summaryrefslogtreecommitdiff
path: root/postgresqleu/auth.py
diff options
context:
space:
mode:
authorMagnus Hagander2013-06-20 13:21:02 +0000
committerMagnus Hagander2013-06-20 13:21:02 +0000
commit0d49984a601b08fb25ebfa0a2f7ee2e75b663909 (patch)
tree0e843fad71b3428818bf06a3d739036408fae9df /postgresqleu/auth.py
parent8373ecfaa5de1a1d2afe0fc73f8b1b8a8bfe1045 (diff)
Update community authentication to use encrypted parameters for redirection
Diffstat (limited to 'postgresqleu/auth.py')
-rw-r--r--postgresqleu/auth.py37
1 files changed, 31 insertions, 6 deletions
diff --git a/postgresqleu/auth.py b/postgresqleu/auth.py
index c3118d51..3f750b4a 100644
--- a/postgresqleu/auth.py
+++ b/postgresqleu/auth.py
@@ -27,8 +27,10 @@ from django.conf import settings
import base64
import urlparse
-from urllib import quote_plus
+import urllib
from Crypto.Cipher import AES
+from Crypto.Hash import SHA
+from Crypto import Random
import time
class AuthBackend(ModelBackend):
@@ -45,9 +47,20 @@ class AuthBackend(ModelBackend):
# Handle login requests by sending them off to the main site
def login(request):
if request.GET.has_key('next'):
- return HttpResponseRedirect("%s?su=%s" % (
+ # Put together an url-encoded dict of parameters we're getting back,
+ # including a small nonce at the beginning to make sure it doesn't
+ # encrypt the same way every time.
+ s = "t=%s&%s" % (int(time.time()), urllib.urlencode({'r': request.GET['next']}))
+ # Now encrypt it
+ r = Random.new()
+ iv = r.read(16)
+ encryptor = AES.new(SHA.new(settings.SECRET_KEY).digest()[:16], AES.MODE_CBC, iv)
+ cipher = encryptor.encrypt(s + ' ' * (16-(len(s) % 16))) # pad to 16 bytes
+
+ return HttpResponseRedirect("%s?d=%s$%s" % (
settings.PGAUTH_REDIRECT,
- quote_plus(request.GET['next']),
+ base64.b64encode(iv, "-_"),
+ base64.b64encode(cipher, "-_"),
))
else:
return HttpResponseRedirect(settings.PGAUTH_REDIRECT)
@@ -119,9 +132,21 @@ def auth_receive(request):
user.backend = "%s.%s" % (AuthBackend.__module__, AuthBackend.__name__)
django_login(request, user)
- # Finally, redirect the user
- if data.has_key('su'):
- return HttpResponseRedirect(data['su'][0])
+ # Finally, check of we have a data package that tells us where to
+ # redirect the user.
+ if data.has_key('d'):
+ (ivs, datas) = data['d'][0].split('$')
+ decryptor = AES.new(SHA.new(settings.SECRET_KEY).digest()[:16],
+ AES.MODE_CBC,
+ base64.b64decode(ivs, "-_"))
+ s = decryptor.decrypt(base64.b64decode(datas, "-_")).rstrip(' ')
+ try:
+ rdata = urlparse.parse_qs(s, strict_parsing=True)
+ except ValueError, e:
+ raise Exception("Invalid encrypted data received.")
+ if rdata.has_key('r'):
+ # Redirect address
+ return HttpResponseRedirect(rdata['r'][0])
# No redirect specified, see if we have it in our settings
if hasattr(settings, 'PGAUTH_REDIRECT_SUCCESS'):
return HttpResponseRedirect(settings.PGAUTH_REDIRECT_SUCCESS)