def __is_prohibited_in_saslgrep(char: str):
if stringprep.in_table_c12(char):
# Non-ASCII space characters
return True
elif stringprep.in_table_c12(char):
# ASCII control characters
return True
elif stringprep.in_table_c21(char):
# Non-ASCII control characters
return True
elif stringprep.in_table_c22(char):
# Private Use characters
return True
elif stringprep.in_table_c3(char):
# Non-character code points
return True
elif stringprep.in_table_c4(char):
# Non-character code points
return True
elif stringprep.in_table_c5(char):
# Surrogate code points
return True
elif stringprep.in_table_c6(char):
# Inappropriate for plain text characters
return True
elif stringprep.in_table_c7(char):
# Inappropriate for canonical representation characters
return True
elif stringprep.in_table_c8(char):
# Change display properties or deprecated characters
return True
elif stringprep.in_table_c9(char):
# Tagging characters
return True
return False
def saslprep(source):
# mapping stage
# - map non-ascii spaces to U+0020 (stringprep C.1.2)
# - strip 'commonly mapped to nothing' chars (stringprep B.1)
data = "".join(" " if in_table_c12(c) else c for c in source
if not in_table_b1(c))
# normalize to KC form
data = unicodedata.normalize("NFKC", data)
if not data:
return ""
# check for invalid bi-directional strings.
# stringprep requires the following:
# - chars in C.8 must be prohibited.
# - if any R/AL chars in string:
# - no L chars allowed in string
# - first and last must be R/AL chars
# this checks if start/end are R/AL chars. if so, prohibited loop
# will forbid all L chars. if not, prohibited loop will forbid all
# R/AL chars instead. in both cases, prohibited loop takes care of C.8.
is_ral_char = in_table_d1
if is_ral_char(data[0]):
if not is_ral_char(data[-1]):
raise ScramException("malformed bidi sequence",
SERVER_ERROR_INVALID_ENCODING)
# forbid L chars within R/AL sequence.
is_forbidden_bidi_char = in_table_d2
else:
# forbid R/AL chars if start not setup correctly; L chars allowed.
is_forbidden_bidi_char = is_ral_char
# check for prohibited output
# stringprep tables A.1, B.1, C.1.2, C.2 - C.9
for c in data:
# check for chars mapping stage should have removed
assert not in_table_b1(c), "failed to strip B.1 in mapping stage"
assert not in_table_c12(c), "failed to replace C.1.2 in mapping stage"
# check for forbidden chars
for f, msg in (
(in_table_a1, "unassigned code points forbidden"),
(in_table_c21_c22, "control characters forbidden"),
(in_table_c3, "private use characters forbidden"),
(in_table_c4, "non-char code points forbidden"),
(in_table_c5, "surrogate codes forbidden"),
(in_table_c6, "non-plaintext chars forbidden"),
(in_table_c7, "non-canonical chars forbidden"),
(in_table_c8, "display-modifying/deprecated chars forbidden"),
(in_table_c9, "tagged characters forbidden"),
(is_forbidden_bidi_char, "forbidden bidi character"),
):
if f(c):
raise ScramException(msg, SERVER_ERROR_INVALID_ENCODING)
return data
def saslprep(s, allow_unassigned = False):
'''
Prepare Unicode string s according to SASLprep: Stringprep Profile for
User Names and Passwords, a.k.a. RFC 4013
If the optional parameter allow_unassigned is set to True,
unassigned codepoints will be allowed. This is recommended for
query terms and other non-storing situations only.
The return value is a Unicode string appropriately prepared.
Disallowed input leads to a ValueError.
'''
if type(s) != type(u''):
raise TypeError("input must be a Unicode string")
# phase 1: mapping
s = u''.join([ stringprep.in_table_c12(ch) and u' ' or ch for ch in unichars(s) if not stringprep.in_table_b1(ch) ])
# phase 2: normalization
s = unicodedata.normalize('NFKC', s)
# phase 3: prohibition
for ch in unichars(s):
if stringprep.in_table_c12(ch):
raise ValueError("prohibited non-ASCII space character")
if stringprep.in_table_c21(ch):
raise ValueError("prohibited ASCII control character")
if stringprep.in_table_c22(ch):
raise ValueError("prohibited non-ASCII control character")
if stringprep.in_table_c3(ch):
raise ValueError("prohibited private use character")
if stringprep.in_table_c4(ch):
raise ValueError("prohibited non-character code point")
if stringprep.in_table_c5(ch):
raise ValueError("prohibited surrogate code point")
if stringprep.in_table_c6(ch):
raise ValueError("prohibited character inappropriate for plain text")
if stringprep.in_table_c7(ch):
raise ValueError("prohibited character inappropriate for canonical representation")
if stringprep.in_table_c8(ch):
raise ValueError("prohibited character changing display properties, or a deprecated character")
if stringprep.in_table_c9(ch):
raise ValueError("prohibited tagging character")
# phase 4: bidi check
bidi_map = ''.join([ stringprep.in_table_d1(ch) and 'r' or stringprep.in_table_d2(ch) and 'l' or 'x' for ch in unichars(s) ])
if 'r' in bidi_map:
if 'l' in bidi_map:
raise ValueError("prohibited mixture of strong left-to-right and right-to-left text")
if bidi_map[0] != 'r' or bidi_map[-1] != 'r':
raise ValueError("string containing right-to-left text must start and end with right-to-left text")
