#!/usr/bin/env python2.5 """ This module contains an C{AuthDigestMiddleware} for authenticating HTTP requests using the method described in RFC2617. The credentials are to be provided using an C{AuthTokenGenerator} or a compatible instance. Furthermore digest authentication has to preserve some state across requests, more specifically nonces. There are three different C{NonceStoreBase} implementations for different needs. While the C{StatelessNonceStore} has minimal requirements it only prevents replay attacks in a limited way. If the WSGI server uses threading or a single process the C{MemoryNonceStore} can be used. If that is not possible the nonces can be stored in a DBAPI2 compatible database using C{DBAPI2NonceStore}. """ __all__ = [] import random try: from hashlib import md5 except ImportError: from md5 import md5 import binascii import base64 import time sysrand = random.SystemRandom() def gen_rand_str(bytes=33): """ Generates a string of random base64 characters. @param bytes: is the number of random 8bit values to be used >>> gen_rand_str() != gen_rand_str() True """ randnum = sysrand.getrandbits(bytes*8) randstr = ("%%0%dX" % (2*bytes)) % randnum randstr = binascii.unhexlify(randstr) randstr = base64.encodestring(randstr).strip() return randstr def parse_digest_response(data, ret=None): """internal @raises ValueError: >>> parse_digest_response('foo=bar') {'foo': 'bar'} >>> parse_digest_response('foo="bar"') {'foo': 'bar'} >>> sorted(parse_digest_response('foo="bar=qux",spam=egg').items()) [('foo', 'bar=qux'), ('spam', 'egg')] >>> try: ... parse_digest_response('spam') ... except ValueError: ... print("ValueError") ValueError >>> try: ... parse_digest_response('spam="egg"error') ... except ValueError: ... print("ValueError") ValueError """ if ret is None: ret = {} data = data.strip() key, rest = data.split('=', 1) # raises ValueError if rest.startswith('"'): rest = rest[1:] value, rest = rest.split('"', 1) # raises ValueError if not rest: ret[key] = value return ret if rest[0] != ',': raise ValueError("invalid digest response") rest = rest[1:] else: if ',' not in rest: ret[key] = rest return ret value, rest = rest.split(',' , 1) ret[key] = value return parse_digest_response(rest, ret) class AuthenticationRequired(Exception): """ Internal Exception class that is thrown inside L{AuthDigestMiddleware}, but not visible to other code. """ __all__.append("AuthTokenGenerator") class AuthTokenGenerator: """Generates authentification tokens for L{AuthDigestMiddleware}. The interface consists of beeing callable with a username and having a realm attribute being a string.""" def __init__(self, realm, getpass): """ @type realm: str @param realm: is a string according to RFC2617. @type getpass: str -> (str or None) @param getpass: this function is called with a username and password is expected as result. C{None} may be used as an invalid password. An example for getpass would be C{{username: password}.get}. """ self.realm = realm self.getpass = getpass def __call__(self, username, algo="md5"): """Generates an authentification token from a username. @type username: str @rtype: str or None """ assert algo.lower() in ["md5", "md5-sess"] password = self.getpass(username) if password is None: return None a1 = "%s:%s:%s" % (username, self.realm, password) return md5(a1).hexdigest() __all__.append("NonceStoreBase") class NonceStoreBase: """Nonce storage interface.""" def __init__(self): pass def newnonce(self, ident=None): """ This method is to be overriden and should return new nonces. @type ident: str @param ident: is an identifier to be associated with this nonce @rtype: str """ raise NotImplementedError def checknonce(self, nonce, count=1, ident=None): """ This method is to be overridden and should do a check for whether the given nonce is valid as being used count times. @type nonce: str @type count: int @param count: indicates how often the nonce has been used (including this check) @type ident: str @param ident: it is also checked that the nonce was associated to this identifier when given @rtype: bool """ raise NotImplementedError def format_time(seconds): """ internal method formatting a unix time to a fixed-length string @type seconds: float @rtype: str """ # the overflow will happen about 2112 return "%013X" % int(seconds * 1000000) __all__.append("StatelessNonceStore") class StatelessNonceStore(NonceStoreBase): """ This is a stateless nonce storage that cannot check the usage count for a nonce and thus cannot protect against replay attacks. It however can make it difficult by posing