Produits Entr'ouvert » Authentic 2

# hobo - portal to configure and deploy applications

# Copyright (C) 2015-2022 Entr'ouvert

#

# This program is free software: you can redistribute it and/or modify it

# under the terms of the GNU Affero General Public License as published

# by the Free Software Foundation, either version 3 of the License, or

# (at your option) any later version.

#

# This program is distributed in the hope that it will be useful,

# but WITHOUT ANY WARRANTY; without even the implied warranty of

# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

# GNU Affero General Public License for more details.

#

# You should have received a copy of the GNU Affero General Public License

# along with this program.  If not, see <http://www.gnu.org/licenses/>.

import base64

import datetime

import hashlib

import hmac

import logging

import random

import urllib

from django.conf import settings

from django.utils.encoding import smart_bytes

from django.utils.http import quote, urlencode

from requests import Session as RequestsSession

from requests.auth import AuthBase

logger = logging.getLogger(__name__)

def sign_url(url, key, algo='sha256', timestamp=None, nonce=None):

    parsed = urllib.parse.urlparse(url)

    new_query = sign_query(parsed.query, key, algo, timestamp, nonce)

    return urllib.parse.urlunparse(parsed[:4] + (new_query,) + parsed[5:])

def sign_query(query, key, algo='sha256', timestamp=None, nonce=None):

    if timestamp is None:

        timestamp = datetime.datetime.utcnow()

    timestamp = timestamp.strftime('%Y-%m-%dT%H:%M:%SZ')

    if nonce is None:

        nonce = hex(random.getrandbits(128))[2:]

    new_query = query

    if new_query:

        new_query += '&'

    new_query += urlencode((('algo', algo), ('timestamp', timestamp)))

    if nonce:  # we don't add nonce if it's an empty string

        new_query += '&nonce=' + quote(nonce)

    signature = base64.b64encode(sign_string(new_query, key, algo=algo))

    new_query += '&signature=' + quote(signature)

    return new_query

def sign_string(s, key, algo='sha256'):

    digestmod = getattr(hashlib, algo)

    if isinstance(key, str):

        key = key.encode('utf-8')

    hash = hmac.HMAC(smart_bytes(key), digestmod=digestmod, msg=smart_bytes(s))

    return hash.digest()

class PublikSignature(AuthBase):

    def __init__(self, secret):

        self.secret = secret

    def __call__(self, request):

        request.url = sign_url(request.url, self.secret)

        return request

def get_known_service_for_url(url):

    netloc = urllib.parse.urlparse(url).netloc

    if hasattr(settings, 'KNOWN_SERVICES'):

        for services in settings.KNOWN_SERVICES.values():

            for service in services.values():

                remote_url = service.get('url')

                if urllib.parse.urlparse(remote_url).netloc == netloc:

                    return service

    return None

class Requests(RequestsSession):

    def request(self, method, url, **kwargs):

        remote_service = get_known_service_for_url(url)

        if remote_service:

            kwargs['auth'] = PublikSignature(remote_service.get('secret'))

            # only keeps the path (URI) in url parameter, scheme and netloc are

            # in remote_service

            scheme, netloc, path, params, query, fragment = urllib.parse.urlparse(url)

            url = urllib.parse.urlunparse(('', '', path, params, query, fragment))

            query_params = {'orig': remote_service.get('orig')}

            remote_service_base_url = remote_service.get('url')

            scheme, netloc, dummy, params, _dummy2, fragment = urllib.parse.urlparse(remote_service_base_url)

            query = urlencode(query_params)

            url = urllib.parse.urlunparse((scheme, netloc, path, params, query, fragment))

        else:

            logger.warning('remote service for url %s is unknown, not performing any signature', url)

        return super().request(method, url, **kwargs)