hazza/jupyterhub
1
0
Fork 0
mirror of https://github.com/jupyterhub/jupyterhub.git synced 2025-10-10 11:33:01 +00:00
Code Issues Packages Projects Releases Wiki Activity

only store hashed tokens

Browse Source 
- use PasswordType
- store first 4 bytes for filtering by prefix
  since we can't filter by equality on the hashed value.
- user.new_foo_token() returns token string, not ORM object
This commit is contained in:
MinRK
2014-10-27 12:15:40 -07:00
parent 73706632d5
commit bce2be7401
6 changed files with 57 additions and 43 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
jupyterhub/apihandlers/auth.py
View File

@@ -15,7 +15,7 @@ from .base import APIHandler
class TokenAPIHandler(APIHandler):
@token_authenticated
def get(self, token):
orm_token = self.db.query(orm.APIToken).filter(orm.APIToken.token == token).first()
orm_token = orm.APIToken.find(self.db, token)
if orm_token is None:
raise web.HTTPError(404)
self.write(json.dumps({
@@ -30,7 +30,7 @@ class CookieAPIHandler(APIHandler):
if not btoken:
raise web.HTTPError(404)
token = btoken.decode('utf8', 'replace')
orm_token = self.db.query(orm.CookieToken).filter(orm.CookieToken.token == token).first()
orm_token = orm.CookieToken.find(self.db, token)
if orm_token is None:
raise web.HTTPError(404)
self.write(json.dumps({

8
jupyterhub/handlers/base.py
View File

@@ -129,22 +129,18 @@ class BaseHandler(RequestHandler):
# create and set a new cookie token for the single-user server
if user.server:
cookie_token = user.new_cookie_token()
self.db.add(cookie_token)
self.db.commit()
self.set_secure_cookie(
user.server.cookie_name,
cookie_token.token,
cookie_token,
path=user.server.base_url,
)
# create and set a new cookie token for the hub
if not self.get_current_user_cookie():
cookie_token = user.new_cookie_token()
self.db.add(cookie_token)
self.db.commit()
self.set_secure_cookie(
self.hub.server.cookie_name,
cookie_token.token,
cookie_token,
path=self.hub.server.base_url)
@gen.coroutine

49
jupyterhub/orm.py
View File

@@ -3,7 +3,6 @@
# Copyright (c) Jupyter Development Team.
# Distributed under the terms of the Modified BSD License.
from binascii import b2a_hex
from datetime import datetime
import errno
import json
@@ -19,14 +18,14 @@ from tornado.httpclient import HTTPRequest, AsyncHTTPClient, HTTPError
from sqlalchemy.types import TypeDecorator, VARCHAR
from sqlalchemy import (
inspect,
Column, Integer, String, ForeignKey, Unicode, Binary, Boolean,
Column, Integer, ForeignKey, Unicode, Binary, Boolean,
DateTime,
)
from sqlalchemy.ext.declarative import declarative_base, declared_attr
from sqlalchemy.orm import sessionmaker, relationship, backref
from sqlalchemy.pool import StaticPool
from sqlalchemy import create_engine
from sqlalchemy_utils.types import EncryptedType
from sqlalchemy_utils.types import EncryptedType, PasswordType
from .utils import random_port, url_path_join, wait_for_server, wait_for_http_server
@@ -38,6 +37,7 @@ def new_token(*args, **kwargs):
"""
return text_type(uuid.uuid4().hex)
PASSWORD_SCHEMES = ['pbkdf2_sha512']
class JSONDict(TypeDecorator):
"""Represents an immutable structure as a json-encoded string.
@@ -273,8 +273,15 @@ class User(Base):
)
def _new_token(self, cls):
"""Create a new API or Cookie token"""
assert self.id is not None
return cls(token=new_token(), user_id=self.id)
db = inspect(self).session
token = new_token()
orm_token = cls(user_id=self.id)
orm_token.token = token
db.add(orm_token)
db.commit()
return token
def new_api_token(self):
"""Return a new API token"""
@@ -306,7 +313,6 @@ class User(Base):
db.commit()
api_token = self.new_api_token()
db.add(api_token)
db.commit()
@@ -317,7 +323,7 @@ class User(Base):
)
# we are starting a new server, make sure it doesn't restore state
spawner.clear_state()
spawner.api_token = api_token.token
spawner.api_token = api_token
yield spawner.start()
spawner.start_polling()
@@ -351,15 +357,32 @@ class User(Base):
class Token(object):
"""Mixin for token tables, since we have two"""
token = Column(EncryptedType(Unicode, key=b''), primary_key=True)
id = Column(Integer, primary_key=True)
hashed = Column(PasswordType(schemes=PASSWORD_SCHEMES))
prefix = Column(Unicode)
prefix_length = 4
_token = None
@property
def token(self):
"""plaintext tokens will only be accessible for tokens created during this session"""
return self._token
@token.setter
def token(self, token):
"""Store the hashed value and prefix for a token"""
self.prefix = token[:self.prefix_length]
self.hashed = token
self._token = token
@declared_attr
def user_id(cls):
return Column(Integer, ForeignKey('users.id'))
def __repr__(self):
return "<{cls}('{t}', user='{u}')>".format(
return "<{cls}('{pre}...', user='{u}')>".format(
cls=self.__class__.__name__,
t=self.token,
pre=self.prefix,
u=self.user.name,
)
@@ -369,7 +392,13 @@ class Token(object):
Returns None if not found.
"""
return db.query(cls).filter(cls.token==token).first()
prefix = token[:cls.prefix_length]
# since we can't filter on hashed values, filter on prefix
# so we aren't comparing with all tokens
prefix_match = db.query(cls).filter(cls.prefix==prefix)
for orm_token in prefix_match:
if orm_token.hashed == token:
return orm_token
class APIToken(Token, Base):

