Python hmac.compare_digest() Examples
The following are 30
code examples of hmac.compare_digest().
You can vote up the ones you like or vote down the ones you don't like,
and go to the original project or source file by following the links above each example.
You may also want to check out all available functions/classes of the module
hmac
, or try the search function
.
.
Example #1
| Source File: web.py From mergify-engine with Apache License 2.0 | 6 votes |
|
def authentification(request: requests.Request):
# Only SHA1 is supported
header_signature = request.headers.get("X-Hub-Signature")
if header_signature is None:
LOG.warning("Webhook without signature")
raise fastapi.HTTPException(status_code=403)
try:
sha_name, signature = header_signature.split("=")
except ValueError:
sha_name = None
if sha_name != "sha1":
LOG.warning("Webhook signature malformed")
raise fastapi.HTTPException(status_code=403)
body = await request.body()
mac = utils.compute_hmac(body)
if not hmac.compare_digest(mac, str(signature)):
LOG.warning("Webhook signature invalid")
raise fastapi.HTTPException(status_code=403)
Example #2
| Source File: keymanager.py From mini-key-server with MIT License | 6 votes |
|
def key_valid_const(app_id: int, token: str, origin: Origin) -> bool:
"""Constant time check to see if `token` exists in the database. Compares
against all keys even if a match is found. Validates against the app id
and the hardware id provided."""
current_app.logger.info(f"key lookup by token {token} from {origin}")
found = False
for key in Key.query.all():
if (compare_digest(token, key.token) and
key.enabled and key.app_id == app_id
and compare_digest(origin.hwid, key.hwid)):
found = True
key.last_check_ts = datetime.utcnow()
key.last_check_ip = origin.ip
key.total_checks += 1
AuditLog.from_key(key, f"key check from {origin}", Event.KeyAccess)
return found
Example #3
| Source File: app.py From github-webhook-lambda with MIT License | 6 votes |
|
def validate_signature(request):
"""Validate that the signature in the header matches the payload."""
if CONFIG["SECRET"] is None:
return
try:
signature = request.headers["X-Hub-Signature"]
hashname, hashval = signature.split("=")
except (KeyError, ValueError):
raise BadRequestError()
if (hashname in CONFIG["HASHLIB_BLACKLIST"]) or (
hashname not in hashlib.algorithms_available
):
raise BadRequestError("X-Hub-Signature hash algorithm unavailable")
digest = hmac.new(
CONFIG["SECRET"].encode(), request.raw_body.encode(), hashname
).hexdigest()
if not hmac.compare_digest(digest.encode(), hashval.encode("utf-8")):
raise UnauthorizedError("X-Hub-Signature mismatch")
Example #4
| Source File: test_profile.py From online-judge with GNU Affero General Public License v3.0 | 6 votes |
|
def test_generate_api_token(self):
token = self.profile.generate_api_token()
self.assertIsInstance(token, str)
self.assertIsInstance(self.profile.api_token, str)
user_id, raw_token = struct.unpack('>I32s', base64.urlsafe_b64decode(token))
self.assertEqual(self.users['normal'].id, user_id)
self.assertEqual(len(raw_token), 32)
self.assertTrue(
hmac.compare_digest(
hmac.new(force_bytes(settings.SECRET_KEY), msg=force_bytes(raw_token), digestmod='sha256').hexdigest(),
self.profile.api_token,
),
)
Example #5
| Source File: pierre.py From pierre-decheck with MIT License | 6 votes |
|
def verify_source_is_github(data, headers):
if USE_GITHUB_SECRET:
if data is None:
return False, {"statusCode": 400, "body": "Request body must contain json"}
digest = _get_digest(GITHUB_SECRET, data)
if digest is not None:
header_signature = headers.get("X-Hub-Signature")
sig_parts = header_signature.split('=', 1)
