U cx@sdZddlmZddlmZddlmZmZddlm Z ddl m Z ddl m Z mZmZddlZddlZddlZddlZd ZeeZd d ZGd d d e ZdS)a: WSGI middleware for HTTP basic and digest authentication. Usage:: from http_authenticator import HTTPAuthenticator WSGIApp = HTTPAuthenticator(ProtectedWSGIApp, domain_controller, accept_basic, accept_digest, default_to_digest) where: ProtectedWSGIApp is the application requiring authenticated access domain_controller is a domain controller object meeting specific requirements (below) accept_basic is a boolean indicating whether to accept requests using the basic authentication scheme (default = True) accept_digest is a boolean indicating whether to accept requests using the digest authentication scheme (default = True) default_to_digest is a boolean. if True, an unauthenticated request will be sent a digest authentication required response, else the unauthenticated request will be sent a basic authentication required response (default = True) The HTTPAuthenticator will put the following authenticated information in the environ dictionary:: environ["wsgidav.auth.realm"] = realm name environ["wsgidav.auth.user_name"] = user_name environ["wsgidav.auth.roles"] = (optional) environ["wsgidav.auth.permissions"] = (optional) **Domain Controllers** The HTTP basic and digest authentication schemes are based on the following concept: Each requested relative URI can be resolved to a realm for authentication, for example: /fac_eng/courses/ee5903/timetable.pdf -> might resolve to realm 'Engineering General' /fac_eng/examsolns/ee5903/thisyearssolns.pdf -> might resolve to realm 'Engineering Lecturers' /med_sci/courses/m500/surgery.htm -> might resolve to realm 'Medical Sciences General' and each realm would have a set of user_name and password pairs that would allow access to the resource. A domain controller provides this information to the HTTPAuthenticator. This allows developers to write their own domain controllers, that might, for example, interface with their own user database. for simple applications, a SimpleDomainController is provided that will take in a single realm name (for display) and a single dictionary of user_name (key) and password (value) string pairs Usage:: from wsgidav.dc.simple_dc import SimpleDomainController users = dict(({'John Smith': 'YouNeverGuessMe', 'Dan Brown': 'DontGuessMeEither'}) realm = 'Sample Realm' domain_controller = SimpleDomainController(users, realm) Domain Controllers must provide the methods as described in ``wsgidav.interfaces.domaincontrollerinterface`` (interface_) .. _interface : interfaces/domaincontrollerinterface.py The environ variable here is the WSGI 'environ' dictionary. It is passed to all methods of the domain controller as a means for developers to pass information from previous middleware or server config (if required). )md5)dedent)compatutil)SimpleDomainController)BaseMiddleware) calc_base64calc_hexdigestdynamic_import_classNreStructuredTextcCsb|did}|}|dks"|s(t}nt|r:t|}t|rP|||}ntd||S)Nhttp_authenticatordomain_controllerTz2Could not resolve domain controller class (got {})) getrr is_basestringr inspectisclass RuntimeErrorformat) wsgidav_appconfigdcZorg_dcr*/opt/wsgidav/wsgidav/http_authenticator.pymake_domain_controllerbs    rcseZdZdZedZfddZddZddZe d Z d d Z d d Z ddZddZddZddZddZddZZS)HTTPAuthenticatorz4WSGI Middleware for basic and digest authentication.z 401 Access not authorized

401 Access not authorized