a timeout on nonces and making it difficult to forge nonces. This nonce store is usable with L{scgi.forkpool}. >>> s = StatelessNonceStore() >>> n = s.newnonce() >>> s.checknonce("spam") False >>> s.checknonce(n) True >>> s.checknonce(n) True >>> s.checknonce(n.rsplit(':', 1)[0] + "bad hash") False """ def __init__(self, maxage=300, secret=None): """ @type maxage: int @param maxage: is the number of seconds a nonce may be valid. Choosing a large value may result in more memory usage whereas a smaller value results in more requests. Defaults to 5 minutes. @type secret: str @param secret: if not given, a secret is generated and is therefore shared after forks. Knowing this secret permits creating nonces. """ NonceStoreBase.__init__(self) self.maxage = maxage if secret: self.server_secret = secret else: self.server_secret = gen_rand_str() def newnonce(self, ident=None): """ Generates a new nonce string. @type ident: None or str @rtype: str """ nonce_time = format_time(time.time()) nonce_value = gen_rand_str() token = "%s:%s:%s" % (nonce_time, nonce_value, self.server_secret) if ident is not None: token = "%s:%s" % (token, ident) token = md5(token).hexdigest() return "%s:%s:%s" % (nonce_time, nonce_value, token) def checknonce(self, nonce, count=1, ident=None): """ Do a check for whether the provided string is a nonce and increase usage count on returning True. @type nonce: str @type count: int @type ident: None or str @rtype: bool """ if count != 1: return False try: nonce_time, nonce_value, nonce_hash = nonce.split(':') except ValueError: return False token = "%s:%s:%s" % (nonce_time, nonce_value, self.server_secret) if ident is not None: token = "%s:%s" % (token, ident) token = md5(token).hexdigest() if token != nonce_hash: return False if nonce_time < format_time(time.time() - self.maxage): return False return True __all__.append("MemoryNonceStore") class MemoryNonceStore(NonceStoreBase): """ Simple in-memory mechanism to store nonces. >>> s = MemoryNonceStore(maxuses=1) >>> n = s.newnonce() >>> s.checknonce("spam") False >>> s.checknonce(n) True >>> s.checknonce(n) False """ def __init__(self, maxage=300, maxuses=5): """ @type maxage: int @param maxage: is the number of seconds a nonce may be valid. Choosing a large value may result in more memory usage whereas a smaller value results in more requests. Defaults to 5 minutes. @type maxuses: int @param maxuses: is the number of times a nonce may be used (with different nc values). A value of 1 makes nonces usable exactly once resulting in more requests. Defaults to 5. """ NonceStoreBase.__init__(self) self.maxage = maxage self.maxuses = maxuses self.nonces = [] # [(creation_time, nonce_value, useage_count)] # as [(float, str, int)] self.server_secret = gen_rand_str() def _cleanup(self): """internal methods cleaning list of valid nonces""" old = format_time(time.time() - self.maxage) while self.nonces and self.nonces[0][0] < old: self.nonces.pop(0) def newnonce(self, ident=None): """ Generates a new nonce string. @type ident: None or str @rtype: str """ self._cleanup() # avoid growing self.nonces nonce_time = format_time(time.time()) nonce_value = gen_rand_str() self.nonces.append((nonce_time, nonce_value, 1)) token = "%s:%s:%s" % (nonce_time, nonce_value, self.server_secret) if ident is not None: token = "%s:%s" % (token, ident) token = md5(token).hexdigest() return "%s:%s:%s" % (nonce_time, nonce_value, token) def checknonce(self, nonce, count=1, ident=None): """ Do a check for whether the provided string is a nonce and increase usage count on returning True. @type nonce: str @type count: int @type ident: None or str @rtype: bool """ try: nonce_time, nonce_value, nonce_hash = nonce.split(':') except ValueError: return False token = "%s:%s:%s" % (nonce_time, nonce_value, self.server_secret) if ident is not None: token = "%s:%s" % (token, ident) token = md5(token).hexdigest() if token != nonce_hash: return False self._cleanup() # avoid stale nonces # searching nonce_time lower, upper = 0, len(self.nonces) - 1 while lower < upper: mid = (lower + upper) // 2 if nonce_time <= self.nonces[mid][0]: upper = mid else: lower = mid + 1 if len(self.nonces) <= lower: return False (nt, nv, uses) = self.nonces[lower] if nt != nonce_time or nv != nonce_value: return False if count != uses: del self.nonces[lower] return False if uses >= self.maxuses: del self.nonces[lower] else: self.nonces[lower] = (nt, nv, uses+1) return True __all__.append("LazyDBAPI2Opener") class LazyDBAPI2Opener: """ Connects to database on first request. Otherwise it behaves