quay/endpoints/csrf.py

import logging
import os
import base64
import hmac

from functools import wraps
from flask import session, request, Response

import features

from app import app
from auth.auth_context import get_validated_oauth_token
from util.http import abort


logger = logging.getLogger(__name__)

OAUTH_CSRF_TOKEN_NAME = '_oauth_csrf_token'
_QUAY_CSRF_TOKEN_NAME = '_csrf_token'
_QUAY_CSRF_HEADER_NAME = 'X-CSRF-Token'

QUAY_CSRF_UPDATED_HEADER_NAME = 'X-Next-CSRF-Token'


def generate_csrf_token(session_token_name=_QUAY_CSRF_TOKEN_NAME, force=False):
  """ If not present in the session, generates a new CSRF token with the given name
      and places it into the session. Returns the generated token.
  """
  if session_token_name not in session or force:
    session[session_token_name] = base64.b64encode(os.urandom(48))

  return session[session_token_name]


def verify_csrf(session_token_name=_QUAY_CSRF_TOKEN_NAME,
                request_token_name=_QUAY_CSRF_TOKEN_NAME,
                check_header=True):
  """ Verifies that the CSRF token with the given name is found in the session and
      that the matching token is found in the request args or values.
  """
  token = str(session.get(session_token_name, ''))
  found_token = str(request.values.get(request_token_name, ''))
  if check_header and not found_token:
    found_token = str(request.headers.get(_QUAY_CSRF_HEADER_NAME, ''))

  if not token or not found_token or not hmac.compare_digest(token, found_token):
    msg = 'CSRF Failure. Session token (%s) was %s and request token (%s) was %s'
    logger.error(msg, session_token_name, token, request_token_name, found_token)
    abort(403, message='CSRF token was invalid or missing.')


def csrf_protect(session_token_name=_QUAY_CSRF_TOKEN_NAME,
                 request_token_name=_QUAY_CSRF_TOKEN_NAME,
                 all_methods=False,
                 check_header=True):
  def inner(func):
    @wraps(func)
    def wrapper(*args, **kwargs):
      # Verify the CSRF token.
      if get_validated_oauth_token() is None:
        if all_methods or (request.method != "GET" and request.method != "HEAD"):
          verify_csrf(session_token_name, request_token_name, check_header)

      # Invoke the handler.
      resp = func(*args, **kwargs)
      return resp
    return wrapper
  return inner


app.jinja_env.globals['csrf_token'] = generate_csrf_token
initial import for Open Source 🎉 2019-11-12 16:09:47 +00:00			`import logging`
			`import os`
			`import base64`
			`import hmac`

			`from functools import wraps`
			`from flask import session, request, Response`

			`import features`

			`from app import app`
			`from auth.auth_context import get_validated_oauth_token`
			`from util.http import abort`


			`logger = logging.getLogger(__name__)`

			`OAUTH_CSRF_TOKEN_NAME = '_oauth_csrf_token'`
			`_QUAY_CSRF_TOKEN_NAME = '_csrf_token'`
			`_QUAY_CSRF_HEADER_NAME = 'X-CSRF-Token'`

			`QUAY_CSRF_UPDATED_HEADER_NAME = 'X-Next-CSRF-Token'`


			`def generate_csrf_token(session_token_name=_QUAY_CSRF_TOKEN_NAME, force=False):`
			`""" If not present in the session, generates a new CSRF token with the given name`
			`and places it into the session. Returns the generated token.`
			`"""`
			`if session_token_name not in session or force:`
			`session[session_token_name] = base64.b64encode(os.urandom(48))`

			`return session[session_token_name]`


			`def verify_csrf(session_token_name=_QUAY_CSRF_TOKEN_NAME,`
			`request_token_name=_QUAY_CSRF_TOKEN_NAME,`
			`check_header=True):`
			`""" Verifies that the CSRF token with the given name is found in the session and`
			`that the matching token is found in the request args or values.`
			`"""`
			`token = str(session.get(session_token_name, ''))`
			`found_token = str(request.values.get(request_token_name, ''))`
			`if check_header and not found_token:`
			`found_token = str(request.headers.get(_QUAY_CSRF_HEADER_NAME, ''))`

			`if not token or not found_token or not hmac.compare_digest(token, found_token):`
			`msg = 'CSRF Failure. Session token (%s) was %s and request token (%s) was %s'`
			`logger.error(msg, session_token_name, token, request_token_name, found_token)`
			`abort(403, message='CSRF token was invalid or missing.')`


			`def csrf_protect(session_token_name=_QUAY_CSRF_TOKEN_NAME,`
			`request_token_name=_QUAY_CSRF_TOKEN_NAME,`
			`all_methods=False,`
			`check_header=True):`
			`def inner(func):`
			`@wraps(func)`
			`def wrapper(args, *kwargs):`
			`# Verify the CSRF token.`
			`if get_validated_oauth_token() is None:`
			`if all_methods or (request.method != "GET" and request.method != "HEAD"):`
			`verify_csrf(session_token_name, request_token_name, check_header)`

			`# Invoke the handler.`
			`resp = func(args, *kwargs)`
			`return resp`
			`return wrapper`
			`return inner`


			`app.jinja_env.globals['csrf_token'] = generate_csrf_token`