Beispiel #1
0
    def check_auth_publickey(self, username, key):
        """Public key auth against usermap"""
        offered = None

        if hit_rate_limit(configuration, "sftp-key", self.client_addr[0],
                          username, max_fails=10):
            logger.warning("Rate limiting login from %s" % self.client_addr[0])
        elif self.allow_publickey and self.users.has_key(username):
            # list of User login objects for username
            entries = self.users[username]
            offered = key.get_base64()
            for entry in entries:
                if entry.public_key is not None:
                    # TODO: Add ssh tunneling on resource frontends
                    #       before enforcing ip check
                    # and \
                    # (entry.ip_addr is None or 
                    #  entry.ip_addr == self.client_addr[0]):

                    allowed = entry.public_key.get_base64()
                    self.logger.debug("Public key check for %s" % username)
                    if allowed == offered:
                        self.logger.info("Public key match for %s" % username)
                        self.authenticated_user = username
                        update_rate_limit(configuration, "sftp-key",
                                          self.client_addr[0], username, True)
                        return paramiko.AUTH_SUCCESSFUL
        err_msg = 'Public key authentication failed for %s:\n%s' % \
                  (username, offered)
        self.logger.error(err_msg)
        print err_msg
        update_rate_limit(configuration, "sftp-key", self.client_addr[0],
                          username, False)
        return paramiko.AUTH_FAILED
Beispiel #2
0
 def doLogin(self):
     """Login handler"""
     if 'submit' in self.query:
         if 'user' in self.query:
             self.user = self.query['user']
         else:
             self.clearUser()
         if 'password' in self.query:
             self.password = self.query['password']
         else:
             self.password = None
         if not hit_rate_limit(configuration, "openid",
                               self.client_address[0], self.user) and \
                               self.checkLogin(self.user, self.password):
             if not self.query['success_to']:
                 self.query['success_to'] = '%s/id/' % self.server.base_url
             print "doLogin succeded: redirect to %s" % self.query['success_to']
             self.redirect(self.query['success_to'])
             update_rate_limit(configuration, "openid",
                               self.client_address[0], self.user, True)
         else:
             # TODO: Login failed - is this correct behaviour?
             print "doLogin failed for %s!" % self.user
             # print "doLogin full query: %s" % self.query
             self.clearUser()
             self.redirect(self.query['success_to'])
             update_rate_limit(configuration, "openid",
                               self.client_address[0], self.user, False)
     elif 'cancel' in self.query:
         self.redirect(self.query['fail_to'])
     else:
         assert 0, 'strange login %r' % (self.query,)
Beispiel #3
0
 def _check_auth_publickey(self, username, key):
     """Verify supplied username and public key against user DB"""
     offered = None
     if hit_rate_limit(configuration, "davs", self.client_address[0],
                       username):
         logger.warning("Rate limiting login from %s" % \
                        self.client_address[0])
     elif self.users.has_key(username):
         # list of User login objects for username
         entries = self.users[username]
         offered = key.get_base64()
         for entry in entries:
             if entry.public_key is not None:
                 allowed = entry.public_key.get_base64()
                 logger.debug("Public key check for %s" % username)
                 if allowed == offered:
                     logger.info("Public key match for %s" % username)
                     self.authenticated_user = username
                     update_rate_limit(configuration, "davs",
                                       self.client_address[0], username,
                                       True)
                     return True
     update_rate_limit(configuration, "davs", self.client_address[0],
                       username, False)                    
     return False
Beispiel #4
0
 def getRealmUserPassword(self, realmname, username, environ):
     """Return the password for the given username for the realm.
     
     Used for digest authentication.
     """
     #print "DEBUG: env in getRealmUserPassword: %s" % environ
     addr = _get_addr(environ)
     self._expire_rate_limit()
     #logger.info("refresh user %s" % username)
     update_users(configuration, self.userMap, username)
     #logger.info("in getRealmUserPassword from %s" % addr)
     if hit_rate_limit(configuration, "davs", addr, username):
         logger.warning("Rate limiting login from %s" % addr)
         password = None
     else:
         digest = super(MiGWsgiDAVDomainController,
                         self).getRealmUserPassword(realmname, username,
                                                    environ)
         #logger.info("found digest %s" % digest)
         try:
             _, _, _, payload = digest.split("$")
             #logger.info("found payload %s" % payload)
             unscrambled = unscramble_digest(configuration.site_digest_salt,
                                             payload)
             _, _, password = unscrambled.split(":")
             #logger.info("found password")
         except Exception, exc:
             logger.error("failed to extract digest password: %s" % exc)
             password = None
Beispiel #5
0
    def validate_authentication(self, username, password, handler):
        """Password auth against usermap.

        Please note that we take serious steps to secure against password
        cracking, but that it _may_ still be possible to achieve with a big
        effort.

        Paranoid users / grid owners should not enable password access in the
        first place!
        """
        logger.debug("Authenticating %s" % username)
        self.update_logins(username)
        
        offered = None
        if hit_rate_limit(configuration, "ftps", handler.remote_ip, username):
            logger.warning("Rate limiting login from %s" % handler.remote_ip)
        elif 'password' in configuration.user_ftps_auth and \
               self.has_user(username):
            # list of User login objects for username
            entries = [self.user_table[username]]
            offered = password
            for entry in entries:
                if entry['pwd'] is not None:
                    allowed = entry['pwd']
                    logger.debug("Password check for %s" % username)
                    if check_password_hash(offered, allowed):
                        logger.info("Authenticated %s" % username)
                        self.authenticated_user = username
                        update_rate_limit(configuration, "ftps",
                                          handler.remote_ip, username, True)
                        return True
        err_msg = "Password authentication failed for %s" % username
        logger.error(err_msg)
        print err_msg
        self.authenticated_user = None
        update_rate_limit(configuration, "ftps", handler.remote_ip, username,
                          False)
        # Must raise AuthenticationFailed exception since version 1.0.0 instead
        # of returning bool
        raise AuthenticationFailed(err_msg)
Beispiel #6
0
    def check_auth_password(self, username, password):
        """Password auth against usermap.