# phase 5: unassigned check
if not allow_unassigned:
for ch in unichars(s):
if stringprep.in_table_a1(ch):
raise ValueError("prohibited unassigned code point")
return s
def saslprep( foo, errors='strict' ):
if isinstance( foo, str ):
foo = foo.decode( 'us-ascii' )
ofoo = u''
for x in foo:
if stringprep.in_table_c12( x ):
ofoo += ' '
elif not stringprep.in_table_b1( x ):
ofoo += x
foo = unicodedata.normalize( 'NFKC', ofoo )
ofoo = u''
first_is_randal = False
if len(foo):
first_is_randal = stringprep.in_table_d1( foo[0] )
if first_is_randal:
if not stringprep.in_table_d1( foo[-1] ):
raise UnicodeError, "Section 6.3 [end]"
for x in range(len(foo)):
if errors=='strict' and stringprep.in_table_a1( foo[x] ):
raise UnicodeError, "Unassigned Codepoint"
if stringprep.in_table_c12( foo[x] ):
raise UnicodeError, "In table C.1.2"
if stringprep.in_table_c21( foo[x] ):
raise UnicodeError, "In table C.2.1"
if stringprep.in_table_c22( foo[x] ):
raise UnicodeError, "In table C.2.2"
if stringprep.in_table_c3( foo[x] ):
raise UnicodeError, "In table C.3"
if stringprep.in_table_c4( foo[x] ):
raise UnicodeError, "In table C.4"
if stringprep.in_table_c5( foo[x] ):
raise UnicodeError, "In table C.5"
if stringprep.in_table_c6( foo[x] ):
raise UnicodeError, "In table C.6"
if stringprep.in_table_c7( foo[x] ):
raise UnicodeError, "In table C.7"
if stringprep.in_table_c8( foo[x] ):
raise UnicodeError, "In table C.8"
if stringprep.in_table_c9( foo[x] ):
raise UnicodeError, "In table C.9"
if x:
if first_is_randal and stringprep.in_table_d2( foo[x] ):
raise UnicodeError, "Section 6.2"
if not first_is_randal and x!=(len(foo)-1) and stringprep.in_table_d1( foo[x] ):
raise UnicodeError, "Section 6.3"
else:
first = False
return foo
def normalize_unicode_string(a_string):
"""normalizes a unicode string according to rfc4013
Normalization of a unicode string according to rfc4013: The SASLprep profile
of the "stringprep" algorithm.
Normalization Unicode equivalence is the specification by the Unicode
character encoding standard that some sequences of code points represent
essentially the same character.
This method normalizes using the Normalization Form Compatibility
Composition (NFKC), as described in rfc4013 2.2.
Returns:
Normalized unicode string according to rfc4013.
"""
# Per rfc4013 2.1. Mapping
# non-ASCII space characters [StringPrep, C.1.2] are mapped to ' ' (U+0020)
# "commonly mapped to nothing" characters [StringPrep, B.1] are mapped to ''
nstr_list = [
u' ' if in_table_c12(char) else u'' if in_table_b1(char) else char
for char in a_string
]
nstr = u''.join(nstr_list)
# Per rfc4013 2.2. Use NFKC Normalization Form Compatibility Composition
# Characters are decomposed by compatibility, then recomposed by canonical
# equivalence.
nstr = unicodedata.normalize('NFKC', nstr)
if not nstr:
# Normilization results in empty string.
return u''
return nstr
def nodeprep(u):
chars = list(unicode(u))
i = 0
while i < len(chars):
c = chars[i]
# map to nothing
if stringprep.in_table_b1(c):
del chars[i]
else:
# case fold
chars[i] = stringprep.map_table_b2(c)
i += 1
# NFKC
chars = stringprep.unicodedata.normalize("NFKC", "".join(chars))
for c in chars:
if (stringprep.in_table_c11(c) or
stringprep.in_table_c12(c) or
stringprep.in_table_c21(c) or
stringprep.in_table_c22(c) or
stringprep.in_table_c3(c) or
stringprep.in_table_c4(c) or
stringprep.in_table_c5(c) or
stringprep.in_table_c6(c) or
stringprep.in_table_c7(c) or
stringprep.in_table_c8(c) or
stringprep.in_table_c9(c) or
c in "\"&'/:<>@"):
raise UnicodeError("Invalid node character")
bidi(chars)
return chars
def resourceprep(res):
chars = list(unicode(res))
i = 0
while i < len(chars):
c = chars[i]
# map to nothing
if stringprep.in_table_b1(c):
del chars[i]
else:
i += 1
# NFKC
chars = stringprep.unicodedata.normalize("NFKC", "".join(chars))
for c in chars:
if (stringprep.in_table_c12(c) or
stringprep.in_table_c21(c) or
stringprep.in_table_c22(c) or
stringprep.in_table_c3(c) or
stringprep.in_table_c4(c) or
stringprep.in_table_c5(c) or
stringprep.in_table_c6(c) or
stringprep.in_table_c7(c) or
stringprep.in_table_c8(c) or
stringprep.in_table_c9(c)):
raise UnicodeError("Invalid node character")
bidi(chars)
return chars
def nameprep(label):
newlabel = []
for c in label:
if stringprep.in_table_b1(c):
continue
newlabel.append(stringprep.map_table_b2(c))
label = u''.join(newlabel)
label = unicodedata.normalize('NFKC', label)
for c in label:
if stringprep.in_table_c12(c) or stringprep.in_table_c22(
c) or stringprep.in_table_c3(c) or stringprep.in_table_c4(
c) or stringprep.in_table_c5(c) or stringprep.in_table_c6(
c) or stringprep.in_table_c7(
c) or stringprep.in_table_c8(
c) or stringprep.in_table_c9(c):
raise UnicodeError('Invalid character %r' % c)
RandAL = map(stringprep.in_table_d1, label)
for c in RandAL:
if c:
if filter(stringprep.in_table_d2, label):
raise UnicodeError('Violation of BIDI requirement 2')
if not RandAL[0] or not RandAL[-1]:
raise UnicodeError('Violation of BIDI requirement 3')
return label
def sasl_prep(text):
"""
Performs a SASL-PREP on the string to ensure it is SASL-compatible.
