rhodecode-enterprise-ce Commit - r281:f41dae1c

encryption: Implement a slightly improved AesCipher encryption....

marcink -

r281:f41dae1c default

parent child

The requested changes are too big and content was truncated. Show full diff

configs/development.ini

0 +4 0

             ################################################################################
             ################################################################################
             # RhodeCode Enterprise - configuration file                                    #
             # Built-in functions and variables                                             #
             # The %(here)s variable will be replaced with the parent directory of this file#
             #                                                                              #
             ################################################################################
             [DEFAULT]
             debug = true
             ################################################################################
             ## Uncomment and replace with the email address which should receive          ##
             ## any error reports after an application crash                               ##
             ## Additionally these settings will be used by the RhodeCode mailing system   ##
             ################################################################################
             #email_to = admin@localhost
             #error_email_from = paste_error@localhost
             #app_email_from = rhodecode-noreply@localhost
             #error_message =
             #email_prefix = [RhodeCode]
             #smtp_server = mail.server.com
             #smtp_username =
             #smtp_password =
             #smtp_port =
             #smtp_use_tls = false
             #smtp_use_ssl = true
             ## Specify available auth parameters here (e.g. LOGIN PLAIN CRAM-MD5, etc.)
             #smtp_auth =
             [server:main]
             ## COMMON ##
             host = 127.0.0.1
             port = 5000
             ##################################
             ##     WAITRESS WSGI SERVER     ##
             ## Recommended for Development  ##
             ##################################
             use = egg:waitress#main
             ## number of worker threads
             threads = 5
             ## MAX BODY SIZE 100GB
             max_request_body_size = 107374182400
             ## Use poll instead of select, fixes file descriptors limits problems.
             ## May not work on old windows systems.
             asyncore_use_poll = true
             ##########################
             ## GUNICORN WSGI SERVER ##
             ##########################
             ## run with gunicorn --log-config <inifile.ini> --paste <inifile.ini>
             #use = egg:gunicorn#main
             ## Sets the number of process workers. You must set `instance_id = *`
             ## when this option is set to more than one worker, recommended
             ## value is (2 * NUMBER_OF_CPUS + 1), eg 2CPU = 5 workers
             ## The `instance_id = *` must be set in the [app:main] section below
             #workers = 2
             ## number of threads for each of the worker, must be set to 1 for gevent
             ## generally recommened to be at 1
             #threads = 1
             ## process name
             #proc_name = rhodecode
             ## type of worker class, one of sync, gevent
             ## recommended for bigger setup is using of of other than sync one
             #worker_class = sync
             ## The maximum number of simultaneous clients. Valid only for Gevent
             #worker_connections = 10
             ## max number of requests that worker will handle before being gracefully
             ## restarted, could prevent memory leaks
             #max_requests = 1000
             #max_requests_jitter = 30
             ## amount of time a worker can spend with handling a request before it
             ## gets killed and restarted. Set to 6hrs
             #timeout = 21600
             ## prefix middleware for RhodeCode, disables force_https flag.
             ## allows to set RhodeCode under a prefix in server.
             ## eg https://server.com/<prefix>. Enable `filter-with =` option below as well.
             #[filter:proxy-prefix]
             #use = egg:PasteDeploy#prefix
             #prefix = /<your-prefix>
             [app:main]
             use = egg:rhodecode-enterprise-ce
             ## enable proxy prefix middleware, defined below
             #filter-with = proxy-prefix
             # During development the we want to have the debug toolbar enabled
             pyramid.includes =
                 pyramid_debugtoolbar
                 rhodecode.utils.debugtoolbar
                 rhodecode.lib.middleware.request_wrapper
             pyramid.reload_templates = true
             debugtoolbar.hosts = 0.0.0.0/0
             debugtoolbar.exclude_prefixes =
                 /css
                 /fonts
                 /images
                 /js
             ## RHODECODE PLUGINS ##
             rhodecode.includes =
                 rhodecode.api
             # api prefix url
             rhodecode.api.url = /_admin/api
             ## END RHODECODE PLUGINS ##
             ## encryption key used to encrypt social plugin tokens,
             ## remote_urls with credentials etc, if not set it defaults to
             ## `beaker.session.secret`
             #rhodecode.encrypted_values.secret =
+            ## decryption strict mode (enabled by default). It controls if decryption raises
+            ## `SignatureVerificationError` in case of wrong key, or damaged encryption data.
+            #rhodecode.encrypted_values.strict = false
             full_stack = true
             ## Serve static files via RhodeCode, disable to serve them via HTTP server
             static_files = true
             # autogenerate javascript routes file on startup
             generate_js_files = false
             ## Optional Languages
             ## en(default), be, de, es, fr, it, ja, pl, pt, ru, zh
             lang = en
             ## perform a full repository scan on each server start, this should be
             ## set to false after first startup, to allow faster server restarts.
             startup.import_repos = false
             ## Uncomment and set this path to use archive download cache.
             ## Once enabled, generated archives will be cached at this location
             ## and served from the cache during subsequent requests for the same archive of
             ## the repository.
             #archive_cache_dir = /tmp/tarballcache
             ## change this to unique ID for security
             app_instance_uuid = rc-production
             ## cut off limit for large diffs (size in bytes)
             cut_off_limit_diff = 1024000
             cut_off_limit_file = 256000
             ## use cache version of scm repo everywhere
             vcs_full_cache = true
             ## force https in RhodeCode, fixes https redirects, assumes it's always https
             ## Normally this is controlled by proper http flags sent from http server
             force_https = false
             ## use Strict-Transport-Security headers
             use_htsts = false
             ## number of commits stats will parse on each iteration
             commit_parse_limit = 25
             ## git rev filter option, --all is the default filter, if you need to
             ## hide all refs in changelog switch this to --branches --tags
             git_rev_filter = --branches --tags
             # Set to true if your repos are exposed using the dumb protocol
             git_update_server_info = false
             ## RSS/ATOM feed options
             rss_cut_off_limit = 256000
             rss_items_per_page = 10
             rss_include_diff = false
             ## gist URL alias, used to create nicer urls for gist. This should be an
             ## url that does rewrites to _admin/gists/<gistid>.
             ## example: http://gist.rhodecode.org/{gistid}. Empty means use the internal
             ## RhodeCode url, ie. http[s]://rhodecode.server/_admin/gists/<gistid>
             gist_alias_url =
             ## List of controllers (using glob pattern syntax) that AUTH TOKENS could be
             ## used for access.
             ## Adding ?auth_token = <token> to the url authenticates this request as if it
             ## came from the the logged in user who own this authentication token.
             ##
             ## Syntax is <ControllerClass>:<function_pattern>.
             ## To enable access to raw_files put `FilesController:raw`.
             ## To enable access to patches add `ChangesetController:changeset_patch`.
             ## The list should be "," separated and on a single line.
             ##
             ## Recommended controllers to enable:
             #    ChangesetController:changeset_patch,
             #    ChangesetController:changeset_raw,
             #    FilesController:raw,
             #    FilesController:archivefile,
             #    GistsController:*,
             api_access_controllers_whitelist =
             ## default encoding used to convert from and to unicode
             ## can be also a comma separated list of encoding in case of mixed encodings
             default_encoding = UTF-8
             ## instance-id prefix
             ## a prefix key for this instance used for cache invalidation when running
             ## multiple instances of rhodecode, make sure it's globally unique for
             ## all running rhodecode instances. Leave empty if you don't use it
             instance_id =
             ## Fallback authentication plugin. Set this to a plugin ID to force the usage
             ## of an authentication plugin also if it is disabled by it's settings.
             ## This could be useful if you are unable to log in to the system due to broken
             ## authentication settings. Then you can enable e.g. the internal rhodecode auth
             ## module to log in again and fix the settings.
             ##
             ## Available builtin plugin IDs (hash is part of the ID):
             ## egg:rhodecode-enterprise-ce#rhodecode
             ## egg:rhodecode-enterprise-ce#pam
             ## egg:rhodecode-enterprise-ce#ldap
             ## egg:rhodecode-enterprise-ce#jasig_cas
             ## egg:rhodecode-enterprise-ce#headers
             ## egg:rhodecode-enterprise-ce#crowd
             #rhodecode.auth_plugin_fallback = egg:rhodecode-enterprise-ce#rhodecode
             ## alternative return HTTP header for failed authentication. Default HTTP
             ## response is 401 HTTPUnauthorized. Currently HG clients have troubles with
             ## handling that causing a series of failed authentication calls.
             ## Set this variable to 403 to return HTTPForbidden, or any other HTTP code
             ## This will be served instead of default 401 on bad authnetication
             auth_ret_code =
             ## use special detection method when serving auth_ret_code, instead of serving
             ## ret_code directly, use 401 initially (Which triggers credentials prompt)
             ## and then serve auth_ret_code to clients
             auth_ret_code_detection = false
             ## locking return code. When repository is locked return this HTTP code. 2XX
             ## codes don't break the transactions while 4XX codes do
             lock_ret_code = 423
             ## allows to change the repository location in settings page
             allow_repo_location_change = true
             ## allows to setup custom hooks in settings page
             allow_custom_hooks_settings = true
             ## generated license token, goto license page in RhodeCode settings to obtain
             ## new token
             license_token =
             ## supervisor connection uri, for managing supervisor and logs.
             supervisor.uri =
             ## supervisord group name/id we only want this RC instance to handle
             supervisor.group_id = dev
             ## Display extended labs settings
             labs_settings_active = true
             ####################################
             ###        CELERY CONFIG        ####
             ####################################
             use_celery = false
             broker.host = localhost
             broker.vhost = rabbitmqhost
             broker.port = 5672
             broker.user = rabbitmq
             broker.password = qweqwe
             celery.imports = rhodecode.lib.celerylib.tasks
             celery.result.backend = amqp
             celery.result.dburi = amqp://
             celery.result.serialier = json
             #celery.send.task.error.emails = true
             #celery.amqp.task.result.expires = 18000
             celeryd.concurrency = 2
             #celeryd.log.file = celeryd.log
             celeryd.log.level = debug
             celeryd.max.tasks.per.child = 1
             ## tasks will never be sent to the queue, but executed locally instead.
             celery.always.eager = false
             ####################################
             ###         BEAKER CACHE        ####
             ####################################
             # default cache dir for templates.  Putting this into a ramdisk
             ## can boost performance, eg. %(here)s/data_ramdisk
             cache_dir = %(here)s/data
             ## locking and default file storage for Beaker. Putting this into a ramdisk