if not isinstance(digest, str):
digest = str(digest)
if len(sig_parts) < 2 or sig_parts[0] != 'sha1' or not hmac.compare_digest(sig_parts[1], digest):
return False, {"statusCode": 400, "body": "Invalid Signature"}
# Implement ping
event = headers.get('X-GitHub-Event', 'ping')
if event == 'ping':
return False, {"statusCode": 200, "body": {'msg': 'pong'}}
return True, {}
Example #6
| Source File: base.py From freight with Apache License 2.0 | 6 votes |
|
def is_authorized(self):
current_user = get_current_user()
if current_user:
return True
try:
auth = request.headers["Authorization"]
except KeyError:
return False
try:
method, payload = auth.split(" ", 1)
except ValueError:
return False
if method != "Key":
return False
if not compare_digest(payload, current_app.config["API_KEY"]):
return False
return True
Example #7
| Source File: webhooks.py From freight with Apache License 2.0 | 6 votes |
|
def post(self, hook, action, app, env, digest):
expected = hmac.new(
current_app.config["API_KEY"].encode("utf8"),
f"{hook}/{action}/{app}/{env}".encode("utf8"),
sha256,
).hexdigest()
if not hmac.compare_digest(expected, digest):
return self.respond(status_code=403)
try:
hook = hooks.get(hook)
except InvalidHook:
return self.respond("Invalid hook", status_code=404)
if action != "deploy":
return self.respond("Unknown action", status_code=404)
app = App.query.filter(App.name == app).first()
if app is None:
return self.respond("Invalid app", status_code=404)
try:
return hook.deploy(app, env)
except NotImplementedError:
return self.respond(status_code=404)
Example #8
| Source File: __init__.py From virtkvm with GNU General Public License v3.0 | 6 votes |
|
def app_switch():
if switch.config.http.is_secure:
secret = request.headers.get("X-Secret")
if secret is None \
or not hmac.compare_digest(switch.config.http.secret, secret):
flask.abort(403)
cases = {
"host": switch.switch_to_host,
"guest": switch.switch_to_guest
}
if not request.json \
or not "to" in request.json \
or not request.json["to"] in cases:
flask.abort(400)
error = None
try:
cases[request.json["to"]]()
except:
error = traceback.format_exc()
return flask.jsonify({"success": True, "error": error})
Example #9
| Source File: main.py From python-docs-samples with Apache License 2.0 | 6 votes |
|
def verify_signature(request):
timestamp = request.headers.get('X-Slack-Request-Timestamp', '')
signature = request.headers.get('X-Slack-Signature', '')
req = str.encode('v0:{}:'.format(timestamp)) + request.get_data()
request_digest = hmac.new(
str.encode(os.environ['SLACK_SECRET']),
req, hashlib.sha256
).hexdigest()
request_hash = 'v0={}'.format(request_digest)
if not hmac.compare_digest(request_hash, signature):
raise ValueError('Invalid request/credentials.')
# [END functions_verify_webhook]
# [START functions_slack_format]
Example #10
| Source File: user.py From arch-security-tracker with MIT License | 6 votes |
|
def validate(self):
rv = BaseForm.validate(self)
if not rv:
return False
if current_user.name in self.password.data:
self.password.errors.append(ERROR_PASSWORD_CONTAINS_USERNAME)
return False
if self.password.data != self.password_repeat.data:
self.password_repeat.errors.append(ERROR_PASSWORD_REPEAT_MISMATCHES)
return False
if not compare_digest(current_user.password, hash_password(self.password_current.data, current_user.salt)):
self.password_current.errors.append(ERROR_PASSWORD_INCORRECT)
return False
return True
Example #11
| Source File: auth.py From SempoBlockchain with GNU General Public License v3.0 | 6 votes |
|
def verify_slack_requests(f=None):
"""
Verify the request signature of the request sent from Slack
