quay/endpoints/csrf.py

import logging
import os
import base64
import hmac

from functools import wraps
from flask import session, request

from app import app
from auth.auth_context import get_validated_oauth_token
from util.http import abort


logger = logging.getLogger(__name__)

OAUTH_CSRF_TOKEN_NAME = '_oauth_csrf_token'
_QUAY_CSRF_TOKEN_NAME = '_csrf_token'

def generate_csrf_token(session_token_name=_QUAY_CSRF_TOKEN_NAME):
  """ If not present in the session, generates a new CSRF token with the given name
      and places it into the session. Returns the generated token.
  """
  if session_token_name not in session:
    session[session_token_name] = base64.b64encode(os.urandom(48))

  return session[session_token_name]


def verify_csrf(session_token_name=_QUAY_CSRF_TOKEN_NAME,
                request_token_name=_QUAY_CSRF_TOKEN_NAME):
  """ Verifies that the CSRF token with the given name is found in the session and
      that the matching token is found in the request args or values.
  """
  token = str(session.get(session_token_name, ''))
  found_token = str(request.values.get(request_token_name, ''))

  if not token or not found_token or not hmac.compare_digest(token, found_token):
    msg = 'CSRF Failure. Session token (%s) was %s and request token (%s) was %s'
    logger.error(msg, session_token_name, token, request_token_name, found_token)
    abort(403, message='CSRF token was invalid or missing.')


def csrf_protect(session_token_name=_QUAY_CSRF_TOKEN_NAME,
                 request_token_name=_QUAY_CSRF_TOKEN_NAME,
                 all_methods=False):
  def inner(func):
    @wraps(func)
    def wrapper(*args, **kwargs):
      if get_validated_oauth_token() is None:
        if all_methods or (request.method != "GET" and request.method != "HEAD"):
          verify_csrf(session_token_name, request_token_name)

      return func(*args, **kwargs)
    return wrapper
  return inner


app.jinja_env.globals['csrf_token'] = generate_csrf_token
Fix and unify CSRF support across web and API endpoints. 2014-03-25 18:32:26 +00:00			`import logging`
Fix CSRF token generation. 2014-03-25 21:51:22 +00:00			`import os`
			`import base64`
Switch csrf token check to use `compare_digest` to prevent timing attacks Also adds some additional tests for CSRF tokens 2016-12-09 04:46:31 +00:00			`import hmac`
Fix and unify CSRF support across web and API endpoints. 2014-03-25 18:32:26 +00:00
			`from functools import wraps`
Switch csrf token check to use `compare_digest` to prevent timing attacks Also adds some additional tests for CSRF tokens 2016-12-09 04:46:31 +00:00			`from flask import session, request`
Fix and unify CSRF support across web and API endpoints. 2014-03-25 18:32:26 +00:00
			`from app import app`
			`from auth.auth_context import get_validated_oauth_token`
			`from util.http import abort`


			`logger = logging.getLogger(__name__)`

Have Quay always use an OAuth-specific CSRF token This change ensures that we always store and then check the contents of the OAuth `state` argument against a session-stored CSRF token. Fixes https://www.pivotaltracker.com/story/show/135803615 2016-12-08 21:11:57 +00:00			`OAUTH_CSRF_TOKEN_NAME = '_oauth_csrf_token'`
			`_QUAY_CSRF_TOKEN_NAME = '_csrf_token'`

			`def generate_csrf_token(session_token_name=_QUAY_CSRF_TOKEN_NAME):`
			`""" If not present in the session, generates a new CSRF token with the given name`
			`and places it into the session. Returns the generated token.`
			`"""`
			`if session_token_name not in session:`
			`session[session_token_name] = base64.b64encode(os.urandom(48))`

			`return session[session_token_name]`


			`def verify_csrf(session_token_name=_QUAY_CSRF_TOKEN_NAME,`
			`request_token_name=_QUAY_CSRF_TOKEN_NAME):`
			`""" Verifies that the CSRF token with the given name is found in the session and`
			`that the matching token is found in the request args or values.`
			`"""`
Switch csrf token check to use `compare_digest` to prevent timing attacks Also adds some additional tests for CSRF tokens 2016-12-09 04:46:31 +00:00			`token = str(session.get(session_token_name, ''))`
			`found_token = str(request.values.get(request_token_name, ''))`

			`if not token or not found_token or not hmac.compare_digest(token, found_token):`
Have Quay always use an OAuth-specific CSRF token This change ensures that we always store and then check the contents of the OAuth `state` argument against a session-stored CSRF token. Fixes https://www.pivotaltracker.com/story/show/135803615 2016-12-08 21:11:57 +00:00			`msg = 'CSRF Failure. Session token (%s) was %s and request token (%s) was %s'`
			`logger.error(msg, session_token_name, token, request_token_name, found_token)`
Add ability to download system logs 2014-12-23 19:01:00 +00:00			`abort(403, message='CSRF token was invalid or missing.')`
Fix and unify CSRF support across web and API endpoints. 2014-03-25 18:32:26 +00:00

Have Quay always use an OAuth-specific CSRF token This change ensures that we always store and then check the contents of the OAuth `state` argument against a session-stored CSRF token. Fixes https://www.pivotaltracker.com/story/show/135803615 2016-12-08 21:11:57 +00:00			`def csrf_protect(session_token_name=_QUAY_CSRF_TOKEN_NAME,`
			`request_token_name=_QUAY_CSRF_TOKEN_NAME,`
			`all_methods=False):`
			`def inner(func):`
			`@wraps(func)`
			`def wrapper(args, *kwargs):`
Refactor auth code to be cleaner and more extensible We move all the auth handling, serialization and deserialization into a new AuthContext interface, and then standardize a registration model for handling of specific auth context types (user, robot, token, etc). 2018-01-05 21:27:03 +00:00			`if get_validated_oauth_token() is None:`
Have Quay always use an OAuth-specific CSRF token This change ensures that we always store and then check the contents of the OAuth `state` argument against a session-stored CSRF token. Fixes https://www.pivotaltracker.com/story/show/135803615 2016-12-08 21:11:57 +00:00			`if all_methods or (request.method != "GET" and request.method != "HEAD"):`
			`verify_csrf(session_token_name, request_token_name)`

			`return func(args, *kwargs)`
			`return wrapper`
			`return inner`
Fix and unify CSRF support across web and API endpoints. 2014-03-25 18:32:26 +00:00

Strip whitespace from ALL the things. 2014-11-24 21:07:38 +00:00			`app.jinja_env.globals['csrf_token'] = generate_csrf_token`