Made an application for supporting sustainable local businesses in San Pancho.
Never really got completed, but it has some useful Svelte components for maps that we can reuse.
http://greenspots.dctrl.space
You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
257 lines
9.1 KiB
257 lines
9.1 KiB
import hashlib |
|
import hmac |
|
import typing as _t |
|
|
|
from .encoding import _base64_alphabet |
|
from .encoding import base64_decode |
|
from .encoding import base64_encode |
|
from .encoding import want_bytes |
|
from .exc import BadSignature |
|
|
|
_t_str_bytes = _t.Union[str, bytes] |
|
_t_opt_str_bytes = _t.Optional[_t_str_bytes] |
|
_t_secret_key = _t.Union[_t.Iterable[_t_str_bytes], _t_str_bytes] |
|
|
|
|
|
class SigningAlgorithm: |
|
"""Subclasses must implement :meth:`get_signature` to provide |
|
signature generation functionality. |
|
""" |
|
|
|
def get_signature(self, key: bytes, value: bytes) -> bytes: |
|
"""Returns the signature for the given key and value.""" |
|
raise NotImplementedError() |
|
|
|
def verify_signature(self, key: bytes, value: bytes, sig: bytes) -> bool: |
|
"""Verifies the given signature matches the expected |
|
signature. |
|
""" |
|
return hmac.compare_digest(sig, self.get_signature(key, value)) |
|
|
|
|
|
class NoneAlgorithm(SigningAlgorithm): |
|
"""Provides an algorithm that does not perform any signing and |
|
returns an empty signature. |
|
""" |
|
|
|
def get_signature(self, key: bytes, value: bytes) -> bytes: |
|
return b"" |
|
|
|
|
|
class HMACAlgorithm(SigningAlgorithm): |
|
"""Provides signature generation using HMACs.""" |
|
|
|
#: The digest method to use with the MAC algorithm. This defaults to |
|
#: SHA1, but can be changed to any other function in the hashlib |
|
#: module. |
|
default_digest_method: _t.Any = staticmethod(hashlib.sha1) |
|
|
|
def __init__(self, digest_method: _t.Any = None): |
|
if digest_method is None: |
|
digest_method = self.default_digest_method |
|
|
|
self.digest_method: _t.Any = digest_method |
|
|
|
def get_signature(self, key: bytes, value: bytes) -> bytes: |
|
mac = hmac.new(key, msg=value, digestmod=self.digest_method) |
|
return mac.digest() |
|
|
|
|
|
def _make_keys_list(secret_key: _t_secret_key) -> _t.List[bytes]: |
|
if isinstance(secret_key, (str, bytes)): |
|
return [want_bytes(secret_key)] |
|
|
|
return [want_bytes(s) for s in secret_key] |
|
|
|
|
|
class Signer: |
|
"""A signer securely signs bytes, then unsigns them to verify that |
|
the value hasn't been changed. |
|
|
|
The secret key should be a random string of ``bytes`` and should not |
|
be saved to code or version control. Different salts should be used |
|
to distinguish signing in different contexts. See :doc:`/concepts` |
|
for information about the security of the secret key and salt. |
|
|
|
:param secret_key: The secret key to sign and verify with. Can be a |
|
list of keys, oldest to newest, to support key rotation. |
|
:param salt: Extra key to combine with ``secret_key`` to distinguish |
|
signatures in different contexts. |
|
:param sep: Separator between the signature and value. |
|
:param key_derivation: How to derive the signing key from the secret |
|
key and salt. Possible values are ``concat``, ``django-concat``, |
|
or ``hmac``. Defaults to :attr:`default_key_derivation`, which |
|
defaults to ``django-concat``. |
|
:param digest_method: Hash function to use when generating the HMAC |
|
signature. Defaults to :attr:`default_digest_method`, which |
|
defaults to :func:`hashlib.sha1`. Note that the security of the |
|
hash alone doesn't apply when used intermediately in HMAC. |
|
:param algorithm: A :class:`SigningAlgorithm` instance to use |
|
instead of building a default :class:`HMACAlgorithm` with the |
|
``digest_method``. |
|
|
|
.. versionchanged:: 2.0 |
|
Added support for key rotation by passing a list to |
|
``secret_key``. |
|
|
|
.. versionchanged:: 0.18 |
|
``algorithm`` was added as an argument to the class constructor. |
|
|
|
.. versionchanged:: 0.14 |
|
``key_derivation`` and ``digest_method`` were added as arguments |
|
to the class constructor. |
|
""" |
|
|
|
#: The default digest method to use for the signer. The default is |
|
#: :func:`hashlib.sha1`, but can be changed to any :mod:`hashlib` or |
|
#: compatible object. Note that the security of the hash alone |
|
#: doesn't apply when used intermediately in HMAC. |
|
#: |
|
#: .. versionadded:: 0.14 |
|
default_digest_method: _t.Any = staticmethod(hashlib.sha1) |
|
|
|
#: The default scheme to use to derive the signing key from the |
|
#: secret key and salt. The default is ``django-concat``. Possible |
