author | Micah Anderson <micah@riseup.net> | 2013-07-29 20:51:58 -0400 |
---|---|---|
committer | Micah Anderson <micah@riseup.net> | 2013-07-29 20:51:58 -0400 |
commit | ad0e1bb375b4676d0be8325cc66e0015e2b254fa (patch) | |
tree | a59829920c9ca8db4bc806b4282499aa266e002c /soledad | |
parent | a331689bfdb04b09bfce1a82d1f51a54c7a8cb8e (diff) |
update to 0.2.3
Diffstat (limited to 'soledad')
-rw-r--r-- | soledad/setup.py | 2 | ||||
-rw-r--r-- | soledad/src/leap/soledad/auth.py | 3 | ||||
-rw-r--r-- | soledad/src/leap/soledad/target.py | 9 | ||||
-rw-r--r-- | soledad/src/leap/soledad/tests/test_server.py | 17 | ||||
-rw-r--r-- | soledad/src/leap/soledad/tests/test_target.py | 20 |
5 files changed, 25 insertions, 26 deletions
diff --git a/soledad/setup.py b/soledad/setup.py index 747b02bd..3e46c353 100644 --- a/soledad/setup.py +++ b/soledad/setup.py @@ -62,7 +62,7 @@ trove_classifiers = ( setup( name='leap.soledad', - version='0.2.2', + version='0.2.3', url='https://leap.se/', license='GPLv3+', description='Synchronization of locally encrypted data among devices.', diff --git a/soledad/src/leap/soledad/auth.py b/soledad/src/leap/soledad/auth.py index 8c093099..81e838d2 100644 --- a/soledad/src/leap/soledad/auth.py +++ b/soledad/src/leap/soledad/auth.py @@ -24,7 +24,6 @@ they can do token-based auth requests to the Soledad server. """ -from u1db.remote.http_client import HTTPClientBase from u1db import errors @@ -68,4 +67,4 @@ class TokenBasedAuth(object): return [('Authorization', 'Token %s' % auth.encode('base64')[:-1])] else: raise errors.UnknownAuthMethod( - 'Wrong credentials: %s' % self._creds) + 'Wrong credentials: %s' % self._creds)
\ No newline at end of file diff --git a/soledad/src/leap/soledad/target.py b/soledad/src/leap/soledad/target.py index 8b7aa8c7..9fac9f54 100644 --- a/soledad/src/leap/soledad/target.py +++ b/soledad/src/leap/soledad/target.py @@ -231,7 +231,14 @@ def decrypt_doc(crypto, doc): crypto, doc.doc_id, doc.rev, ciphertext, doc.content[MAC_METHOD_KEY]) - if binascii.a2b_hex(doc.content[MAC_KEY]) != mac: # mac is stored as hex. + # we compare mac's hashes to avoid possible timing attacks that might + # exploit python's builtin comparison operator behaviour, which fails + # immediatelly when non-matching bytes are found. + doc_mac_hash = hashlib.sha256( + binascii.a2b_hex( # the mac is stored as hex + doc.content[MAC_KEY])).digest() + calculated_mac_hash = hashlib.sha256(mac).digest() + if doc_mac_hash != calculated_mac_hash: raise WrongMac('Could not authenticate document\'s contents.') # decrypt doc's content enc_scheme = doc.content[ENC_SCHEME_KEY] diff --git a/soledad/src/leap/soledad/tests/test_server.py b/soledad/src/leap/soledad/tests/test_server.py index 490d2fc8..24cd68dc 100644 --- a/soledad/src/leap/soledad/tests/test_server.py +++ b/soledad/src/leap/soledad/tests/test_server.py @@ -21,19 +21,14 @@ Tests for server-related functionality. """ import os -import shutil import tempfile import simplejson as json -import hashlib import mock from leap.soledad import Soledad -from leap.soledad_server import ( - SoledadApp, - SoledadAuthMiddleware, - URLToAuth, -) +from leap.soledad_server import SoledadApp +from leap.soledad_server.auth import URLToAuthorization from leap.soledad_server.couch import ( CouchServerState, CouchDatabase, @@ -42,11 +37,9 @@ from leap.soledad import target from leap.common.testing.basetest import BaseLeapTest -from leap.soledad.tests import ADDRESS from leap.soledad.tests.u1db_tests import ( TestCaseWithServer, simple_doc, - nested_doc, ) from leap.soledad.tests.test_couch import CouchDBTestCase from leap.soledad.tests.test_target import ( 
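Review bot: The new check in decrypt_doc still ends in a plain `!=` on two byte strings (`if doc_mac_hash != calculated_mac_hash:`), so the comparison itself is not constant-time; the unkeyed SHA-256 step only makes the early-exit position hard to relate to the stored MAC. Where the interpreter provides it (Python 2.7.7+ / 3.3+), `if not hmac.compare_digest(binascii.a2b_hex(doc.content[MAC_KEY]), mac):` states the intent directly, and on older interpreters hashing both sides with HMAC under a per-call random key is the usual fallback. The hunk calls `hashlib` but shows no import being added, so confirm target.py already imports it. A document with a missing `MAC_KEY` entry or a non-hex value would presumably raise from the lookup or from `a2b_hex` rather than as `WrongMac`; consider mapping those failures to `WrongMac` as well. decrypt_doc starts and ends outside the hunk.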
@@ -93,7 +86,8 @@ class ServerAuthorizationTestCase(BaseLeapTest): /user-db/sync-from/{source} | GET, PUT, POST """ uuid = 'myuuid' - authmap = URLToAuth(uuid) + authmap = URLToAuthorization( + uuid, SoledadApp.SHARED_DB_NAME, SoledadApp.USER_DB_PREFIX) dbname = authmap._uuid_dbname(uuid) # test global auth self.assertTrue( @@ -208,7 +202,8 @@ class ServerAuthorizationTestCase(BaseLeapTest): Test if authorization fails for a wrong dbname. """ uuid = 'myuuid' - authmap = URLToAuth(uuid) + authmap = URLToAuthorization( + uuid, SoledadApp.SHARED_DB_NAME, SoledadApp.USER_DB_PREFIX) dbname = 'somedb' # test wrong-db database resource auth self.assertFalse( diff --git a/soledad/src/leap/soledad/tests/test_target.py b/soledad/src/leap/soledad/tests/test_target.py index 73c9fe68..ca2878a5 100644 --- a/soledad/src/leap/soledad/tests/test_target.py +++ b/soledad/src/leap/soledad/tests/test_target.py @@ -40,10 +40,8 @@ from leap.soledad import ( auth, ) from leap.soledad.document import SoledadDocument -from leap.soledad_server import ( - SoledadApp, - SoledadAuthMiddleware, -) +from leap.soledad_server import SoledadApp +from leap.soledad_server.auth import SoledadTokenAuthMiddleware from leap.soledad.tests import u1db_tests as tests 
@@ -74,18 +72,18 @@ def make_soledad_app(state): def make_token_soledad_app(state): app = SoledadApp(state) - def verify_token(environ, uuid, token): - if uuid == 'user-uuid' and token == 'auth-token': + def _verify_authentication_data(uuid, auth_data): + if uuid == 'user-uuid' and auth_data == 'auth-token': return True return False # we test for action authorization in leap.soledad.tests.test_server - def verify_action(environ, uuid): + def _verify_authorization(uuid, environ): return True - application = SoledadAuthMiddleware(app) - application.verify_token = verify_token - application.verify_action = verify_action + application = SoledadTokenAuthMiddleware(app) + application._verify_authentication_data = _verify_authentication_data + application._verify_authorization = _verify_authorization return application @@ -190,7 +188,7 @@ class TestSoledadClientBase(test_http_client.TestHTTPClientBase): return res # mime solead application here. if '/token' in environ['PATH_INFO']: - auth = environ.get(SoledadAuthMiddleware.HTTP_AUTH_KEY) + auth = environ.get(SoledadTokenAuthMiddleware.HTTP_AUTH_KEY) if not auth: start_response("401 Unauthorized", [('Content-Type', 'application/json')]) |
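Review bot: The credential stub `_verify_authentication_data` in make_token_soledad_app can be a single expression, `return uuid == 'user-uuid' and auth_data == 'auth-token'`, instead of the `if ...: return True` / `return False` pair. Both stubs are assigned onto the instance as plain functions, so they are called without `self`, and their `(uuid, auth_data)` and `(uuid, environ)` parameter order has to match the middleware's call sites, which are outside this diff. Because `_verify_authorization` always returns True, a short docstring on `make_token_soledad_app` stating that this app checks authentication only would keep it from being reused in tests where authorization matters.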