etoccalino / django-rest-framework-httpsignature Goto Github PK

A 403 returned by this authentication scheme might indicate that the signature is invalid, or that the user doesn't have sufficient permissions.

DRF suggests raising an AuthenticationFailed for a bad signature, resulting in a 401 response (and not bothering to do the permissions check), leaving a 403 to indicate that the user was authenticated but has insufficient permissions. Further, an authenticate_header method could implement a WWW-Authenticate header in the 401 response with signature implementation instructions. i believe this potential exists in all the 3.x DRF releases.

Would that be a welcome PR? i recognize that it could break users' integration tests expecting the current "403" behavior.

@EnTeQuAk opened up the API to use algorithms other than hmac-sha256. Reflect that in the README file.

I am trying to use Django REST Framework 3 along with rest framework-httpsignature but from the requirements I see that the maximum supported versions of DRF is the 2.3. Are there any serious issues preventing me from using it with DRF3?

PyPI is currently down for maintenance. Once it comes back online, version & upload the latest changes (which enable algorithms other than hmac-sha256).

The code in header_canonical() transform headers first to lower case and then to upper case, while the referred text in https://docs.djangoproject.com/en/1.7/ref/request-response/#django.http.HttpRequest.META (1.6 do no longer exist) state:

With the exception of CONTENT_LENGTH and CONTENT_TYPE, as given above, any HTTP headers in the request are converted to META keys by converting all characters to uppercase, replacing any hyphens with underscores and adding an HTTP_ prefix to the name.

It is not safe to assume that, first converting to lower case and then to upper case will result in the same string as going directly to upper case. For example, depending on the locale, the Turkish dottet capital I, can result in a dodless lower case I, which in turn end up with a dotless capital I. See https://en.wikipedia.org/wiki/Turkish_dotted_and_dotless_I for more info on this example. I am sure there are other examples.

I recommend going directly to upper case in the code.

Hi,

I just tried to use SignatureAuthentication with ALGORITHM = 'rsa-sha256'.
After debugging around, I found out that build_signature() throws exception "TypeError: Private key not available in this object" in line 70. That is because when using RSA public keys that function should be Verify not sign. Sign expects to have private key and that of course is not available in servers end.

Hi!

I'm having trouble installing this package using pip 1.5.6 (latest stable) for python 2.7.6. Basically the dependency stated in this packages' requirements.txt file is not being fetched

-e git+https://github.com/digitalbazaar/py-http-signature

but rather getting to pypy and getting the latest stable version of http-signature, 0.1.4 , which doesn't work with django-rest-framework-httpsignature.

For the record, when I deploy my django app on amazon beanstalk it works fine, but they have pip 1.4.1 ... don't know if it's related.

This is the pip install log for this

$ pip install djangorestframework-httpsignature -v -v -v
Downloading/unpacking djangorestframework-httpsignature
Getting page https://pypi.python.org/simple/djangorestframework-httpsignature/
URLs to search for versions for djangorestframework-httpsignature:

• https://pypi.python.org/simple/djangorestframework-httpsignature/
  Analyzing links from page https://pypi.python.org/simple/djangorestframework-httpsignature/
  Found link https://pypi.python.org/packages/source/d/djangorestframework-httpsignature/djangorestframework-httpsignature-0.1.3.tar.gz#md5=6ddaa2ab64965a7132a1d4c6b3cdbf60 (from https://pypi.python.org/simple/djangorestframework-httpsignature/), version: 0.1.3
  Downloading djangorestframework-httpsignature-0.1.3.tar.gz
  Downloading from URL https://pypi.python.org/packages/source/d/djangorestframework-httpsignature/djangorestframework-httpsignature-0.1.3.tar.gz#md5=6ddaa2ab64965a7132a1d4c6b3cdbf60 (from https://pypi.python.org/simple/djangorestframework-httpsignature/)
  Running setup.py (path:/opt/python2.7/venv/project/build/djangorestframework-httpsignature/setup.py) egg_info for package djangorestframework-httpsignature
  Running command python setup.py egg_info
  running egg_info
  creating pip-egg-info/djangorestframework_httpsignature.egg-info
  writing requirements to pip-egg-info/djangorestframework_httpsignature.egg-info/requires.txt
  writing pip-egg-info/djangorestframework_httpsignature.egg-info/PKG-INFO
  writing top-level names to pip-egg-info/djangorestframework_httpsignature.egg-info/top_level.txt
  writing dependency_links to pip-egg-info/djangorestframework_httpsignature.egg-info/dependency_links.txt
  writing manifest file 'pip-egg-info/djangorestframework_httpsignature.egg-info/SOURCES.txt'
  warning: manifest_maker: standard file '-c' not found

