delta/python-packages/paste.git/paste/auth/auth_tkt.py, branch pytest bitbucket.org: Obsolete (use python-packages/paste-git) Python 3: fix more submodules 2014-03-19T11:51:48+00:00 Victor Stinner victor.stinner@gmail.com 2014-03-19T11:51:48+00:00 4c177fce89fee925f0f4fbfde00ce2e1252562c0 * print syntax * replace "except Exception, exc:" with "except Exception as exc:" 
* print syntax
* replace "except Exception, exc:" with "except Exception as exc:"
Python 3: Replace "except Exception, exc" with "except Exception as exc:" 2014-03-18T11:47:35+00:00 Cyril Roelandt cyril.roelandt@enovance.com 2014-03-18T11:47:35+00:00 fbd07d8a7cf88daf5d821601578d2f7bc1c92928 






Python 3: use new names of standard library modules
2014-03-18T11:49:12+00:00

Cyril Roelandt
cyril.roelandt@enovance.com

2014-03-18T11:49:12+00:00

674ae7718bc06a8b8c8b658075bf82c8198fb632

Use "try/except ImportError" to try Python 2 and Python 3 names.





Use "try/except ImportError" to try Python 2 and Python 3 names.







allow strings and lists to be used in cookie tokens
2012-10-12T18:12:05+00:00

Kristian Kvilekval
kris@cs.ucsb.edu

2012-10-12T18:12:05+00:00

3daf4caa841fb8446f8c17b58e6e62334438743f












auth/auth_tkt.py: enable overriding digest algorithms
2012-03-05T20:14:08+00:00

Jan Pokorn?
jpokorny@redhat.com

2012-03-05T20:14:08+00:00

663ec52ddd568148e000f1e7d2ea65d2ec284dd5

Currently, mod_auth_tkt supports also SHA256 and SHA 512 [1],
not just plain MD5.  Quoting:

----v----
The default is MD5, which is faster, but has now been shown to be
vulnerable to collision attacks. Such attacks are not directly applicable
to mod_auth_tkt, which primarily relies on the security of the shared
secret rather than the strength of the hashing scheme. More paranoid users
will probably prefer to use one of the SHA digest types, however.

The default is likely to change in a future version, so setting the digest
type explicitly is encouraged.
----^----

Thus, enable it also in this implementation so one can optionally switch
to a stronger secure hash.

Backward compatibility should be untouched as ``md5`` is being passed
as a default kwarg.  The only change affecting external world is
a new parameter required at ``calculate_digest`` (specifying the
digest to use), but as it has probably no use outside the module,
this is a non-issue.  Alternatively: another optional kwarg.


Update (based Ian's comments):
The algorithm can also be specified as a string referring to the
algorithm known to hashlib (otherwise AttributeError will be raised).


Example session I used to check it works as expected (longish):

>>> import sys; sys.path.append('../..')
>>> from hashlib import sha256, sha512
>>> execfile('auth_tkt.py')
>>> AuthTicket('secret', 'me', '0.0.0.0').cookie_value()
'39fecb1395af5285232be390eba0eed34f5518c8me!'
>>> AuthTicket('secret', 'me', '0.0.0.0', "md5").cookie_value()
'c3b8eacbbbf76a9c993c7dcb99975d504f5518cfme!m,d,5!'
>>> AuthTicket('secret', 'me', '0.0.0.0', digest_algo="md5") \
... .cookie_value()
'db3b04de3c44b5bd0e2b47019e903c064f5518dbme!'
>>> AuthTicket('secret', 'me', '0.0.0.0', digest_algo="sha1") \
... .cookie_value()
'dddaadc2be960b6e89263ae7fb8c39591554103d4f5518edme!'
>>> AuthTicket('secret', 'me', '0.0.0.0', digest_algo=sha256) \
... .cookie_value()
'bf5c9a32e49920f2ca517ec19a9d55e10a83849e5d532e8997891b8ccdbf0e634f551902me!'
>>> AuthTicket('secret', 'me', '0.0.0.0', digest_algo="sha256") \
... .cookie_value()
'9cb12df90fd86b868c98353115df4da3b8f9fa83bebecdf0b7918fea5d06b0744f551908me!'
>>> AuthTicket('secret', 'me', '0.0.0.0', digest_algo='foo') \
... .cookie_value()
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "auth_tkt.py", line 107, in __init__
    self.digest_algo = getattr(hashlib, digest_algo)
AttributeError: 'module' object has no attribute 'foo'
>>>
>>> parse_ticket('secret', \
...     AuthTicket('secret', 'me', '0.0.0.0').cookie_value(),'0.0.0.0')
(1330977060, 'me', [''], '')
>>> parse_ticket('secret', \
...     AuthTicket('secret', 'me', '0.0.0.0', digest_algo='md5') \
... .cookie_value(),'0.0.0.0', digest_algo='md5')
(1330977096, 'me', [''], '')
>>> parse_ticket('secret', \
...     AuthTicket('secret', 'me', '0.0.0.0', digest_algo=sha256) \
... .cookie_value(),'0.0.0.0', digest_algo=sha256)
(1330977115, 'me', [''], '')
>>> parse_ticket('secret', \
...     AuthTicket('secret', 'me', '0.0.0.0', digest_algo=sha512) \
... .cookie_value(),'0.0.0.0', digest_algo=sha512)
(1330977125, 'me', [''], '')
>>> parse_ticket('secret', \
...     AuthTicket('secret', 'me', '0.0.0.0', digest_algo=sha512) \
... .cookie_value(),'0.0.0.0')
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "auth_tkt.py", line 179, in parse_ticket
    expected=(expected, digest))
__main__.BadTicket: Digest signature is not correct