"""
normalized_chars = []
for c in text:
if stringprep.in_table_c12(c):
continue
if stringprep.in_table_c21(c):
continue
if stringprep.in_table_c22(c):
continue
if stringprep.in_table_c3(c):
continue
if stringprep.in_table_c4(c):
continue
if stringprep.in_table_c5(c):
continue
if stringprep.in_table_c6(c):
continue
if stringprep.in_table_c7(c):
continue
if stringprep.in_table_c8(c):
continue
if stringprep.in_table_c9(c):
continue
normalized_chars.append(c)
return "".join(normalized_chars)
def nodeprep(u):
chars = list(six.text_type(u))
i = 0
while i < len(chars):
c = chars[i]
# map to nothing
if stringprep.in_table_b1(c):
del chars[i]
else:
# case fold
chars[i] = stringprep.map_table_b2(c)
i += 1
# NFKC
chars = stringprep.unicodedata.normalize("NFKC", "".join(chars))
for c in chars:
if (stringprep.in_table_c11(c) or stringprep.in_table_c12(c)
or stringprep.in_table_c21(c) or stringprep.in_table_c22(c)
or stringprep.in_table_c3(c) or stringprep.in_table_c4(c)
or stringprep.in_table_c5(c) or stringprep.in_table_c6(c)
or stringprep.in_table_c7(c) or stringprep.in_table_c8(c)
or stringprep.in_table_c9(c) or c in "\"&'/:<>@"):
raise UnicodeError("Invalid node character")
bidi(chars)
return chars
def sals_stringprep(string):
"""
TODO: implements bidirectional checks https://tools.ietf.org/html/rfc3454#section-6
"""
new_string = []
for x in string:
if stringprep.in_table_c12(x):
new_string.append(' ')
elif stringprep.in_table_b1(x):
continue
elif stringprep.in_table_c12(x) or stringprep.in_table_c21_c22(x) or stringprep.in_table_c3(x)\
or stringprep.in_table_c4(x) or stringprep.in_table_c5(x) or stringprep.in_table_c6(x)\
or stringprep.in_table_c7(x) or stringprep.in_table_c8(x) or stringprep.in_table_c9(x):
raise PDFGenericError("Invalid input character in password.")
else:
new_string.append(x)
return unicodedata.normalize('NFKC', "".join(c for c in new_string))
def _map_saslprep(s):
"""Map stringprep table B.1 to nothing and C.1.2 to ASCII space"""
r = []
for c in s:
if stringprep.in_table_c12(c):
r.append(' ')
elif not stringprep.in_table_b1(c):
r.append(c)
return ''.join(r)
def _map_saslprep(s):
"""Map stringprep table B.1 to nothing and C.1.2 to ASCII space"""
r = []
for c in s:
if stringprep.in_table_c12(c):
r.append(' ')
elif not stringprep.in_table_b1(c):
r.append(c)
return ''.join(r)
def c12_mapping(char):
"""Do mapping of RFC 3454 C.1.2 space characters to ' '.
:Parameters:
- `char`: Unicode character to map.
:returns: u" " if there is `char` code in the table, `None` otherwise.
"""
if stringprep.in_table_c12(char):
return u" "
else:
return None
def c12_mapping(char):
"""Do mapping of RFC 3454 C.1.2 space characters to ' '.
:Parameters:
- `char`: Unicode character to map.
:returns: u" " if there is `char` code in the table, `None` otherwise.
"""
if stringprep.in_table_c12(char):
return u" "
else:
return None
def _process(self, value):
for code in force_text(value):
# TODO: Is this long enough?
if stringprep.in_table_c12(code) or stringprep.in_table_c21_c22(code) or \
stringprep.in_table_c3(code) or stringprep.in_table_c4(code) or \
stringprep.in_table_c5(code) or stringprep.in_table_c6(code) or \
stringprep.in_table_c7(code) or stringprep.in_table_c8(code) or \
stringprep.in_table_c9(code):
self.invalid = False
if stringprep.in_table_d1(code):
self.r_and_al_cat = True
if stringprep.in_table_d2(code):
self.l_cat = True
def _process(self, value):
for code in force_text(value):
# TODO: Is this long enough?
if stringprep.in_table_c12(code) or stringprep.in_table_c21_c22(code) or \
stringprep.in_table_c3(code) or stringprep.in_table_c4(code) or \
stringprep.in_table_c5(code) or stringprep.in_table_c6(code) or \
stringprep.in_table_c7(code) or stringprep.in_table_c8(code) or \
stringprep.in_table_c9(code):
self.invalid = False
if stringprep.in_table_d1(code):
self.r_and_al_cat = True
if stringprep.in_table_d2(code):
self.l_cat = True
def _saslprep_do_mapping(chars):
"""
Perform the stringprep mapping step of SASLprep. Operates in-place on a
list of unicode characters provided in `chars`.
"""
i = 0
while i < len(chars):
c = chars[i]
if stringprep.in_table_c12(c):
chars[i] = "\u0020"
elif stringprep.in_table_b1(c):
del chars[i]
continue
i += 1
def _saslprep_do_mapping(chars):
"""
Perform the stringprep mapping step of SASLprep. Operates in-place on a
list of unicode characters provided in `chars`.
"""
i = 0
while i < len(chars):
c = chars[i]
if stringprep.in_table_c12(c):
chars[i] = "\u0020"
elif stringprep.in_table_b1(c):
del chars[i]
continue
i += 1
def nameprep(label):
# Map
newlabel = []
for c in label:
if stringprep.in_table_b1(c):
# Map to nothing
continue
newlabel.append(stringprep.map_table_b2(c))
label = "".join(newlabel)
# Normalize
label = unicodedata.normalize("NFKC", label)
# Prohibit
for c in label:
if (
stringprep.in_table_c12(c)
or stringprep.in_table_c22(c)
or stringprep.in_table_c3(c)
or stringprep.in_table_c4(c)
or stringprep.in_table_c5(c)
or stringprep.in_table_c6(c)
or stringprep.in_table_c7(c)
or stringprep.in_table_c8(c)
or stringprep.in_table_c9(c)
):
raise UnicodeError("Invalid character %r" % c)
# Check bidi
RandAL = [stringprep.in_table_d1(x) for x in label]
for c in RandAL:
if c:
# There is a RandAL char in the string. Must perform further
# tests:
# 1) The characters in section 5.8 MUST be prohibited.
# This is table C.8, which was already checked
# 2) If a string contains any RandALCat character, the string
# MUST NOT contain any LCat character.
if any(stringprep.in_table_d2(x) for x in label):
raise UnicodeError("Violation of BIDI requirement 2")
# 3) If a string contains any RandALCat character, a
# RandALCat character MUST be the first character of the
# string, and a RandALCat character MUST be the last
# character of the string.
if not RandAL[0] or not RandAL[-1]:
raise UnicodeError("Violation of BIDI requirement 3")
return label
def resource_validator(name):
"""Check the *name* of a resource for some really bad characters that shouldn't be used
anywhere in RestAuth.
