<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[12134] twext/trunk/twext/who/opendirectory</title>
</head>
<body>
<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; }
#msg dl a { font-weight: bold}
#msg dl a:link { color:#fc3; }
#msg dl a:active { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="http://trac.calendarserver.org//changeset/12134">12134</a></dd>
<dt>Author</dt> <dd>sagen@apple.com</dd>
<dt>Date</dt> <dd>2013-12-18 17:23:52 -0800 (Wed, 18 Dec 2013)</dd>
</dl>
<h3>Log Message</h3>
<pre>The beginnings of OD auth</pre>
<h3>Modified Paths</h3>
<ul>
<li><a href="#twexttrunktwextwhoopendirectoryservicepy">twext/trunk/twext/who/opendirectory/service.py</a></li>
</ul>
<h3>Added Paths</h3>
<ul>
<li><a href="#twexttrunktwextwhoopendirectorydigestpy">twext/trunk/twext/who/opendirectory/digest.py</a></li>
</ul>
</div>
<div id="patch">
<h3>Diff</h3>
<a id="twexttrunktwextwhoopendirectorydigestpy"></a>
<div class="addfile"><h4>Added: twext/trunk/twext/who/opendirectory/digest.py (0 => 12134)</h4>
<pre class="diff"><span>
<span class="info">--- twext/trunk/twext/who/opendirectory/digest.py (rev 0)
+++ twext/trunk/twext/who/opendirectory/digest.py 2013-12-19 01:23:52 UTC (rev 12134)
</span><span class="lines">@@ -0,0 +1,115 @@
</span><ins>+#!/usr/bin/env python
+##
+# Copyright (c) 2006-2008 Apple Inc. All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+##
+
+import md5
+import sha
+
+algorithms = {
+ 'md5': md5.new,
+ 'md5-sess': md5.new,
+ 'sha': sha.new,
+}
+
+# DigestCalcHA1
+def calcHA1(
+ pszAlg,
+ pszUserName,
+ pszRealm,
+ pszPassword,
+ pszNonce,
+ pszCNonce,
+ preHA1=None
+):
+ """
+ @param pszAlg: The name of the algorithm to use to calculate the digest.
+ Currently supported are md5 md5-sess and sha.
+
+ @param pszUserName: The username
+ @param pszRealm: The realm
+ @param pszPassword: The password
+ @param pszNonce: The nonce
+ @param pszCNonce: The cnonce
+
+ @param preHA1: If available this is a str containing a previously
+ calculated HA1 as a hex string. If this is given then the values for
+ pszUserName, pszRealm, and pszPassword are ignored.
+ """
+
+ if (preHA1 and (pszUserName or pszRealm or pszPassword)):
+ raise TypeError(("preHA1 is incompatible with the pszUserName, "
+ "pszRealm, and pszPassword arguments"))
+
+ if preHA1 is None:
+ # We need to calculate the HA1 from the username:realm:password
+ m = algorithms[pszAlg]()
+ m.update(pszUserName)
+ m.update(":")
+ m.update(pszRealm)
+ m.update(":")
+ m.update(pszPassword)
+ HA1 = m.digest()
+ else:
+ # We were given a username:realm:password
+ HA1 = preHA1.decode('hex')
+
+ if pszAlg == "md5-sess":
+ m = algorithms[pszAlg]()
+ m.update(HA1)
+ m.update(":")
+ m.update(pszNonce)
+ m.update(":")
+ m.update(pszCNonce)
+ HA1 = m.digest()
+
+ return HA1.encode('hex')
+
+# DigestCalcResponse
+def calcResponse(
+ HA1,
+ algo,
+ pszNonce,
+ pszNonceCount,
+ pszCNonce,
+ pszQop,
+ pszMethod,
+ pszDigestUri,
+ pszHEntity,
+):
+ m = algorithms[algo]()
+ m.update(pszMethod)
+ m.update(":")
+ m.update(pszDigestUri)
+ if pszQop == "auth-int" or pszQop == "auth-conf":
+ m.update(":")
+ m.update(pszHEntity)
+ HA2 = m.digest().encode('hex')
+
+ m = algorithms[algo]()
+ m.update(HA1)
+ m.update(":")
+ m.update(pszNonce)
+ m.update(":")
+ if pszNonceCount and pszCNonce and pszQop:
+ m.update(pszNonceCount)
+ m.update(":")
+ m.update(pszCNonce)
+ m.update(":")
+ m.update(pszQop)
+ m.update(":")
+ m.update(HA2)
