access permissions: generate signed form data

2017-12-19 13:51:39 +01:00 · 2017-12-19 13:51:39 +01:00 · a1c3caaad3
commit a1c3caaad3
parent 3d3466ec31
3 changed files with 26 additions and 0 deletions
--- a/src/c3nav/control/admin.py
+++ b/src/c3nav/control/admin.py
@ -1,6 +1,7 @@
 from django.contrib import admin
 from django.contrib.auth.admin import UserAdmin as BaseUserAdmin
 from django.contrib.auth.models import User
+from django.urls import reverse
 from django.utils.translation import ugettext_lazy as _

 from c3nav.control.models import UserPermissions
--- a/src/c3nav/control/forms.py
+++ b/src/c3nav/control/forms.py
@ -1,3 +1,8 @@
+import binascii
+import hashlib
+import hmac
+import json
+import time
 from datetime import timedelta
 from itertools import chain

@ -118,6 +123,23 @@ class AccessPermissionForm(Form):
                                     can_grant=self.cleaned_data.get('can_grant', '0') == '1',
                                     restrictions=tuple(restrictions))

+    def get_signed_data(self, key=None):
+        if not self.author.permissions.api_secret:
+            raise ValueError('Author has no api secret.')
+        data = {
+            'id': self.data['access_restrictions'],
+            'time': int(time.time()),
+            'valid_until': int(self.cleaned_data['expires'].strftime('%s')),
+            'author': self.author.pk,
+        }
+        if key is not None:
+            data['key'] = key
+        data = json.dumps(data, separators=(',', ':'))
+        signature = hmac.new(self.author.permissions.api_secret.encode(),
+                             msg=data.encode(),
+                             digestmod=hashlib.sha256).digest()
+        return '%s:%s' % (data, binascii.b2a_base64(signature).strip().decode())
+

 class AnnouncementForm(I18nModelFormMixin, ModelForm):
    class Meta:
--- a/src/c3nav/control/views.py
+++ b/src/c3nav/control/views.py
@ -1,6 +1,7 @@
 import string
 from functools import wraps

+from django.conf import settings
 from django.contrib import messages
 from django.contrib.auth.decorators import login_required
 from django.contrib.auth.models import User
@ -162,6 +163,8 @@ def grant_access(request):
        if form.is_valid():
            token = form.get_token()
            token.save()
+            if settings.DEBUG and request.user_permissions.api_secret:
+                print(form.get_signed_data())
            return redirect(reverse('control.access.qr', kwargs={'token': token.token}))
    else:
        form = AccessPermissionForm(request=request)