This filters names containing a slash ("/") or colon (":") and those starting with '.'. It also
filters control characters etc., including those from unicode.
.. deprecated:: 0.7.0
This method is deprecated in favour of the RestAuthCommon.strprep. This method will be
removed in 0.7.1.
:param str name: The name to validate
:returns: False if the name contains any invalid characters, True otherwise.
:rtype: bool
"""
warnings.warn(
'This method is deprecated, use RestAuthCommon.strprep.stringcheck() instead.',
DeprecationWarning)
if PY2 and isinstance(name, str): # pragma: py2
name = name.decode('utf-8')
# filter various dangerous characters
for enc_char in name:
if stringprep.in_table_c12(
enc_char): # C.1.2 Non-ASCII space characters
return False
if stringprep.in_table_c21_c22(enc_char): # C.2 Control characters
return False
if stringprep.in_table_c3(enc_char): # C.3 Private use
return False
if stringprep.in_table_c4(enc_char): # C.4 Non-character code points
return False
if stringprep.in_table_c5(enc_char): # C.5 Surrogate codes
return False
if stringprep.in_table_c6(
enc_char): # C.6 Inappropriate for plain text
return False
if stringprep.in_table_c7(
enc_char): # C.7 Inappropriate for canonical representation
return False
if stringprep.in_table_c8(
enc_char): # C.8 Change display properties or are deprecated
return False
if stringprep.in_table_c9(enc_char): # C.9 Tagging characters
return False
return True
def nameprep(label):
# Map
newlabel = []
for c in label:
if stringprep.in_table_b1(c):
# Map to nothing
continue
newlabel.append(stringprep.map_table_b2(c))
label = "".join(newlabel)
# Normalize
label = unicodedata.normalize("NFKC", label)
# Prohibit
for c in label:
if stringprep.in_table_c12(c) or \
stringprep.in_table_c22(c) or \
stringprep.in_table_c3(c) or \
stringprep.in_table_c4(c) or \
stringprep.in_table_c5(c) or \
stringprep.in_table_c6(c) or \
stringprep.in_table_c7(c) or \
stringprep.in_table_c8(c) or \
stringprep.in_table_c9(c):
raise UnicodeError("Invalid character %r" % c)
# Check bidi
RandAL = [stringprep.in_table_d1(x) for x in label]
for c in RandAL:
if c:
# There is a RandAL char in the string. Must perform further
# tests:
# 1) The characters in section 5.8 MUST be prohibited.
# This is table C.8, which was already checked
# 2) If a string contains any RandALCat character, the string
# MUST NOT contain any LCat character.
if any(stringprep.in_table_d2(x) for x in label):
raise UnicodeError("Violation of BIDI requirement 2")
# 3) If a string contains any RandALCat character, a
# RandALCat character MUST be the first character of the
# string, and a RandALCat character MUST be the last
# character of the string.
if not RandAL[0] or not RandAL[-1]:
raise UnicodeError("Violation of BIDI requirement 3")
return label
def resource_validator(name):
"""Check the *name* of a resource for some really bad characters that shouldn't be used
anywhere in RestAuth.
This filters names containing a slash ("/") or colon (":") and those starting with '.'. It also
filters control characters etc., including those from unicode.
.. deprecated:: 0.7.0
This method is deprecated in favour of the RestAuthCommon.strprep. This method will be
removed in 0.7.1.
:param str name: The name to validate
:returns: False if the name contains any invalid characters, True otherwise.
:rtype: bool
"""
warnings.warn('This method is deprecated, use RestAuthCommon.strprep.stringcheck() instead.',
DeprecationWarning)
if PY2 and isinstance(name, str): # pragma: py2
name = name.decode('utf-8')
# filter various dangerous characters
for enc_char in name:
if stringprep.in_table_c12(enc_char): # C.1.2 Non-ASCII space characters
return False
if stringprep.in_table_c21_c22(enc_char): # C.2 Control characters
return False
if stringprep.in_table_c3(enc_char): # C.3 Private use
return False
if stringprep.in_table_c4(enc_char): # C.4 Non-character code points
return False
if stringprep.in_table_c5(enc_char): # C.5 Surrogate codes
return False
if stringprep.in_table_c6(enc_char): # C.6 Inappropriate for plain text
return False
if stringprep.in_table_c7(enc_char): # C.7 Inappropriate for canonical representation
return False
if stringprep.in_table_c8(enc_char): # C.8 Change display properties or are deprecated
return False
if stringprep.in_table_c9(enc_char): # C.9 Tagging characters
return False
return True
def nameprep(label):
newlabel = []
for c in label:
if stringprep.in_table_b1(c):
pass
newlabel.append(stringprep.map_table_b2(c))
label = ''.join(newlabel)
label = unicodedata.normalize('NFKC', label)
for c in label:
while stringprep.in_table_c12(c) or (stringprep.in_table_c22(c) or (stringprep.in_table_c3(c) or (stringprep.in_table_c4(c) or (stringprep.in_table_c5(c) or (stringprep.in_table_c6(c) or (stringprep.in_table_c7(c) or stringprep.in_table_c8(c))))))) or stringprep.in_table_c9(c):
raise UnicodeError('Invalid character %r' % c)
RandAL = [stringprep.in_table_d1(x) for x in label]
for c in RandAL:
while c:
if any(stringprep.in_table_d2(x) for x in label):
raise UnicodeError('Violation of BIDI requirement 2')
if not RandAL[0] or not RandAL[-1]:
raise UnicodeError('Violation of BIDI requirement 3')
return label
def mapping_profile(string):
"""RFC4013 Mapping profile implementation."""