  reading manifest file 'pip-egg-info/djangorestframework_httpsignature.egg-info/SOURCES.txt'
  reading manifest template 'MANIFEST.in'
  writing manifest file 'pip-egg-info/djangorestframework_httpsignature.egg-info/SOURCES.txt'
  Source in /opt/python2.7/venv/project/build/djangorestframework-httpsignature has version 0.1.3, which satisfies requirement djangorestframework-httpsignature
  Requirement already satisfied (use --upgrade to upgrade): Django==1.6.2 in /opt/python2.7/venv/project/lib/python2.7/site-packages (from djangorestframework-httpsignature)
  Requirement already satisfied (use --upgrade to upgrade): djangorestframework==2.3.12 in /opt/python2.7/venv/project/lib/python2.7/site-packages (from djangorestframework-httpsignature)
  Requirement already satisfied (use --upgrade to upgrade): pycrypto==2.6.1 in /opt/python2.7/venv/project/lib/python2.7/site-packages (from djangorestframework-httpsignature)
  Downloading/unpacking http-signature (from djangorestframework-httpsignature)
  Getting page https://pypi.python.org/simple/http_signature/
  URLs to search for versions for http-signature (from djangorestframework-httpsignature):

• https://pypi.python.org/simple/http_signature/
  Analyzing links from page https://pypi.python.org/simple/http_signature/
  Found link https://pypi.python.org/packages/source/h/http_signature/http_signature-0.1.0.tar.gz#md5=b03ef22b20f4a068d5227189d2338086 (from https://pypi.python.org/simple/http_signature/), version: 0.1.0
  Found link https://pypi.python.org/packages/source/h/http_signature/http_signature-0.1.1.tar.gz#md5=7aeb690573c6f3af27ffab6217557ec4 (from https://pypi.python.org/simple/http_signature/), version: 0.1.1
  Found link https://pypi.python.org/packages/source/h/http_signature/http_signature-0.1.2.tar.gz#md5=8a07a47e6de505739be9df110e8b18a2 (from https://pypi.python.org/simple/http_signature/), version: 0.1.2
  Found link https://pypi.python.org/packages/source/h/http_signature/http_signature-0.1.3.tar.gz#md5=27a8512b9b8325fd668aea20ea13418a (from https://pypi.python.org/simple/http_signature/), version: 0.1.3
  Found link https://pypi.python.org/packages/source/h/http_signature/http_signature-0.1.4.tar.gz#md5=015061846254bd5d8c5dbc2913985153 (from https://pypi.python.org/simple/http_signature/), version: 0.1.4
  Using version 0.1.4 (newest of versions: 0.1.4, 0.1.3, 0.1.2, 0.1.1, 0.1.0)
  Downloading http_signature-0.1.4.tar.gz
  Downloading from URL https://pypi.python.org/packages/source/h/http_signature/http_signature-0.1.4.tar.gz#md5=015061846254bd5d8c5dbc2913985153 (from https://pypi.python.org/simple/http_signature/)
  Running setup.py (path:/opt/python2.7/venv/project/build/http-signature/setup.py) egg_info for package http-signature
  Running command python setup.py egg_info
  running egg_info
  creating pip-egg-info/http_signature.egg-info
  writing requirements to pip-egg-info/http_signature.egg-info/requires.txt
  writing pip-egg-info/http_signature.egg-info/PKG-INFO
  writing top-level names to pip-egg-info/http_signature.egg-info/top_level.txt
  writing dependency_links to pip-egg-info/http_signature.egg-info/dependency_links.txt
  writing manifest file 'pip-egg-info/http_signature.egg-info/SOURCES.txt'
  warning: manifest_maker: standard file '-c' not found