csDtt|||||dd|_||_t||}||_|di}|dd|_|dd|_ |di}|dd |_ |d d |_ |d d |_ |d d|_ |s|j s|j s|j std |jjtg|_td|_td|_td|_ddlm}||did|_d|_|jr@|j|_dS)Nverbosehotfixeswinxp_accept_root_share_loginFwin_accept_anonymous_optionsr accept_basicT accept_digestdefault_to_digesttrusted_auth_headerzn{} does not support digest authentication. Set accept_basic=True, accept_digest=False, default_to_digest=Falsez([\w]+)=([^,]*),z([\w]+)=("[^"]*,[^"]*"),z^([\w]+)r)PathZacrm_dc pub_key_path) superr__init__r_verboserrr rrr r!r"r#Zsupports_http_digest_authrr __class____name__dictZ _nonce_dictrecompile_header_parser_header_fix_parser_header_methodpathlibr$r%pub_keyexists read_bytes)selfrnext_apprrr auth_confr$r)rrr'sP         zHTTPAuthenticator.__init__cCs|jSN)r )r5rrrget_domain_controllersz'HTTPAuthenticator.get_domain_controllercCs|j|dSr9)r require_authentication)r5Zsharerrrallow_anonymous_accesssz(HTTPAuthenticator.allow_anonymous_accessz)^s_[a-zA-Z0-9_@.-]+_[a-zA-Z0-9@\.]{8}_87$c Csddl}ddl}z|j||jddgd}Wn|jk rBYdSX|d}|d}|dp`d}||d <||d <d g|d <||d <||d<dS)NrZRS256ZHS256)keyZ algorithmsloginexpscopewsgidav.auth.user_namewsgidav.auth.realm*wsgidav.auth.roleszwsgidav.auth.jwtzwsgidav.auth.jwt_decoded)socketjwtdecoder2ZInvalidTokenErrorrsplit gethostname) r5environZ jwt_contentrFrGZ jwt_decodedr>r?r@rrrset_environ_from_jwts  z&HTTPAuthenticator.set_environ_from_jwtcCs|j|d|}||d<d|d<d|d<d|d<d}d|d dkrTd }td d}|jrx|d d krxtdd }|s|j||s|||Sd}d}|dd}|st |dkr|d}|j |rddl } ddl } ddl} |dd} | d| d|} | s$td| }| |}|d}|d}|d}|| krftdd|d|di}|r||krtddd|dd|d<t| dd|d<||d<| | |ddl}|j|d}d}|s,|r,|d }|r,|jd!kr,|j}d }td"t||sJd}t|dd#t|d$d%|rZtd&||||dr8td'|r,td(|d$}|std)| ||S|d*d+}dd,l!m"}||#}|d-d} |d| kr,td.| ||S|||S|d$sZtd/| ||S|j$r||j$rtd0%|j$||j$|||j$|d<|||Sd$|kr|s|d$}|j&'|}d!}|r|(d)}|d1kr|j*r|+||S|d1kr"|j,r"|-||S|d2kr@|j,r@|.||S|j/r\|j*r\|0||S|j,rp|-||Std3%||d4d5d6t12fgdgS|j/r|0||S|-||S)7N PATH_INFOrCrArBrEzwsgidav.auth.permissionsFZlogout QUERY_STRINGTz Force logoutREQUEST_METHODZOPTIONSz,No authorization required for OPTIONS method/r_z/opt/rdisk/sessions/u Сессия не найденаrGr?Z CLIENT_DATAu1Срок действия сессии истекZ REMOTE_ADDRz X-Real-IPuИзменился клиентiQZ HTTP_COOKIEZ access_tokenNonezASDJKLJLKASDKLJASD uНЕТ КУКИHTTP_AUTHORIZATIONuНЕТ HTTP_AUTHORIZATIONzif jwt:zif wsgidav.auth.user_namezif jwt_from_cookiezif not http_auth ) b64decode:zif user_name != loginz!if wsgidav.auth.user_name: | elsez.Accept trusted user_name {}='{}'for realm '{}'digestZbasicz@HTTPAuthenticator: respond with 400 Bad request; Auth-Method: {}z400 Bad Request)Content-Length0Date)3r get_domain_realmr_loggerwarningrr;r6rIlensession_name_regexmatchr1jsontimer$r3 Exception read_textloadsjoinintZ write_textdumpsZ http.cookiesZcookiesZ SimpleCookievalueinforeprdebugrL$send_basic_auth_response_flush_tokenbase64rYrHr#rr0searchgrouplowerr!handle_digest_auth_requestr send_basic_auth_responsehandle_basic_auth_requestr"send_digest_auth_responserget_rfc1123_time)r5rKstart_responserealmZ force_logoutZ force_allowrGZ session_nameZpath_info_splitr1rerfr>Z json_pathZjson_strZ json_datar?Zsaved_client_dataZenviron_client_datahttpZcookieZjwt_from_cookieZaccess_token_cookieZ http_authZlogin_pass_b64rYZ login_pass auth_headerZ auth_matchZ auth_methodrrr__call__s                                  zHTTPAuthenticator.__call__c Cs|j|d|}td|d|d}t|j}dd| d dd dd d}|d d |fd d t t |fdt fdd|dfg|gS)NrMz0!@#!