[CalendarServer-changes] [12134] twext/trunk/twext/who/opendirectory
source_changes at macosforge.org
source_changes at macosforge.org
Wed Mar 12 11:20:18 PDT 2014
Revision: 12134
http://trac.calendarserver.org//changeset/12134
Author: sagen at apple.com
Date: 2013-12-18 17:23:52 -0800 (Wed, 18 Dec 2013)
Log Message:
-----------
The beginnings of OD auth
Modified Paths:
--------------
twext/trunk/twext/who/opendirectory/service.py
Added Paths:
-----------
twext/trunk/twext/who/opendirectory/digest.py
Added: twext/trunk/twext/who/opendirectory/digest.py
===================================================================
--- twext/trunk/twext/who/opendirectory/digest.py (rev 0)
+++ twext/trunk/twext/who/opendirectory/digest.py 2013-12-19 01:23:52 UTC (rev 12134)
@@ -0,0 +1,115 @@
+#!/usr/bin/env python
+##
+# Copyright (c) 2006-2008 Apple Inc. All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+##
+
+import md5
+import sha
+
+algorithms = {
+ 'md5': md5.new,
+ 'md5-sess': md5.new,
+ 'sha': sha.new,
+}
+
+# DigestCalcHA1
+def calcHA1(
+ pszAlg,
+ pszUserName,
+ pszRealm,
+ pszPassword,
+ pszNonce,
+ pszCNonce,
+ preHA1=None
+):
+ """
+ @param pszAlg: The name of the algorithm to use to calculate the digest.
+ Currently supported are md5 md5-sess and sha.
+
+ @param pszUserName: The username
+ @param pszRealm: The realm
+ @param pszPassword: The password
+ @param pszNonce: The nonce
+ @param pszCNonce: The cnonce
+
+ @param preHA1: If available this is a str containing a previously
+ calculated HA1 as a hex string. If this is given then the values for
+ pszUserName, pszRealm, and pszPassword are ignored.
+ """
+
+ if (preHA1 and (pszUserName or pszRealm or pszPassword)):
+ raise TypeError(("preHA1 is incompatible with the pszUserName, "
+ "pszRealm, and pszPassword arguments"))
+
+ if preHA1 is None:
+ # We need to calculate the HA1 from the username:realm:password
+ m = algorithms[pszAlg]()
+ m.update(pszUserName)
+ m.update(":")
+ m.update(pszRealm)
+ m.update(":")
+ m.update(pszPassword)
+ HA1 = m.digest()
+ else:
+ # We were given a username:realm:password
+ HA1 = preHA1.decode('hex')
+
+ if pszAlg == "md5-sess":
+ m = algorithms[pszAlg]()
+ m.update(HA1)
+ m.update(":")
+ m.update(pszNonce)
+ m.update(":")
+ m.update(pszCNonce)
+ HA1 = m.digest()
+
+ return HA1.encode('hex')
+
+# DigestCalcResponse
+def calcResponse(
+ HA1,
+ algo,
+ pszNonce,
+ pszNonceCount,
+ pszCNonce,
+ pszQop,
+ pszMethod,
+ pszDigestUri,
+ pszHEntity,
+):
+ m = algorithms[algo]()
+ m.update(pszMethod)
+ m.update(":")
+ m.update(pszDigestUri)
+ if pszQop == "auth-int" or pszQop == "auth-conf":
+ m.update(":")
+ m.update(pszHEntity)
+ HA2 = m.digest().encode('hex')
+
+ m = algorithms[algo]()
+ m.update(HA1)
+ m.update(":")
+ m.update(pszNonce)
+ m.update(":")
+ if pszNonceCount and pszCNonce and pszQop:
+ m.update(pszNonceCount)
+ m.update(":")
+ m.update(pszCNonce)
+ m.update(":")
+ m.update(pszQop)
+ m.update(":")
+ m.update(HA2)
+ respHash = m.digest().encode('hex')
+ return respHash
Modified: twext/trunk/twext/who/opendirectory/service.py
===================================================================
--- twext/trunk/twext/who/opendirectory/service.py 2013-12-19 01:23:27 UTC (rev 12133)
+++ twext/trunk/twext/who/opendirectory/service.py 2013-12-19 01:23:52 UTC (rev 12134)
@@ -43,8 +43,19 @@
)
from ..util import iterFlags, ConstantsContainer
+from twisted.cred.checkers import ICredentialsChecker
+from twisted.cred.credentials import IUsernamePassword, IUsernameHashedPassword
+from twisted.cred.error import UnauthorizedLogin
+from zope.interface import implements
+from twisted.internet.defer import inlineCallbacks, returnValue, succeed, fail
+from twisted.web.guard import DigestCredentialFactory
+from twisted.cred.credentials import UsernamePassword, DigestedCredentials
+# For testing:
+from digest import calcResponse, calcHA1
+from getpass import getpass
+
#
# Exceptions
#
@@ -55,7 +66,7 @@
"""
def __init__(self, message, odError):
- super(DirectoryService, self).__init__(message)
+ super(OpenDirectoryError, self).__init__(message)
self.odError = odError
@@ -221,6 +232,10 @@
"""
OpenDirectory directory service.
"""
+
+ implements(ICredentialsChecker)
+ credentialInterfaces = (IUsernamePassword, IUsernameHashedPassword,)
+
log = Logger()
fieldName = ConstantsContainer(chain(
@@ -229,6 +244,7 @@
))
+
def __init__(self, nodeName=ODSearchPath.search.value):
"""
@param nodeName: the OpenDirectory node to query against.
