core/homeassistant/components/auth/client.py

"""Helpers to resolve client ID/secret."""
import base64
from functools import wraps
import hmac

import aiohttp.hdrs


def verify_client(method):
    """Decorator to verify client id/secret on requests."""
    @wraps(method)
    async def wrapper(view, request, *args, **kwargs):
        """Verify client id/secret before doing request."""
        client_id = await _verify_client(request)

        if client_id is None:
            return view.json({
                'error': 'invalid_client',
            }, status_code=401)

        return await method(
            view, request, *args, client_id=client_id, **kwargs)

    return wrapper


async def _verify_client(request):
    """Method to verify the client id/secret in consistent time.

    By using a consistent time for looking up client id and comparing the
    secret, we prevent attacks by malicious actors trying different client ids
    and are able to derive from the time it takes to process the request if
    they guessed the client id correctly.
    """
    if aiohttp.hdrs.AUTHORIZATION not in request.headers:
        return None

    auth_type, auth_value = \
        request.headers.get(aiohttp.hdrs.AUTHORIZATION).split(' ', 1)

    if auth_type != 'Basic':
        return None

    decoded = base64.b64decode(auth_value).decode('utf-8')
    try:
        client_id, client_secret = decoded.split(':', 1)
    except ValueError:
        # If no ':' in decoded
        return None

    client = await request.app['hass'].auth.async_get_client(client_id)

    if client is None:
        # Still do a compare so we run same time as if a client was found.
        hmac.compare_digest(client_secret.encode('utf-8'),
                            client_secret.encode('utf-8'))
        return None

    if hmac.compare_digest(client_secret.encode('utf-8'),
                           client.secret.encode('utf-8')):
        return client_id

    return None
Foundation for users (#13968) * Add initial user foundation to Home Assistant * Address comments * Address comments * Allow non-ascii passwords * One more utf-8 hmac compare digest * Add new line 2018-05-01 16:20:41 +00:00			`"""Helpers to resolve client ID/secret."""`
			`import base64`
			`from functools import wraps`
			`import hmac`

			`import aiohttp.hdrs`


			`def verify_client(method):`
			`"""Decorator to verify client id/secret on requests."""`
			`@wraps(method)`
			`async def wrapper(view, request, args, *kwargs):`
			`"""Verify client id/secret before doing request."""`
			`client_id = await _verify_client(request)`

			`if client_id is None:`
			`return view.json({`
			`'error': 'invalid_client',`
			`}, status_code=401)`

			`return await method(`
			`view, request, args, client_id=client_id, *kwargs)`

			`return wrapper`


			`async def _verify_client(request):`
			`"""Method to verify the client id/secret in consistent time.`

			`By using a consistent time for looking up client id and comparing the`
			`secret, we prevent attacks by malicious actors trying different client ids`
			`and are able to derive from the time it takes to process the request if`
			`they guessed the client id correctly.`
			`"""`
			`if aiohttp.hdrs.AUTHORIZATION not in request.headers:`
			`return None`

			`auth_type, auth_value = \`
			`request.headers.get(aiohttp.hdrs.AUTHORIZATION).split(' ', 1)`

			`if auth_type != 'Basic':`
			`return None`

			`decoded = base64.b64decode(auth_value).decode('utf-8')`
			`try:`
			`client_id, client_secret = decoded.split(':', 1)`
			`except ValueError:`
			`# If no ':' in decoded`
			`return None`

			`client = await request.app['hass'].auth.async_get_client(client_id)`

			`if client is None:`
			`# Still do a compare so we run same time as if a client was found.`
			`hmac.compare_digest(client_secret.encode('utf-8'),`
			`client_secret.encode('utf-8'))`
			`return None`

			`if hmac.compare_digest(client_secret.encode('utf-8'),`
			`client.secret.encode('utf-8')):`
			`return client_id`

			`return None`