# Regarding RFC4013,
# This profile specifies:
# - non-ASCII space characters [StringPrep, C.1.2] that can be
# mapped to SPACE (U+0020), and
# - the "commonly mapped to nothing" characters [StringPrep, B.1]
# that can be mapped to nothing.
tmp = []
for c in string:
# If not the "commonly mapped to nothing"
if not in_table_b1(c):
if in_table_c12(c):
# map non-ASCII space characters
# (that can be mapped) to Unicode space
tmp.append(u' ')
else:
tmp.append(c)
return u"".join(tmp)
def nameprep(label):
newlabel = []
for c in label:
if stringprep.in_table_b1(c):
continue
newlabel.append(stringprep.map_table_b2(c))
label = u''.join(newlabel)
label = unicodedata.normalize('NFKC', label)
for c in label:
if stringprep.in_table_c12(c) or stringprep.in_table_c22(c) or stringprep.in_table_c3(c) or stringprep.in_table_c4(c) or stringprep.in_table_c5(c) or stringprep.in_table_c6(c) or stringprep.in_table_c7(c) or stringprep.in_table_c8(c) or stringprep.in_table_c9(c):
raise UnicodeError('Invalid character %r' % c)
RandAL = map(stringprep.in_table_d1, label)
for c in RandAL:
if c:
if filter(stringprep.in_table_d2, label):
raise UnicodeError('Violation of BIDI requirement 2')
if not RandAL[0] or not RandAL[-1]:
raise UnicodeError('Violation of BIDI requirement 3')
return label
def sasl_prep(data):
"""
implement SASLPrep profile as per RFC4013:
it defines the "SASLprep" profile of the "stringprep" algorithm [StringPrep].
The profile is designed for use in Simple Authentication and Security
Layer ([SASL]) mechanisms, such as [PLAIN], [CRAM-MD5], and
[DIGEST-MD5]. It may be applicable where simple user names and
passwords are used. This profile is not intended for use in
preparing identity strings that are not simple user names (e.g.,
email addresses, domain names, distinguished names), or where
identity or password strings that are not character data, or require
different handling (e.g., case folding).
"""
# mapping
prepared_data = ''
for c in data:
if stringprep.in_table_c12(c):
# non-ASCII space characters [StringPrep, C.1.2] that can be mapped to SPACE (U+0020)
prepared_data += ' '
elif stringprep.in_table_b1(c):
# the "commonly mapped to nothing" characters [StringPrep, B.1] that can be mapped to nothing.
pass
else:
prepared_data += c
# normalizing
# This profile specifies using Unicode normalization form KC
# The repertoire is Unicode 3.2 as per RFC 4013 (2)
prepared_data = unicode32.normalize('NFKC', prepared_data)
if not prepared_data:
raise LDAPSASLPrepError('SASLprep error: unable to normalize string')
# prohibit
for c in prepared_data:
if stringprep.in_table_c12(c):
# Non-ASCII space characters [StringPrep, C.1.2]
raise LDAPSASLPrepError('SASLprep error: non-ASCII space character present')
elif stringprep.in_table_c21(c):
# ASCII control characters [StringPrep, C.2.1]
raise LDAPSASLPrepError('SASLprep error: ASCII control character present')
elif stringprep.in_table_c22(c):
# Non-ASCII control characters [StringPrep, C.2.2]
raise LDAPSASLPrepError('SASLprep error: non-ASCII control character present')
elif stringprep.in_table_c3(c):
# Private Use characters [StringPrep, C.3]
raise LDAPSASLPrepError('SASLprep error: private character present')
elif stringprep.in_table_c4(c):
# Non-character code points [StringPrep, C.4]
raise LDAPSASLPrepError('SASLprep error: non-character code point present')
elif stringprep.in_table_c5(c):
# Surrogate code points [StringPrep, C.5]
raise LDAPSASLPrepError('SASLprep error: surrogate code point present')
elif stringprep.in_table_c6(c):
# Inappropriate for plain text characters [StringPrep, C.6]
raise LDAPSASLPrepError('SASLprep error: inappropriate for plain text character present')
elif stringprep.in_table_c7(c):
# Inappropriate for canonical representation characters [StringPrep, C.7]
raise LDAPSASLPrepError('SASLprep error: inappropriate for canonical representation character present')
elif stringprep.in_table_c8(c):
# Change display properties or deprecated characters [StringPrep, C.8]
raise LDAPSASLPrepError('SASLprep error: change display property or deprecated character present')
elif stringprep.in_table_c9(c):
# Tagging characters [StringPrep, C.9]
raise LDAPSASLPrepError('SASLprep error: tagging character present')
# check bidi
# if a string contains any r_and_al_cat character, the string MUST NOT contain any l_cat character.
flag_r_and_al_cat = False
flag_l_cat = False
for c in prepared_data:
if stringprep.in_table_d1(c):
flag_r_and_al_cat = True
elif stringprep.in_table_d2(c):
flag_l_cat = True
if flag_r_and_al_cat and flag_l_cat:
raise LDAPSASLPrepError('SASLprep error: string cannot contain (R or AL) and L bidirectional chars')
# If a string contains any r_and_al_cat character, a r_and_al_cat character MUST be the first character of the string
# and a r_and_al_cat character MUST be the last character of the string.
if flag_r_and_al_cat and not stringprep.in_table_d1(prepared_data[0]) and not stringprep.in_table_d2(prepared_data[-1]):
raise LDAPSASLPrepError('r_and_al_cat character present, must be first and last character of the string')
return prepared_data
def c12_mapping(char):
return ' ' if stringprep.in_table_c12(char) else None
def saslprep(text, strict=True):
"""
Return a processed version of the given string, using the SASLPrep
profile of stringprep.