Generate a new hash using the app's signing secret and request data
"""
@wraps(f)
def wrapper(*args, **kwargs):
signature = request.headers['X-Slack-Signature']
timestamp = request.headers['X-Slack-Request-Timestamp']
data = request.data.decode('utf-8')
# data = urllib.parse.urlencode(urllib.parse.unquote(raw_string))
format_req = str.encode(f"v0:{timestamp}:{data}")
encoded_secret = str.encode(config.SLACK_SECRET)
request_hash = hmac.new(encoded_secret, format_req, hashlib.sha256).hexdigest()
calculated_signature = f"v0={request_hash}"
if hmac.compare_digest(calculated_signature, signature):
return f(*args, **kwargs)
return make_response(jsonify({'message': 'Invalid auth'})), 401
return wrapper
Example #12
| Source File: utility.py From razorpay-python with MIT License | 6 votes |
|
def verify_signature(self, body, signature, key):
if sys.version_info[0] == 3: # pragma: no cover
key = bytes(key, 'utf-8')
body = bytes(body, 'utf-8')
dig = hmac.new(key=key,
msg=body,
digestmod=hashlib.sha256)
generated_signature = dig.hexdigest()
if sys.version_info[0:3] < (2, 7, 7):
result = self.compare_string(generated_signature, signature)
else:
result = hmac.compare_digest(generated_signature, signature)
if not result:
raise SignatureVerificationError(
'Razorpay Signature Verification Failed')
return result
# Taken from Django Source Code
# Used in python version < 2.7.7
# As hmac.compare_digest is not present in prev versions
Example #13
| Source File: mailgun_api_service.py From intake with MIT License | 6 votes |
|
def is_a_valid_mailgun_post(request):
"""
Taken from
http://mailgun-documentation.readthedocs.io/en/latest/
user_manual.html#webhooks
:param request: Request object
:return: True or False if the request was signed by mailgun
"""
token = request.POST['token']
timestamp = request.POST['timestamp']
signature = request.POST['signature']
key = getattr(settings, 'MAILGUN_PRIVATE_API_KEY', '').encode('utf-8')
msg = ('{}{}'.format(timestamp, token)).encode('utf-8')
hmac_digest = hmac.new(key=key, msg=msg, digestmod=hashlib.sha256
).hexdigest()
return hmac.compare_digest(signature, hmac_digest)
Example #14
| Source File: login.py From arch-security-tracker with MIT License | 6 votes |
|
def validate(self):
self.user = None
rv = BaseForm.validate(self)
if not rv:
return False
def fail():
self.password.errors.append(ERROR_INVALID_USERNAME_PASSWORD)
return False
user = User.query.filter(User.name == self.username.data).first()
if not user:
compare_digest(dummy_password, hash_password(self.password.data, 'the cake is a lie!'))
return fail()
if not compare_digest(user.password, hash_password(self.password.data, user.salt)):
return fail()
if not user.active:
self.username.errors.append(ERROR_ACCOUNT_DISABLED)
return False
self.user = user
return True
Example #15
| Source File: csrf.py From quay with Apache License 2.0 | 6 votes |
|
def verify_csrf(
session_token_name=_QUAY_CSRF_TOKEN_NAME,
request_token_name=_QUAY_CSRF_TOKEN_NAME,
check_header=True,
):
"""
Verifies that the CSRF token with the given name is found in the session and that the matching
token is found in the request args or values.
"""
token = str(session.get(session_token_name, ""))
found_token = str(request.values.get(request_token_name, ""))
if check_header and not found_token:
found_token = str(request.headers.get(_QUAY_CSRF_HEADER_NAME, ""))
if not token or not found_token or not hmac.compare_digest(token, found_token):
msg = "CSRF Failure. Session token (%s) was %s and request token (%s) was %s"
logger.error(msg, session_token_name, token, request_token_name, found_token)
abort(403, message="CSRF token was invalid or missing.")
