<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[4684] PyOpenDirectory/branches/users/gaya/addigestauth/test_auth.py</title>
</head>
<body>

<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="http://trac.macosforge.org/projects/calendarserver/changeset/4684">4684</a></dd>
<dt>Author</dt> <dd>gaya@apple.com</dd>
<dt>Date</dt> <dd>2009-10-30 12:03:05 -0700 (Fri, 30 Oct 2009)</dd>
</dl>

<h3>Log Message</h3>
<pre>make digest tests work with AD and with standard qops</pre>

<h3>Modified Paths</h3>
<ul>
<li><a href="#PyOpenDirectorybranchesusersgayaaddigestauthtest_authpy">PyOpenDirectory/branches/users/gaya/addigestauth/test_auth.py</a></li>
</ul>

</div>
<div id="patch">
<h3>Diff</h3>
<a id="PyOpenDirectorybranchesusersgayaaddigestauthtest_authpy"></a>
<div class="modfile"><h4>Modified: PyOpenDirectory/branches/users/gaya/addigestauth/test_auth.py (4683 => 4684)</h4>
<pre class="diff"><span>
<span class="info">--- PyOpenDirectory/branches/users/gaya/addigestauth/test_auth.py        2009-10-30 19:00:17 UTC (rev 4683)
+++ PyOpenDirectory/branches/users/gaya/addigestauth/test_auth.py        2009-10-30 19:03:05 UTC (rev 4684)
</span><span class="lines">@@ -20,6 +20,7 @@
</span><span class="cx"> import dsattributes
</span><span class="cx"> import md5
</span><span class="cx"> import sha
</span><ins>+import shlex
</ins><span class="cx"> 
</span><span class="cx"> algorithms = {
</span><span class="cx">     'md5': md5.new,
</span><span class="lines">@@ -96,7 +97,7 @@
</span><span class="cx">     m.update(pszMethod)
</span><span class="cx">     m.update(&quot;:&quot;)
</span><span class="cx">     m.update(pszDigestUri)
</span><del>-    if pszQop == &quot;auth-int&quot;:
</del><ins>+    if pszQop == &quot;auth-int&quot; or pszQop == &quot;auth-conf&quot;:
</ins><span class="cx">         m.update(&quot;:&quot;)
</span><span class="cx">         m.update(pszHEntity)
</span><span class="cx">     HA2 = m.digest().encode('hex')
</span><span class="lines">@@ -120,16 +121,20 @@
</span><span class="cx"> 
</span><span class="cx"> attempts = 100
</span><span class="cx"> 
</span><del>-realm = &quot;/Search&quot;
-nonce = &quot;128446648710842461101646794502&quot;
-nc = &quot;00000001&quot;
-cnonce = &quot;0a4f113b12345&quot;
-uri = &quot;/principals/&quot;
-method = &quot;GET&quot;
</del><span class="cx"> 
</span><span class="cx"> def doAuthDigest(username, password, qop, algorithm):
</span><span class="cx">     failures = 0
</span><span class="cx">     
</span><ins>+    realm = &quot;host.example.com&quot;
+    nonce = &quot;128446648710842461101646794502&quot;
+    nc = &quot;00000001&quot;
+    cnonce = &quot;/rrD6TqPA3lHRmg+fw/vyU6oWoQgzK7h9yWrsCmv/lE=&quot;
+    uri = &quot;http://host.example.com&quot;
+    method = &quot;GET&quot;
+    entity = &quot;00000000000000000000000000000000&quot;
+    cipher = &quot;rc4&quot;
+    maxbuf = &quot;65536&quot;
+
</ins><span class="cx">     result = opendirectory.queryRecordsWithAttribute_list(
</span><span class="cx">         od,
</span><span class="cx">         dsattributes.kDSNAttrRecordName,
</span><span class="lines">@@ -144,48 +149,105 @@
</span><span class="cx">     nodename = result[0][1][dsattributes.kDSNAttrMetaNodeLocation]
</span><span class="cx">     
</span><span class="cx">     print( '    User node= &quot;%s&quot;' % nodename)
</span><del>-    if nodename.startswith(&quot;/Active Directory/&quot;):
-
-        challenge = opendirectory.getDigestMD5ChallengeFromActiveDirectory(od, nodename)
-        response = &quot;bogus&quot;
-        print &quot;    Challenge: %s&quot; % (challenge,)
-        print &quot;    Response:  %s&quot; % (response, )
</del><ins>+    adUser = nodename.startswith(&quot;/Active Directory/&quot;)
</ins><span class="cx">         
</span><del>-        for _ignore_x in xrange(attempts):
-            success = opendirectory.authenticateUserDigestToActiveDirectory(
-                od, 
-                nodename,
-                username,
-                response,
-            )
</del><ins>+    for _ignore_x in xrange(attempts):
+        if adUser:
+    
+            challenge = opendirectory.getDigestMD5ChallengeFromActiveDirectory(od, nodename)
+            if not challenge:
+                print &quot;Failed to get Active Directory challenge for user: %s&quot; % (username,)
+                return
+            # parse challenge
+            
+            l = shlex.shlex(challenge)
+            l.wordchars = l.wordchars + &quot;_-&quot;
+            l.whitespace = l.whitespace + &quot;=,&quot;
+            auth = {}
+            while 1:
+                k = l.get_token()
+                if not k: 
+                    break
+                v = l.get_token()
+                if not v: 
+                    break
+                v = v.strip('&quot;') # this strip is kind of a hack, should remove matched leading and trailing double quotes
+                       
+                auth[k.strip()] = v.strip()
+                    
+            # get expected response parameters from challenge
+            nonce = auth[&quot;nonce&quot;]
+            #nonce = &quot;+Upgraded+v17fa28b0e0cb4c483144a0d568259ca0102de13e7b48ff9261cfa9748b93f83cc09d8ee50638c6d9794e1b4f8485a7dee&quot;
</ins><span class="cx">         
</span><del>-            if not success:
-                failures += 1
-    else:
-    
</del><ins>+            if auth.get(&quot;digest-uri&quot;, False):
+                uri = auth[&quot;digest-uri&quot;]
+                
+            qopstr = auth.get(&quot;qop&quot;, False)
+            if qopstr:
+                qops = qopstr.split(&quot;,&quot;)
+                if &quot;auth-conf&quot; in qops:
+                    qop = &quot;auth-conf&quot;
+                elif &quot;auth-int&quot; in qops:
+                    qop = &quot;auth-int&quot;
+                elif &quot;quth&quot; in qops:
+                    qop = &quot;auth&quot;
+                else:
+                    qop = qops[0]
+                    
+            if auth.get(&quot;realm&quot;, False):
+                realm = auth[&quot;realm&quot;]
+            if auth.get(&quot;algorithm&quot;, False):
+                algorithm = auth[&quot;algorithm&quot;]
+            
+            cipherstr = auth.get(&quot;cipher&quot;, False)
+            if cipherstr:
+                ciphers = cipherstr.split(&quot;,&quot;)
+                if &quot;rc4&quot; in ciphers:
+                    cipher = &quot;rc4&quot;
+                else:
+                    cipher = ciphers[0]
+            
+            if auth.get(&quot;maxbuf&quot;, False):
+                maxbuf = auth[&quot;maxbuf&quot;]
+                
+            method = &quot;AUTHENTICATE&quot;
+                
+        else:
+            
+            if qop:
+                challenge = 'realm=&quot;%s&quot;, nonce=&quot;%s&quot;, algorithm=%s, qop=&quot;%s&quot;' % (realm, nonce, algorithm, qop,)
+            else:
+                challenge = 'realm=&quot;%s&quot;, nonce=&quot;%s&quot;, algorithm=%s' % (realm, nonce, algorithm,)
+        
+        
</ins><span class="cx">         expected = calcResponse(
</span><span class="cx">                     calcHA1(algorithm, username, realm, password, nonce, cnonce),
</span><del>-                    algorithm, nonce, nc, cnonce, qop, method, uri, None
</del><ins>+                    algorithm, nonce, nc, cnonce, qop, method, uri, entity
</ins><span class="cx">                 )
</span><del>-        #print expected
</del><span class="cx">         
</span><span class="cx">         if qop:
</span><del>-            challenge = 'Digest realm=&quot;%s&quot;, nonce=&quot;%s&quot;, algorithm=%s, qop=&quot;%s&quot;' % (realm, nonce, algorithm, qop,)
</del><ins>+            response = ('username=&quot;%s&quot;,realm=&quot;%s&quot;,algorithm=%s,'
+                    'nonce=&quot;%s&quot;,cnonce=&quot;%s&quot;,nc=%s,qop=%s,'
+                    'cipher=%s,maxbuf=%s,digest-uri=&quot;%s&quot;,response=%s' % (username, realm, algorithm,
+                                                                              nonce, cnonce, nc, qop, 
+                                                                              cipher, maxbuf, uri, expected ))
</ins><span class="cx">         else:
</span><del>-            challenge = 'Digest realm=&quot;%s&quot;, nonce=&quot;%s&quot;, algorithm=%s' % (realm, nonce, algorithm,)
-        if qop:
</del><span class="cx">             response = ('Digest username=&quot;%s&quot;, realm=&quot;%s&quot;, '
</span><span class="cx">                     'nonce=&quot;%s&quot;, digest-uri=&quot;%s&quot;, '
</span><del>-                    'response=%s, algorithm=%s, cnonce=&quot;%s&quot;, qop=%s, nc=%s' % (username, realm, nonce, uri, expected, algorithm, cnonce, qop, nc, ))
-        else:
-            response = ('Digest username=&quot;%s&quot;, realm=&quot;%s&quot;, '
-                    'nonce=&quot;%s&quot;, digest-uri=&quot;%s&quot;, '
</del><span class="cx">                     'response=%s, algorithm=%s' % (username, realm, nonce, uri, expected, algorithm, ))
</span><span class="cx">         
</span><span class="cx">         print &quot;    Challenge: %s&quot; % (challenge,)
</span><span class="cx">         print &quot;    Response:  %s&quot; % (response, )
</span><del>-        
-        for _ignore_x in xrange(attempts):
</del><ins>+
+    
+        if adUser:
+            success = opendirectory.authenticateUserDigestToActiveDirectory(
+                od, 
+                nodename,
+                username,
+                response,
+            )
+        else:
</ins><span class="cx">             success = opendirectory.authenticateUserDigest(
</span><span class="cx">                 od, 
</span><span class="cx">                 nodename,
</span><span class="lines">@@ -194,9 +256,9 @@
</span><span class="cx">                 response,
</span><span class="cx">                 method
</span><span class="cx">             )
</span><del>-        
-            if not success:
-                failures += 1
</del><ins>+             
+        if not success:
+            failures += 1
</ins><span class="cx">     
</span><span class="cx">     print &quot;\n%d failures out of %d attempts for Digest.\n\n&quot; % (failures, attempts)
</span><span class="cx"> 
</span><span class="lines">@@ -228,14 +290,32 @@
</span><span class="cx">             failures += 1
</span><span class="cx">     
</span><span class="cx">     print &quot;\n%d failures out of %d attempts for Basic.\n\n&quot; % (failures, attempts)
</span><del>-
</del><ins>+&quot;&quot;&quot;
</ins><span class="cx"> search = raw_input(&quot;DS search path: &quot;)
</span><span class="cx"> user = raw_input(&quot;User: &quot;)
</span><span class="cx"> pswd = getpass(&quot;Password: &quot;)
</span><span class="cx"> attempts = int(raw_input(&quot;Number of attempts: &quot;))
</span><ins>+&quot;&quot;&quot;
</ins><span class="cx"> 
</span><ins>+# to test, bind your client to Active Directory that contains the user specified below
+
+search = &quot;/Search&quot;
+user = &quot;servicetest&quot;
+pswd = &quot;pass&quot;
+attempts = 10
+
</ins><span class="cx"> od = opendirectory.odInit(search)
</span><span class="cx"> 
</span><span class="cx"> doAuthBasic(user, pswd)
</span><span class="cx"> doAuthDigest(user, pswd, None, &quot;md5&quot;)
</span><span class="cx"> 
</span><ins>+# to test, bind your client to an Open Directory master that contains the user specified below
+
+user = &quot;testuser&quot;
+pswd = &quot;test&quot;
+doAuthBasic(user, pswd)
+doAuthDigest(user, pswd, None, &quot;md5&quot;)
+doAuthDigest(user, pswd, &quot;auth-int&quot;, &quot;md5&quot;)
+doAuthDigest(user, pswd, &quot;auth-int&quot;, &quot;md5-sess&quot;)
+doAuthDigest(user, pswd, &quot;auth-conf&quot;, &quot;md5-sess&quot;)
+
</ins></span></pre>
</div>
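Review bot: The qop selection in the new challenge parser (hunk @@ -144,48 +149,105 @@) has a typo at `elif "quth" in qops:`, so a challenge that offers `auth` next to other values only ends up with `auth` when it happens to be first in the list and the `else: qop = qops[0]` fallback picks it; the line should read `elif "auth" in qops:`. In the same hunk, the `return` after a failed `getDigestMD5ChallengeFromActiveDirectory` leaves doAuthDigest without printing the "%d failures out of %d attempts" summary, so an unreachable AD node looks like a clean run; counting it as a failure and breaking out of the loop, or printing the summary before returning, would keep the output consistent. The last hunk quotes out the `raw_input`/`getpass` prompts with a bare triple-quoted string and hard-codes `user`/`pswd` pairs for both directory types; even as test fixtures these are plaintext credentials committed to the branch, so reading them from `getpass` or environment variables (and deleting the dead prompt block instead of turning it into a string expression) would be preferable. The commented-out `#nonce = "+Upgraded+..."` line and the `strip('"')` hack the author already flags are leftovers worth cleaning before this leaves the user branch. doAuthDigest starts in the hunk at @@ -120,16 +121,20 @@ and its body runs across the following two hunks.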
</div>

</body>
</html>