annotate examples/trac/trac/web/auth.py @ 39:93b4dcbafd7b trunk

Copy Trac to main branch.
author cmlenz
date Mon, 03 Jul 2006 18:53:27 +0000
1 # -*- coding: utf-8 -*-
2 #
3 # Copyright (C) 2003-2005 Edgewall Software
4 # Copyright (C) 2003-2005 Jonas Borgström <jonas@edgewall.com>
5 # All rights reserved.
6 #
7 # This software is licensed as described in the file COPYING, which
8 # you should have received as part of this distribution. The terms
9 # are also available at http://trac.edgewall.com/license.html.
10 #
11 # This software consists of voluntary contributions made by many
12 # individuals. For the exact contribution history, see the revision
13 # history and logs, available at http://projects.edgewall.com/trac/.
14 #
15 # Author: Jonas Borgström <jonas@edgewall.com>
try:
    from base64 import b64decode
except ImportError:
    from base64 import decodestring as b64decode
import binascii
import md5
import re
import sys
import time
import urllib2

from trac.config import BoolOption
from trac.core import *
from trac.web.api import IAuthenticator, IRequestHandler
from trac.web.chrome import INavigationContributor
from trac.util import hex_entropy, md5crypt
from trac.util.markup import escape, html
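class LoginModule(Component):
    """Implements user authentication based on HTTP authentication provided by
    the web-server, combined with cookies for communicating the login
    information across the whole site.

    This mechanism expects that the web-server is setup so that a request to the
    path '/login' requires authentication (such as Basic or Digest). The login
    name is then stored in the database and associated with a unique key that
    gets passed back to the user agent using the 'trac_auth' cookie. This cookie
    is used to identify the user in subsequent requests to non-protected
    resources.
    """

    implements(IAuthenticator, INavigationContributor, IRequestHandler)

    check_ip = BoolOption('trac', 'check_auth_ip', 'true',
        """Whether the IP address of the user should be checked for
        authentication (''since 0.9'').""")

    ignore_case = BoolOption('trac', 'ignore_auth_case', 'false',
        """Whether case should be ignored for login names (''since 0.9'').""")

    # IAuthenticator methods

    def authenticate(self, req):
        """Return the login name for `req`, or None if none can be determined.

        A name supplied by the web server in `req.remote_user` takes
        precedence; otherwise the 'trac_auth' cookie is resolved against the
        `auth_cookie` table. The name is lower-cased when `ignore_case` is set.
        """
        authname = None
        if req.remote_user:
            authname = req.remote_user
        elif req.incookie.has_key('trac_auth'):
            authname = self._get_name_for_cookie(req, req.incookie['trac_auth'])

        if not authname:
            return None

        if self.ignore_case:
            authname = authname.lower()

        return authname

    # INavigationContributor methods

    def get_active_navigation_item(self, req):
        """Return the name of the navigation item owned by this module."""
        return 'login'

    def get_navigation_items(self, req):
        """Yield the 'metanav' entries: login state plus a login/logout link."""
        if req.authname and req.authname != 'anonymous':
            yield ('metanav', 'login', 'logged in as %s' % req.authname)
            yield ('metanav', 'logout',
                   html.A('Logout', href=req.href.logout()))
        else:
            yield ('metanav', 'login',
                   html.A('Login', href=req.href.login()))

    # IRequestHandler methods

    def match_request(self, req):
        """Match exactly '/login' and '/logout' (optionally with a trailing
        slash).

        The pattern is anchored at the end so that unrelated paths which merely
        begin with '/login' or '/logout' are not routed to this handler.
        """
        return re.match('/(login|logout)/?$', req.path_info)

    def process_request(self, req):
        """Perform the login or logout, then redirect back to the referring
        page."""
        if req.path_info.startswith('/login'):
            self._do_login(req)
        elif req.path_info.startswith('/logout'):
            self._do_logout(req)
        self._redirect_back(req)

    # Internal methods

    def _do_login(self, req):
        """Log the remote user in.

        This function expects to be called when the remote user name is
        available. The user name is inserted into the `auth_cookie` table and a
        cookie identifying the user on subsequent requests is sent back to the
        client.

        If the Authenticator was created with `ignore_case` set to true, then
        the authentication name passed from the web server in req.remote_user
        will be converted to lower case before being used. This is to avoid
        problems on installations authenticating against Windows which is not
        case sensitive regarding user names and domain names

        Raises AssertionError when no remote user is available or when the
        request is already authenticated as a different user.
        """
        # These are authentication preconditions, so they are raised
        # explicitly: a plain `assert` is removed when Python runs with -O,
        # which would let a session row be created without a user name.
        if not req.remote_user:
            raise AssertionError('Authentication information not available.')

        remote_user = req.remote_user
        if self.ignore_case:
            remote_user = remote_user.lower()

        if req.authname not in ('anonymous', remote_user):
            raise AssertionError('Already logged in as %s.' % req.authname)

        cookie = hex_entropy()
        db = self.env.get_db_cnx()
        cursor = db.cursor()
        cursor.execute("INSERT INTO auth_cookie (cookie,name,ipnr,time) "
                       "VALUES (%s, %s, %s, %s)", (cookie, remote_user,
                       req.remote_addr, int(time.time())))
        db.commit()

        req.authname = remote_user
        # NOTE(review): only 'path' is set on the session cookie here; no
        # 'secure' attribute is requested, so on a site that is also reachable
        # over plain HTTP the cookie would be sent unencrypted. Confirm the
        # deployment enforces HTTPS.
        req.outcookie['trac_auth'] = cookie
        req.outcookie['trac_auth']['path'] = req.href()

    def _do_logout(self, req):
        """Log the user out.

        Deletes every `auth_cookie` record stored for the user's name, so all
        sessions of that user are ended, not only the current one.
        """
        if req.authname == 'anonymous':
            # Not logged in
            return

        # While deleting this cookie we also take the opportunity to delete
        # cookies older than 10 days
        db = self.env.get_db_cnx()
        cursor = db.cursor()
        cursor.execute("DELETE FROM auth_cookie WHERE name=%s OR time < %s",
                       (req.authname, int(time.time()) - 86400 * 10))
        db.commit()
        self._expire_cookie(req)

    def _expire_cookie(self, req):
        """Instruct the user agent to drop the auth cookie by setting the
        "expires" property to a date in the past.
        """
        req.outcookie['trac_auth'] = ''
        req.outcookie['trac_auth']['path'] = req.href()
        req.outcookie['trac_auth']['expires'] = -10000

    def _get_name_for_cookie(self, req, cookie):
        """Return the user name stored for `cookie`, or None if it is unknown.

        When `check_ip` is enabled the cookie is only accepted from the IP
        address it was issued to. An unknown cookie is expired on the client.
        """
        # NOTE(review): the lookup does not test the row's `time` column; in
        # this module old rows are only purged as a side effect of a logout,
        # so a cookie may remain valid longer than 10 days.
        db = self.env.get_db_cnx()
        cursor = db.cursor()
        if self.check_ip:
            cursor.execute("SELECT name FROM auth_cookie "
                           "WHERE cookie=%s AND ipnr=%s",
                           (cookie.value, req.remote_addr))
        else:
            cursor.execute("SELECT name FROM auth_cookie WHERE cookie=%s",
                           (cookie.value,))
        row = cursor.fetchone()
        if not row:
            # The cookie is invalid (or has been purged from the database), so
            # tell the user agent to drop it as it is invalid
            self._expire_cookie(req)
            return None

        return row[0]

    def _redirect_back(self, req):
        """Redirect the user back to the URL she came from.

        The Referer header is client-controlled, so it is only honoured when it
        points into this site; otherwise the site's base URL is used.
        """
        referer = req.get_header('Referer')
        if referer:
            # A bare prefix test would also accept a foreign host whose name
            # merely starts with ours (base URL followed by more host
            # characters), so require the base URL itself or the base URL
            # followed by a path separator.
            base = req.base_url.rstrip('/')
            if not (referer == req.base_url or
                    referer.startswith(base + '/')):
                # only redirect to referer if it is from the same site
                referer = None
        req.redirect(referer or req.abs_href())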
class HTTPAuthentication(object):
    """Base class for the HTTP authentication schemes defined in this module.

    Subclasses provide the scheme-specific `do_auth`.
    """

    def do_auth(self, environ, start_response):
        """Authenticate the request described by the WSGI `environ`.

        Must be overridden; the base implementation always raises
        NotImplementedError.
        """
        raise NotImplementedError()
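class BasicAuthentication(HTTPAuthentication):
    """HTTP Basic authentication checked against an htpasswd-style file.

    `self.hash` maps user names to the password hashes read from the file.
    """

    def __init__(self, htpasswd, realm):
        """Load the users from the file `htpasswd` and remember `realm` for
        the authentication challenge."""
        self.hash = {}
        self.realm = realm
        try:
            import crypt
            self.crypt = crypt.crypt
        except ImportError:
            # No crypt module available: only hashes containing '$' can be
            # checked (through md5crypt).
            self.crypt = None
        self.load(htpasswd)

    def load(self, filename):
        """Read `user:hash` lines from `filename` into `self.hash`.

        Blank lines are ignored. Lines that do not consist of exactly one
        non-empty user name and one non-empty hash are skipped with a warning
        instead of aborting the load; the line content is not echoed because
        it may contain a password hash.
        """
        fd = open(filename, 'r')
        try:
            for line in fd:
                line = line.strip()
                if not line:
                    continue
                parts = line.split(':')
                if len(parts) != 2 or not parts[0] or not parts[1]:
                    # An entry with an empty hash is dropped as well, so that
                    # it can never be compared against a crypt() result.
                    print >>sys.stderr, \
                        'Warning: skipping malformed line in file:', filename
                    continue
                u, h = parts
                if '$' in h or self.crypt:
                    self.hash[u] = h
                else:
                    print >>sys.stderr, 'Warning: cannot parse password for ' \
                                        'user "%s" without the "crypt" module' % u
        finally:
            fd.close()

        if self.hash == {}:
            print >> sys.stderr, "Warning: found no users in file:", filename

    def test(self, user, password):
        """Return True if `password` matches the stored hash of `user`.

        Unknown users and hashes that cannot be verified yield False.
        """
        # NOTE(review): the hash comparisons below use `==`, which is not a
        # constant-time comparison.
        the_hash = self.hash.get(user)
        if the_hash is None:
            return False

        if not '$' in the_hash:
            if self.crypt is None:
                # Fail closed: a crypt-style hash cannot be checked here.
                return False
            return self.crypt(password, the_hash[:2]) == the_hash

        parts = the_hash[1:].split('$')
        if len(parts) < 2:
            # Not of the form $magic$salt$...; reject instead of raising.
            return False
        magic, salt = parts[:2]
        magic = '$' + magic + '$'
        return md5crypt(password, salt, magic) == the_hash

    def do_auth(self, environ, start_response):
        """Return the authenticated user name, or send a 401 challenge and
        return None.

        The Authorization header is untrusted input: credentials that cannot
        be decoded are treated as a failed login rather than raising.
        """
        header = environ.get('HTTP_AUTHORIZATION')
        if header and header.startswith('Basic'):
            try:
                # Split on the first colon only, the password itself may
                # contain colons.
                auth = b64decode(header[6:]).split(':', 1)
            except (TypeError, binascii.Error):
                auth = []
            if len(auth) == 2:
                user, password = auth
                if self.test(user, password):
                    return user

        start_response('401 Unauthorized',
                       [('WWW-Authenticate', 'Basic realm="%s"'
                         % self.realm)])('')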
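class DigestAuthentication(HTTPAuthentication):
    """A simple HTTP digest authentication implementation (RFC 2617)."""

    # Upper bound on the number of issued-but-unused nonces kept in memory.
    MAX_NONCES = 100

    def __init__(self, htdigest, realm):
        """Load the users of `realm` from the file `htdigest`."""
        self.active_nonces = []
        self.hash = {}
        self.realm = realm
        self.load_htdigest(htdigest, realm)

    def load_htdigest(self, filename, realm):
        """Load account information from apache style htdigest files, only
        users from the specified realm are used

        Blank lines are ignored and lines that do not have exactly three
        colon-separated fields are skipped with a warning; the line content is
        not echoed because it may contain a credential hash.
        """
        fd = open(filename, 'r')
        try:
            for line in fd:
                line = line.strip()
                if not line:
                    continue
                parts = line.split(':')
                if len(parts) != 3:
                    print >>sys.stderr, \
                        'Warning: skipping malformed line in file:', filename
                    continue
                u, r, a1 = parts
                if r == realm:
                    self.hash[u] = a1
        finally:
            fd.close()
        if self.hash == {}:
            print >> sys.stderr, "Warning: found no users in realm:", realm

    def parse_auth_header(self, authorization):
        """Parse the parameter list of a Digest Authorization header into a
        dict, stripping surrounding double quotes from the values.

        The header is untrusted input; items without '=' are ignored.
        """
        values = {}
        for value in urllib2.parse_http_list(authorization):
            if '=' not in value:
                continue
            n, v = value.split('=', 1)
            # The length test keeps an empty value from raising IndexError.
            if len(v) >= 2 and v[0] == '"' and v[-1] == '"':
                values[n] = v[1:-1]
            else:
                values[n] = v
        return values

    def send_auth_request(self, environ, start_response, stale='false'):
        """Send a digest challenge to the browser. Record used nonces
        to avoid replay attacks.
        """
        nonce = hex_entropy()
        self.active_nonces.append(nonce)
        if len(self.active_nonces) > self.MAX_NONCES:
            # Keep only the most recently issued nonces.
            self.active_nonces = self.active_nonces[-self.MAX_NONCES:]
        start_response('401 Unauthorized',
                       [('WWW-Authenticate',
                         'Digest realm="%s", nonce="%s", qop="auth", stale="%s"'
                         % (self.realm, nonce, stale))])('')

    def do_auth(self, environ, start_response):
        """Return the authenticated user name, or send a new challenge and
        return None.

        A nonce is accepted once: it is removed from the active list after a
        successful authentication.
        """
        header = environ.get('HTTP_AUTHORIZATION')
        if not header or not header.startswith('Digest'):
            self.send_auth_request(environ, start_response)
            return None

        auth = self.parse_auth_header(header[7:])
        # 'qop' is required as well: it is read below when the expected
        # response is computed, and a header without it must lead to a new
        # challenge instead of a KeyError.
        required_keys = ['username', 'realm', 'nonce', 'uri', 'response',
                         'nc', 'cnonce', 'qop']
        # Invalid response?
        for key in required_keys:
            if not auth.has_key(key):
                self.send_auth_request(environ, start_response)
                return None
        # Unknown user?
        if not self.hash.has_key(auth['username']):
            self.send_auth_request(environ, start_response)
            return None

        kd = lambda x: md5.md5(':'.join(x)).hexdigest()
        a1 = self.hash[auth['username']]
        # NOTE(review): the client-supplied 'uri' is hashed as given and is
        # not compared with the URI actually requested - confirm whether that
        # check is done elsewhere.
        a2 = kd([environ['REQUEST_METHOD'], auth['uri']])
        # Is the response correct?
        correct = kd([a1, auth['nonce'], auth['nc'],
                      auth['cnonce'], auth['qop'], a2])
        if auth['response'] != correct:
            self.send_auth_request(environ, start_response)
            return None
        # Is the nonce active, if not ask the client to use a new one
        if not auth['nonce'] in self.active_nonces:
            self.send_auth_request(environ, start_response, stale='true')
            return None
        self.active_nonces.remove(auth['nonce'])
        return auth['username']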