+ respHash = m.digest().encode('hex')
+ return respHash
</ins></span></pre></div>
<a id="twexttrunktwextwhoopendirectoryservicepy"></a>
<div class="modfile"><h4>Modified: twext/trunk/twext/who/opendirectory/service.py (12133 => 12134)</h4>
<pre class="diff"><span>
<span class="info">--- twext/trunk/twext/who/opendirectory/service.py 2013-12-19 01:23:27 UTC (rev 12133)
+++ twext/trunk/twext/who/opendirectory/service.py 2013-12-19 01:23:52 UTC (rev 12134)
</span><span class="lines">@@ -43,8 +43,19 @@
</span><span class="cx"> )
</span><span class="cx"> from ..util import iterFlags, ConstantsContainer
</span><span class="cx">
</span><ins>+from twisted.cred.checkers import ICredentialsChecker
+from twisted.cred.credentials import IUsernamePassword, IUsernameHashedPassword
+from twisted.cred.error import UnauthorizedLogin
</ins><span class="cx">
</span><ins>+from zope.interface import implements
+from twisted.internet.defer import inlineCallbacks, returnValue, succeed, fail
+from twisted.web.guard import DigestCredentialFactory
+from twisted.cred.credentials import UsernamePassword, DigestedCredentials
</ins><span class="cx">
</span><ins>+# For testing:
+from digest import calcResponse, calcHA1
+from getpass import getpass
+
</ins><span class="cx"> #
</span><span class="cx"> # Exceptions
</span><span class="cx"> #
</span><span class="lines">@@ -55,7 +66,7 @@
</span><span class="cx"> """
</span><span class="cx">
</span><span class="cx"> def __init__(self, message, odError):
</span><del>- super(DirectoryService, self).__init__(message)
</del><ins>+ super(OpenDirectoryError, self).__init__(message)
</ins><span class="cx"> self.odError = odError
</span><span class="cx">
</span><span class="cx">
</span><span class="lines">@@ -221,6 +232,10 @@
</span><span class="cx"> """
</span><span class="cx"> OpenDirectory directory service.
</span><span class="cx"> """
</span><ins>+
+ implements(ICredentialsChecker)
+ credentialInterfaces = (IUsernamePassword, IUsernameHashedPassword,)
+
</ins><span class="cx"> log = Logger()
</span><span class="cx">
</span><span class="cx"> fieldName = ConstantsContainer(chain(
</span><span class="lines">@@ -229,6 +244,7 @@
</span><span class="cx"> ))
</span><span class="cx">
</span><span class="cx">
</span><ins>+
</ins><span class="cx"> def __init__(self, nodeName=ODSearchPath.search.value):
</span><span class="cx"> """
</span><span class="cx"> @param nodeName: the OpenDirectory node to query against.
</span><span class="lines">@@ -573,7 +589,94 @@
</span><span class="cx"> )
</span><span class="cx">
</span><span class="cx">
</span><ins>+ def _getUserRecord(self, username):
+ """
+ Fetch the OD record for a given user.
</ins><span class="cx">
</span><ins>+ @return: ODRecord, or None
+ """
+ record, error = self.node.recordWithRecordType_name_attributes_error_(
+ ODRecordType.user.value, username, None, None
+ )
+ if error:
+ self.log.error(
+ "Error while executing OpenDirectory query: {error}",
+ error=error
+ )
+ raise OpenDirectoryQueryError("Could not look up user",
+ error
+ )
+
+ return record
+
+
+ def requestAvatarId(self, credentials):
+ """
+ Authenticate the credentials against OpenDirectory and return the
+ corresponding DirectoryRecord or fail with UnauthorizedLogin if
+ the credentials are not valid.
+
+ @param: credentials: the credentials to authenticate.
+ @type: credentials: either UsernamePassword or DigestedCredentials
+
+ @return: Deferred which fires with DirectoryRecord.