             ## can boost performance, eg. %(here)s/data_ramdisk/cache/beaker_data
             beaker.cache.data_dir = %(here)s/data/cache/beaker_data
             beaker.cache.lock_dir = %(here)s/data/cache/beaker_lock
             beaker.cache.regions = super_short_term, short_term, long_term, sql_cache_short, auth_plugins, repo_cache_long
             beaker.cache.super_short_term.type = memory
             beaker.cache.super_short_term.expire = 10
             beaker.cache.super_short_term.key_length = 256
             beaker.cache.short_term.type = memory
             beaker.cache.short_term.expire = 60
             beaker.cache.short_term.key_length = 256
             beaker.cache.long_term.type = memory
             beaker.cache.long_term.expire = 36000
             beaker.cache.long_term.key_length = 256
             beaker.cache.sql_cache_short.type = memory
             beaker.cache.sql_cache_short.expire = 10
             beaker.cache.sql_cache_short.key_length = 256
             # default is memory cache, configure only if required
             # using multi-node or multi-worker setup
             #beaker.cache.auth_plugins.type = ext:database
             #beaker.cache.auth_plugins.lock_dir = %(here)s/data/cache/auth_plugin_lock
             #beaker.cache.auth_plugins.url = postgresql://postgres:secret@localhost/rhodecode
             #beaker.cache.auth_plugins.url = mysql://root:secret@127.0.0.1/rhodecode
             #beaker.cache.auth_plugins.sa.pool_recycle = 3600
             #beaker.cache.auth_plugins.sa.pool_size = 10
             #beaker.cache.auth_plugins.sa.max_overflow = 0
             beaker.cache.repo_cache_long.type = memorylru_base
             beaker.cache.repo_cache_long.max_items = 4096
             beaker.cache.repo_cache_long.expire = 2592000
             # default is memorylru_base cache, configure only if required
             # using multi-node or multi-worker setup
             #beaker.cache.repo_cache_long.type = ext:memcached
             #beaker.cache.repo_cache_long.url = localhost:11211
             #beaker.cache.repo_cache_long.expire = 1209600
             #beaker.cache.repo_cache_long.key_length = 256
             ####################################
             ###       BEAKER SESSION        ####
             ####################################
             ## .session.type is type of storage options for the session, current allowed
             ## types are file, ext:memcached, ext:database, and memory (default).
             beaker.session.type = file
             beaker.session.data_dir = %(here)s/data/sessions/data
             ## db based session, fast, and allows easy management over logged in users ##
             #beaker.session.type = ext:database
             #beaker.session.table_name = db_session
             #beaker.session.sa.url = postgresql://postgres:secret@localhost/rhodecode
             #beaker.session.sa.url = mysql://root:secret@127.0.0.1/rhodecode
             #beaker.session.sa.pool_recycle = 3600
             #beaker.session.sa.echo = false
             beaker.session.key = rhodecode
             beaker.session.secret = develop-rc-uytcxaz
             beaker.session.lock_dir = %(here)s/data/sessions/lock
             ## Secure encrypted cookie. Requires AES and AES python libraries
             ## you must disable beaker.session.secret to use this
             #beaker.session.encrypt_key = <key_for_encryption>
             #beaker.session.validate_key = <validation_key>
             ## sets session as invalid(also logging out user) if it haven not been
             ## accessed for given amount of time in seconds
             beaker.session.timeout = 2592000
             beaker.session.httponly = true
             #beaker.session.cookie_path = /<your-prefix>
             ## uncomment for https secure cookie
             beaker.session.secure = false
             ## auto save the session to not to use .save()
             beaker.session.auto = false
             ## default cookie expiration time in seconds, set to `true` to set expire
             ## at browser close
             #beaker.session.cookie_expires = 3600
             ###################################
             ## SEARCH INDEXING CONFIGURATION ##
             ###################################
             ## Full text search indexer is available in rhodecode-tools under
             ## `rhodecode-tools index` command
             # WHOOSH Backend, doesn't require additional services to run
             # it works good with few dozen repos
             search.module = rhodecode.lib.index.whoosh
             search.location = %(here)s/data/index
             ###################################
             ##       APPENLIGHT CONFIG       ##
             ###################################
             ## Appenlight is tailored to work with RhodeCode, see
             ## http://appenlight.com for details how to obtain an account
             ## appenlight integration enabled
             appenlight = false
             appenlight.server_url = https://api.appenlight.com
             appenlight.api_key = YOUR_API_KEY
             #appenlight.transport_config = https://api.appenlight.com?threaded=1&timeout=5
             # used for JS client
             appenlight.api_public_key = YOUR_API_PUBLIC_KEY
             ## TWEAK AMOUNT OF INFO SENT HERE
             ## enables 404 error logging (default False)
             appenlight.report_404 = false
             ## time in seconds after request is considered being slow (default 1)
             appenlight.slow_request_time = 1
             ## record slow requests in application
             ## (needs to be enabled for slow datastore recording and time tracking)
             appenlight.slow_requests = true
             ## enable hooking to application loggers
             appenlight.logging = true
             ## minimum log level for log capture
             appenlight.logging.level = WARNING
             ## send logs only from erroneous/slow requests
             ## (saves API quota for intensive logging)
             appenlight.logging_on_error = false
             ## list of additonal keywords that should be grabbed from environ object
             ## can be string with comma separated list of words in lowercase
             ## (by default client will always send following info:
             ## 'REMOTE_USER', 'REMOTE_ADDR', 'SERVER_NAME', 'CONTENT_TYPE' + all keys that
             ## start with HTTP* this list be extended with additional keywords here
             appenlight.environ_keys_whitelist =
             ## list of keywords that should be blanked from request object
             ## can be string with comma separated list of words in lowercase
             ## (by default client will always blank keys that contain following words
             ## 'password', 'passwd', 'pwd', 'auth_tkt', 'secret', 'csrf'
             ## this list be extended with additional keywords set here
             appenlight.request_keys_blacklist =
             ## list of namespaces that should be ignores when gathering log entries
             ## can be string with comma separated list of namespaces
             ## (by default the client ignores own entries: appenlight_client.client)
             appenlight.log_namespace_blacklist =
             ################################################################################
             ## WARNING: *THE LINE BELOW MUST BE UNCOMMENTED ON A PRODUCTION ENVIRONMENT*  ##
             ## Debug mode will enable the interactive debugging tool, allowing ANYONE to  ##
             ## execute malicious code after an exception is raised.                       ##
             ################################################################################
             #set debug = false
             ##############
             ## STYLING  ##
             ##############
             debug_style = true
             #########################################################
             ### DB CONFIGS - EACH DB WILL HAVE IT'S OWN CONFIG    ###
             #########################################################
             sqlalchemy.db1.url = sqlite:///%(here)s/rhodecode.db?timeout=30
             #sqlalchemy.db1.url = postgresql://postgres:qweqwe@localhost/rhodecode
             #sqlalchemy.db1.url = mysql://root:qweqwe@localhost/rhodecode
             # see sqlalchemy docs for other advanced settings
             ## print the sql statements to output
             sqlalchemy.db1.echo = false
             ## recycle the connections after this ammount of seconds
             sqlalchemy.db1.pool_recycle = 3600
             sqlalchemy.db1.convert_unicode = true
             ## the number of connections to keep open inside the connection pool.
             ## 0 indicates no limit
             #sqlalchemy.db1.pool_size = 5
             ## the number of connections to allow in connection pool "overflow", that is
             ## connections that can be opened above and beyond the pool_size setting,
             ## which defaults to five.
             #sqlalchemy.db1.max_overflow = 10
             ##################
             ### VCS CONFIG ###
             ##################
             vcs.server.enable = true
             vcs.server = localhost:9900
             ## Web server connectivity protocol, responsible for web based VCS operatations
             ## Available protocols are:
             ## `pyro4` - using pyro4 server
             ## `http` - using http-rpc backend
             #vcs.server.protocol = http
             ## Push/Pull operations protocol, available options are:
             ## `pyro4` - using pyro4 server
             ## `rhodecode.lib.middleware.utils.scm_app_http` - Http based, recommended
             ## `vcsserver.scm_app` - internal app (EE only)
             #vcs.scm_app_implementation = rhodecode.lib.middleware.utils.scm_app_http
             ## Push/Pull operations hooks protocol, available options are:
             ## `pyro4` - using pyro4 server
             ## `http` - using http-rpc backend
             #vcs.hooks.protocol = http
             vcs.server.log_level = debug
             ## Start VCSServer with this instance as a subprocess, usefull for development
             vcs.start_server = true
             vcs.backends = hg, git, svn
             vcs.connection_timeout = 3600
             ## Compatibility version when creating SVN repositories. Defaults to newest version when commented out.
             ## Available options are: pre-1.4-compatible, pre-1.5-compatible, pre-1.6-compatible, pre-1.8-compatible
             #vcs.svn.compatible_version = pre-1.8-compatible
             ################################
             ### LOGGING CONFIGURATION   ####
             ################################
             [loggers]
             keys = root, routes, rhodecode, sqlalchemy, beaker, pyro4, templates, whoosh_indexer
             [handlers]
             keys = console, console_sql
             [formatters]
             keys = generic, color_formatter, color_formatter_sql
             #############
             ## LOGGERS ##
             #############
             [logger_root]
             level = NOTSET
             handlers = console
             [logger_routes]
             level = DEBUG
             handlers =
             qualname = routes.middleware
             ## "level = DEBUG" logs the route matched and routing variables.
             propagate = 1
             [logger_beaker]
             level = DEBUG
             handlers =
             qualname = beaker.container
             propagate = 1
             [logger_pyro4]
             level = DEBUG
             handlers =
             qualname = Pyro4
             propagate = 1
             [logger_templates]
             level = INFO
             handlers =
             qualname = pylons.templating
             propagate = 1
             [logger_rhodecode]
             level = DEBUG
             handlers =
             qualname = rhodecode
             propagate = 1
             [logger_sqlalchemy]
             level = INFO
             handlers = console_sql
             qualname = sqlalchemy.engine
             propagate = 0
             [logger_whoosh_indexer]
             level = DEBUG
             handlers =
             qualname = whoosh_indexer
             propagate = 1
             ##############
             ## HANDLERS ##
             ##############
             [handler_console]
             class = StreamHandler
             args = (sys.stderr,)
             level = DEBUG
             formatter = color_formatter
             [handler_console_sql]
             class = StreamHandler
             args = (sys.stderr,)
             level = DEBUG
             formatter = color_formatter_sql
             ################
             ## FORMATTERS ##
             ################
             [formatter_generic]
             class = rhodecode.lib.logging_formatter.Pyro4AwareFormatter
             format = %(asctime)s.%(msecs)03d %(levelname)-5.5s [%(name)s] %(message)s
             datefmt = %Y-%m-%d %H:%M:%S
             [formatter_color_formatter]
             class = rhodecode.lib.logging_formatter.ColorFormatter
             format = %(asctime)s.%(msecs)03d %(levelname)-5.5s [%(name)s] %(message)s
             datefmt = %Y-%m-%d %H:%M:%S
             [formatter_color_formatter_sql]
             class = rhodecode.lib.logging_formatter.ColorFormatterSql
             format = %(asctime)s.%(msecs)03d %(levelname)-5.5s [%(name)s] %(message)s
             datefmt = %Y-%m-%d %H:%M:%S