Example #16
| Source File: middleware.py From online-judge with GNU Affero General Public License v3.0 | 5 votes |
|
def __call__(self, request):
full_token = request.META.get('HTTP_AUTHORIZATION', '')
if not full_token:
return self.get_response(request)
token = self.header_pattern.match(full_token)
if not token:
return HttpResponse('Invalid authorization header', status=400)
if request.path.startswith(reverse('admin:index')):
return HttpResponse('Admin inaccessible', status=403)
try:
id, secret = struct.unpack('>I32s', base64.urlsafe_b64decode(token.group(1)))
request.user = User.objects.get(id=id)
# User hasn't generated a token
if not request.user.profile.api_token:
raise HTTPError()
# Token comparison
digest = hmac.new(force_bytes(settings.SECRET_KEY), msg=secret, digestmod='sha256').hexdigest()
if not hmac.compare_digest(digest, request.user.profile.api_token):
raise HTTPError()
request._cached_user = request.user
request.csrf_processing_done = True
request.session['2fa_passed'] = True
except (User.DoesNotExist, HTTPError):
response = HttpResponse('Invalid token')
response['WWW-Authenticate'] = 'Bearer realm="API"'
response.status_code = 401
return response
return self.get_response(request)
Example #17
| Source File: jwk.py From python-jwt with Apache License 2.0 | 5 votes |
|
def verify(self, message: bytes, signature: bytes, **options) -> bool:
signer = self._get_signer(options)
return hmac.compare_digest(signature, signer(message, self.key))
Example #18
| Source File: crypto_common.py From torpy with Apache License 2.0 | 5 votes |
|
def rsa_verify(pubkey, sig, dig):
dig_size = len(dig)
sig_int = int(sig.hex(), 16)
pn = pubkey.public_numbers()
decoded = pow(sig_int, pn.e, pn.n)
buf = '%x' % decoded
if len(buf) % 2:
buf = '0' + buf
buf = '00' + buf
hash_buf = bytes.fromhex(buf)
pad_type = b'\0\1'
pad_len = len(hash_buf) - 2 - 1 - dig_size
cmp_dig = pad_type + b'\xff' * pad_len + b'\0' + dig
return compare_digest(hash_buf, cmp_dig)
Example #19
| Source File: crypto.py From python with Apache License 2.0 | 5 votes |
|
def constant_time_compare(val1, val2):
return hmac.compare_digest(force_bytes(val1), force_bytes(val2))
Example #20
| Source File: webhook.py From python-github-webhook with Apache License 2.0 | 5 votes |
|
def _postreceive(self):
"""Callback from Flask"""
digest = self._get_digest()
if digest is not None:
sig_parts = _get_header("X-Hub-Signature").split("=", 1)
if not isinstance(digest, six.text_type):
digest = six.text_type(digest)
if len(sig_parts) < 2 or sig_parts[0] != "sha1" or not hmac.compare_digest(sig_parts[1], digest):
abort(400, "Invalid signature")
event_type = _get_header("X-Github-Event")
content_type = _get_header("content-type")
data = (
json.loads(request.form.to_dict(flat=True)["payload"])
if content_type == "application/x-www-form-urlencoded"
else request.get_json()
)
if data is None:
abort(400, "Request body must contain json")
self._logger.info("%s (%s)", _format_event(event_type, data), _get_header("X-Github-Delivery"))
for hook in self._hooks.get(event_type, []):
hook(data)
return "", 204
Example #21
| Source File: auth.py From learn_python3_spider with MIT License | 5 votes |
|
def compare_digest(a, b, _xor_bytes=_xor_bytes):
left = None
right = b
if len(a) == len(b):
left = a
result = 0
if len(a) != len(b):
left = b
result = 1
for x, y in zip(left, right):
result |= _xor_bytes(x, y)
return result == 0
Example #22
| Source File: operations.py From dffml with MIT License | 5 votes |
|
def check_secret_match(self, headers, body):
expected = headers["X-Hub-Signature"].replace("sha1=", "")
# Getting secret value from file
secret = await self.sctx.get(name="github_webhook")
key = secret.encode()
calculated = hmac.new(key, body, hashlib.sha1).hexdigest()
match = hmac.compare_digest(expected, calculated)
if match:
return {"git_payload": json.loads(body.decode())}
return
Example #23
| Source File: utils.py From datasette-auth-github with Apache License 2.0 | 5 votes |
|
def unsign(self, signed_value):
if ":" not in signed_value:
raise BadSignature("No : found")
value, signature = signed_value.rsplit(":", 1)
if hmac.compare_digest(signature, self.signature(value)):
return value
raise BadSignature("Signature does not match")
Example #24
| Source File: _compat.py From Building-Recommendation-Systems-with-Python with MIT License | 5 votes |
|
def _constant_time_compare(val1, val2):
"""Return ``True`` if the two strings are equal, ``False``
otherwise.
