

Python fernet.MultiFernet類代碼示例

本文整理匯總了Python中cryptography.fernet.MultiFernet的典型用法代碼示例。如果您正苦於以下問題:Python MultiFernet類的具體用法?Python MultiFernet怎麽用?Python MultiFernet使用的例子?那麽, 這裏精選的類代碼示例或許可以為您提供幫助。


在下文中一共展示了MultiFernet類的15個代碼示例,這些例子默認根據受歡迎程度排序。您可以為喜歡或者感覺有用的代碼點讚,您的評價將有助於係統推薦出更棒的Python代碼示例。

示例1: test_rotate_decrypt_no_shared_keys

    def test_rotate_decrypt_no_shared_keys(self, backend):
        """Rotation must fail when the rotator holds none of the token's keys.

        A token produced under one key is handed to a ``MultiFernet`` built
        from a different key only; ``rotate`` is expected to raise
        ``InvalidToken`` instead of re-encrypting it.
        """
        # The all-0x00 / all-0x01 keys are fixed test fixtures, never real keys.
        issuer_key = base64.urlsafe_b64encode(b"\x00" * 32)
        rotator_key = base64.urlsafe_b64encode(b"\x01" * 32)
        issuer = MultiFernet([Fernet(issuer_key, backend=backend)])
        rotator = MultiFernet([Fernet(rotator_key, backend=backend)])

        with pytest.raises(InvalidToken):
            rotator.rotate(issuer.encrypt(b"abc"))
開發者ID:amauryfa,項目名稱:cryptography,代碼行數:9,代碼來源:test_fernet.py

示例2: test_decrypt

    def test_decrypt(self, backend):
        """Every key in the list can decrypt; malformed input is rejected."""
        first = Fernet(base64.urlsafe_b64encode(b"\x00" * 32), backend=backend)
        second = Fernet(base64.urlsafe_b64encode(b"\x01" * 32), backend=backend)
        multi = MultiFernet([first, second])

        # A token issued by either member key must round-trip through the
        # MultiFernet, whatever that key's position in the list.
        for member in (first, second):
            assert multi.decrypt(member.encrypt(b"abc")) == b"abc"

        # Sixteen NUL bytes are not a valid token and must raise.
        garbage = b"\x00" * 16
        with pytest.raises(InvalidToken):
            multi.decrypt(garbage)
開發者ID:amauryfa,項目名稱:cryptography,代碼行數:10,代碼來源:test_fernet.py

示例3: __init__

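 def __init__(self, *master_keys, encrypted_store: dict = None):
     """Build the store's cipher from one or more Fernet master keys.

     Args:
         *master_keys: Fernet keys. ``MultiFernet`` encrypts with the first
             key and tries every key when decrypting, so the current key
             goes first and retired keys follow it.
         encrypted_store: Existing mapping to use as ``self.encrypted_store``.
             A new empty dict is created only when this is ``None``.

     Raises:
         ValueError: If no master key is passed.
     """
     if not master_keys:
         raise ValueError('at least one master key must be passed')
     self.crypt = MultiFernet([Fernet(key) for key in master_keys])
     # Test for None rather than falsiness: an empty dict supplied by the
     # caller must be kept and shared, not silently replaced by a private one.
     self.encrypted_store = {} if encrypted_store is None else encrypted_store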
開發者ID:ashapochka,項目名稱:saapy,代碼行數:8,代碼來源:secret_store.py

示例4: test_rotate_preserves_timestamp

    def test_rotate_preserves_timestamp(self, backend, monkeypatch):
        """``rotate`` must carry over the token's original timestamp.

        Because the timestamp is preserved, re-encrypting under a new key does
        not reset the age that a later TTL check would measure.
        """
        old_key = Fernet(base64.urlsafe_b64encode(b"\x00" * 32), backend=backend)
        new_key = Fernet(base64.urlsafe_b64encode(b"\x01" * 32), backend=backend)

        old_only = MultiFernet([old_key])
        new_then_old = MultiFernet([new_key, old_key])

        token = old_only.encrypt(b"abc")

        # Move the clock five minutes ahead so that a freshly stamped token
        # would be distinguishable from one that kept its original timestamp.
        five_minutes_on = datetime.datetime.now() + datetime.timedelta(minutes=5)
        fake_now = time.mktime(five_minutes_on.timetuple())
        monkeypatch.setattr(time, "time", lambda: fake_now)

        stamp_before, _ = Fernet._get_unverified_token_data(token)
        rotated_token = new_then_old.rotate(token)
        stamp_after, _ = Fernet._get_unverified_token_data(rotated_token)

        assert fake_now != stamp_after
        assert stamp_before == stamp_after
開發者ID:amauryfa,項目名稱:cryptography,代碼行數:21,代碼來源:test_fernet.py

示例5: EncryptingPacker

class EncryptingPacker(object):
    """Convert Python objects to and from encrypted bytestrings.

    :param str key: the `Fernet`_ key used for encryption and decryption
    :param list old_keys: further `Fernet`_ keys accepted for decryption

    .. note::

        A message carries the timestamp at which it was generated
        *in plaintext*. See `our audit`_ for discussion of this and other
        considerations with `Fernet`_.

    .. _Fernet: https://cryptography.io/en/latest/fernet/
    .. _our audit: https://github.com/gratipay/gratipay.com/pull/3998#issuecomment-216227070

    """

    def __init__(self, key, *old_keys):
        # Primary key first: MultiFernet encrypts with the first entry and
        # consults the remaining ones only when decrypting.
        fernets = [Fernet(key)]
        fernets.extend(Fernet(old) for old in old_keys)
        self.fernet = MultiFernet(fernets)

    def pack(self, obj):
        """Serialize a JSON-serializable object and return it as a `Fernet`_ token.
        """
        plaintext = json.dumps(obj).encode('utf8')  # JSON text -> bytes
        return self.fernet.encrypt(plaintext)

    def unpack(self, token):
        """Decrypt a `Fernet`_ token holding JSON and return the Python object.

        Only exact ``bytes`` instances are accepted; anything else raises
        ``TypeError`` before decryption is attempted. The JSON is parsed only
        after ``self.fernet.decrypt`` has accepted the token.
        """
        if type(token) is not bytes:
            raise TypeError("need bytes, got {}".format(type(token)))
        plaintext = self.fernet.decrypt(token)
        return json.loads(plaintext.decode('utf8'))
開發者ID:PeterDaveHello,項目名稱:gratipay.com,代碼行數:39,代碼來源:crypto.py

示例6: update

 def update(self, **kwargs):
     """Apply keyword settings to this object.

     Every keyword is stored as an attribute of the same name, except
     ``crypto_key``: that value (one key or a list of keys) is turned into
     the ``self.fernet`` ``MultiFernet`` and is not itself stored here.
     ``MultiFernet`` encrypts with the first key of the list, so key order
     matters.
     """
     for name, value in kwargs.items():
         if name != "crypto_key":
             setattr(self, name, value)
             continue
         raw_keys = value if isinstance(value, list) else [value]
         self.fernet = MultiFernet([Fernet(raw) for raw in raw_keys])
開發者ID:adamchainz,項目名稱:autopush,代碼行數:13,代碼來源:settings.py

示例7: __init__

 def __init__(self):
     """Load the Fernet keys and the rotation start date, then build the cipher.

     When ``website.env.aws_secret_access_key`` is set, the keys are read
     from the Secrets Manager secret named ``Fernet`` and the rotation start
     is that secret's ``CreatedDate``. Otherwise both come from the
     ``SECRET_FERNET_KEYS`` environment variable: its first
     whitespace-separated field is a ``-``-separated date and the remaining
     fields are the keys.
     """
     if not website.env.aws_secret_access_key:
         self.secrets_manager = None
         fields = os.environ['SECRET_FERNET_KEYS'].split()
         rotation_start = date(*[int(piece) for piece in fields[0].split('-')])
         keys = fields[1:]
     else:
         self.secrets_manager = boto3.client('secretsmanager', region_name='eu-west-1')
         secret = self.secrets_manager.get_secret_value(SecretId='Fernet')
         rotation_start = secret['CreatedDate'].date()
         keys = secret['SecretString'].split()
     self.fernet_rotation_start = rotation_start
     # The raw keys stay on the instance; MultiFernet encrypts with the
     # first one and accepts all of them for decryption.
     self.fernet_keys = [k.encode('ascii') for k in keys]
     self.fernet = MultiFernet([Fernet(k) for k in self.fernet_keys])
開發者ID:liberapay,項目名稱:liberapay.com,代碼行數:14,代碼來源:crypto.py

示例8: __init__

 def __init__(self, expiry=60, hosts=None, prefix="asgi:", group_expiry=86400, capacity=100, channel_capacity=None,
              symmetric_encryption_keys=None):
     """Configure the Redis hosts, scripts and optional message encryption.

     ``expiry``, ``group_expiry``, ``capacity`` and ``channel_capacity`` are
     forwarded unchanged to the parent initializer.

     :param hosts: iterable of Redis URL strings or ``(host, port)`` pairs;
         defaults to ``[("localhost", 6379)]``. A bare string raises
         ``ValueError``.
     :param prefix: key prefix; asserted to be a unicode string.
     :param symmetric_encryption_keys: list of keys, each passed to
         ``self.make_fernet``; a bare string raises ``ValueError``. When
         falsy, ``self.crypter`` is ``None``.
     :raises ValueError: for a string ``hosts``, a string
         ``symmetric_encryption_keys``, or when keys are given but the
         ``cryptography`` package cannot be imported.
     """
     super(RedisChannelLayer, self).__init__(
         expiry=expiry,
         group_expiry=group_expiry,
         capacity=capacity,
         channel_capacity=channel_capacity,
     )
     # Make sure they provided some hosts, or provide a default
     if not hosts:
         hosts = [("localhost", 6379)]
     self.hosts = []
     
     if isinstance(hosts, six.string_types):
         # user accidentally used one host string instead of providing a list of hosts
         raise ValueError('ASGI Redis hosts must be specified as an iterable list of hosts.')
                          
     for entry in hosts:
         if isinstance(entry, six.string_types):
             self.hosts.append(entry)
         else:
             # (host, port) pairs become a redis:// URL on database 0
             self.hosts.append("redis://%s:%d/0" % (entry[0], entry[1]))
     self.prefix = prefix
     # NOTE(review): assert statements are skipped under ``python -O``, so
     # this type check is not enforced in optimized runs.
     assert isinstance(self.prefix, six.text_type), "Prefix must be unicode"
     # Precalculate some values for ring selection
     self.ring_size = len(self.hosts)
     self.ring_divisor = int(math.ceil(4096 / float(self.ring_size)))
     # Create connections ahead of time (they won't call out just yet, but
     # we want to connection-pool them later)
     self._connection_list = self._generate_connections()
     # Decide on a unique client prefix to use in ! sections
     # TODO: ensure uniqueness better, e.g. Redis keys with SETNX
     # NOTE(review): ``random`` is not a cryptographic generator; that is
     # fine only while this prefix is an identifier and not a secret --
     # confirm nothing relies on it being unguessable.
     self.client_prefix = "".join(random.choice(string.ascii_letters) for i in range(8))
     # Register scripts
     connection = self.connection(None)
     self.chansend = connection.register_script(self.lua_chansend)
     self.lpopmany = connection.register_script(self.lua_lpopmany)
     self.delprefix = connection.register_script(self.lua_delprefix)
     # See if we can do encryption if they asked
     if symmetric_encryption_keys:
         if isinstance(symmetric_encryption_keys, six.string_types):
             raise ValueError("symmetric_encryption_keys must be a list of possible keys")
         try:
             from cryptography.fernet import MultiFernet
         except ImportError:
             raise ValueError("Cannot run with encryption without 'cryptography' installed.")
         # Key order matters: MultiFernet encrypts with the first key and
         # accepts any listed key for decryption, which is what allows rotation.
         sub_fernets = [self.make_fernet(key) for key in symmetric_encryption_keys]
         self.crypter = MultiFernet(sub_fernets)
     else:
         # No keys configured: presumably messages are then stored in Redis
         # unencrypted -- verify against the code that reads self.crypter.
         self.crypter = None
開發者ID:ssteinerx,項目名稱:asgi_redis,代碼行數:50,代碼來源:core.py

示例9: test_rotate

    def test_rotate(self, backend):
        """``rotate`` re-encrypts a token under the first key of the list.

        After rotation the token still decrypts with the new key list but no
        longer with a ``MultiFernet`` that holds only the old key.
        """
        old_key = Fernet(base64.urlsafe_b64encode(b"\x00" * 32), backend=backend)
        new_key = Fernet(base64.urlsafe_b64encode(b"\x01" * 32), backend=backend)

        before = MultiFernet([old_key])
        after = MultiFernet([new_key, old_key])

        message = b"abc"
        token = before.encrypt(message)

        # The old key is still listed, so the un-rotated token decrypts.
        assert after.decrypt(token) == message

        rotated = after.rotate(token)

        assert rotated != token
        assert after.decrypt(rotated) == message

        # The rotated token is now bound to the new key only.
        with pytest.raises(InvalidToken):
            before.decrypt(rotated)
開發者ID:amauryfa,項目名稱:cryptography,代碼行數:19,代碼來源:test_fernet.py

示例10: AutopushSettings


#.........這裏部分代碼省略.........
            self.metrics = TwistedMetrics(statsd_host, statsd_port)
        else:
            self.metrics = SinkMetrics()
        if not crypto_key:
            crypto_key = [Fernet.generate_key()]
        if not isinstance(crypto_key, list):
            crypto_key = [crypto_key]
        self.update(crypto_key=crypto_key)
        self.crypto_key = crypto_key

        if auth_key is None:
            auth_key = []
        if not isinstance(auth_key, list):
            auth_key = [auth_key]
        self.auth_key = auth_key

        self.max_data = max_data
        self.clients = {}

        # Setup hosts/ports/urls
        default_hostname = socket.gethostname()
        self.hostname = hostname or default_hostname
        if resolve_hostname:
            self.hostname = resolve_ip(self.hostname)

        self.port = port
        self.endpoint_hostname = endpoint_hostname or self.hostname
        self.router_hostname = router_hostname or self.hostname

        self.router_conf = router_conf
        self.router_url = canonical_url(
            router_scheme or 'http',
            self.router_hostname,
            router_port
        )

        self.endpoint_url = canonical_url(
            endpoint_scheme or 'http',
            self.endpoint_hostname,
            endpoint_port
        )

        # Database objects
        self.router_table = get_router_table(router_tablename,
                                             router_read_throughput,
                                             router_write_throughput)
        self.storage_table = get_storage_table(storage_tablename,
                                               storage_read_throughput,
                                               storage_write_throughput)
        self.message_table = get_message_table(message_tablename,
                                               message_read_throughput,
                                               message_write_throughput)
        self.storage = Storage(self.storage_table, self.metrics)
        self.router = Router(self.router_table, self.metrics)
        self.message = Message(self.message_table, self.metrics)

        # Run preflight check
        preflight_check(self.storage, self.router)

        # CORS
        self.cors = enable_cors

        # Force timeout in idle seconds
        self.wake_timeout = wake_timeout

        # Setup the routers
        self.routers = {}
        self.routers["simplepush"] = SimpleRouter(
            self,
            router_conf.get("simplepush")
        )
        self.routers["webpush"] = WebPushRouter(self, None)
        if 'apns' in router_conf:
            self.routers["apns"] = APNSRouter(self, router_conf["apns"])
        if 'gcm' in router_conf:
            self.routers["gcm"] = GCMRouter(self, router_conf["gcm"])

        # Env
        self.env = env

        self.hello_timeout = hello_timeout

    def update(self, **kwargs):
        """Apply keyword settings to this object.

        Every keyword is stored as an attribute of the same name, except
        ``crypto_key``: that value (one key or a list of keys) is turned into
        the ``self.fernet`` ``MultiFernet`` and is not itself stored here.
        ``MultiFernet`` encrypts with the first key of the list, so key order
        matters.
        """
        for name, value in kwargs.items():
            if name != "crypto_key":
                setattr(self, name, value)
                continue
            raw_keys = value if isinstance(value, list) else [value]
            self.fernet = MultiFernet([Fernet(raw) for raw in raw_keys])

    def make_endpoint(self, uaid, chid):
        """Build the push endpoint URL for a UAID / channel ID pair.

        ``uaid:chid`` is UTF-8 encoded, encrypted with ``self.fernet`` and
        appended after ``/push/``, so the identifiers do not appear in the URL
        in clear. A Fernet token still exposes its creation time.
        """
        prefix = self.endpoint_url + '/push/'
        identifiers = (uaid + ':' + chid).encode('utf8')
        token = self.fernet.encrypt(identifiers)
        return prefix + token
開發者ID:ncalexan,項目名稱:autopush,代碼行數:101,代碼來源:settings.py

示例11: test_encrypt

    def test_encrypt(self, backend):
        """A ``MultiFernet`` token must decrypt with the first key in its list."""
        primary = Fernet(base64.urlsafe_b64encode(b"\x00" * 32), backend=backend)
        secondary = Fernet(base64.urlsafe_b64encode(b"\x01" * 32), backend=backend)
        multi = MultiFernet([primary, secondary])

        token = multi.encrypt(b"abc")
        assert primary.decrypt(token) == b"abc"
開發者ID:amauryfa,項目名稱:cryptography,代碼行數:6,代碼來源:test_fernet.py

示例12: Cryptograph

class Cryptograph(object):
    """Symmetric encryption and decryption for the storage of sensitive data.

    We currently rely on Fernet, which was the algorithm adopted by Gratipay:
    https://github.com/gratipay/gratipay.com/pull/3998#issuecomment-216227070

    For encryption Fernet uses the AES cipher in CBC mode with PKCS7 padding and
    a 128 bits key. For authentication it uses HMAC-SHA256 with another 128 bits
    key.

    Fernet messages contain the timestamp at which they were generated *in plain
    text*. This isn't a problem for us since we want to store the time at which
    the data was encrypted in order to facilitate key rotation.

    We use CBOR (Concise Binary Object Representation) to serialize objects
    before encryption. Compared to JSON, CBOR is faster to parse and serialize,
    more compact, and extensible (it can represent any data type using "tags").
    More info on CBOR: http://cbor.io/ https://tools.ietf.org/html/rfc7049
    """

    KEY_ROTATION_DELAY = timedelta(weeks=1)

    def __init__(self):
        """Load the Fernet keys and the rotation start date, then build the cipher.

        When ``website.env.aws_secret_access_key`` is set, the keys are read
        from the Secrets Manager secret named ``Fernet`` and the rotation start
        is that secret's ``CreatedDate``. Otherwise both come from the
        ``SECRET_FERNET_KEYS`` environment variable: its first
        whitespace-separated field is a ``-``-separated date and the remaining
        fields are the keys.
        """
        if not website.env.aws_secret_access_key:
            self.secrets_manager = None
            fields = os.environ['SECRET_FERNET_KEYS'].split()
            rotation_start = date(*[int(piece) for piece in fields[0].split('-')])
            keys = fields[1:]
        else:
            self.secrets_manager = boto3.client('secretsmanager', region_name='eu-west-1')
            secret = self.secrets_manager.get_secret_value(SecretId='Fernet')
            rotation_start = secret['CreatedDate'].date()
            keys = secret['SecretString'].split()
        self.fernet_rotation_start = rotation_start
        # The raw keys stay on the instance (rotate_key reads them back);
        # MultiFernet encrypts with the first one and accepts all of them
        # for decryption.
        self.fernet_keys = [k.encode('ascii') for k in keys]
        self.fernet = MultiFernet([Fernet(k) for k in self.fernet_keys])

    def encrypt_dict(self, dic, allow_single_key=False):
        """Serialize and encrypt a dictionary for storage in the database.

        The stated rationale for shuffling: encrypting partially predictable
        data may help an attacker break the encryption key, so the order of
        the dict's items is randomized before serialization to make the
        plaintext less predictable.

        For the shuffle to survive serialization, the CBOR encoder must not
        re-sort the items into Canonical CBOR, hence the explicit
        `canonical=False` passed to `cbor.dumps`.

        A dict holding a single predictable key cannot be shuffled, so a
        `CryptoWarning` is emitted when `dic` contains only one key, unless
        `allow_single_key` is set to `True`.

        NOTE(review): Fernet already draws a fresh random IV for every token,
        so the shuffle looks like defence in depth rather than something the
        token's confidentiality depends on -- confirm against the audit linked
        in the class docstring.
        """
        shuffled = self.randomize_dict(dic, allow_single_key=allow_single_key)
        token = self.fernet.encrypt(cbor.dumps(shuffled, canonical=False))
        return Encrypted({'scheme': 'fernet', 'payload': token, 'ts': utcnow()})

    def decrypt(self, scheme, payload):
        """Decrypt and reconstruct an object stored in the database.

        Only the `'fernet'` scheme is known; any other value raises
        `ValueError`. The payload goes through `self.fernet.decrypt` before
        `cbor.loads`, so the CBOR parser only sees bytes that decryption
        accepted. No `ttl` is passed, so token age is not checked here.
        """
        if scheme != 'fernet':
            raise ValueError('unknown encryption scheme %r' % scheme)
        plaintext = self.fernet.decrypt(payload)
        return cbor.loads(plaintext)

    @staticmethod
    def randomize_dict(dic, allow_single_key=False):
        """Return the dict's items in a random order.

        Dicts with fewer than two items are returned unchanged; a
        `CryptoWarning` is emitted for a one-item dict unless
        `allow_single_key` is `True`. Anything that is not a dict raises
        `TypeError`.
        """
        if not isinstance(dic, dict):
            raise TypeError("expected a dict, got %s" % type(dic))
        size = len(dic)
        if size >= 2:
            # Each item gets a random tag from os.urandom; the tag is at least
            # two bytes long and grows with the size of the dict.
            tag_len = int(log(size, 2) // 8) + 2
            # Sorting by tag yields the random order. Two equal tags would
            # fall back to comparing the items themselves.
            tagged = sorted((urandom(tag_len), pair) for pair in dic.items())
            return OrderedDict(pair for _, pair in tagged)
        # Fewer than two items: there is no order to randomize.
        if size == 1 and not allow_single_key:
            warnings.warn("dict only contains one key", CryptoWarning)
        return dic

    def rotate_key(self):
        """Generate a new key and send it to the secrets manager.

        The new key is placed in front of the existing ones, so it becomes
        the key a `MultiFernet` built from this list would encrypt with.
        Without a secrets manager the string is prefixed with today's date
        and storing it is left to the caller. `self.fernet` and
        `self.fernet_keys` are not updated here.

        The returned string contains every key in clear: treat it as a
        secret and keep it out of logs.
        """
        fresh_key = Fernet.generate_key()
        keys = b' '.join([fresh_key] + self.fernet_keys).decode()
        if not self.secrets_manager:
            keys = utcnow().date().isoformat() + ' ' + keys
            print("No secrets manager, updating the key storage is up to you.")
            return keys
        self.secrets_manager.update_secret(SecretId='Fernet', SecretString=keys)
        return keys

    def rotate_message(self, msg, force=False):
#.........這裏部分代碼省略.........
開發者ID:liberapay,項目名稱:liberapay.com,代碼行數:101,代碼來源:crypto.py

示例13: AutopushSettings


#.........這裏部分代碼省略.........

        # Used to determine whether a connection is out of date with current
        # db objects
        self.current_msg_month = make_rotating_tablename(self._message_prefix)
        self.current_month = datetime.date.today().month
        self.create_initial_message_tables()

        # Run preflight check
        preflight_check(self.storage, self.router)

        # CORS
        self.cors = enable_cors

        # Force timeout in idle seconds
        self.wake_timeout = wake_timeout

        # Setup the routers
        self.routers = {}
        self.routers["simplepush"] = SimpleRouter(
            self,
            router_conf.get("simplepush")
        )
        self.routers["webpush"] = WebPushRouter(self, None)
        if 'apns' in router_conf:
            self.routers["apns"] = APNSRouter(self, router_conf["apns"])
        if 'gcm' in router_conf:
            self.routers["gcm"] = GCMRouter(self, router_conf["gcm"])

        # Env
        self.env = env

        self.hello_timeout = hello_timeout

    @property
    def message(self):
        """Return the message table registered under ``current_msg_month``."""
        tables = self.message_tables
        return tables[self.current_msg_month]

    @message.setter
    def message(self, value):
        """Store ``value`` as the message table for ``current_msg_month``."""
        month_key = self.current_msg_month
        self.message_tables[month_key] = value

    def create_initial_message_tables(self):
        """Build the initial dict of rotating message tables.

        It holds one entry for last month's table and one for this month's,
        each keyed by the table's name.

        """
        prefix = self._message_prefix
        tables = (
            get_rotating_message_table(prefix, -1),  # last month
            get_rotating_message_table(prefix),      # this month
        )
        self.message_tables = {
            table.table_name: Message(table, self.metrics) for table in tables
        }

    @inlineCallbacks
    def update_rotating_tables(self):
        """Swap in the new month's message table when the month has changed.

        Meant to be scheduled periodically on the twisted event loop. Fires
        with ``False`` when the month is unchanged and with ``True`` after a
        switch-over.

        """
        current_date = datetime.date.today()
        if self.current_month == current_date.month:
            # Still the same month: nothing to rotate.
            returnValue(False)

        # Look the new table up in a worker thread. If the lookup fails, the
        # error surfaces here, before any attribute has been changed.
        new_table = yield deferToThread(get_rotating_message_table,
                                        self._message_prefix)

        # The table was found, so it is safe to switch over.
        self.current_month = current_date.month
        table_key = new_table.table_name
        self.current_msg_month = table_key
        self.message_tables[table_key] = Message(new_table, self.metrics)
        returnValue(True)

    def update(self, **kwargs):
        """Apply keyword settings to this object.

        Every keyword is stored as an attribute of the same name, except
        ``crypto_key``: that value (one key or a list of keys) is turned into
        the ``self.fernet`` ``MultiFernet`` and is not itself stored here.
        ``MultiFernet`` encrypts with the first key of the list, so key order
        matters.
        """
        for name, value in kwargs.items():
            if name != "crypto_key":
                setattr(self, name, value)
                continue
            raw_keys = value if isinstance(value, list) else [value]
            self.fernet = MultiFernet([Fernet(raw) for raw in raw_keys])

    def make_endpoint(self, uaid, chid):
        """Build the push endpoint URL for a UAID / channel ID pair.

        ``uaid:chid`` is UTF-8 encoded, encrypted with ``self.fernet`` and
        appended after ``/push/``, so the identifiers do not appear in the URL
        in clear. A Fernet token still exposes its creation time.
        """
        prefix = self.endpoint_url + '/push/'
        identifiers = (uaid + ':' + chid).encode('utf8')
        token = self.fernet.encrypt(identifiers)
        return prefix + token
開發者ID:tomzhang,項目名稱:autopush,代碼行數:101,代碼來源:settings.py

示例14: __init__

 def __init__(self, key, *old_keys):
     """Build the cipher from a primary key plus any number of older keys.

     ``key`` goes first, which makes it the key ``MultiFernet`` encrypts
     with; ``old_keys`` are consulted only when decrypting.
     """
     fernets = [Fernet(key)]
     fernets.extend(Fernet(old) for old in old_keys)
     self.fernet = MultiFernet(fernets)
開發者ID:PeterDaveHello,項目名稱:gratipay.com,代碼行數:3,代碼來源:crypto.py

示例15: AutopushSettings


#.........這裏部分代碼省略.........
                sorted(self.message_tables.keys())[-1] !=
                tomorrow.month):
            next_month = get_rotating_message_table(
                self._message_prefix, 0, tomorrow)
            self.message_tables[next_month.table_name] = Message(
                next_month, self.metrics)

        if today.month == self.current_month:
            # No change in month, we're fine.
            returnValue(False)

        # Get tables for the new month, and verify they exist before we try to
        # switch over
        message_table = yield deferToThread(get_rotating_message_table,
                                            self._message_prefix)

        # Both tables found, safe to switch-over
        self.current_month = today.month
        self.current_msg_month = message_table.table_name
        self.message_tables[self.current_msg_month] = \
            Message(message_table, self.metrics)
        returnValue(True)

    def update(self, **kwargs):
        """Apply keyword settings to this object.

        Every keyword is stored as an attribute of the same name, except
        ``crypto_key``: that value (one key or a list of keys) is turned into
        the ``self.fernet`` ``MultiFernet`` and is not itself stored here.
        ``MultiFernet`` encrypts with the first key of the list, so key order
        matters.
        """
        for name, value in kwargs.items():
            if name != "crypto_key":
                setattr(self, name, value)
                continue
            raw_keys = value if isinstance(value, list) else [value]
            self.fernet = MultiFernet([Fernet(raw) for raw in raw_keys])

    def make_simplepush_endpoint(self, uaid, chid):
        """Create a simplepush endpoint.

        Dashes are dropped from both identifiers, which are then hex-decoded
        to raw bytes, concatenated and encrypted with ``self.fernet``. The
        token is appended after ``/spush/v1/`` with its ``=`` padding
        stripped.
        """
        root = self.endpoint_url + "/spush/"
        # str.decode("hex") exists only on Python 2.
        uaid_raw = uaid.replace('-', '').decode("hex")
        chid_raw = chid.replace('-', '').decode("hex")
        token = self.fernet.encrypt(uaid_raw + chid_raw)
        return root + 'v1/' + token.strip('=')

    def make_endpoint(self, uaid, chid, key=None):
        """Create an v1 or v2 WebPush endpoint from the identifiers.

        Both endpoints use bytes instead of hex to reduce ID length.
        v0 is uaid.hex + ':' + chid.hex and is deprecated.
        v1 is the uaid + chid
        v2 is the uaid + chid + sha256(key).bytes

        :param uaid: User Agent Identifier
        :param chid: Channel or Subscription ID
        :param key: Optional Base64 URL-encoded application server key
        :returns: Push endpoint

        """
        root = self.endpoint_url + '/push/'
        base = (uaid.replace('-', '').decode("hex") +
                chid.replace('-', '').decode("hex"))

        if key is None:
            return root + 'v1/' + self.fernet.encrypt(base).strip('=')

        raw_key = base64url_decode(key.encode('utf8'))
開發者ID:adamchainz,項目名稱:autopush,代碼行數:67,代碼來源:settings.py


注:本文中的cryptography.fernet.MultiFernet類示例由純淨天空整理自Github/MSDocs等開源代碼及文檔管理平台,相關代碼片段篩選自各路編程大神貢獻的開源項目,源碼版權歸原作者所有,傳播和使用請參考對應項目的License;未經允許,請勿轉載。