From e73d36621052a69aae327200c063ac1689bcf9e0 Mon Sep 17 00:00:00 2001
From: drebs <drebs@leap.se>
Date: Sun, 18 Dec 2016 14:21:54 -0200
Subject: [feat] reuse the url mapper instead of creating it for every request

---
 common/src/leap/soledad/common/__init__.py | 2 --
 1 file changed, 2 deletions(-)

(limited to 'common')

diff --git a/common/src/leap/soledad/common/__init__.py b/common/src/leap/soledad/common/__init__.py
index 1ba6ab89..4948ad20 100644
--- a/common/src/leap/soledad/common/__init__.py
+++ b/common/src/leap/soledad/common/__init__.py
@@ -30,8 +30,6 @@ Soledad routines common to client and server.
 #
 
 SHARED_DB_NAME = 'shared'
-SHARED_DB_LOCK_DOC_ID_PREFIX = 'lock-'
-USER_DB_PREFIX = 'user-'
 
 
 #
-- 
cgit v1.2.3


From 260805b9967184841c4499f94713a9a48c49a813 Mon Sep 17 00:00:00 2001
From: drebs <drebs@leap.se>
Date: Sun, 18 Dec 2016 16:36:39 -0200
Subject: [feat] use twisted web http auth and creds

---
 common/src/leap/soledad/common/couch/state.py | 46 ---------------------------
 1 file changed, 46 deletions(-)

(limited to 'common')

diff --git a/common/src/leap/soledad/common/couch/state.py b/common/src/leap/soledad/common/couch/state.py
index a7f5b7b6..a4841d0d 100644
--- a/common/src/leap/soledad/common/couch/state.py
+++ b/common/src/leap/soledad/common/couch/state.py
@@ -19,13 +19,10 @@ Server state using CouchDatabase as backend.
 """
 import couchdb
 import re
-import time
 from urlparse import urljoin
-from hashlib import sha512
 
 from leap.soledad.common.log import getLogger
 from leap.soledad.common.couch import CouchDatabase
-from leap.soledad.common.couch import couch_server
 from leap.soledad.common.couch import CONFIG_DOC_ID
 from leap.soledad.common.couch import SCHEMA_VERSION
 from leap.soledad.common.couch import SCHEMA_VERSION_KEY
@@ -59,12 +56,6 @@ class CouchServerState(ServerState):
     Inteface of the WSGI server with the CouchDB backend.
     """
 
-    TOKENS_DB_PREFIX = "tokens_"
-    TOKENS_DB_EXPIRE = 30 * 24 * 3600  # 30 days in seconds
-    TOKENS_TYPE_KEY = "type"
-    TOKENS_TYPE_DEF = "Token"
-    TOKENS_USER_ID_KEY = "user_id"
-
     def __init__(self, couch_url, create_cmd=None,
                  check_schema_versions=False):
         """
@@ -164,40 +155,3 @@ class CouchServerState(ServerState):
                              delete databases.
         """
         raise Unauthorized()
-
-    def verify_token(self, uuid, token):
-        """
-        Query couchdb to decide if C{token} is valid for C{uuid}.
-
-        @param uuid: The user uuid.
-        @type uuid: str
-        @param token: The token.
-        @type token: str
-        """
-        with couch_server(self.couch_url) as server:
-            # the tokens db rotates every 30 days, and the current db name is
-            # "tokens_NNN", where NNN is the number of seconds since epoch
-            # divide dby the rotate period in seconds. When rotating, old and
-            # new tokens db coexist during a certain window of time and valid
-            # tokens are replicated from the old db to the new one. See:
-            # https://leap.se/code/issues/6785
-            dbname = self._tokens_dbname()
-            db = server[dbname]
-        # lookup key is a hash of the token to prevent timing attacks.
-        token = db.get(sha512(token).hexdigest())
-        if token is None:
-            return False
-        # we compare uuid hashes to avoid possible timing attacks that
-        # might exploit python's builtin comparison operator behaviour,
-        # which fails immediatelly when non-matching bytes are found.
-        couch_uuid_hash = sha512(token[self.TOKENS_USER_ID_KEY]).digest()
-        req_uuid_hash = sha512(uuid).digest()
-        if token[self.TOKENS_TYPE_KEY] != self.TOKENS_TYPE_DEF \
-                or couch_uuid_hash != req_uuid_hash:
-            return False
-        return True
-
-    def _tokens_dbname(self):
-        dbname = self.TOKENS_DB_PREFIX + \
-            str(int(time.time() / self.TOKENS_DB_EXPIRE))
-        return dbname
-- 
cgit v1.2.3