configs/production.ini

0 +4 0

             ################################################################################
             ################################################################################
             # RhodeCode Enterprise - configuration file                                    #
             # Built-in functions and variables                                             #
             # The %(here)s variable will be replaced with the parent directory of this file#
             #                                                                              #
             ################################################################################
             [DEFAULT]
             debug = true
             ################################################################################
             ## Uncomment and replace with the email address which should receive          ##
             ## any error reports after an application crash                               ##
             ## Additionally these settings will be used by the RhodeCode mailing system   ##
             ################################################################################
             #email_to = admin@localhost
             #error_email_from = paste_error@localhost
             #app_email_from = rhodecode-noreply@localhost
             #error_message =
             #email_prefix = [RhodeCode]
             #smtp_server = mail.server.com
             #smtp_username =
             #smtp_password =
             #smtp_port =
             #smtp_use_tls = false
             #smtp_use_ssl = true
             ## Specify available auth parameters here (e.g. LOGIN PLAIN CRAM-MD5, etc.)
             #smtp_auth =
             [server:main]
             ## COMMON ##
             host = 127.0.0.1
             port = 5000
             ##################################
             ##     WAITRESS WSGI SERVER     ##
             ## Recommended for Development  ##
             ##################################
             #use = egg:waitress#main
             ## number of worker threads
             #threads = 5
             ## MAX BODY SIZE 100GB
             #max_request_body_size = 107374182400
             ## Use poll instead of select, fixes file descriptors limits problems.
             ## May not work on old windows systems.
             #asyncore_use_poll = true
             ##########################
             ## GUNICORN WSGI SERVER ##
             ##########################
             ## run with gunicorn --log-config <inifile.ini> --paste <inifile.ini>
             use = egg:gunicorn#main
             ## Sets the number of process workers. You must set `instance_id = *`
             ## when this option is set to more than one worker, recommended
             ## value is (2 * NUMBER_OF_CPUS + 1), eg 2CPU = 5 workers
             ## The `instance_id = *` must be set in the [app:main] section below
             workers = 2
             ## number of threads for each of the worker, must be set to 1 for gevent
             ## generally recommened to be at 1
             #threads = 1
             ## process name
             proc_name = rhodecode
             ## type of worker class, one of sync, gevent
             ## recommended for bigger setup is using of of other than sync one
             worker_class = sync
             ## The maximum number of simultaneous clients. Valid only for Gevent
             #worker_connections = 10
             ## max number of requests that worker will handle before being gracefully
             ## restarted, could prevent memory leaks
             max_requests = 1000
             max_requests_jitter = 30
             ## amount of time a worker can spend with handling a request before it
             ## gets killed and restarted. Set to 6hrs
             timeout = 21600
             ## prefix middleware for RhodeCode, disables force_https flag.
             ## allows to set RhodeCode under a prefix in server.
             ## eg https://server.com/<prefix>. Enable `filter-with =` option below as well.
             #[filter:proxy-prefix]
             #use = egg:PasteDeploy#prefix
             #prefix = /<your-prefix>
             [app:main]
             use = egg:rhodecode-enterprise-ce
             ## enable proxy prefix middleware, defined below
             #filter-with = proxy-prefix
             ## encryption key used to encrypt social plugin tokens,
             ## remote_urls with credentials etc, if not set it defaults to
             ## `beaker.session.secret`
             #rhodecode.encrypted_values.secret =
+            ## decryption strict mode (enabled by default). It controls if decryption raises
+            ## `SignatureVerificationError` in case of wrong key, or damaged encryption data.
+            #rhodecode.encrypted_values.strict = false
             full_stack = true
             ## Serve static files via RhodeCode, disable to serve them via HTTP server
             static_files = true
             # autogenerate javascript routes file on startup
             generate_js_files = false
             ## Optional Languages
             ## en(default), be, de, es, fr, it, ja, pl, pt, ru, zh
             lang = en
             ## perform a full repository scan on each server start, this should be
             ## set to false after first startup, to allow faster server restarts.
             startup.import_repos = false
             ## Uncomment and set this path to use archive download cache.
             ## Once enabled, generated archives will be cached at this location
             ## and served from the cache during subsequent requests for the same archive of
             ## the repository.
             #archive_cache_dir = /tmp/tarballcache
             ## change this to unique ID for security
             app_instance_uuid = rc-production
             ## cut off limit for large diffs (size in bytes)
             cut_off_limit_diff = 1024000
             cut_off_limit_file = 256000
             ## use cache version of scm repo everywhere
             vcs_full_cache = true
             ## force https in RhodeCode, fixes https redirects, assumes it's always https
             ## Normally this is controlled by proper http flags sent from http server
             force_https = false
             ## use Strict-Transport-Security headers
             use_htsts = false
             ## number of commits stats will parse on each iteration
             commit_parse_limit = 25
             ## git rev filter option, --all is the default filter, if you need to
             ## hide all refs in changelog switch this to --branches --tags
             git_rev_filter = --branches --tags
             # Set to true if your repos are exposed using the dumb protocol
             git_update_server_info = false
             ## RSS/ATOM feed options
             rss_cut_off_limit = 256000
             rss_items_per_page = 10
             rss_include_diff = false
             ## gist URL alias, used to create nicer urls for gist. This should be an
             ## url that does rewrites to _admin/gists/<gistid>.
             ## example: http://gist.rhodecode.org/{gistid}. Empty means use the internal
             ## RhodeCode url, ie. http[s]://rhodecode.server/_admin/gists/<gistid>
             gist_alias_url =
             ## List of controllers (using glob pattern syntax) that AUTH TOKENS could be
             ## used for access.
             ## Adding ?auth_token = <token> to the url authenticates this request as if it
             ## came from the the logged in user who own this authentication token.
             ##
             ## Syntax is <ControllerClass>:<function_pattern>.
             ## To enable access to raw_files put `FilesController:raw`.
             ## To enable access to patches add `ChangesetController:changeset_patch`.
             ## The list should be "," separated and on a single line.
             ##
             ## Recommended controllers to enable:
             #    ChangesetController:changeset_patch,
             #    ChangesetController:changeset_raw,
             #    FilesController:raw,
             #    FilesController:archivefile,
             #    GistsController:*,
             api_access_controllers_whitelist =
             ## default encoding used to convert from and to unicode
             ## can be also a comma separated list of encoding in case of mixed encodings
             default_encoding = UTF-8
             ## instance-id prefix
             ## a prefix key for this instance used for cache invalidation when running
             ## multiple instances of rhodecode, make sure it's globally unique for
             ## all running rhodecode instances. Leave empty if you don't use it
             instance_id =
             ## Fallback authentication plugin. Set this to a plugin ID to force the usage
             ## of an authentication plugin also if it is disabled by it's settings.
             ## This could be useful if you are unable to log in to the system due to broken
             ## authentication settings. Then you can enable e.g. the internal rhodecode auth
             ## module to log in again and fix the settings.
             ##
             ## Available builtin plugin IDs (hash is part of the ID):
             ## egg:rhodecode-enterprise-ce#rhodecode
             ## egg:rhodecode-enterprise-ce#pam
             ## egg:rhodecode-enterprise-ce#ldap
             ## egg:rhodecode-enterprise-ce#jasig_cas
             ## egg:rhodecode-enterprise-ce#headers
             ## egg:rhodecode-enterprise-ce#crowd
             #rhodecode.auth_plugin_fallback = egg:rhodecode-enterprise-ce#rhodecode
             ## alternative return HTTP header for failed authentication. Default HTTP
             ## response is 401 HTTPUnauthorized. Currently HG clients have troubles with
             ## handling that causing a series of failed authentication calls.
             ## Set this variable to 403 to return HTTPForbidden, or any other HTTP code
             ## This will be served instead of default 401 on bad authnetication
             auth_ret_code =
             ## use special detection method when serving auth_ret_code, instead of serving
             ## ret_code directly, use 401 initially (Which triggers credentials prompt)
             ## and then serve auth_ret_code to clients
             auth_ret_code_detection = false
             ## locking return code. When repository is locked return this HTTP code. 2XX
             ## codes don't break the transactions while 4XX codes do
             lock_ret_code = 423
             ## allows to change the repository location in settings page
             allow_repo_location_change = true
             ## allows to setup custom hooks in settings page
             allow_custom_hooks_settings = true
             ## generated license token, goto license page in RhodeCode settings to obtain
             ## new token
             license_token =
             ## supervisor connection uri, for managing supervisor and logs.
             supervisor.uri =
             ## supervisord group name/id we only want this RC instance to handle
             supervisor.group_id = prod
             ## Display extended labs settings
             labs_settings_active = true
             ####################################
             ###        CELERY CONFIG        ####
             ####################################
             use_celery = false
             broker.host = localhost
             broker.vhost = rabbitmqhost
             broker.port = 5672
             broker.user = rabbitmq
             broker.password = qweqwe
             celery.imports = rhodecode.lib.celerylib.tasks
             celery.result.backend = amqp
             celery.result.dburi = amqp://
             celery.result.serialier = json
             #celery.send.task.error.emails = true
             #celery.amqp.task.result.expires = 18000
             celeryd.concurrency = 2
             #celeryd.log.file = celeryd.log
             celeryd.log.level = debug
             celeryd.max.tasks.per.child = 1
             ## tasks will never be sent to the queue, but executed locally instead.
             celery.always.eager = false
             ####################################
             ###         BEAKER CACHE        ####
             ####################################
             # default cache dir for templates.  Putting this into a ramdisk
             ## can boost performance, eg. %(here)s/data_ramdisk
             cache_dir = %(here)s/data
             ## locking and default file storage for Beaker. Putting this into a ramdisk
             ## can boost performance, eg. %(here)s/data_ramdisk/cache/beaker_data
             beaker.cache.data_dir = %(here)s/data/cache/beaker_data
             beaker.cache.lock_dir = %(here)s/data/cache/beaker_lock
             beaker.cache.regions = super_short_term, short_term, long_term, sql_cache_short, auth_plugins, repo_cache_long
             beaker.cache.super_short_term.type = memory