The time taken is independent of the number of characters that
match. Do not use this function for anything else than comparision
with known length targets.
This is should be implemented in C in order to get it completely
right.
This is an alias of :func:`hmac.compare_digest` on Python>=2.7,3.3.
"""
len_eq = len(val1) == len(val2)
if len_eq:
result = 0
left = val1
else:
result = 1
left = val2
for x, y in izip(bytearray(left), bytearray(val2)):
result |= x ^ y
return result == 0
# Starting with 2.7/3.3 the standard library has a c-implementation for
# constant time string compares.
Example #25
| Source File: _compat.py From Building-Recommendation-Systems-with-Python with MIT License | 5 votes |
|
def _constant_time_compare(val1, val2):
"""Return ``True`` if the two strings are equal, ``False``
otherwise.
The time taken is independent of the number of characters that
match. Do not use this function for anything else than comparision
with known length targets.
This is should be implemented in C in order to get it completely
right.
This is an alias of :func:`hmac.compare_digest` on Python>=2.7,3.3.
"""
len_eq = len(val1) == len(val2)
if len_eq:
result = 0
left = val1
else:
result = 1
left = val2
for x, y in izip(bytearray(left), bytearray(val2)):
result |= x ^ y
return result == 0
# Starting with 2.7/3.3 the standard library has a c-implementation for
# constant time string compares.
Example #26
| Source File: judge_handler.py From online-judge with GNU Affero General Public License v3.0 | 5 votes |
|
def _authenticate(self, id, key):
try:
judge = Judge.objects.get(name=id, is_blocked=False)
except Judge.DoesNotExist:
result = False
else:
result = hmac.compare_digest(judge.auth_key, key)
if not result:
json_log.warning(self._make_json_log(action='auth', judge=id, info='judge failed authentication'))
return result
Example #27
| Source File: core.py From flask-githubapp with MIT License | 5 votes |
|
def _verify_webhook(self):
signature = request.headers['X-Hub-Signature'].split('=')[1]
mac = hmac.new(self.secret, msg=request.data, digestmod='sha1')
if not hmac.compare_digest(mac.hexdigest(), signature):
LOG.warning('GitHub hook signature verification failed.')
abort(400)
Example #28
| Source File: decorators.py From Sanic-JWT-Extended with MIT License | 5 votes |
|
def _csrf_check(csrf_from_request, csrf_from_jwt):
if not csrf_from_jwt or not isinstance(csrf_from_jwt, str):
raise CSRFError('Can not find valid CSRF data from token')
if not compare_digest(csrf_from_request, csrf_from_jwt):
raise CSRFError('CSRF double submit tokens do not match')
Example #29
| Source File: decorators.py From Sanic-JWT-Extended with MIT License | 5 votes |
|
def compare_digest(a, b):
if isinstance(a, str):
a = a.encode("utf-8")
if isinstance(b, str):
b = b.encode("utf-8")
if len(a) != len(b):
return False
r = 0
for x, y in zip(a, b):
r |= x ^ y
return not r
Example #30
| Source File: api_helper.py From comet-core with Apache License 2.0 | 5 votes |
|
def assert_valid_token(fingerprint, token):
"""
Check if the token given in the request is valid by comparing to the calculated API token.
Args:
fingerprint (str): the fingerprint to compute the API token with
token (str): the token to validate
Raises:
ValueError: if the token is not valid
"""
expected_token = fingerprint_hmac(fingerprint, current_app.config["hmac_secret"])
if not hmac.compare_digest(bytes(expected_token, "utf-8"), bytes(token, "utf-8")):
raise ValueError("Invalid token for the given fingerprint.")