:param text: The string to process, in UTF-8.
:param strict: If ``True``, prevent the use of unassigned code points.
"""
if sys.version_info < (3, 0):
if type(text) == str:
text = text.decode("utf-8")
# Mapping:
#
# - non-ASCII space characters [StringPrep, C.1.2] that can be
# mapped to SPACE (U+0020), and
#
# - the 'commonly mapped to nothing' characters [StringPrep, B.1]
# that can be mapped to nothing.
buffer = ""
for char in text:
if stringprep.in_table_c12(char):
buffer += " "
elif not stringprep.in_table_b1(char):
buffer += char
# Normalization using form KC
text = unicodedata.normalize("NFKC", buffer)
# Check for bidirectional string
buffer = ""
first_is_randal = False
if text:
first_is_randal = stringprep.in_table_d1(text[0])
if first_is_randal and not stringprep.in_table_d1(text[-1]):
raise SASLPrepFailure("Section 6.3 [end]")
# Check for prohibited characters
for x in range(len(text)):
if strict and stringprep.in_table_a1(text[x]):
raise SASLPrepFailure("Unassigned Codepoint")
if stringprep.in_table_c12(text[x]):
raise SASLPrepFailure("In table C.1.2")
if stringprep.in_table_c21(text[x]):
raise SASLPrepFailure("In table C.2.1")
if stringprep.in_table_c22(text[x]):
raise SASLPrepFailure("In table C.2.2")
if stringprep.in_table_c3(text[x]):
raise SASLPrepFailure("In table C.3")
if stringprep.in_table_c4(text[x]):
raise SASLPrepFailure("In table C.4")
if stringprep.in_table_c5(text[x]):
raise SASLPrepFailure("In table C.5")
if stringprep.in_table_c6(text[x]):
raise SASLPrepFailure("In table C.6")
if stringprep.in_table_c7(text[x]):
raise SASLPrepFailure("In table C.7")
if stringprep.in_table_c8(text[x]):
raise SASLPrepFailure("In table C.8")
if stringprep.in_table_c9(text[x]):
raise SASLPrepFailure("In table C.9")
if x:
if first_is_randal and stringprep.in_table_d2(text[x]):
raise SASLPrepFailure("Section 6.2")
if not first_is_randal and x != len(text) - 1 and stringprep.in_table_d1(text[x]):
raise SASLPrepFailure("Section 6.3")
return text
def __is_non_ascii_space_character(char: str):
return stringprep.in_table_c12(char)
def saslprep(text, strict=True):
"""
Return a processed version of the given string, using the SASLPrep
profile of stringprep.
:param text: The string to process, in UTF-8.
:param strict: If ``True``, prevent the use of unassigned code points.
"""
if sys.version_info < (3, 0):
if type(text) == str:
text = text.decode('utf-8')
# Mapping:
#
# - non-ASCII space characters [StringPrep, C.1.2] that can be
# mapped to SPACE (U+0020), and
#
# - the 'commonly mapped to nothing' characters [StringPrep, B.1]
# that can be mapped to nothing.
buffer = ''
for char in text:
if stringprep.in_table_c12(char):
buffer += ' '
elif not stringprep.in_table_b1(char):
buffer += char
# Normalization using form KC
text = unicodedata.normalize('NFKC', buffer)
# Check for bidirectional string
buffer = ''
first_is_randal = False
if text:
first_is_randal = stringprep.in_table_d1(text[0])
if first_is_randal and not stringprep.in_table_d1(text[-1]):
raise SASLPrepFailure('Section 6.3 [end]')
# Check for prohibited characters
for x in range(len(text)):
if strict and stringprep.in_table_a1(text[x]):
raise SASLPrepFailure('Unassigned Codepoint')
if stringprep.in_table_c12(text[x]):
raise SASLPrepFailure('In table C.1.2')
if stringprep.in_table_c21(text[x]):
raise SASLPrepFailure('In table C.2.1')
if stringprep.in_table_c22(text[x]):
raise SASLPrepFailure('In table C.2.2')
if stringprep.in_table_c3(text[x]):
raise SASLPrepFailure('In table C.3')
if stringprep.in_table_c4(text[x]):
raise SASLPrepFailure('In table C.4')
if stringprep.in_table_c5(text[x]):
raise SASLPrepFailure('In table C.5')
if stringprep.in_table_c6(text[x]):
raise SASLPrepFailure('In table C.6')
if stringprep.in_table_c7(text[x]):
raise SASLPrepFailure('In table C.7')
if stringprep.in_table_c8(text[x]):
raise SASLPrepFailure('In table C.8')
if stringprep.in_table_c9(text[x]):
raise SASLPrepFailure('In table C.9')
if x:
if first_is_randal and stringprep.in_table_d2(text[x]):
raise SASLPrepFailure('Section 6.2')
if not first_is_randal and \
x != len(text) - 1 and \
stringprep.in_table_d1(text[x]):
raise SASLPrepFailure('Section 6.3')
return text
def sasl_prep(data):
"""
implement SASLPrep profile as per RFC4013:
it defines the "SASLprep" profile of the "stringprep" algorithm [StringPrep].
The profile is designed for use in Simple Authentication and Security
Layer ([SASL]) mechanisms, such as [PLAIN], [CRAM-MD5], and
[DIGEST-MD5]. It may be applicable where simple user names and
passwords are used. This profile is not intended for use in
preparing identity strings that are not simple user names (e.g.,
email addresses, domain names, distinguished names), or where
identity or password strings that are not character data, or require
different handling (e.g., case folding).