             beaker.cache.super_short_term.expire = 10
             beaker.cache.super_short_term.key_length = 256
             beaker.cache.short_term.type = memory
             beaker.cache.short_term.expire = 60
             beaker.cache.short_term.key_length = 256
             beaker.cache.long_term.type = memory
             beaker.cache.long_term.expire = 36000
             beaker.cache.long_term.key_length = 256
             beaker.cache.sql_cache_short.type = memory
             beaker.cache.sql_cache_short.expire = 10
             beaker.cache.sql_cache_short.key_length = 256
             # default is memory cache, configure only if required
             # using multi-node or multi-worker setup
             #beaker.cache.auth_plugins.type = ext:database
             #beaker.cache.auth_plugins.lock_dir = %(here)s/data/cache/auth_plugin_lock
             #beaker.cache.auth_plugins.url = postgresql://postgres:secret@localhost/rhodecode
             #beaker.cache.auth_plugins.url = mysql://root:secret@127.0.0.1/rhodecode
             #beaker.cache.auth_plugins.sa.pool_recycle = 3600
             #beaker.cache.auth_plugins.sa.pool_size = 10
             #beaker.cache.auth_plugins.sa.max_overflow = 0
             beaker.cache.repo_cache_long.type = memorylru_base
             beaker.cache.repo_cache_long.max_items = 4096
             beaker.cache.repo_cache_long.expire = 2592000
             # default is memorylru_base cache, configure only if required
             # using multi-node or multi-worker setup
             #beaker.cache.repo_cache_long.type = ext:memcached
             #beaker.cache.repo_cache_long.url = localhost:11211
             #beaker.cache.repo_cache_long.expire = 1209600
             #beaker.cache.repo_cache_long.key_length = 256
             ####################################
             ###       BEAKER SESSION        ####
             ####################################
             ## .session.type is type of storage options for the session, current allowed
             ## types are file, ext:memcached, ext:database, and memory (default).
             beaker.session.type = file
             beaker.session.data_dir = %(here)s/data/sessions/data
             ## db based session, fast, and allows easy management over logged in users ##
             #beaker.session.type = ext:database
             #beaker.session.table_name = db_session
             #beaker.session.sa.url = postgresql://postgres:secret@localhost/rhodecode
             #beaker.session.sa.url = mysql://root:secret@127.0.0.1/rhodecode
             #beaker.session.sa.pool_recycle = 3600
             #beaker.session.sa.echo = false
             beaker.session.key = rhodecode
             beaker.session.secret = production-rc-uytcxaz
             beaker.session.lock_dir = %(here)s/data/sessions/lock
             ## Secure encrypted cookie. Requires AES and AES python libraries
             ## you must disable beaker.session.secret to use this
             #beaker.session.encrypt_key = <key_for_encryption>
             #beaker.session.validate_key = <validation_key>
             ## sets session as invalid(also logging out user) if it haven not been
             ## accessed for given amount of time in seconds
             beaker.session.timeout = 2592000
             beaker.session.httponly = true
             #beaker.session.cookie_path = /<your-prefix>
             ## uncomment for https secure cookie
             beaker.session.secure = false
             ## auto save the session to not to use .save()
             beaker.session.auto = false
             ## default cookie expiration time in seconds, set to `true` to set expire
             ## at browser close
             #beaker.session.cookie_expires = 3600
             ###################################
             ## SEARCH INDEXING CONFIGURATION ##
             ###################################
             ## Full text search indexer is available in rhodecode-tools under
             ## `rhodecode-tools index` command
             # WHOOSH Backend, doesn't require additional services to run
             # it works good with few dozen repos
             search.module = rhodecode.lib.index.whoosh
             search.location = %(here)s/data/index
             ###################################
             ##       APPENLIGHT CONFIG       ##
             ###################################
             ## Appenlight is tailored to work with RhodeCode, see
             ## http://appenlight.com for details how to obtain an account
             ## appenlight integration enabled
             appenlight = false
             appenlight.server_url = https://api.appenlight.com
             appenlight.api_key = YOUR_API_KEY
             #appenlight.transport_config = https://api.appenlight.com?threaded=1&timeout=5
             # used for JS client
             appenlight.api_public_key = YOUR_API_PUBLIC_KEY
             ## TWEAK AMOUNT OF INFO SENT HERE
             ## enables 404 error logging (default False)
             appenlight.report_404 = false
             ## time in seconds after request is considered being slow (default 1)
             appenlight.slow_request_time = 1
             ## record slow requests in application
             ## (needs to be enabled for slow datastore recording and time tracking)
             appenlight.slow_requests = true
             ## enable hooking to application loggers
             appenlight.logging = true
             ## minimum log level for log capture
             appenlight.logging.level = WARNING
             ## send logs only from erroneous/slow requests
             ## (saves API quota for intensive logging)
             appenlight.logging_on_error = false
             ## list of additonal keywords that should be grabbed from environ object
             ## can be string with comma separated list of words in lowercase
             ## (by default client will always send following info:
             ## 'REMOTE_USER', 'REMOTE_ADDR', 'SERVER_NAME', 'CONTENT_TYPE' + all keys that
             ## start with HTTP* this list be extended with additional keywords here
             appenlight.environ_keys_whitelist =
             ## list of keywords that should be blanked from request object
             ## can be string with comma separated list of words in lowercase
             ## (by default client will always blank keys that contain following words
             ## 'password', 'passwd', 'pwd', 'auth_tkt', 'secret', 'csrf'
             ## this list be extended with additional keywords set here
             appenlight.request_keys_blacklist =
             ## list of namespaces that should be ignores when gathering log entries
             ## can be string with comma separated list of namespaces
             ## (by default the client ignores own entries: appenlight_client.client)
             appenlight.log_namespace_blacklist =
             ################################################################################
             ## WARNING: *THE LINE BELOW MUST BE UNCOMMENTED ON A PRODUCTION ENVIRONMENT*  ##
             ## Debug mode will enable the interactive debugging tool, allowing ANYONE to  ##
             ## execute malicious code after an exception is raised.                       ##
             ################################################################################
             set debug = false
             #########################################################
             ### DB CONFIGS - EACH DB WILL HAVE IT'S OWN CONFIG    ###
             #########################################################
             #sqlalchemy.db1.url = sqlite:///%(here)s/rhodecode.db?timeout=30
             sqlalchemy.db1.url = postgresql://postgres:qweqwe@localhost/rhodecode
             #sqlalchemy.db1.url = mysql://root:qweqwe@localhost/rhodecode
             # see sqlalchemy docs for other advanced settings
             ## print the sql statements to output
             sqlalchemy.db1.echo = false
             ## recycle the connections after this ammount of seconds
             sqlalchemy.db1.pool_recycle = 3600
             sqlalchemy.db1.convert_unicode = true
             ## the number of connections to keep open inside the connection pool.
             ## 0 indicates no limit
             #sqlalchemy.db1.pool_size = 5
             ## the number of connections to allow in connection pool "overflow", that is
             ## connections that can be opened above and beyond the pool_size setting,
             ## which defaults to five.
             #sqlalchemy.db1.max_overflow = 10
             ##################
             ### VCS CONFIG ###
             ##################
             vcs.server.enable = true
             vcs.server = localhost:9900
             ## Web server connectivity protocol, responsible for web based VCS operatations
             ## Available protocols are:
             ## `pyro4` - using pyro4 server
             ## `http` - using http-rpc backend
             #vcs.server.protocol = http
             ## Push/Pull operations protocol, available options are:
             ## `pyro4` - using pyro4 server
             ## `rhodecode.lib.middleware.utils.scm_app_http` - Http based, recommended
             ## `vcsserver.scm_app` - internal app (EE only)
             #vcs.scm_app_implementation = rhodecode.lib.middleware.utils.scm_app_http
             ## Push/Pull operations hooks protocol, available options are:
             ## `pyro4` - using pyro4 server
             ## `http` - using http-rpc backend
             #vcs.hooks.protocol = http
             vcs.server.log_level = info
             ## Start VCSServer with this instance as a subprocess, usefull for development
             vcs.start_server = false
             vcs.backends = hg, git, svn
             vcs.connection_timeout = 3600
             ## Compatibility version when creating SVN repositories. Defaults to newest version when commented out.
             ## Available options are: pre-1.4-compatible, pre-1.5-compatible, pre-1.6-compatible, pre-1.8-compatible
             #vcs.svn.compatible_version = pre-1.8-compatible
             ################################
             ### LOGGING CONFIGURATION   ####
             ################################
             [loggers]
             keys = root, routes, rhodecode, sqlalchemy, beaker, pyro4, templates, whoosh_indexer
             [handlers]
             keys = console, console_sql
             [formatters]
             keys = generic, color_formatter, color_formatter_sql
             #############
             ## LOGGERS ##
             #############
             [logger_root]
             level = NOTSET
             handlers = console
             [logger_routes]
             level = DEBUG
             handlers =
             qualname = routes.middleware
             ## "level = DEBUG" logs the route matched and routing variables.
             propagate = 1
             [logger_beaker]
             level = DEBUG
             handlers =
             qualname = beaker.container
             propagate = 1
             [logger_pyro4]
             level = DEBUG
             handlers =
             qualname = Pyro4
             propagate = 1
             [logger_templates]
             level = INFO
             handlers =
             qualname = pylons.templating
             propagate = 1
             [logger_rhodecode]
             level = DEBUG
             handlers =
             qualname = rhodecode
             propagate = 1
             [logger_sqlalchemy]
             level = INFO
             handlers = console_sql
             qualname = sqlalchemy.engine
             propagate = 0
             [logger_whoosh_indexer]
             level = DEBUG
             handlers =
             qualname = whoosh_indexer
             propagate = 1
             ##############
             ## HANDLERS ##
             ##############
             [handler_console]
             class = StreamHandler
             args = (sys.stderr,)
             level = INFO
             formatter = generic
             [handler_console_sql]
             class = StreamHandler
             args = (sys.stderr,)
             level = WARN
             formatter = generic
             ################
             ## FORMATTERS ##
             ################
             [formatter_generic]
             class = rhodecode.lib.logging_formatter.Pyro4AwareFormatter
             format = %(asctime)s.%(msecs)03d %(levelname)-5.5s [%(name)s] %(message)s
             datefmt = %Y-%m-%d %H:%M:%S
             [formatter_color_formatter]
             class = rhodecode.lib.logging_formatter.ColorFormatter
             format = %(asctime)s.%(msecs)03d %(levelname)-5.5s [%(name)s] %(message)s
             datefmt = %Y-%m-%d %H:%M:%S
             [formatter_color_formatter_sql]
             class = rhodecode.lib.logging_formatter.ColorFormatterSql
             format = %(asctime)s.%(msecs)03d %(levelname)-5.5s [%(name)s] %(message)s
             datefmt = %Y-%m-%d %H:%M:%S