@@ -573,7 +589,94 @@
)
+ def _getUserRecord(self, username):
+ """
+ Fetch the OD record for a given user.
+ @return: ODRecord, or None
+ """
+ record, error = self.node.recordWithRecordType_name_attributes_error_(
+ ODRecordType.user.value, username, None, None
+ )
+ if error:
+ self.log.error(
+ "Error while executing OpenDirectory query: {error}",
+ error=error
+ )
+ raise OpenDirectoryQueryError("Could not look up user",
+ error
+ )
+
+ return record
+
+
+ def requestAvatarId(self, credentials):
+ """
+ Authenticate the credentials against OpenDirectory and return the
+ corresponding DirectoryRecord or fail with UnauthorizedLogin if
+ the credentials are not valid.
+
+ @param: credentials: the credentials to authenticate.
+ @type: credentials: either UsernamePassword or DigestedCredentials
+
+ @return: Deferred which fires with DirectoryRecord.
+ """
+
+ record = self._getUserRecord(credentials.username)
+
+ if record is not None:
+
+ if isinstance(credentials, UsernamePassword):
+ result, error = record.verifyPassword_error_(
+ credentials.password, None
+ )
+ if not error and result:
+ return succeed(self._adaptODRecord(record))
+ # return succeed(credentials.username)
+
+ elif isinstance(credentials, DigestedCredentials):
+ try:
+ if "algorithm" not in credentials.fields:
+ credentials.fields["algorithm"] = "md5"
+ challenge = 'Digest realm="%(realm)s", nonce="%(nonce)s", algorithm=%(algorithm)s' % credentials.fields
+ response = credentials.fields["response"]
+ except KeyError as e:
+ self.log.error(
+ "Error authenticating against OpenDirectory : "
+ "missing digest response field: {field} "
+ "in: {fields}", field=e, fields=credentials.fields
+ )
+ return fail(UnauthorizedLogin())
+
+ result, m1, m2, error = record.verifyExtendedWithAuthenticationType_authenticationItems_continueItems_context_error_(
+ "dsAuthMethodStandard:dsAuthNodeDIGEST-MD5",
+ [
+ credentials.username,
+ challenge,
+ response,
+ credentials.method,
+ ],
+ None, None, None
+ )
+
+ if not error and result:
+ # return succeed(credentials.username)
+ return succeed(self._adaptODRecord(record))
+
+ return fail(UnauthorizedLogin())
+
+
+class CustomDigestCredentialFactory(DigestCredentialFactory):
+ """
+ DigestCredentialFactory without qop, to interop with OD.
+ """
+
+ def getChallenge(self, address):
+ result = DigestCredentialFactory.getChallenge(self, address)
+ del result["qop"]
+ return result
+
+
class DirectoryRecord(BaseDirectoryRecord):
"""
OpenDirectory directory record.
@@ -603,6 +706,7 @@
+
if __name__ == "__main__":
import sys
@@ -656,3 +760,70 @@
for record in service.recordsFromExpression(compoundExpression):
print(record.description())
print()
+
+
+ @inlineCallbacks
+ def testAuth(username, password):
+
+ # Authenticate using simple password
+
+ creds = UsernamePassword(username, password)
+ try:
+ id = yield service.requestAvatarId(creds)
+ print("OK via UsernamePassword, avatarID: {id}".format(id=id))
+ print(" {name}".format(name=id.fullNames))
+ except UnauthorizedLogin:
+ print("Via UsernamePassword, could not authenticate")
+
+ print()
+
+ # Authenticate using Digest
+
+ algorithm = "md5" # "md5-sess"
+ cnonce = "/rrD6TqPA3lHRmg+fw/vyU6oWoQgzK7h9yWrsCmv/lE="
+ entity = "00000000000000000000000000000000"
+ method = "GET"
+ nc = "00000001"
+ nonce = "128446648710842461101646794502"
+ qop = None
+ realm = "host.example.com"
+ uri = "http://host.example.com"
+
+ responseHash = calcResponse(
+ calcHA1(
+ algorithm.lower(), username, realm, password, nonce, cnonce
+ ),
+ algorithm.lower(), nonce, nc, cnonce, qop, method, uri, entity
+ )
+
+ response = (
+ 'Digest username="{username}", uri="{uri}", response={hash}'.format(
+ username=username, uri=uri, hash=responseHash
+ )
+ )
+
+ fields = {
+ "realm" : realm,
+ "nonce" : nonce,
+ "response" : response,
+ "algorithm" : algorithm,
+ }
+
+ creds = DigestedCredentials(username, method, realm, fields)
+
+ try:
+ id = yield service.requestAvatarId(creds)
+ print("OK via DigestedCredentials, avatarID: {id}".format(id=id))
+ print(" {name}".format(name=id.fullNames))
+ except UnauthorizedLogin:
+ print("Via DigestedCredentials, could not authenticate")
+
+ # Conditionally run testAuth()
+
+ response = raw_input("Test authentication (y/n)? ")
+ if response == "y":
+ username = raw_input("Username: ")
+ if username:
+ password = getpass()
+ if password:
+ testAuth(username, password)
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.macosforge.org/pipermail/calendarserver-changes/attachments/20140312/2305a751/attachment.html>
More information about the calendarserver-changes
mailing list