"""
# mapping
prepared_data = ''
for c in data:
if stringprep.in_table_c12(c):
# non-ASCII space characters [StringPrep, C.1.2] that can be mapped to SPACE (U+0020)
prepared_data += ' '
elif stringprep.in_table_b1(c):
# the "commonly mapped to nothing" characters [StringPrep, B.1] that can be mapped to nothing.
pass
else:
prepared_data += c
# normalizing
# This profile specifies using Unicode normalization form KC
# The repertoire is Unicode 3.2 as per RFC 4013 (2)
prepared_data = unicode32.normalize('NFKC', prepared_data)
if not prepared_data:
raise LDAPSASLPrepError('SASLprep error: unable to normalize string')
# prohibit
for c in prepared_data:
if stringprep.in_table_c12(c):
# Non-ASCII space characters [StringPrep, C.1.2]
raise LDAPSASLPrepError('SASLprep error: non-ASCII space character present')
elif stringprep.in_table_c21(c):
# ASCII control characters [StringPrep, C.2.1]
raise LDAPSASLPrepError('SASLprep error: ASCII control character present')
elif stringprep.in_table_c22(c):
# Non-ASCII control characters [StringPrep, C.2.2]
raise LDAPSASLPrepError('SASLprep error: non-ASCII control character present')
elif stringprep.in_table_c3(c):
# Private Use characters [StringPrep, C.3]
raise LDAPSASLPrepError('SASLprep error: private character present')
elif stringprep.in_table_c4(c):
# Non-character code points [StringPrep, C.4]
raise LDAPSASLPrepError('SASLprep error: non-character code point present')
elif stringprep.in_table_c5(c):
# Surrogate code points [StringPrep, C.5]
raise LDAPSASLPrepError('SASLprep error: surrogate code point present')
elif stringprep.in_table_c6(c):
# Inappropriate for plain text characters [StringPrep, C.6]
raise LDAPSASLPrepError('SASLprep error: inappropriate for plain text character present')
elif stringprep.in_table_c7(c):
# Inappropriate for canonical representation characters [StringPrep, C.7]
raise LDAPSASLPrepError('SASLprep error: inappropriate for canonical representation character present')
elif stringprep.in_table_c8(c):
# Change display properties or deprecated characters [StringPrep, C.8]
raise LDAPSASLPrepError('SASLprep error: change display property or deprecated character present')
elif stringprep.in_table_c9(c):
# Tagging characters [StringPrep, C.9]
raise LDAPSASLPrepError('SASLprep error: tagging character present')
# check bidi
# if a string contains any r_and_al_cat character, the string MUST NOT contain any l_cat character.
flag_r_and_al_cat = False
flag_l_cat = False
for c in prepared_data:
if stringprep.in_table_d1(c):
flag_r_and_al_cat = True
elif stringprep.in_table_d2(c):
flag_l_cat = True
if flag_r_and_al_cat and flag_l_cat:
raise LDAPSASLPrepError('SASLprep error: string cannot contain (R or AL) and L bidirectional chars')
# If a string contains any r_and_al_cat character, a r_and_al_cat character MUST be the first character of the string
# and a r_and_al_cat character MUST be the last character of the string.
if flag_r_and_al_cat and not stringprep.in_table_d1(prepared_data[0]) and not stringprep.in_table_d2(prepared_data[-1]):
raise LDAPSASLPrepError('r_and_al_cat character present, must be first and last character of the string')
return prepared_data
def c12_mapping(char):
"""Map non-ASCII whitespace to spaces."""
return ' ' if stringprep.in_table_c12(char) else None
def prohibited_output_profile(string):
"""RFC4013 Prohibited output profile implementation."""
# Implements:
# RFC4013, 2.3. Prohibited Output.
# This profile specifies the following characters as prohibited input:
# - Non-ASCII space characters [StringPrep, C.1.2]
# - ASCII control characters [StringPrep, C.2.1]
# - Non-ASCII control characters [StringPrep, C.2.2]
# - Private Use characters [StringPrep, C.3]
# - Non-character code points [StringPrep, C.4]
# - Surrogate code points [StringPrep, C.5]
# - Inappropriate for plain text characters [StringPrep, C.6]
# - Inappropriate for canonical representation characters [StringPrep, C.7]
# - Change display properties or deprecated characters [StringPrep, C.8]
# - Tagging characters [StringPrep, C.9]
# RFC4013, 2.4. Bidirectional Characters.
# RFC4013, 2.5. Unassigned Code Points.
# Determine how to handle bidirectional characters (RFC3454):
if is_ral_string(string):
# If a string contains any RandALCat characters,
# The string MUST NOT contain any LCat character:
is_prohibited_bidi_ch = in_table_d2
bidi_table = 'D.2'
else:
# Forbid RandALCat characters in LCat string:
is_prohibited_bidi_ch = in_table_d1
bidi_table = 'D.1'
RFC = 'RFC4013'
for c in string:
# RFC4013 2.3. Prohibited Output:
if in_table_c12(c):
raise ValueError('%s: prohibited non-ASCII space characters '
'that cannot be replaced (C.1.2).' % RFC)
if in_table_c21_c22(c):
raise ValueError('%s: prohibited control characters (C.2.1).' %
RFC)
if in_table_c3(c):
raise ValueError('%s: prohibited private Use characters (C.3).' %
RFC)
if in_table_c4(c):
raise ValueError(
'%s: prohibited non-character code points (C.4).' % RFC)
if in_table_c5(c):
raise ValueError('%s: prohibited surrogate code points (C.5).' %
RFC)
if in_table_c6(c):
raise ValueError('%s: prohibited inappropriate for plain text '
'characters (C.6).' % RFC)
if in_table_c7(c):
raise ValueError('%s: prohibited inappropriate for canonical '
'representation characters (C.7).' % RFC)
if in_table_c8(c):
raise ValueError('%s: prohibited change display properties / '
'deprecated characters (C.8).' % RFC)
if in_table_c9(c):
raise ValueError('%s: prohibited tagging characters (C.9).' % RFC)
# RFC4013, 2.4. Bidirectional Characters:
if is_prohibited_bidi_ch(c):
raise ValueError('%s: prohibited bidi characters (%s).' %
(RFC, bidi_table))
# RFC4013, 2.5. Unassigned Code Points:
if in_table_a1(c):
raise ValueError('%s: prohibited unassigned code points (A.1).' %
RFC)
def saslprep(s, allow_unassigned=False):
'''
Prepare Unicode string s according to SASLprep: Stringprep Profile for
User Names and Passwords, a.k.a. RFC 4013
If the optional parameter allow_unassigned is set to True,
unassigned codepoints will be allowed. This is recommended for
query terms and other non-storing situations only.