rhodecode/lib/encrypt.py

0 +58 -5

             # -*- coding: utf-8 -*-
             # Copyright (C) 2014-2016  RhodeCode GmbH
             #
             # This program is free software: you can redistribute it and/or modify
             # it under the terms of the GNU Affero General Public License, version 3
             # (only), as published by the Free Software Foundation.
             #
             # This program is distributed in the hope that it will be useful,
             # but WITHOUT ANY WARRANTY; without even the implied warranty of
             # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
             # GNU General Public License for more details.
             #
             # You should have received a copy of the GNU Affero General Public License
             # along with this program.  If not, see <http://www.gnu.org/licenses/>.
             #
             # This program is dual-licensed. If you wish to learn more about the
             # RhodeCode Enterprise Edition, including its added features, Support services,
             # and proprietary license terms, please see https://rhodecode.com/licenses/
             """
             Generic encryption library for RhodeCode
             """
-            import hashlib
             import base64
             from Crypto.Cipher import AES
             from Crypto import Random
+            from Crypto.Hash import HMAC, SHA256
             from rhodecode.lib.utils2 import safe_str
+            class SignatureVerificationError(Exception):
+                pass
+            class InvalidDecryptedValue(str):
+                def __new__(cls, content):
+                    """
+                    This will generate something like this::
+                        <InvalidDecryptedValue(QkWusFgLJXR6m42v...)>
+                    And represent a safe indicator that encryption key is broken
+                    """
+                    content = '<{}({}...)>'.format(cls.__name__, content[:16])
+                    return str.__new__(cls, content)
             class AESCipher(object):
-                def __init__(self, key):
+                def __init__(self, key, hmac=False, strict_verification=True):
-                    # create padding, trim to long enc key
                     if not key:
                         raise ValueError('passed key variable is empty')
+                    self.strict_verification = strict_verification
                     self.block_size = 32
-                    self.key = hashlib.sha256(safe_str(key)).digest()
+                    self.hmac_size = 32
+                    self.hmac = hmac
+                    self.key = SHA256.new(safe_str(key)).digest()
+                    self.hmac_key = SHA256.new(self.key).digest()
+                def verify_hmac_signature(self, raw_data):
+                    org_hmac_signature = raw_data[-self.hmac_size:]
+                    data_without_sig = raw_data[:-self.hmac_size]
+                    recomputed_hmac = HMAC.new(
+                        self.hmac_key, data_without_sig, digestmod=SHA256).digest()
+                    return org_hmac_signature == recomputed_hmac
                 def encrypt(self, raw):
                     raw = self._pad(raw)
                     iv = Random.new().read(AES.block_size)
                     cipher = AES.new(self.key, AES.MODE_CBC, iv)
-                    return base64.b64encode(iv + cipher.encrypt(raw))
+                    enc_value = cipher.encrypt(raw)
+                    hmac_signature = ''
+                    if self.hmac:
+                        # compute hmac+sha256 on iv + enc text, we use
+                        # encrypt then mac method to create the signature
+                        hmac_signature = HMAC.new(
+                            self.hmac_key, iv + enc_value, digestmod=SHA256).digest()
+                    return base64.b64encode(iv + enc_value + hmac_signature)
                 def decrypt(self, enc):
+                    enc_org = enc
                     enc = base64.b64decode(enc)
+                    if self.hmac and len(enc) > self.hmac_size:
+                        if self.verify_hmac_signature(enc):
+                            # cut off the HMAC verification digest
+                            enc = enc[:-self.hmac_size]
+                        else:
+                            if self.strict_verification:
+                                raise SignatureVerificationError(
+                                    "Encryption signature verification failed. "
+                                    "Please check your secret key, and/or encrypted value. "
+                                    "Secret key is stored as "
+                                    "`rhodecode.encrypted_values.secret` or "
+                                    "`beaker.session.secret` inside .ini file")
+                            return InvalidDecryptedValue(enc_org)
                     iv = enc[:AES.block_size]
                     cipher = AES.new(self.key, AES.MODE_CBC, iv)
                     return self._unpad(cipher.decrypt(enc[AES.block_size:]))
                 def _pad(self, s):
                     return (s + (self.block_size - len(s) % self.block_size)
                             * chr(self.block_size - len(s) % self.block_size))
                 @staticmethod
                 def _unpad(s):
                     return s[:-ord(s[len(s)-1:])]

rhodecode/model/db.py

0 0 0

	1	NO CONTENT: modified file			NO CONTENT: modified file
The requested commit or file is too big and content was truncated. Show full diff