like a dbapi2 connection. This may be usefull in combination with scgi.forkpool, because this way each worker child opens a new database connection when the first request is to be answered. """ def __init__(self, function, *args, **kwargs): """ The database will be connected on the first method call. This is done by calling the given function with the remaining parameters. @param function: is the function that connects to the database """ self._function = function self._args = args self._kwargs = kwargs self._dbhandle = None def _getdbhandle(self): """Returns an open database connection. Open if necessary.""" if self._dbhandle is None: self._dbhandle = self._function(*self._args, **self._kwargs) self._function = self._args = self._kwargs = None return self._dbhandle def cursor(self): """dbapi2""" return self._getdbhandle().cursor() def commit(self): """dbapi2""" return self._getdbhandle().commit() def rollback(self): """dbapi2""" return self._getdbhandle().rollback() def close(self): """dbapi2""" return self._getdbhandle().close() __all__.append("DBAPI2NonceStore") class DBAPI2NonceStore(NonceStoreBase): """ A dbapi2-backed nonce store implementation suitable for usage with forking wsgi servers such as scgi.forkpool. >>> import sqlite3 >>> db = sqlite3.connect(":memory:") >>> db.cursor().execute("CREATE TABLE nonces (key, value);") and None >>> db.commit() and None >>> s = DBAPI2NonceStore(db, maxuses=1) >>> n = s.newnonce() >>> s.checknonce("spam") False >>> s.checknonce(n) True >>> s.checknonce(n) False """ def __init__(self, dbhandle, maxage=300, maxuses=5, table="nonces"): """ @param dbhandle: is a dbapi2 connection @type maxage: int @param maxage: is the number of seconds a nonce may be valid. Choosing a large value may result in more memory usage whereas a smaller value results in more requests. Defaults to 5 minutes. @type maxuses: int @param maxuses: is the number of times a nonce may be used (with different nc values). A value of 1 makes nonces usable exactly once resulting in more requests. Defaults to 5. """ NonceStoreBase.__init__(self) self.dbhandle = dbhandle self.maxage = maxage self.maxuses = maxuses self.table = table self.server_secret = gen_rand_str() def _cleanup(self, cur): """internal methods cleaning list of valid nonces""" old = format_time(time.time() - self.maxage) cur.execute("DELETE FROM %s WHERE key < '%s:';" % (self.table, old)) def newnonce(self, ident=None): """ Generates a new nonce string. @rtype: str """ nonce_time = format_time(time.time()) nonce_value = gen_rand_str() dbkey = "%s:%s" % (nonce_time, nonce_value) cur = self.dbhandle.cursor() self._cleanup(cur) # avoid growing database cur.execute("INSERT INTO %s VALUES ('%s', '1');" % (self.table, dbkey)) self.dbhandle.commit() token = "%s:%s" % (dbkey, self.server_secret) if ident is not None: token = "%s:%s" % (token, ident) token = md5(token).hexdigest() return "%s:%s:%s" % (nonce_time, nonce_value, token) def checknonce(self, nonce, count=1, ident=None): """ Do a check for whether the provided string is a nonce and increase usage count on returning True. @type nonce: str @type count: int @rtype: bool """ try: nonce_time, nonce_value, nonce_hash = nonce.split(':') except ValueError: return False if not nonce_time.isalnum() or not nonce_value.replace("+", ""). \ replace("/", "").replace("=", "").isalnum(): return False token = "%s:%s:%s" % (nonce_time, nonce_value, self.server_secret) if ident is not None: token = "%s:%s" % (token, ident) token = md5(token).hexdigest() if token != nonce_hash: return False if nonce_time < format_time(time.time() - self.maxage): return False cur = self.dbhandle.cursor() #self._cleanup(cur) # avoid growing database dbkey = "%s:%s" % (nonce_time, nonce_value) cur.execute("SELECT value FROM %s WHERE key = '%s';" % (self.table, dbkey)) uses = cur.fetchone() if uses is None: self.dbhandle.commit() return False uses = int(uses[0]) if count != uses: cur.execute("DELETE FROM %s WHERE key = '%s';" % (self.table, dbkey)) self.dbhandle.commit() return False if uses >= self.maxuses: cur.execute("DELETE FROM %s WHERE key = '%s';" % (self.table, dbkey)) else: cur.execute("UPDATE %s SET value = '%d' WHERE key = '%s';" % (self.table, uses + 1, dbkey)) self.dbhandle.commit() return True __all__.append("AuthDigestMiddleware") class AuthDigestMiddleware: """Middleware partly implementing RFC2617. (md5-sess was omited) Upon successful authentication the environ dict will be extended by a REMOTE_USER key before being passed to the wrapped application.""" algorithms = {"md5": lambda data: md5(data).hexdigest()} def __init__(self, app, gentoken, maxage=300, maxuses=5, store=None): """ @param app: is the wsgi application to be served with authentification. @type gentoken: str -> (str or None) @param gentoken: has to have the same functionality and interface as the L{AuthTokenGenerator} class. @type maxage: int @param maxage: deprecated, see L{MemoryNonceStore} or L{StatelessNonceStore} @type maxuses: int @param maxuses: deprecated, see L{MemoryNonceStore} @type store: L{NonceStoreBase} @param store: a nonce storage implementation object. Usage of this parameter will override maxage and maxuses. """ self.app = app self.gentoken = gentoken if store is None: self.noncestore = MemoryNonceStore(maxage, maxuses) else: assert hasattr(store, "newnonce") assert hasattr(store, "checknonce") self.noncestore = store def __call__(self, environ, start_response): """wsgi interface""" try: auth = environ["HTTP_AUTHORIZATION"] # raises KeyError method, rest = auth.split(' ', 1) # raises ValueError if method.lower() != "digest": raise AuthenticationRequired credentials = parse_digest_response(rest) # raises ValueError ### Check algorithm field credentials["algorithm"] = credentials.get("algorithm", "md5").lower() if not credentials["algorithm"] in self.algorithms: raise AuthenticationRequired ### Check uri field # Doing this by stripping known parts from the passed uri field # until something trivial remains, as the uri cannot be # reconstructed from the environment exactly. uri = credentials["uri"] # raises KeyError if "QUERY_STRING" in environ and environ["QUERY_STRING"]: if not uri.endswith(environ["QUERY_STRING"]): raise AuthenticationRequired uri = uri[:-len(environ["QUERY_STRING"])] if "SCRIPT_NAME" in environ: if not uri.startswith(environ["SCRIPT_NAME"]): raise AuthenticationRequired uri = uri[len(environ["SCRIPT_NAME"]):] if "PATH_INFO" in environ: if not uri.startswith(environ["PATH_INFO"]): raise AuthenticationRequired uri = uri[len(environ["PATH_INFO"]):] if uri not in ('', '?'): raise AuthenticationRequired del uri if ("username" not in credentials or "nonce" not in credentials or "response" not in credentials or "qop" in credentials and ( credentials["qop"] != "auth" or "nc" not in credentials or credentials["nc"].lower().strip("0123456789abcdef") or "cnonce" not in credentials)): raise AuthenticationRequired noncecount = 1 if credentials.get("qop") is not None: # raises ValueError noncecount = int(credentials["nc"], 16) if not self.noncestore.checknonce(credentials["nonce"], noncecount): return self.authorization_required(environ, start_response, stale=True) # stale nonce! # raises KeyError, ValueError response = self.auth_response(credentials, environ["REQUEST_METHOD"]) if response != credentials["response"]: raise AuthenticationRequired except (KeyError, ValueError, AuthenticationRequired): return self.authorization_required(environ, start_response) else: environ["REMOTE_USER"] = credentials["username"] def modified_start_response(status, headers, exc_info=None): digest = dict(nextnonce=self.noncestore.newnonce()) if "qop" in credentials: digest["qop"] = "auth" digest["cnonce"] = credentials["cnonce"] # no KeyError digest["rspauth"] = self.auth_response(credentials, "") challenge = ", ".join(map('%s="%s"'.__mod__, digest.items())) headers.append(("Authentication-Info", challenge)) return start_response(status, headers, exc_info) return self.app(environ, modified_start_response) def auth_response(self, credentials, reqmethod): """internal method generating authentication tokens @raises KeyError: @raises ValueError: """ username = credentials["username"] algo = credentials["algorithm"] uri = credentials["uri"] nonce = credentials["nonce"] a1h = self.gentoken(username, algo) if a1h is None: raise ValueError a2h = self.algorithms[algo]("%s:%s" % (reqmethod, uri)) qop = credentials.get("qop", None) if qop is None: dig = ":".join((a1h, nonce, a2h)) else: if qop != "auth": raise ValueError # raises KeyError dig = ":".join((a1h, nonce, credentials["nc"], credentials["cnonce"], qop, a2h)) return self.algorithms[algo](dig) def authorization_required(self, environ, start_response, stale=False): """internal method implementing wsgi interface, serving 401 page""" digest = dict(nonce=self.noncestore.newnonce(), realm=self.gentoken.realm, algorithm="md5", qop="auth") if stale: digest["stale"] = "TRUE" challenge = ", ".join(map('%s="%s"'.__mod__, digest.items())) status = "401 Not authorized" headers = [("Content-type", "text/html"), ("WWW-Authenticate", "Digest %s" % challenge)] data = "