path: root/gn3/utility/hmac.py
"""module for hmac """

# pylint: disable-all
import hmac
import hashlib

# xtodo work on this file

# from main import app


def hmac_creation(stringy):
    """Return a truncated HMAC-SHA1 tag for ``stringy`` as a hex string.

    The message is encoded as UTF-8 and the key as latin-1. Only the first
    20 hex characters (80 of the 160 bits) of the digest are returned.
    """
    # NOTE(review): the key below is a literal checked into the source, so
    # the tag authenticates nothing against anyone who can read this file.
    # The original author's intent was to load it from configuration:
    #   secret = app.config['SECRET_HMAC_CODE']
    # Until that is wired up, treat the tags as a placeholder, not a control.
    secret = "my secret"
    key = secret.encode("latin-1")
    message = bytearray(stringy, "utf-8")
    full_tag = hmac.new(key, message, hashlib.sha1).hexdigest()
    # ZS: Leaving the reference below here to ask Pjotr about
    # "Conventional wisdom is that you don't lose much in terms of security
    # if you throw away up to half of the output."
    # http://www.w3.org/QA/2009/07/hmac_truncation_in_xml_signatu.html
    # Truncation keeps exactly half of the SHA-1 hex digest; any verifier
    # must truncate the same way before comparing.
    return full_tag[:20]


def data_hmac(stringy):
    """Return ``stringy`` with ``:<tag>`` appended, where tag is its hmac.

    The tag comes from ``hmac_creation`` and lets a receiver detect that the
    data was altered.
    """
    # NOTE(review): no verifier is visible in this file. Whoever checks the
    # tag should split on the LAST ":" (the data itself may contain ":") and
    # compare with hmac.compare_digest rather than "==".
    tag = hmac_creation(stringy)
    return ":".join((stringy, tag))


def url_for_hmac(endpoint, **values):
    """Build a URL like ``url_for`` and append an ``hm`` query parameter.

    The ``hm`` value is the hmac of the URL exactly as ``url_for`` returned
    it, so a receiver can detect that the URL was altered.
    """
    # NOTE(review): url_for is not imported anywhere in the visible file, so
    # this call raises NameError unless the name is injected elsewhere.
    url = url_for(endpoint, **values)
    tag = hmac_creation(url)

    # Extend an existing query string with "&", otherwise start one with "?".
    separator = "&" if "?" in url else "?"

    # NOTE(review): a verifier has to strip the hm parameter, recompute the
    # tag over the remaining URL string, and compare in constant time
    # (hmac.compare_digest); no such check is visible here.
    return "".join((url, separator, "hm=", tag))



# todo
# app.jinja_env.globals.update(url_for_hmac=url_for_hmac,
#                              data_hmac=data_hmac)