rhodecode/templates/base/base.html

0 +1 -1

             ## -*- coding: utf-8 -*-
             <%inherit file="root.html"/>
             <div class="outerwrapper">
               <!-- HEADER -->
               <div class="header">
                   <div id="header-inner" class="wrapper">
                       <div id="logo">
                           <div class="logo-wrapper">
                               <a href="${h.url('home')}"><img src="${h.url('/images/rhodecode-logo-white-216x60.png')}" alt="RhodeCode"/></a>
                           </div>
                           %if c.rhodecode_name:
                            <div class="branding">- ${h.branding(c.rhodecode_name)}</div>
                           %endif
                       </div>
                       <!-- MENU BAR NAV -->
                       ${self.menu_bar_nav()}
                       <!-- END MENU BAR NAV -->
                       ${self.body()}
                   </div>
               </div>
               ${self.menu_bar_subnav()}
               <!-- END HEADER -->
               <!-- CONTENT -->
               <div id="content" class="wrapper">
                   ${self.flash_msg()}
                   <div class="main">
                       ${next.main()}
                   </div>
               </div>
               <!-- END CONTENT -->
             </div>
             <!-- FOOTER -->
             <div id="footer">
                <div id="footer-inner" class="title wrapper">
                    <div>
                        <p class="footer-link-right">
                            % if c.visual.show_version:
                                RhodeCode Enterprise ${c.rhodecode_version} ${c.rhodecode_edition}
                            % endif
                            &copy; 2010-${h.datetime.today().year}, <a href="${h.url('rhodecode_official')}" target="_blank">RhodeCode GmbH</a>. All rights reserved.
                            % if c.visual.rhodecode_support_url:
                               <a href="${c.visual.rhodecode_support_url}" target="_blank">${_('Support')}</a>
                            % endif
                        </p>
                        <% sid = 'block' if request.GET.get('showrcid') else 'none' %>
                        <p class="server-instance" style="display:${sid}">
                            ## display hidden instance ID if specially defined
                            % if c.rhodecode_instanceid:
                                ${_('RhodeCode instance id: %s') % c.rhodecode_instanceid}
                            % endif
                        </p>
                    </div>
                </div>
             </div>
             <!-- END FOOTER -->
             ### MAKO DEFS ###
             <%def name="menu_bar_subnav()">
             </%def>
             <%def name="flash_msg()">
                 <%include file="/base/flash_msg.html"/>
             </%def>
             <%def name="breadcrumbs(class_='breadcrumbs')">
                 <div class="${class_}">
                 ${self.breadcrumbs_links()}
                 </div>
             </%def>
             <%def name="admin_menu()">
               <ul class="admin_menu submenu">
                   <li><a href="${h.url('admin_home')}">${_('Admin journal')}</a></li>
                   <li><a href="${h.url('repos')}">${_('Repositories')}</a></li>
                   <li><a href="${h.url('repo_groups')}">${_('Repository groups')}</a></li>
                   <li><a href="${h.url('users')}">${_('Users')}</a></li>
                   <li><a href="${h.url('users_groups')}">${_('User groups')}</a></li>
                   <li><a href="${h.url('admin_permissions_application')}">${_('Permissions')}</a></li>
                   <li><a href="${h.route_path('auth_home', traverse='')}">${_('Authentication')}</a></li>
                   <li><a href="${h.url('admin_defaults_repositories')}">${_('Defaults')}</a></li>
                   <li class="last"><a href="${h.url('admin_settings')}">${_('Settings')}</a></li>
               </ul>
             </%def>
             <%def name="dt_info_panel(elements)">
                 <dl class="dl-horizontal">
                 %for dt, dd, title, show_items in elements:
                   <dt>${dt}:</dt>
                   <dd title="${title}">
                   %if callable(dd):
                       ## allow lazy evaluation of elements
                       ${dd()}
                   %else:
                       ${dd}
                   %endif
                   %if show_items:
                       <span class="btn-collapse" data-toggle="item-${h.md5(dt)[:6]}-details">${_('Show More')} </span>
                   %endif
                   </dd>
                   %if show_items:
                       <div class="collapsable-content" data-toggle="item-${h.md5(dt)[:6]}-details" style="display: none">
                       %for item in show_items:
                           <dt></dt>
                           <dd>${item}</dd>
                       %endfor
                       </div>
                   %endif
                 %endfor
                 </dl>
             </%def>
             <%def name="gravatar(email, size=16)">
               <%
                 if (size > 16):
                     gravatar_class = 'gravatar gravatar-large'
                 else:
                     gravatar_class = 'gravatar'
               %>
               <%doc>
                 TODO: johbo: For now we serve double size images to make it smooth
                 for retina. This is how it worked until now. Should be replaced
                 with a better solution at some point.
               </%doc>
               <img class="${gravatar_class}" src="${h.gravatar_url(email, size * 2)}" height="${size}" width="${size}">
             </%def>
             <%def name="gravatar_with_user(contact, size=16, show_disabled=False)">
               <div class="rc-user tooltip" title="${contact}">
                 ${self.gravatar(h.email_or_none(contact), size)}
                 <span class="${'user user-disabled' if show_disabled else 'user'}"> ${h.link_to_user(contact)}</span>
               </div>
             </%def>
             ## admin menu used for people that have some admin resources
             <%def name="admin_menu_simple(repositories=None, repository_groups=None, user_groups=None)">
               <ul class="submenu">
                %if repositories:
                   <li><a href="${h.url('repos')}">${_('Repositories')}</a></li>
                %endif
                %if repository_groups:
                   <li><a href="${h.url('repo_groups')}">${_('Repository groups')}</a></li>
                %endif
                %if user_groups:
                   <li><a href="${h.url('users_groups')}">${_('User groups')}</a></li>
                %endif
               </ul>
             </%def>
             <%def name="repo_page_title(repo_instance)">
             <div class="title-content">
                 <div class="title-main">
                     ## SVN/HG/GIT icons
                     %if h.is_hg(repo_instance):
                         <i class="icon-hg"></i>
                     %endif
                     %if h.is_git(repo_instance):
                         <i class="icon-git"></i>
                     %endif
                     %if h.is_svn(repo_instance):
                         <i class="icon-svn"></i>
                     %endif
                     ## public/private
                     %if repo_instance.private:
                         <i class="icon-repo-private"></i>
                     %else:
                         <i class="icon-repo-public"></i>
                     %endif
                     ## repo name with group name
                     ${h.breadcrumb_repo_link(c.rhodecode_db_repo)}
                 </div>
                 ## FORKED
                 %if repo_instance.fork:
                 <p>
                     <i class="icon-code-fork"></i> ${_('Fork of')}
                     <a href="${h.url('summary_home',repo_name=repo_instance.fork.repo_name)}">${repo_instance.fork.repo_name}</a>
                 </p>
                 %endif
                 ## IMPORTED FROM REMOTE
                 %if repo_instance.clone_uri:
                 <p>
                    <i class="icon-code-fork"></i> ${_('Clone from')}
-                   <a href="${h.url(str(h.hide_credentials(repo_instance.clone_uri)))}">${h.hide_credentials(repo_instance.clone_uri)}</a>
+                   <a href="${h.url(h.safe_str(h.hide_credentials(repo_instance.clone_uri)))}">${h.hide_credentials(repo_instance.clone_uri)}</a>
                 </p>
                 %endif
                 ## LOCKING STATUS
                  %if repo_instance.locked[0]:
                    <p class="locking_locked">
                        <i class="icon-repo-lock"></i>
                        ${_('Repository locked by %(user)s') % {'user': h.person_by_id(repo_instance.locked[0])}}
                    </p>
                  %elif repo_instance.enable_locking:
                      <p class="locking_unlocked">
                          <i class="icon-repo-unlock"></i>
                          ${_('Repository not locked. Pull repository to lock it.')}
                      </p>
                  %endif
             </div>
             </%def>
             <%def name="repo_menu(active=None)">
                 <%
                 def is_active(selected):
                     if selected == active:
                         return "active"
                 %>
               <!--- CONTEXT BAR -->
               <div id="context-bar">
                 <div class="wrapper">
                   <ul id="context-pages" class="horizontal-list navigation">
                     <li class="${is_active('summary')}"><a class="menulink" href="${h.url('summary_home', repo_name=c.repo_name)}"><div class="menulabel">${_('Summary')}</div></a></li>
                     <li class="${is_active('changelog')}"><a class="menulink" href="${h.url('changelog_home', repo_name=c.repo_name)}"><div class="menulabel">${_('Changelog')}</div></a></li>
                     <li class="${is_active('files')}"><a class="menulink" href="${h.url('files_home', repo_name=c.repo_name, revision=c.rhodecode_db_repo.landing_rev[1])}"><div class="menulabel">${_('Files')}</div></a></li>
                     <li class="${is_active('compare')}">
                         <a class="menulink" href="${h.url('compare_home',repo_name=c.repo_name)}"><div class="menulabel">${_('Compare')}</div></a>
                     </li>
                     ## TODO: anderson: ideally it would have a function on the scm_instance "enable_pullrequest() and enable_fork()"
                     %if c.rhodecode_db_repo.repo_type in ['git','hg']:
                       <li class="${is_active('showpullrequest')}">
                         <a class="menulink" href="${h.url('pullrequest_show_all',repo_name=c.repo_name)}" title="${_('Show Pull Requests for %s') % c.repo_name}">
                           %if c.repository_pull_requests:
                             <span class="pr_notifications">${c.repository_pull_requests}</span>
                           %endif
                           <div class="menulabel">${_('Pull Requests')}</div>
                         </a>
                       </li>
                     %endif
                     <li class="${is_active('options')}">
                       <a class="menulink" href="#" class="dropdown"><div class="menulabel">${_('Options')} <div class="show_more"></div></div></a>
                       <ul class="submenu">
                          %if h.HasRepoPermissionAll('repository.admin')(c.repo_name):
                                <li><a href="${h.url('edit_repo',repo_name=c.repo_name)}">${_('Settings')}</a></li>
                          %endif
                           %if c.rhodecode_db_repo.fork:
                            <li><a href="${h.url('compare_url',repo_name=c.rhodecode_db_repo.fork.repo_name,source_ref_type=c.rhodecode_db_repo.landing_rev[0],source_ref=c.rhodecode_db_repo.landing_rev[1], target_repo=c.repo_name,target_ref_type='branch' if request.GET.get('branch') else c.rhodecode_db_repo.landing_rev[0],target_ref=request.GET.get('branch') or c.rhodecode_db_repo.landing_rev[1], merge=1)}">
                                ${_('Compare fork')}</a></li>
                           %endif
                           <li><a href="${h.url('search_repo_home',repo_name=c.repo_name)}">${_('Search')}</a></li>
                           %if h.HasRepoPermissionAny('repository.write','repository.admin')(c.repo_name) and c.rhodecode_db_repo.enable_locking:
                             %if c.rhodecode_db_repo.locked[0]:
                               <li><a class="locking_del" href="${h.url('toggle_locking',repo_name=c.repo_name)}">${_('Unlock')}</a></li>
                             %else:
                               <li><a class="locking_add" href="${h.url('toggle_locking',repo_name=c.repo_name)}">${_('Lock')}</a></li>
                             %endif
                           %endif
                           %if c.rhodecode_user.username != h.DEFAULT_USER:
                             %if c.rhodecode_db_repo.repo_type in ['git','hg']:
                               <li><a href="${h.url('repo_fork_home',repo_name=c.repo_name)}">${_('Fork')}</a></li>
                               <li><a href="${h.url('pullrequest_home',repo_name=c.repo_name)}">${_('Create Pull Request')}</a></li>
                             %endif
                           %endif
                          </ul>
                     </li>
                   </ul>
                 </div>
                 <div class="clear"></div>
               </div>
               <!--- END CONTEXT BAR -->
             </%def>
             <%def name="usermenu()">
                 ## USER MENU
                 <li id="quick_login_li">
                   <a id="quick_login_link" class="menulink childs">
                     ${gravatar(c.rhodecode_user.email, 20)}
                     <span class="user">
                       %if c.rhodecode_user.username != h.DEFAULT_USER:
                         <span class="menu_link_user">${c.rhodecode_user.username}</span><div class="show_more"></div>
                       %else:
                         <span>${_('Sign in')}</span>
                       %endif
                     </span>
                   </a>
               <div class="user-menu submenu">
                   <div id="quick_login">
                     %if c.rhodecode_user.username == h.DEFAULT_USER:
                         <h4>${_('Sign in to your account')}</h4>
                         ${h.form(h.route_path('login', _query={'came_from': h.url.current()}), needs_csrf_token=False)}
                         <div class="form form-vertical">
                             <div class="fields">
                                 <div class="field">
                                     <div class="label">
                                         <label for="username">${_('Username')}:</label>
                                     </div>
                                     <div class="input">
                                         ${h.text('username',class_='focus',tabindex=1)}
                                     </div>
                                 </div>
                                 <div class="field">
                                     <div class="label">
                                         <label for="password">${_('Password')}:</label>
                                         <span class="forgot_password">${h.link_to(_('(Forgot password?)'),h.route_path('reset_password'))}</span>
                                     </div>
                                     <div class="input">
                                         ${h.password('password',class_='focus',tabindex=2)}
                                     </div>
                                 </div>
                                 <div class="buttons">
                                     <div class="register">
                                     %if h.HasPermissionAny('hg.admin', 'hg.register.auto_activate', 'hg.register.manual_activate')():
                                      ${h.link_to(_("Don't have an account ?"),h.route_path('register'))}
                                     %endif
                                     </div>
                                     <div class="submit">
                                         ${h.submit('sign_in',_('Sign In'),class_="btn btn-small",tabindex=3)}
                                     </div>
                                 </div>
                             </div>
