
/usr/lib/python3/dist-packages/pymacaroons/caveat_delegates/third_party.py is in python3-pymacaroons 0.13.0-1.

This file is owned by root:root, with mode 0o644.

The actual contents of the file can be viewed below.

from __future__ import unicode_literals
import binascii

from nacl.secret import SecretBox

from pymacaroons import Caveat
from pymacaroons.utils import (
    convert_to_bytes,
    truncate_or_pad,
    generate_derived_key,
    sign_third_party_caveat,
)
from pymacaroons.exceptions import MacaroonUnmetCaveatException
from .base_third_party import (
    BaseThirdPartyCaveatDelegate,
    BaseThirdPartyCaveatVerifierDelegate,
)


class ThirdPartyCaveatDelegate(BaseThirdPartyCaveatDelegate):
    """Adds third-party caveats to a macaroon.

    The caveat's root key is derived from the caller-supplied ``key`` and
    stored in the caveat encrypted with a NaCl ``SecretBox`` whose key comes
    from the macaroon's signature at the moment the caveat is added.
    """

    def __init__(self, *args, **kwargs):
        super(ThirdPartyCaveatDelegate, self).__init__(*args, **kwargs)

    def add_third_party_caveat(self,
                               macaroon,
                               location,
                               key,
                               key_id,
                               **kwargs):
        """Append a third-party caveat to ``macaroon`` and re-sign it.

        Args:
            macaroon: macaroon to extend; it is mutated in place.
            location: location recorded on the new caveat.
            key: secret shared with the third party; it is converted to
                bytes and passed through ``generate_derived_key``.
            key_id: identifier stored as the caveat id.
            **kwargs: only ``nonce`` is read; it is forwarded to
                ``SecretBox.encrypt``.

        Returns:
            The same ``macaroon`` object, with the caveat appended and its
            signature replaced.
        """
        caveat_root_key = truncate_or_pad(
            generate_derived_key(convert_to_bytes(key))
        )

        # The signature is read once and used twice: padded/truncated as the
        # SecretBox key, and unmodified as the signing key further down.
        # Nothing in between assigns macaroon.signature.
        current_signature = binascii.unhexlify(macaroon.signature_bytes)
        box = SecretBox(key=truncate_or_pad(current_signature))

        # SECURITY: with no 'nonce' kwarg, None is forwarded and PyNaCl picks
        # a random nonce. A caller-supplied nonce must never repeat under the
        # same box key; reuse voids the confidentiality and integrity
        # guarantees of secretbox. Fixed nonces belong in test vectors only.
        nonce = kwargs.get('nonce')
        encrypted_root_key = box.encrypt(caveat_root_key, nonce=nonce)

        caveat = Caveat(
            caveat_id=key_id,
            location=location,
            verification_key_id=encrypted_root_key,
            version=macaroon.version
        )
        macaroon.caveats.append(caveat)

        # Chain the signature over the new caveat's verification id and
        # caveat id, keyed by the signature as it was before this caveat.
        macaroon.signature = sign_third_party_caveat(
            current_signature,
            caveat._verification_key_id,
            caveat._caveat_id
        )
        return macaroon


class ThirdPartyCaveatVerifierDelegate(BaseThirdPartyCaveatVerifierDelegate):
    """Verifies third-party caveats against their discharge macaroons."""

    def __init__(self, *args, **kwargs):
        super(ThirdPartyCaveatVerifierDelegate, self).__init__(*args, **kwargs)

    def verify_third_party_caveat(self,
                                  verifier,
                                  caveat,
                                  root,
                                  macaroon,
                                  discharge_macaroons,
                                  signature):
        """Check one third-party caveat using its discharge macaroon.

        Args:
            verifier: object providing ``verify_discharge``.
            caveat: the third-party caveat being checked.
            root: passed through unchanged to ``verify_discharge``.
            macaroon: not used by this method.
            discharge_macaroons: candidate discharge macaroons.
            signature: key material used to decrypt the caveat key.
                NOTE(review): presumably the running signature computed up
                to, but not including, this caveat; confirm against caller.

        Returns:
            Whatever ``verifier.verify_discharge`` returns.

        Raises:
            MacaroonUnmetCaveatException: no discharge macaroon carries the
                caveat's identifier.
        """
        # Lookup comes first so that a missing discharge is reported before
        # any decryption is attempted.
        discharge = self._caveat_macaroon(caveat, discharge_macaroons)
        root_key = self._extract_caveat_key(signature, caveat)

        return verifier.verify_discharge(
            root,
            discharge,
            root_key,
            discharge_macaroons=discharge_macaroons
        )

    def update_signature(self, signature, caveat):
        """Return the raw signature after folding in ``caveat``.

        ``sign_third_party_caveat`` is keyed with ``signature`` and given the
        caveat's verification id and caveat id; its result is decoded from
        hex before being returned.
        """
        hex_signature = sign_third_party_caveat(
            signature,
            caveat._verification_key_id,
            caveat._caveat_id
        )
        return binascii.unhexlify(hex_signature)

    def _caveat_macaroon(self, caveat, discharge_macaroons):
        """Return the first discharge macaroon whose identifier is the caveat id.

        Matching is by identifier only and says nothing about authenticity;
        the discharge is validated by ``verifier.verify_discharge`` in
        ``verify_third_party_caveat``.
        """
        # TODO: index discharge macaroons by identifier
        found = None
        for candidate in discharge_macaroons:
            if candidate.identifier_bytes == caveat.caveat_id_bytes:
                found = candidate
                break

        if found:
            return found

        raise MacaroonUnmetCaveatException(
            'Caveat not met. No discharge macaroon found for identifier: '
            '{}'.format(caveat.caveat_id_bytes)
        )

    def _extract_caveat_key(self, signature, caveat):
        """Decrypt the caveat's root key from its verification key id.

        NOTE(review): ``SecretBox.decrypt`` authenticates the ciphertext, and
        PyNaCl raises ``nacl.exceptions.CryptoError`` when that check fails.
        The exception is not translated into a macaroon exception here, so
        callers should treat it as a verification failure.
        """
        box = SecretBox(key=truncate_or_pad(signature))
        return box.decrypt(caveat._verification_key_id)