Add existing GAM 3.21 code

2025-07-08 05:33:34 +00:00 · 2014-06-28 10:14:05 -04:00
parent 8a904a81f5
commit d0356796e9
486 changed files with 158994 additions and 0 deletions
--- a/oauth2client/xsrfutil.py
+++ b/oauth2client/xsrfutil.py
@ -0,0 +1,113 @@
+#!/usr/bin/python2.5
+#
+# Copyright 2010 the Melange authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+"""Helper methods for creating & verifying XSRF tokens."""
+
+__authors__ = [
+  '"Doug Coker" <dcoker@google.com>',
+  '"Joe Gregorio" <jcgregorio@google.com>',
+]
+
+
+import base64
+import hmac
+import os  # for urandom
+import time
+
+from oauth2client import util
+
+
+# Delimiter character
+DELIMITER = ':'
+
+# 1 hour in seconds
+DEFAULT_TIMEOUT_SECS = 1*60*60
+
+@util.positional(2)
+def generate_token(key, user_id, action_id="", when=None):
+  """Generates a URL-safe token for the given user, action, time tuple.
+
+  Args:
+    key: secret key to use.
+    user_id: the user ID of the authenticated user.
+    action_id: a string identifier of the action they requested
+      authorization for.
+    when: the time in seconds since the epoch at which the user was
+      authorized for this action. If not set the current time is used.
+
+  Returns:
+    A string XSRF protection token.
+  """
+  when = when or int(time.time())
+  digester = hmac.new(key)
+  digester.update(str(user_id))
+  digester.update(DELIMITER)
+  digester.update(action_id)
+  digester.update(DELIMITER)
+  digester.update(str(when))
+  digest = digester.digest()
+
+  token = base64.urlsafe_b64encode('%s%s%d' % (digest,
+                                               DELIMITER,
+                                               when))
+  return token
+
+
+@util.positional(3)
+def validate_token(key, token, user_id, action_id="", current_time=None):
+  """Validates that the given token authorizes the user for the action.
+
+  Tokens are invalid if the time of issue is too old or if the token
+  does not match what generateToken outputs (i.e. the token was forged).
+
+  Args:
+    key: secret key to use.
+    token: a string of the token generated by generateToken.
+    user_id: the user ID of the authenticated user.
+    action_id: a string identifier of the action they requested
+      authorization for.
+
+  Returns:
+    A boolean - True if the user is authorized for the action, False
+    otherwise.
+  """
+  if not token:
+    return False
+  try:
+    decoded = base64.urlsafe_b64decode(str(token))
+    token_time = long(decoded.split(DELIMITER)[-1])
+  except (TypeError, ValueError):
+    return False
+  if current_time is None:
+    current_time = time.time()
+  # If the token is too old it's not valid.
+  if current_time - token_time > DEFAULT_TIMEOUT_SECS:
+    return False
+
+  # The given token should match the generated one with the same time.
+  expected_token = generate_token(key, user_id, action_id=action_id,
+                                  when=token_time)
+  if len(token) != len(expected_token):
+    return False
+
+  # Perform constant time comparison to avoid timing attacks
+  different = 0
+  for x, y in zip(token, expected_token):
+    different |= ord(x) ^ ord(y)
+  if different:
+    return False
+
+  return True