                         </div>
                         ${h.end_form()}
                     %else:
                         <div class="">
                             <div class="big_gravatar">${gravatar(c.rhodecode_user.email, 48)}</div>
                             <div class="full_name">${c.rhodecode_user.full_name_or_username}</div>
                             <div class="email">${c.rhodecode_user.email}</div>
                         </div>
                         <div class="">
                         <ol class="links">
                           <li>${h.link_to(_(u'My account'),h.url('my_account'))}</li>
                           <li class="logout">
                           ${h.secure_form(h.route_path('logout'))}
                               ${h.submit('log_out', _(u'Sign Out'),class_="btn btn-primary")}
                           ${h.end_form()}
                           </li>
                         </ol>
                         </div>
                     %endif
                   </div>
               </div>
                   %if c.rhodecode_user.username != h.DEFAULT_USER:
                     <div class="pill_container">
                     % if c.unread_notifications == 0:
                       <a class="menu_link_notifications empty" href="${h.url('notifications')}">${c.unread_notifications}</a>
                     % else:
                       <a class="menu_link_notifications" href="${h.url('notifications')}">${c.unread_notifications}</a>
                     % endif
                     </div>
                   % endif
                 </li>
             </%def>
             <%def name="menu_items(active=None)">
                 <%
                 def is_active(selected):
                     if selected == active:
                         return "active"
                     return ""
                 %>
                 <ul id="quick" class="main_nav navigation horizontal-list">
                   <!-- repo switcher -->
                   <li class="${is_active('repositories')} repo_switcher_li has_select2">
                     <input id="repo_switcher" name="repo_switcher" type="hidden">
                   </li>
                   ## ROOT MENU
                   %if c.rhodecode_user.username != h.DEFAULT_USER:
                     <li class="${is_active('journal')}">
                       <a class="menulink" title="${_('Show activity journal')}" href="${h.url('journal')}">
                         <div class="menulabel">${_('Journal')}</div>
                       </a>
                     </li>
                   %else:
                     <li class="${is_active('journal')}">
                       <a class="menulink" title="${_('Show Public activity journal')}" href="${h.url('public_journal')}">
                         <div class="menulabel">${_('Public journal')}</div>
                       </a>
                     </li>
                   %endif
                     <li class="${is_active('gists')}">
                       <a class="menulink childs" title="${_('Show Gists')}" href="${h.url('gists')}">
                         <div class="menulabel">${_('Gists')}</div>
                       </a>
                     </li>
                   <li class="${is_active('search')}">
                       <a class="menulink" title="${_('Search in repositories you have access to')}" href="${h.url('search')}">
                         <div class="menulabel">${_('Search')}</div>
                       </a>
                   </li>
                   % if h.HasPermissionAll('hg.admin')('access admin main page'):
                     <li class="${is_active('admin')}">
                       <a class="menulink childs" title="${_('Admin settings')}" href="#" onclick="return false;">
                         <div class="menulabel">${_('Admin')} <div class="show_more"></div></div>
                       </a>
                       ${admin_menu()}
                     </li>
                   % elif c.rhodecode_user.repositories_admin or c.rhodecode_user.repository_groups_admin or c.rhodecode_user.user_groups_admin:
                   <li class="${is_active('admin')}">
                       <a class="menulink childs" title="${_('Delegated Admin settings')}">
                         <div class="menulabel">${_('Admin')} <div class="show_more"></div></div>
                       </a>
                       ${admin_menu_simple(c.rhodecode_user.repositories_admin,
                                           c.rhodecode_user.repository_groups_admin,
                                           c.rhodecode_user.user_groups_admin or h.HasPermissionAny('hg.usergroup.create.true')())}
                   </li>
                   % endif
                   % if c.debug_style:
                   <li class="${is_active('debug_style')}">
                       <a class="menulink" title="${_('Style')}" href="${h.url('debug_style_home')}">
                         <div class="menulabel">${_('Style')}</div>
                       </a>
                   </li>
                   % endif
                   ## render extra user menu
                   ${usermenu()}
                 </ul>
                 <script type="text/javascript">
                     var visual_show_public_icon = "${c.visual.show_public_icon}" == "True";
                     /*format the look of items in the list*/
                     var format = function(state, escapeMarkup){
                         if (!state.id){
                           return state.text; // optgroup
                         }
                         var obj_dict = state.obj;
                         var tmpl = '';
                         if(obj_dict && state.type == 'repo'){
                             if(obj_dict['repo_type'] === 'hg'){
                                 tmpl += '<i class="icon-hg"></i> ';
                             }
                             else if(obj_dict['repo_type'] === 'git'){
                                 tmpl += '<i class="icon-git"></i> ';
                             }
                             else if(obj_dict['repo_type'] === 'svn'){
                                 tmpl += '<i class="icon-svn"></i> ';
                             }
                             if(obj_dict['private']){
                                 tmpl += '<i class="icon-lock" ></i> ';
                             }
                             else if(visual_show_public_icon){
                                 tmpl += '<i class="icon-unlock-alt"></i> ';
                             }
                         }
                         if(obj_dict && state.type == 'commit') {
                             tmpl += '<i class="icon-tag"></i>';
                         }
                         if(obj_dict && state.type == 'group'){
                             tmpl += '<i class="icon-folder-close"></i> ';
                         }
                         tmpl += escapeMarkup(state.text);
                         return tmpl;
                     };
                     var formatResult = function(result, container, query, escapeMarkup) {
                         return format(result, escapeMarkup);
                     };
                     var formatSelection = function(data, container, escapeMarkup) {
                         return format(data, escapeMarkup);
                     };
                     $("#repo_switcher").select2({
                         cachedDataSource: {},
                         minimumInputLength: 2,
                         placeholder: '<div class="menulabel">${_('Go to')} <div class="show_more"></div></div>',
                         dropdownAutoWidth: true,
                         formatResult: formatResult,
                         formatSelection: formatSelection,
                         containerCssClass: "repo-switcher",
                         dropdownCssClass: "repo-switcher-dropdown",
                         escapeMarkup: function(m){
                             // don't escape our custom placeholder
                             if(m.substr(0,23) == '<div class="menulabel">'){
                                 return m;
                             }
                             return Select2.util.escapeMarkup(m);
                         },
                         query: $.debounce(250, function(query){
                             self = this;
                             var cacheKey = query.term;
                             var cachedData = self.cachedDataSource[cacheKey];
                             if (cachedData) {
                                 query.callback({results: cachedData.results});
                             } else {
                                 $.ajax({
                                     url: "${h.url('goto_switcher_data')}",
                                     data: {'query': query.term},
                                     dataType: 'json',
                                     type: 'GET',
                                     success: function(data) {
                                         self.cachedDataSource[cacheKey] = data;
                                         query.callback({results: data.results});
                                     },
                                     error: function(data, textStatus, errorThrown) {
                                         alert("Error while fetching entries.\nError code {0} ({1}).".format(data.status, data.statusText));
                                     }
                                 })
                             }
                         })
                     });
                     $("#repo_switcher").on('select2-selecting', function(e){
                         e.preventDefault();
                         window.location = e.choice.url;
                     });
                     ## Global mouse bindings ##
                     // general help "?"
                     Mousetrap.bind(['?'], function(e) {
                         $('#help_kb').modal({})
                     });
                     // / open the quick filter
                     Mousetrap.bind(['/'], function(e) {
                         $("#repo_switcher").select2("open");
                         // return false to prevent default browser behavior
                         // and stop event from bubbling
                         return false;
                     });
                     // general nav g + action
                     Mousetrap.bind(['g h'], function(e) {
                         window.location = pyroutes.url('home');
                     });
                     Mousetrap.bind(['g g'], function(e) {
                         window.location = pyroutes.url('gists', {'private':1});
                     });
                     Mousetrap.bind(['g G'], function(e) {
                         window.location = pyroutes.url('gists', {'public':1});
                     });
                     Mousetrap.bind(['n g'], function(e) {
                         window.location = pyroutes.url('new_gist');
                     });
                     Mousetrap.bind(['n r'], function(e) {
                         window.location = pyroutes.url('new_repo');
                     });
                     % if hasattr(c, 'repo_name') and hasattr(c, 'rhodecode_db_repo'):
                         // nav in repo context
                         Mousetrap.bind(['g s'], function(e) {
                             window.location = pyroutes.url('summary_home', {'repo_name': REPO_NAME});
                         });
                         Mousetrap.bind(['g c'], function(e) {
                             window.location = pyroutes.url('changelog_home', {'repo_name': REPO_NAME});
                         });
                         Mousetrap.bind(['g F'], function(e) {
                             window.location = pyroutes.url('files_home', {'repo_name': REPO_NAME, 'revision': '${c.rhodecode_db_repo.landing_rev[1]}', 'f_path': '', 'search': '1'});
                         });
                         Mousetrap.bind(['g f'], function(e) {
                             window.location = pyroutes.url('files_home', {'repo_name': REPO_NAME, 'revision': '${c.rhodecode_db_repo.landing_rev[1]}', 'f_path': ''});
                         });
                         Mousetrap.bind(['g p'], function(e) {
                             window.location = pyroutes.url('pullrequest_show_all', {'repo_name': REPO_NAME});
                         });
                         Mousetrap.bind(['g o'], function(e) {
                             window.location = pyroutes.url('edit_repo', {'repo_name': REPO_NAME});
                         });
                         Mousetrap.bind(['g O'], function(e) {
                             window.location = pyroutes.url('edit_repo_perms', {'repo_name': REPO_NAME});
                         });
                     % endif
                 </script>
                 <script src="${h.url('/js/rhodecode/base/keyboard-bindings.js', ver=c.rhodecode_version_hash)}"></script>
             </%def>
             <div class="modal" id="help_kb" tabindex="-1" role="dialog" aria-labelledby="myModalLabel" aria-hidden="true">
                 <div class="modal-dialog">
                   <div class="modal-content">
                     <div class="modal-header">
                       <button type="button" class="close" data-dismiss="modal" aria-hidden="true">&times;</button>
                       <h4 class="modal-title" id="myModalLabel">${_('Keyboard shortcuts')}</h4>
                     </div>
                     <div class="modal-body">
                           <div class="block-left">
                             <table class="keyboard-mappings">
                                 <tbody>
                               <tr>
                                 <th></th>
                                 <th>${_('Site-wide shortcuts')}</th>
                               </tr>
                               <%
                                  elems = [
                                      ('/', 'Open quick search box'),
                                      ('g h', 'Goto home page'),
                                      ('g g', 'Goto my private gists page'),
                                      ('g G', 'Goto my public gists page'),
                                      ('n r', 'New repository page'),
                                      ('n g', 'New gist page'),
                                  ]
                               %>
                               %for key, desc in elems:
                               <tr>
                                 <td class="keys">
                                   <span class="key tag">${key}</span>
                                 </td>
                                 <td>${desc}</td>
                               </tr>
                             %endfor
                             </tbody>
                               </table>
                           </div>
                           <div class="block-left">
                             <table class="keyboard-mappings">
                             <tbody>
                               <tr>
                                 <th></th>
                                 <th>${_('Repositories')}</th>
                               </tr>
                               <%
                                  elems = [
                                      ('g s', 'Goto summary page'),
                                      ('g c', 'Goto changelog page'),
                                      ('g f', 'Goto files page'),
                                      ('g F', 'Goto files page with file search activated'),
                                      ('g p', 'Goto pull requests page'),
                                      ('g o', 'Goto repository settings'),
                                      ('g O', 'Goto repository permissions settings'),
                                  ]
                               %>
                               %for key, desc in elems:
                               <tr>
                                 <td class="keys">
                                   <span class="key tag">${key}</span>
                                 </td>
                                 <td>${desc}</td>
                               </tr>
                             %endfor
                             </tbody>
                           </table>
                         </div>
                     </div>
                     <div class="modal-footer">
                     </div>
                   </div><!-- /.modal-content -->
                 </div><!-- /.modal-dialog -->
             </div><!-- /.modal -->