[1] http://linux.die.net/man/3/mod_auth_tkt





Currently, mod_auth_tkt supports also SHA256 and SHA 512 [1],
not just plain MD5.  Quoting:

----v----
The default is MD5, which is faster, but has now been shown to be
vulnerable to collision attacks. Such attacks are not directly applicable
to mod_auth_tkt, which primarily relies on the security of the shared
secret rather than the strength of the hashing scheme. More paranoid users
will probably prefer to use one of the SHA digest types, however.

The default is likely to change in a future version, so setting the digest
type explicitly is encouraged.
----^----

Thus, enable it also in this implementation so one can optionally switch
to a stronger secure hash.

Backward compatibility should be untouched as ``md5`` is being passed
as a default kwarg.  The only change affecting external world is
a new parameter required at ``calculate_digest`` (specifying the
digest to use), but as it has probably no use outside the module,
this is a non-issue.  Alternatively: another optional kwarg.


Update (based Ian's comments):
The algorithm can also be specified as a string referring to the
algorithm known to hashlib (otherwise AttributeError will be raised).


Example session I used to check it works as expected (longish):

>>> import sys; sys.path.append('../..')
>>> from hashlib import sha256, sha512
>>> execfile('auth_tkt.py')
>>> AuthTicket('secret', 'me', '0.0.0.0').cookie_value()
'39fecb1395af5285232be390eba0eed34f5518c8me!'
>>> AuthTicket('secret', 'me', '0.0.0.0', "md5").cookie_value()
'c3b8eacbbbf76a9c993c7dcb99975d504f5518cfme!m,d,5!'
>>> AuthTicket('secret', 'me', '0.0.0.0', digest_algo="md5") \
... .cookie_value()
'db3b04de3c44b5bd0e2b47019e903c064f5518dbme!'
>>> AuthTicket('secret', 'me', '0.0.0.0', digest_algo="sha1") \
... .cookie_value()
'dddaadc2be960b6e89263ae7fb8c39591554103d4f5518edme!'
>>> AuthTicket('secret', 'me', '0.0.0.0', digest_algo=sha256) \
... .cookie_value()
'bf5c9a32e49920f2ca517ec19a9d55e10a83849e5d532e8997891b8ccdbf0e634f551902me!'
>>> AuthTicket('secret', 'me', '0.0.0.0', digest_algo="sha256") \
... .cookie_value()
'9cb12df90fd86b868c98353115df4da3b8f9fa83bebecdf0b7918fea5d06b0744f551908me!'
>>> AuthTicket('secret', 'me', '0.0.0.0', digest_algo='foo') \
... .cookie_value()
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "auth_tkt.py", line 107, in __init__
    self.digest_algo = getattr(hashlib, digest_algo)
AttributeError: 'module' object has no attribute 'foo'
>>>
>>> parse_ticket('secret', \
...     AuthTicket('secret', 'me', '0.0.0.0').cookie_value(),'0.0.0.0')
(1330977060, 'me', [''], '')
>>> parse_ticket('secret', \
...     AuthTicket('secret', 'me', '0.0.0.0', digest_algo='md5') \
... .cookie_value(),'0.0.0.0', digest_algo='md5')
(1330977096, 'me', [''], '')
>>> parse_ticket('secret', \
...     AuthTicket('secret', 'me', '0.0.0.0', digest_algo=sha256) \
... .cookie_value(),'0.0.0.0', digest_algo=sha256)
(1330977115, 'me', [''], '')
>>> parse_ticket('secret', \
...     AuthTicket('secret', 'me', '0.0.0.0', digest_algo=sha512) \
... .cookie_value(),'0.0.0.0', digest_algo=sha512)
(1330977125, 'me', [''], '')
>>> parse_ticket('secret', \
...     AuthTicket('secret', 'me', '0.0.0.0', digest_algo=sha512) \
... .cookie_value(),'0.0.0.0')
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "auth_tkt.py", line 179, in parse_ticket
    expected=(expected, digest))
__main__.BadTicket: Digest signature is not correct