The return value is a Unicode string appropriately prepared.
Disallowed input leads to a ValueError.
'''
if type(s) != type(u''):
raise TypeError("input must be a Unicode string")
# phase 1: mapping
s = u''.join([
stringprep.in_table_c12(ch) and u' ' or ch for ch in unichars(s)
if not stringprep.in_table_b1(ch)
])
# phase 2: normalization
s = unicodedata.normalize('NFKC', s)
# phase 3: prohibition
for ch in unichars(s):
if stringprep.in_table_c12(ch):
raise ValueError("prohibited non-ASCII space character")
if stringprep.in_table_c21(ch):
raise ValueError("prohibited ASCII control character")
if stringprep.in_table_c22(ch):
raise ValueError("prohibited non-ASCII control character")
if stringprep.in_table_c3(ch):
raise ValueError("prohibited private use character")
if stringprep.in_table_c4(ch):
raise ValueError("prohibited non-character code point")
if stringprep.in_table_c5(ch):
raise ValueError("prohibited surrogate code point")
if stringprep.in_table_c6(ch):
raise ValueError(
"prohibited character inappropriate for plain text")
if stringprep.in_table_c7(ch):
raise ValueError(
"prohibited character inappropriate for canonical representation"
)
if stringprep.in_table_c8(ch):
raise ValueError(
"prohibited character changing display properties, or a deprecated character"
)
if stringprep.in_table_c9(ch):
raise ValueError("prohibited tagging character")
# phase 4: bidi check
bidi_map = ''.join([
stringprep.in_table_d1(ch) and 'r'
or stringprep.in_table_d2(ch) and 'l' or 'x' for ch in unichars(s)
])
if 'r' in bidi_map:
if 'l' in bidi_map:
raise ValueError(
"prohibited mixture of strong left-to-right and right-to-left text"
)
if bidi_map[0] != 'r' or bidi_map[-1] != 'r':
raise ValueError(
"string containing right-to-left text must start and end with right-to-left text"
)
# phase 5: unassigned check
if not allow_unassigned:
for ch in unichars(s):
if stringprep.in_table_a1(ch):
raise ValueError("prohibited unassigned code point")
return s
def _normalize_password(self, password):
"""Normalize the password using PostgreSQL-flavored SASLprep. For reference:
https://git.postgresql.org/gitweb/?p=postgresql.git;a=blob;f=src/common/saslprep.c
using the `pg_saslprep` function
Implementation borrowed from asyncpg implementation:
https://github.com/MagicStack/asyncpg/blob/master/asyncpg/protocol/scram.pyx#L263
"""
normalized_password = password
# if the password is an ASCII string or fails to encode as an UTF8
# string, we can return
try:
normalized_password.encode("ascii")
except UnicodeEncodeError:
pass
else:
return normalized_password
# Step 1 of SASLPrep: Map. Per the algorithm, we map non-ascii space
# characters to ASCII spaces (\x20 or \u0020, but we will use ' ') and
# commonly mapped to nothing characters are removed
# Table C.1.2 -- non-ASCII spaces
# Table B.1 -- "Commonly mapped to nothing"
normalized_password = u"".join(
[' ' if stringprep.in_table_c12(c) else c
for c in normalized_password if not stringprep.in_table_b1(c)])
# If at this point the password is empty, PostgreSQL uses the original
# password
if not normalized_password:
return password
# Step 2 of SASLPrep: Normalize. Normalize the password using the
# Unicode normalization algorithm to NFKC form
normalized_password = unicodedata.normalize('NFKC', normalized_password)
# If the password is not empty, PostgreSQL uses the original password
if not normalized_password:
return password
# Step 3 of SASLPrep: Prohobited characters. If PostgreSQL detects any
# of the prohibited characters in SASLPrep, it will use the original
# password
# We also include "unassigned code points" in the prohibited character
# category as PostgreSQL does the same
for c in normalized_password:
if any([in_prohibited_table(c) for in_prohibited_table in
self.SASLPREP_PROHIBITED]):
return password
# Step 4 of SASLPrep: Bi-directional characters. PostgreSQL follows the
# rules for bi-directional characters laid on in RFC3454 Sec. 6 which
# are:
# 1. Characters in RFC 3454 Sec 5.8 are prohibited (C.8)
# 2. If a string contains a RandALCat character, it cannot containy any
# LCat character
# 3. If the string contains any RandALCat character, an RandALCat
# character must be the first and last character of the string
# RandALCat characters are found in table D.1, whereas LCat are in D.2
if any([stringprep.in_table_d1(c) for c in normalized_password]):
# if the first character or the last character are not in D.1,
# return the original password
if not (stringprep.in_table_d1(normalized_password[0]) and
stringprep.in_table_d1(normalized_password[-1])):
return password
# if any characters are in D.2, use the original password
if any([stringprep.in_table_d2(c) for c in normalized_password]):
return password
# return the normalized password
return normalized_password
def c12_mapping(char):
"""Map non-ASCII whitespace to spaces."""
return ' ' if stringprep.in_table_c12(char) else None
def doMappingSpaceChars(char):
if stringprep.in_table_c12(char):
return u' '
return char
def doMappingSpaceChars(char):
if stringprep.in_table_c12(char):
return u' '
return char
def update_event(self, inp=-1):
self.set_output_val(0, stringprep.in_table_c12(self.input(0)))