  reading manifest file 'pip-egg-info/http_signature.egg-info/SOURCES.txt'
  writing manifest file 'pip-egg-info/http_signature.egg-info/SOURCES.txt'
  Source in /opt/python2.7/venv/project/build/http-signature has version 0.1.4, which satisfies requirement http-signature (from djangorestframework-httpsignature)
  Installing collected packages: djangorestframework-httpsignature, http-signature
  Running setup.py install for djangorestframework-httpsignature
  Running command /opt/python2.7/venv/project/bin/python -c "import setuptools, tokenize;file='/opt/python2.7/venv/project/build/djangorestframework-httpsignature/setup.py';exec(compile(getattr(tokenize, 'open', open)(file).read().replace('\r\n', '\n'), file, 'exec'))" install --record /tmp/pip-KlN9KM-record/install-record.txt --single-version-externally-managed --compile --install-headers /opt/python2.7/venv/project/include/site/python2.7
  running install
  running build
  running build_py
  creating build
  creating build/lib
  creating build/lib/rest_framework_httpsignature
  copying rest_framework_httpsignature/views.py -> build/lib/rest_framework_httpsignature
  copying rest_framework_httpsignature/init.py -> build/lib/rest_framework_httpsignature
  copying rest_framework_httpsignature/models.py -> build/lib/rest_framework_httpsignature
  copying rest_framework_httpsignature/authentication.py -> build/lib/rest_framework_httpsignature
  copying rest_framework_httpsignature/tests.py -> build/lib/rest_framework_httpsignature
  running install_lib
  creating /opt/python2.7/venv/project/lib/python2.7/site-packages/rest_framework_httpsignature
  copying build/lib/rest_framework_httpsignature/views.py -> /opt/python2.7/venv/project/lib/python2.7/site-packages/rest_framework_httpsignature
  copying build/lib/rest_framework_httpsignature/init.py -> /opt/python2.7/venv/project/lib/python2.7/site-packages/rest_framework_httpsignature
  copying build/lib/rest_framework_httpsignature/models.py -> /opt/python2.7/venv/project/lib/python2.7/site-packages/rest_framework_httpsignature
  copying build/lib/rest_framework_httpsignature/authentication.py -> /opt/python2.7/venv/project/lib/python2.7/site-packages/rest_framework_httpsignature
  copying build/lib/rest_framework_httpsignature/tests.py -> /opt/python2.7/venv/project/lib/python2.7/site-packages/rest_framework_httpsignature
  byte-compiling /opt/python2.7/venv/project/lib/python2.7/site-packages/rest_framework_httpsignature/views.py to views.pyc
  byte-compiling /opt/python2.7/venv/project/lib/python2.7/site-packages/rest_framework_httpsignature/init.py to init.pyc
  byte-compiling /opt/python2.7/venv/project/lib/python2.7/site-packages/rest_framework_httpsignature/models.py to models.pyc
  byte-compiling /opt/python2.7/venv/project/lib/python2.7/site-packages/rest_framework_httpsignature/authentication.py to authentication.pyc
  byte-compiling /opt/python2.7/venv/project/lib/python2.7/site-packages/rest_framework_httpsignature/tests.py to tests.pyc
  running install_egg_info
  running egg_info
  writing requirements to djangorestframework_httpsignature.egg-info/requires.txt
  writing djangorestframework_httpsignature.egg-info/PKG-INFO
  writing top-level names to djangorestframework_httpsignature.egg-info/top_level.txt
  writing dependency_links to djangorestframework_httpsignature.egg-info/dependency_links.txt
  warning: manifest_maker: standard file '-c' not found