|
#: values are ``concat``, ``django-concat``, and ``hmac``. |
|
#: |
|
#: .. versionadded:: 0.14 |
|
default_key_derivation: str = "django-concat" |
|
|
|
def __init__( |
|
self, |
|
secret_key: _t_secret_key, |
|
salt: _t_opt_str_bytes = b"itsdangerous.Signer", |
|
sep: _t_str_bytes = b".", |
|
key_derivation: _t.Optional[str] = None, |
|
digest_method: _t.Optional[_t.Any] = None, |
|
algorithm: _t.Optional[SigningAlgorithm] = None, |
|
): |
|
#: The list of secret keys to try for verifying signatures, from |
|
#: oldest to newest. The newest (last) key is used for signing. |
|
#: |
|
#: This allows a key rotation system to keep a list of allowed |
|
#: keys and remove expired ones. |
|
self.secret_keys: _t.List[bytes] = _make_keys_list(secret_key) |
|
self.sep: bytes = want_bytes(sep) |
|
|
|
if self.sep in _base64_alphabet: |
|
raise ValueError( |
|
"The given separator cannot be used because it may be" |
|
" contained in the signature itself. ASCII letters," |
|
" digits, and '-_=' must not be used." |
|
) |
|
|
|
if salt is not None: |
|
salt = want_bytes(salt) |
|
else: |
|
salt = b"itsdangerous.Signer" |
|
|
|
self.salt = salt |
|
|
|
if key_derivation is None: |
|
key_derivation = self.default_key_derivation |
|
|
|
self.key_derivation: str = key_derivation |
|
|
|
if digest_method is None: |
|
digest_method = self.default_digest_method |
|
|
|
self.digest_method: _t.Any = digest_method |
|
|
|
if algorithm is None: |
|
algorithm = HMACAlgorithm(self.digest_method) |
|
|
|
self.algorithm: SigningAlgorithm = algorithm |
|
|
|
@property |
|
def secret_key(self) -> bytes: |
|
"""The newest (last) entry in the :attr:`secret_keys` list. This |
|
is for compatibility from before key rotation support was added. |
|
""" |
|
return self.secret_keys[-1] |
|
|
|
def derive_key(self, secret_key: _t_opt_str_bytes = None) -> bytes: |
|
"""This method is called to derive the key. The default key |
|
derivation choices can be overridden here. Key derivation is not |
|
intended to be used as a security method to make a complex key |
|
out of a short password. Instead you should use large random |
|
secret keys. |
|
|
|
:param secret_key: A specific secret key to derive from. |
|
Defaults to the last item in :attr:`secret_keys`. |
|
|
|
.. versionchanged:: 2.0 |
|
Added the ``secret_key`` parameter. |
|
""" |
|
if secret_key is None: |
|
secret_key = self.secret_keys[-1] |
|
else: |
|
secret_key = want_bytes(secret_key) |
|
|
|
if self.key_derivation == "concat": |
|
return _t.cast(bytes, self.digest_method(self.salt + secret_key).digest()) |
|
elif self.key_derivation == "django-concat": |
|
return _t.cast( |
|
bytes, self.digest_method(self.salt + b"signer" + secret_key).digest() |
|
) |
|
elif self.key_derivation == "hmac": |
|
mac = hmac.new(secret_key, digestmod=self.digest_method) |
|
mac.update(self.salt) |
|
return mac.digest() |
|
elif self.key_derivation == "none": |
|
return secret_key |
|
else: |
|
raise TypeError("Unknown key derivation method") |
|
|
|
def get_signature(self, value: _t_str_bytes) -> bytes: |
|
"""Returns the signature for the given value.""" |
|
value = want_bytes(value) |
|
key = self.derive_key() |
|
sig = self.algorithm.get_signature(key, value) |
|
return base64_encode(sig) |
|
|
|
def sign(self, value: _t_str_bytes) -> bytes: |
|
"""Signs the given string.""" |
|
value = want_bytes(value) |
|
return value + self.sep + self.get_signature(value) |
|
|
|
def verify_signature(self, value: _t_str_bytes, sig: _t_str_bytes) -> bool: |
|
"""Verifies the signature for the given value.""" |
|
try: |
|
sig = base64_decode(sig) |
|
except Exception: |
|
return False |
|
|
|
value = want_bytes(value) |
|
|
|
for secret_key in reversed(self.secret_keys): |
|
key = self.derive_key(secret_key) |
|
|
|
if self.algorithm.verify_signature(key, value, sig): |
|
return True |
|
|
|
return False |
|
|
|
def unsign(self, signed_value: _t_str_bytes) -> bytes: |
|
"""Unsigns the given string.""" |
|
signed_value = want_bytes(signed_value) |
|
|
|
if self.sep not in signed_value: |
|
raise BadSignature(f"No {self.sep!r} found in value") |
|
|
|
value, sig = signed_value.rsplit(self.sep, 1) |
|
|
|
if self.verify_signature(value, sig): |
|
return value |
|
|
|
raise BadSignature(f"Signature {sig!r} does not match", payload=value) |
|
|
|
def validate(self, signed_value: _t_str_bytes) -> bool: |
|
"""Only validates the given signed value. Returns ``True`` if |
|
the signature exists and is valid. |
|
""" |
|
try: |
|
self.unsign(signed_value) |
|
return True |
|
except BadSignature: |
|
return False
|
|
|