rhodecode/tests/lib/test_encrypt.py

0 +37 -1

             # -*- coding: utf-8 -*-
             # Copyright (C) 2010-2016  RhodeCode GmbH
             #
             # This program is free software: you can redistribute it and/or modify
             # it under the terms of the GNU Affero General Public License, version 3
             # (only), as published by the Free Software Foundation.
             #
             # This program is distributed in the hope that it will be useful,
             # but WITHOUT ANY WARRANTY; without even the implied warranty of
             # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
             # GNU General Public License for more details.
             #
             # You should have received a copy of the GNU Affero General Public License
             # along with this program.  If not, see <http://www.gnu.org/licenses/>.
             #
             # This program is dual-licensed. If you wish to learn more about the
             # RhodeCode Enterprise Edition, including its added features, Support services,
             # and proprietary license terms, please see https://rhodecode.com/licenses/
             import pytest
-            from rhodecode.lib.encrypt import AESCipher
+            from rhodecode.lib.encrypt import (
+                AESCipher, SignatureVerificationError, InvalidDecryptedValue)
             class TestEncryptModule(object):
                 @pytest.mark.parametrize(
                     "key, text",
                     [
                         ('a', 'short'),
                         ('a'*64, 'too long(trimmed to 32)'),
                         ('a'*32, 'just enough'),
                         ('ąćęćę', 'non asci'),
                         ('$asa$asa', 'special $ used'),
                     ]
                 )
                 def test_encryption(self, key, text):
                     enc = AESCipher(key).encrypt(text)
                     assert AESCipher(key).decrypt(enc) == text
+                def test_encryption_with_hmac(self):
+                    key = 'secret'
+                    text = 'ihatemysql'
+                    enc = AESCipher(key, hmac=True).encrypt(text)
+                    assert AESCipher(key, hmac=True).decrypt(enc) == text
+                def test_encryption_with_hmac_with_bad_key(self):
+                    key = 'secretstring'
+                    text = 'ihatemysql'
+                    enc = AESCipher(key, hmac=True).encrypt(text)
+                    with pytest.raises(SignatureVerificationError) as e:
+                        assert AESCipher('differentsecret', hmac=True).decrypt(enc) == ''
+                    assert 'Encryption signature verification failed' in str(e)
+                def test_encryption_with_hmac_with_bad_data(self):
+                    key = 'secret'
+                    text = 'ihatemysql'
+                    enc = AESCipher(key, hmac=True).encrypt(text)
+                    enc = 'xyz' + enc[3:]
+                    with pytest.raises(SignatureVerificationError) as e:
+                        assert AESCipher(key, hmac=True).decrypt(enc) == text
+                    assert 'Encryption signature verification failed' in str(e)
+                def test_encryption_with_hmac_with_bad_key_not_strict(self):
+                    key = 'secretstring'
+                    text = 'ihatemysql'
+                    enc = AESCipher(key, hmac=True).encrypt(text)
+                    assert isinstance(AESCipher(
+                        'differentsecret', hmac=True, strict_verification=False
+                    ).decrypt(enc), InvalidDecryptedValue)

General Comments 0

Write
Preview

You need to be logged in to leave comments. Login now

No TODOs yet

	Site-wide shortcuts
/	Use quick search box
g h	Goto home page
g g	Goto my private gists page
g G	Goto my public gists page
g 0-9	Goto bookmarked items from 0-9
n r	New repository page
n g	New gist page

	Repositories
g s	Goto summary page
g c	Goto changelog page
g f	Goto files page
g F	Goto files page with file search activated
g p	Goto pull requests page
g o	Goto repository settings
g O	Goto repository access permissions settings
t s	Toggle sidebar on some pages