  reading manifest file 'djangorestframework_httpsignature.egg-info/SOURCES.txt'
  reading manifest template 'MANIFEST.in'
  writing manifest file 'djangorestframework_httpsignature.egg-info/SOURCES.txt'
  Copying djangorestframework_httpsignature.egg-info to /opt/python2.7/venv/project/lib/python2.7/site-packages/djangorestframework_httpsignature-0.1.3-py2.7.egg-info
  running install_scripts
  writing list of installed files to '/tmp/pip-KlN9KM-record/install-record.txt'
  Running setup.py install for http-signature
  Running command /opt/python2.7/venv/project/bin/python -c "import setuptools, tokenize;file='/opt/python2.7/venv/project/build/http-signature/setup.py';exec(compile(getattr(tokenize, 'open', open)(file).read().replace('\r\n', '\n'), file, 'exec'))" install --record /tmp/pip-0b13sK-record/install-record.txt --single-version-externally-managed --compile --install-headers /opt/python2.7/venv/project/include/site/python2.7
  running install
  running build
  got version from file http_signature/_version.py {'version': '0.1.4', 'full': '0872fa367ba2fd5c2338de460bd419c5c4ef996d'}
  running build_py
  creating build
  creating build/lib
  creating build/lib/http_signature
  copying http_signature/sign.py -> build/lib/http_signature
  copying http_signature/requests_auth.py -> build/lib/http_signature
  copying http_signature/utils.py -> build/lib/http_signature
  copying http_signature/init.py -> build/lib/http_signature
  copying http_signature/_version.py -> build/lib/http_signature
  running egg_info
  creating http_signature.egg-info
  writing requirements to http_signature.egg-info/requires.txt
  writing http_signature.egg-info/PKG-INFO
  writing top-level names to http_signature.egg-info/top_level.txt
  writing dependency_links to http_signature.egg-info/dependency_links.txt
  writing manifest file 'http_signature.egg-info/SOURCES.txt'
  warning: manifest_maker: standard file '-c' not found

  reading manifest file 'http_signature.egg-info/SOURCES.txt'
  writing manifest file 'http_signature.egg-info/SOURCES.txt'
  UPDATING build/lib/http_signature/_version.py
  running install_lib
  creating /opt/python2.7/venv/project/lib/python2.7/site-packages/http_signature
  copying build/lib/http_signature/sign.py -> /opt/python2.7/venv/project/lib/python2.7/site-packages/http_signature
  copying build/lib/http_signature/requests_auth.py -> /opt/python2.7/venv/project/lib/python2.7/site-packages/http_signature
  copying build/lib/http_signature/utils.py -> /opt/python2.7/venv/project/lib/python2.7/site-packages/http_signature
  copying build/lib/http_signature/init.py -> /opt/python2.7/venv/project/lib/python2.7/site-packages/http_signature
  copying build/lib/http_signature/_version.py -> /opt/python2.7/venv/project/lib/python2.7/site-packages/http_signature
  byte-compiling /opt/python2.7/venv/project/lib/python2.7/site-packages/http_signature/sign.py to sign.pyc
  byte-compiling /opt/python2.7/venv/project/lib/python2.7/site-packages/http_signature/requests_auth.py to requests_auth.pyc
  byte-compiling /opt/python2.7/venv/project/lib/python2.7/site-packages/http_signature/utils.py to utils.pyc
  byte-compiling /opt/python2.7/venv/project/lib/python2.7/site-packages/http_signature/init.py to init.pyc
  byte-compiling /opt/python2.7/venv/project/lib/python2.7/site-packages/http_signature/_version.py to _version.pyc
  running install_egg_info
  Copying http_signature.egg-info to /opt/python2.7/venv/project/lib/python2.7/site-packages/http_signature-0.1.4-py2.7.egg-info
  running install_scripts
  writing list of installed files to '/tmp/pip-0b13sK-record/install-record.txt'
  Successfully installed djangorestframework-httpsignature http-signature
  Cleaning up...
  Removing temporary dir /opt/python2.7/venv/project/build...

You can see pip fetching http_signature 0.1.4. Also, If I check what pip has downloaded for djangorestframework-httpsignature I can see

$ cat /opt/python2.7/venv/project/lib/python2.7/site-packages/djangorestframework_httpsignature-0.1.3-py2.7.egg-info/requires.txt

Django==1.6.2
djangorestframework==2.3.12
pycrypto==2.6.1

No trace of the git repo ... and finally if I try to install it explicitly I get

$ pip install -e git+https://github.com/digitalbazaar/py-http-signature
--editable=git+https://github.com/digitalbazaar/py-http-signature is not the right format; it must have #egg=Package
Storing debug log for failure in /home/vagrant/.pip/pip.log

Any ideas?

Thanks!

The example from the readme calls Base64 and Hmac as command line utilities or shell functions. Could you add information on how to get these utilities?
It also passes the literal string SSS in the second command. I guess this should be $SSS?

Right now the requirements specify 'Django>=1.6.2,<1.8'. There is no need to restrict installation with the upcoming release. I suggest to have only 'Django>=1.6.2' instead.

Hi. I am considering to package this library for Debian, and wonder if it is still being developed? I need to set up a django service with signed http request, and this seem like a good alternative.