@# 401 Not Authorized for realm '{}' (basic) Basic realm="". HTTP_HOSTrZr401 Not AuthorizedWWW-Authenticatez Content-Typez text/htmlr\r^z Set-Cookiez"access_token=None; path=/; domain=z'; expires=Thu, 02 Jan 2070 00:00:00 GMT)r r_r`rprrto_byteserror_message_401rjrrIstrrbrrz)r5rKr{r|wwwauthheadersbodydomainrrrrqs  ,  z6HTTPAuthenticator.send_basic_auth_response_flush_tokencCsj|j|d|}td|d|d}t|j}|dd|fddtt |fd t fg|gS) NrMz)401 Not Authorized for realm '{}' (basic)rrrrrr\r^) r r_r`rprrrrrrbrrz)r5rKr{r|rrrrrrws    z*HTTPAuthenticator.send_basic_auth_responsecCs|j|d|}|d}d}z|tdd}Wntk rNd}YnXtt|}t|}| dd\}}|j ||||r||d<||d<| ||St d |||||S) NrMrVrAzBasic rZrRrCrBz8Authentication (basic) failed for user '{}', realm '{}'.)r r_rbstriprgrbase64_decodebytesr to_nativerIZbasic_auth_userr6r`rarrw)r5rKr{r|r~Z auth_value user_namepasswordrrrrxs*   z+HTTPAuthenticator.handle_basic_auth_requestc Cs|j|d|}tttddd}t|d}tt}|t|d|d|}t |}d ||} t d || t |j} |dd| fd d tt| fd tfg| gS) NrM rQrZz8Digest realm="{}", nonce="{}", algorithm=MD5, qop="auth"z.401 Not Authorized for realm '{}' (digest): {}rrrr\r^)r r_randomseedhex getrandbitsr rrfrrr`rprrrrbrrz) r5rKr{r|Z serverkeyZetagkeyZtimekeyZ nonce_sourcenoncerrrrrrys<     z+HTTPAuthenticator.send_digest_auth_responsec Cs|j|d|}d}g}i}|dd}|dsPd}|d||j|}|j |} | rt d|| || 7}|D]&} | d } | d d } | || <qd} d |kr|d } | sd}|d | n,d| kr| }| dd} t d|| nd}|dd|krt|d | krt|jr`|ddkr`t dnd}|d|d|kr|d dkrd}|d|d}d|kr|d}nd}|dd}d|krd}|d}|dkrd}|dnd}d|kr|d}nd}|r2d}|d d!|krF|d!}nd}|r^d}|d"d#|krr|d#}nd}|d$|sL|d%}||| ||||||| }|sd}|d&|| n||krLd'|| ||}|jr<|dkr<|d| ||||||| }||kr(t d(|nd}||d)nd}||n|r|d*||jd+krt d,| |d-|nt d.| ||||S||d/<| |d0<|||S)1NrMFrV,r[Tz/HTTP_AUTHORIZATION must start with 'digest': {}z3Fixing auth_header comma-parsing: extend {} with {}rrRrusernamez`username` is empty: {!r}z\\\z8Fixing Windows name with double backslash: '{}' --> '{}'zMissing 'username' in headersr|rPrzRealm mismatch: '{}' algorithmMD5z"Unsupported 'algorithm' in headersurirzExpected 'nonce' in headersqopauthzExpected 'qop' == 'auth'cnoncez-Expected 'cnonce' in headers if qop is passedncz)Expected 'nc' in headers if qop is passedresponsezExpected 'response' in headersrOz+Rejected by DC.digest_auth_user('{}', '{}')z2compute_digest_response('{}', '{}', ...): {} != {}zAhandle_digest_auth_request: HOTFIX: accepting '/' login for '{}'.z (also tried '/' realm)zHeaders: {}z>Authentication (digest) failed for user '{}', realm '{}': {}z z9Authentication (digest) failed for user '{}', realm '{}'.rCrB)r r_rur startswithappendrr.findallr/r`rnreplaceupperrrcompute_digest_responserar(rjryr6)r5rKr{r|Zis_invalid_reqZinvalid_req_reasonsZauth_header_dictZ auth_headersZauth_header_listZauth_header_fixlistr~Zauth_header_keyZauth_header_valueZ req_usernameZreq_username_orgZreq_uriZ req_nonceZ req_has_qopZreq_qopZ req_cnonceZreq_ncZ req_responseZ req_methodZrequired_digestZ warning_msgZ root_digestrrrrvs@                                 z,HTTPAuthenticator.handle_digest_auth_requestc sddfdd} |j||| } | s,dS|d|} |rl| | |d|d|d|d| } n| | |d| } | S)a`Computes digest hash. Calculation of the A1 (HA1) part is delegated to the dc interface method `digest_auth_user()`. Args: realm (str): user_name (str): method (str): WebDAV Request Method uri (str): nonce (str): server generated nonce value cnonce (str): client generated cnonce value qop (str): quality of protection nc (str) (number), nonce counter incremented by client Returns: MD5 hash string or False if user rejected by domain controller cSstt|Sr9)rrr hexdigest)datarrrmd5hsz7HTTPAuthenticator.compute_digest_response..md5hcs|d|S)NrZr)Zsecretrrrrmd5kdsz8HTTPAuthenticator.compute_digest_response..md5kdFrZ)r Zdigest_auth_user)r5r|rmethodrrrrrrKrZA1ZA2resrrrrs  &z)HTTPAuthenticator.compute_digest_response)r* __module__ __qualname____doc__rrr'r:r<r,r-rcrLrrqrwrxryrvr __classcell__rrr8rrzs$ 7 D"Zr)rhashlibrtextwraprwsgidavrrZwsgidav.dc.simple_dcrwsgidav.middlewarerZ wsgidav.utilrr r rrr,rf __docformat__get_module_loggerr*r`rrrrrrsJ