20
jupyterhub/tests/test_api.py
View File

@@ -20,13 +20,8 @@ def auth_header(db, name):
user = find_user(db, name)
if user is None:
user = add_user(db, name=name)
if not user.api_tokens:
token = user.new_api_token()
db.add(token)
db.commit()
else:
token = user.api_tokens[0]
return {'Authorization': 'token %s' % token.token}
token = user.new_api_token()
return {'Authorization': 'token %s' % token}
def api_request(app, *api_path, **kwargs):
"""Make an API request"""
@@ -49,25 +44,22 @@ def test_auth_api(app):
# make a new cookie token
user = db.query(orm.User).first()
api_token = user.new_api_token()
db.add(api_token)
cookie_token = user.new_cookie_token()
db.add(cookie_token)
db.commit()
# check success:
r = api_request(app, 'authorizations/token', api_token.token)
r = api_request(app, 'authorizations/token', api_token)
assert r.status_code == 200
reply = r.json()
assert reply['user'] == user.name
# check fail
r = api_request(app, 'authorizations/token', api_token.token,
r = api_request(app, 'authorizations/token', api_token,
headers={'Authorization': 'no sir'},
)
assert r.status_code == 403
r = api_request(app, 'authorizations/token', api_token.token,
headers={'Authorization': 'token: %s' % cookie_token.token},
r = api_request(app, 'authorizations/token', api_token,
headers={'Authorization': 'token: %s' % cookie_token},
)
assert r.status_code == 403

18
jupyterhub/tests/test_orm.py
View File

@@ -81,17 +81,13 @@ def test_tokens(db):
db.add(user)
db.commit()
token = user.new_cookie_token()
db.add(token)
db.commit()
assert token in user.cookie_tokens
db.add(user.new_cookie_token())
db.add(user.new_cookie_token())
db.add(user.new_api_token())
db.commit()
assert any(t.hashed == token for t in user.cookie_tokens)
user.new_cookie_token()
user.new_cookie_token()
user.new_api_token()
assert len(user.api_tokens) == 1
assert len(user.cookie_tokens) == 3
found = orm.CookieToken.find(db, token=token.token)
assert found.token == token.token
found = orm.APIToken.find(db, token.token)
found = orm.CookieToken.find(db, token=token)
assert found.hashed == token
found = orm.APIToken.find(db, 'something else')
assert found is None

1
requirements.txt
View File

@@ -5,5 +5,6 @@ simplepam
sqlalchemy
sqlalchemy-utils
cryptography
passlib
requests
six