From c3c8afb68330bdfb8fe70efc7d055b55ca9c1c3a Mon Sep 17 00:00:00 2001
From: drebs <drebs@leap.se>
Date: Thu, 22 Dec 2016 07:32:29 -0200
Subject: [refactor] remove leftover code from previous wsgi auth

---
 .../common/l2db/remote/basic_auth_middleware.py    | 66 ----------------------
 1 file changed, 66 deletions(-)
 delete mode 100644 common/src/leap/soledad/common/l2db/remote/basic_auth_middleware.py

(limited to 'common')

diff --git a/common/src/leap/soledad/common/l2db/remote/basic_auth_middleware.py b/common/src/leap/soledad/common/l2db/remote/basic_auth_middleware.py
deleted file mode 100644
index 96d0d872..00000000
--- a/common/src/leap/soledad/common/l2db/remote/basic_auth_middleware.py
+++ /dev/null
@@ -1,66 +0,0 @@
-# Copyright 2012 Canonical Ltd.
-#
-# This file is part of u1db.
-#
-# u1db is free software: you can redistribute it and/or modify
-# it under the terms of the GNU Lesser General Public License version 3
-# as published by the Free Software Foundation.
-#
-# u1db is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU Lesser General Public License for more details.
-#
-# You should have received a copy of the GNU Lesser General Public License
-# along with u1db.  If not, see <http://www.gnu.org/licenses/>.
-"""U1DB Basic Auth authorisation WSGI middleware."""
-import httplib
-import json
-
-from wsgiref.util import shift_path_info
-
-
-class Unauthorized(Exception):
-    """User authorization failed."""
-
-
-class BasicAuthMiddleware(object):
-    """U1DB Basic Auth Authorisation WSGI middleware."""
-
-    def __init__(self, app, prefix):
-        self.app = app
-        self.prefix = prefix
-
-    def _error(self, start_response, status, description, message=None):
-        start_response("%d %s" % (status, httplib.responses[status]),
-                       [('content-type', 'application/json')])
-        err = {"error": description}
-        if message:
-            err['message'] = message
-        return [json.dumps(err)]
-
-    def __call__(self, environ, start_response):
-        if self.prefix and not environ['PATH_INFO'].startswith(self.prefix):
-            return self._error(start_response, 400, "bad request")
-        auth = environ.get('HTTP_AUTHORIZATION')
-        if not auth:
-            return self._error(start_response, 401, "unauthorized",
-                               "Missing Basic Authentication.")
-        scheme, encoded = auth.split(None, 1)
-        if scheme.lower() != 'basic':
-            return self._error(
-                start_response, 401, "unauthorized",
-                "Missing Basic Authentication")
-        user, password = encoded.decode('base64').split(':', 1)
-        try:
-            self.verify_user(environ, user, password)
-        except Unauthorized:
-            return self._error(
-                start_response, 401, "unauthorized",
-                "Incorrect password or login.")
-        del environ['HTTP_AUTHORIZATION']
-        shift_path_info(environ)
-        return self.app(environ, start_response)
-
-    def verify_user(self, environ, username, password):
-        raise NotImplementedError(self.verify_user)
-- 
cgit v1.2.3