"""
If you want to catch any exception that might be raised,
catch :class:`mohawk.exc.HawkFail`.

.. important::

    Never expose an exception message publicly, say, in an HTTP
    response, as it may provide hints to an attacker. Log the message
    server-side and send the client a generic failure instead.
"""
class HawkFail(Exception):
    """
    Common base class of every exception that Mohawk raises.

    Catching this type catches any Mohawk failure.
    """
class MissingAuthorization(HawkFail):
    """
    The client did not send an authorization header.
    """
class InvalidCredentials(HawkFail):
    """
    The Hawk credentials that were specified are not valid.

    One possible cause is a credentials dict that is formatted
    incorrectly.
    """
class CredentialsLookupError(HawkFail):
    """
    Credentials for an incoming request could not be looked up
    by a :class:`mohawk.Receiver`.
    """
class MacMismatch(HawkFail):
    """
    The MAC that was sent differs from the MAC calculated locally.
    """
class MisComputedContentHash(HawkFail):
    """
    The actual content does not match the signature of the content
    that came with it.
    """
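class TokenExpired(HawkFail):
    """
    The timestamp on a message received has expired.

    You may also receive this message if your server clock is out of sync.
    Consider synchronizing it with something like `TLSdate`_.

    If you are unable to synchronize your clock universally,
    the `Hawk`_ spec mentions how you can `adjust`_
    your sender's time to match that of the receiver in the case
    of unexpected expiration.

    The ``www_authenticate`` attribute of this exception is a header
    that can be returned to the client. If the value is not None, it
    will include a timestamp HMAC'd with the sender's credentials.
    This will allow the client
    to verify the value and safely apply an offset.

    Only the ``www_authenticate`` header is meant for the client; the
    exception message itself should stay in server-side logs and out of
    the HTTP response.

    .. _`Hawk`: https://github.com/hueniverse/hawk
    .. _`adjust`: https://github.com/hueniverse/hawk#future-time-manipulation
    .. _`TLSdate`: http://linux-audit.com/tlsdate-the-secure-alternative-for-ntpd-ntpdate-and-rdate/
    """
    #: Current local time in seconds that was used to compare timestamps.
    localtime_in_seconds = None
    #: A header containing an HMAC'd server timestamp that the sender can verify.
    www_authenticate = None

    def __init__(self, *args, **kw):
        """
        Store the timestamp details, then initialise the base exception.

        Both ``localtime_in_seconds`` and ``www_authenticate`` must be
        passed as keyword arguments; a missing one raises ``KeyError``
        because ``pop`` is called without a default. They are removed
        from ``kw`` before the remaining arguments go to the parent
        initialiser.
        """
        self.localtime_in_seconds = kw.pop('localtime_in_seconds')
        self.www_authenticate = kw.pop('www_authenticate')
        # Name this class, not HawkFail: super(HawkFail, self) starts the
        # lookup after HawkFail and would skip any __init__ defined on it.
        super(TokenExpired, self).__init__(*args, **kw)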
class AlreadyProcessed(HawkFail):
    """
    This message was processed before and will not be processed again.

    Details are in :ref:`nonce`.
    """
class InvalidBewit(HawkFail):
    """
    The bewit is not valid, for instance because it does not contain
    the right number of parameters.
    """
class MissingContent(HawkFail):
    """
    The `content` or `content_type` of a payload was not provided.

    Details are in :ref:`skipping-content-checks`.
    """