44, 4.1 KB) [[attachment:securitystring.old.py]]
  • [get | view] (2006-01-04 15:04:58, 4.1 KB) [[attachment:securitystring.py]]
 All files | Selected Files: delete move to page copy to page

You are not allowed to attach a file to this page.