+ """
+
+ record = self._getUserRecord(credentials.username)
+
+ if record is not None:
+
+ if isinstance(credentials, UsernamePassword):
+ result, error = record.verifyPassword_error_(
+ credentials.password, None
+ )
+ if not error and result:
+ return succeed(self._adaptODRecord(record))
+ # return succeed(credentials.username)
+
+ elif isinstance(credentials, DigestedCredentials):
+ try:
+ if "algorithm" not in credentials.fields:
+ credentials.fields["algorithm"] = "md5"
+ challenge = 'Digest realm="%(realm)s", nonce="%(nonce)s", algorithm=%(algorithm)s' % credentials.fields
+ response = credentials.fields["response"]
+ except KeyError as e:
+ self.log.error(
+ "Error authenticating against OpenDirectory : "
+ "missing digest response field: {field} "
+ "in: {fields}", field=e, fields=credentials.fields
+ )
+ return fail(UnauthorizedLogin())
+
+ result, m1, m2, error = record.verifyExtendedWithAuthenticationType_authenticationItems_continueItems_context_error_(
+ "dsAuthMethodStandard:dsAuthNodeDIGEST-MD5",
+ [
+ credentials.username,
+ challenge,
+ response,
+ credentials.method,
+ ],
+ None, None, None
+ )
+
+ if not error and result:
+ # return succeed(credentials.username)
+ return succeed(self._adaptODRecord(record))
+
+ return fail(UnauthorizedLogin())
+
+
+class CustomDigestCredentialFactory(DigestCredentialFactory):
+ """
+ DigestCredentialFactory without qop, to interop with OD.
+ """
+
+ def getChallenge(self, address):
+ result = DigestCredentialFactory.getChallenge(self, address)
+ del result["qop"]
+ return result
+
+
</ins><span class="cx"> class DirectoryRecord(BaseDirectoryRecord):
</span><span class="cx"> """
</span><span class="cx"> OpenDirectory directory record.
</span><span class="lines">@@ -603,6 +706,7 @@
</span><span class="cx">
</span><span class="cx">
</span><span class="cx">
</span><ins>+
</ins><span class="cx"> if __name__ == "__main__":
</span><span class="cx"> import sys
</span><span class="cx">
</span><span class="lines">@@ -656,3 +760,70 @@
</span><span class="cx"> for record in service.recordsFromExpression(compoundExpression):
</span><span class="cx"> print(record.description())
</span><span class="cx"> print()
</span><ins>+
+
+ @inlineCallbacks
+ def testAuth(username, password):
+
+ # Authenticate using simple password
+
+ creds = UsernamePassword(username, password)
+ try:
+ id = yield service.requestAvatarId(creds)
+ print("OK via UsernamePassword, avatarID: {id}".format(id=id))
+ print(" {name}".format(name=id.fullNames))
+ except UnauthorizedLogin:
+ print("Via UsernamePassword, could not authenticate")
+
+ print()
+
+ # Authenticate using Digest
+
+ algorithm = "md5" # "md5-sess"
+ cnonce = "/rrD6TqPA3lHRmg+fw/vyU6oWoQgzK7h9yWrsCmv/lE="
+ entity = "00000000000000000000000000000000"
+ method = "GET"
+ nc = "00000001"
+ nonce = "128446648710842461101646794502"
+ qop = None
+ realm = "host.example.com"
+ uri = "http://host.example.com"
+
+ responseHash = calcResponse(
+ calcHA1(
+ algorithm.lower(), username, realm, password, nonce, cnonce
+ ),
+ algorithm.lower(), nonce, nc, cnonce, qop, method, uri, entity
+ )
+
+ response = (
+ 'Digest username="{username}", uri="{uri}", response={hash}'.format(
+ username=username, uri=uri, hash=responseHash
+ )
+ )
+
+ fields = {
+ "realm" : realm,
+ "nonce" : nonce,
+ "response" : response,
+ "algorithm" : algorithm,
+ }
+
+ creds = DigestedCredentials(username, method, realm, fields)
+
+ try:
+ id = yield service.requestAvatarId(creds)
+ print("OK via DigestedCredentials, avatarID: {id}".format(id=id))
+ print(" {name}".format(name=id.fullNames))
+ except UnauthorizedLogin:
+ print("Via DigestedCredentials, could not authenticate")
+
+ # Conditionally run testAuth()
+
+ response = raw_input("Test authentication (y/n)? ")
+ if response == "y":
+ username = raw_input("Username: ")
+ if username:
+ password = getpass()
+ if password:
+ testAuth(username, password)
</ins></span></pre>
</div>
</div>
</body>
</html>