[1] http://linux.die.net/man/3/mod_auth_tkt







auth/auth_tkt.py: enable overriding digest algorithms
2012-02-29T23:56:41+00:00

Jan Pokorn?
jpokorny@redhat.com

2012-02-29T23:56:41+00:00

531c568bd89a2e34ca3077314587e421c5867091

Currently, mod_auth_tkt supports also SHA256 and SHA 512 [1],
not just plain MD5.  Quoting:

----v----
The default is MD5, which is faster, but has now been shown to be vulnerable
to collision attacks. Such attacks are not directly applicable to
mod_auth_tkt, which primarily relies on the security of the shared secret
rather than the strength of the hashing scheme. More paranoid users will
probably prefer to use one of the SHA digest types, however.

The default is likely to change in a future version, so setting the digest
type explicitly is encouraged.
----^----

Thus, enable it also in this implementation so one can optionally switch
to a stronger secure hash.

Backward compatibility should be untouched as ``md`` is being passed
as a default kwarg.  The only change affecting external world is
a new parameter required at ``calculate digest`` (specifying the
digest to use), but as it has probably no use outside the module,
this is a non-issue.  Alternatively: another optional kwarg.

[1] http://linux.die.net/man/3/mod_auth_tkt





Currently, mod_auth_tkt supports also SHA256 and SHA 512 [1],
not just plain MD5.  Quoting:

----v----
The default is MD5, which is faster, but has now been shown to be vulnerable
to collision attacks. Such attacks are not directly applicable to
mod_auth_tkt, which primarily relies on the security of the shared secret
rather than the strength of the hashing scheme. More paranoid users will
probably prefer to use one of the SHA digest types, however.

The default is likely to change in a future version, so setting the digest
type explicitly is encouraged.
----^----

Thus, enable it also in this implementation so one can optionally switch
to a stronger secure hash.

Backward compatibility should be untouched as ``md`` is being passed
as a default kwarg.  The only change affecting external world is
a new parameter required at ``calculate digest`` (specifying the
digest to use), but as it has probably no use outside the module,
this is a non-issue.  Alternatively: another optional kwarg.

[1] http://linux.die.net/man/3/mod_auth_tkt







Fix #443: url_unquote undefined
2010-09-16T17:18:45+00:00

Ian Bicking
ianb@colorstudy.com

2010-09-16T17:18:45+00:00

dc8a588b82fd813876fbfd1fb68d989b9f16bc5f












Quote usernames in auth_tkt tickets (http://trac.pythonpaste.org/pythonpaste/ticket/380)
2010-09-01T23:42:51+00:00

Ian Bicking
ianb@colorstudy.com

2010-09-01T23:42:51+00:00

0d687c2dacd7485694e093c7f1b7a4777af39aed












Fix the auth_tkt middleware so it doesn't give exceptions when the token is bad
2009-03-07T03:29:21+00:00

ianb
devnull@localhost

2009-03-07T03:29:21+00:00

608be9fa2ca93d0122bb7d3ab39ed6e078ee0b4d












Make cookies expire on logout
2009-03-05T19:00:57+00:00

ianb
devnull@localhost

2009-03-05T19:00:57+00:00

c1cde173851d9713fb0a27f7b6683364ec861940