        Please note that we take serious steps to secure against password
        cracking, but that it _may_ still be possible to achieve with a big
        effort.

        Paranoid users / grid owners should not enable password access in the
        first place!
        """
        offered = None
        if hit_rate_limit(configuration, "sftp-pw", self.client_addr[0],
                          username):
            logger.warning("Rate limiting login from %s" % self.client_addr[0])
        elif self.allow_password and self.users.has_key(username):
            # list of User login objects for username
            entries = self.users[username]
            offered = password
            for entry in entries:
                if entry.password is not None:
                    # TODO: Add ssh tunneling on resource frontends
                    #       before enforcing ip check
                    # and \
                    #(entry.ip_addr is None or
                    # entry.ip_addr == self.client_addr[0]):

                    allowed = entry.password
                    self.logger.debug("Password check for %s" % username)
                    if check_password_hash(offered, allowed):
                        self.logger.info("Authenticated %s" % username)
                        self.authenticated_user = username
                        update_rate_limit(configuration, "sftp-pw",
                                          self.client_addr[0], username, True)
                        return paramiko.AUTH_SUCCESSFUL
        err_msg = "Password authentication failed for %s" % username
        self.logger.error(err_msg)
        print err_msg
        update_rate_limit(configuration, "sftp-pw", self.client_addr[0],
                          username, False)
        return paramiko.AUTH_FAILED
Beispiel #7
0
 def authDomainUser(self, realmname, username, password, environ):
     """Returns True if this username/password pair is valid for the realm,
     False otherwise. Used for basic authentication.
     
     We explicitly compare against saved hash rather than password value.
     """
     #print "DEBUG: env in authDomainUser: %s" % environ
     addr = _get_addr(environ)
     self._expire_rate_limit()
     #logger.info("refresh user %s" % username)
     update_users(configuration, self.userMap, username)
     #logger.info("in authDomainUser from %s" % addr)
     success = False
     if hit_rate_limit(configuration, "davs", addr, username):
         logger.warning("Rate limiting login from %s" % addr)
     elif self._check_auth_password(addr, realmname, username, password):
         logger.info("Accepted login for %s from %s" % (username, addr))
         success = True
     else:
         logger.warning("Invalid login for %s from %s" % (username, addr))
     update_rate_limit(configuration, "davs", addr, username, success)
     logger.info("valid digest user %s" % username)
     return success
Beispiel #8
0
 def _check_auth_password(self, username, password):
     """Verify supplied username and password against user DB"""
     offered = None
     if hit_rate_limit(configuration, "davs", self.client_address[0],
                       username):
         logger.warning("Rate limiting login from %s" % \
                        self.client_address[0])
     elif self.users.has_key(username):
         # list of User login objects for username
         entries = self.users[username]
         offered = password
         for entry in entries:
             if entry.password is not None:
                 allowed = entry.password
                 logger.debug("Password check for %s" % username)
                 if check_password_hash(offered, allowed):
                     self.authenticated_user = username
                     update_rate_limit(configuration, "davs",
                                       self.client_address[0], username,
                                       True)
                     return True
     update_rate_limit(configuration, "davs", self.client_address[0],
                       username, False)
     return False
Beispiel #9
0
    def handleAllow(self, query):
        """Handle requests to allow authentication:
        Must verify user is already logged in or validate username/password
        pair against user DB.
        """
        request = self.server.lastCheckIDRequest.get(self.user)

        print "handleAllow with last request %s from user %s" % \
              (request, self.user)
        # print "DEBUG: full query %s" % query

        # Old IE 8 does not send contents of submit buttons thus only the
        # fields login_as and password are set with the allow requests. We
        # manually add a yes here if so to avoid the else case.
        if not 'yes' in query and not 'no' in query:
            query['yes'] = 'yes'
        
        if 'yes' in query:
            if 'login_as' in query:
                self.user = self.query['login_as']
                #print "handleAllow set user %s" % self.user
            elif 'identifier' in query:
                self.user = self.query['identifier']

            if request.idSelect():
                # Do any ID expansion to a specified format
                if configuration.daemon_conf['expandusername']:
                    user_id = lookup_full_identity(query.get('identifier', ''))
                else:
                    user_id = query.get('identifier', '')
                identity = self.server.base_url + 'id/' + user_id
            else:
                identity = request.identity

            print "handleAllow with identity %s" % identity

            if 'password' in self.query:
                print "setting password"
                self.password = self.query['password']
            else:
                print "no password in query"
                self.password = None

            if not hit_rate_limit(configuration, "openid",
                                  self.client_address[0], self.user) and \
                                  self.checkLogin(self.user, self.password):
                print "handleAllow validated login %s" % identity
                trust_root = request.trust_root
                if self.query.get('remember', 'no') == 'yes':
                    self.server.approved[(identity, trust_root)] = 'always'

                print "handleAllow approving login %s" % identity
                response = self.approved(request, identity)
                update_rate_limit(configuration, "openid",
                                  self.client_address[0], self.user, True)
            else:
                print "handleAllow rejected login %s" % identity
                self.clearUser()
                response = self.rejected(request, identity)    
                update_rate_limit(configuration, "openid",
                                  self.client_address[0], self.user, False)
        elif 'no' in query:
            response = request.answer(False)

        else:
            assert False, 'strange allow post.  %r' % (query,)

        self.displayResponse(response)