def _test_hmac_auth(self, mod_name, password, **kwargs):
for test_password in (password, "somethingelse"):
a = self._init_auth(mod_name, **kwargs)
assert a.requires_challenge()
assert a.get_passwords()
salt, mac = a.get_challenge(
[x for x in get_digests() if x.startswith("hmac")])
assert salt
assert mac.startswith("hmac"), "invalid mac: %s" % mac
client_salt = strtobytes(uuid.uuid4().hex + uuid.uuid4().hex)
salt_digest = a.choose_salt_digest(get_digests())
auth_salt = strtobytes(gendigest(salt_digest, client_salt, salt))
digestmod = get_digest_module(mac)
verify = hmac.HMAC(strtobytes(test_password),
auth_salt,
digestmod=digestmod).hexdigest()
passed = a.authenticate(verify, client_salt)
assert passed == (
test_password == password
), "expected authentication to %s with %s vs %s" % ([
"fail", "succeed"
][test_password == password], test_password, password)
assert not a.authenticate(
verify, client_salt
), "should not be able to athenticate again with the same values"
def main(argv):
#pylint: disable=import-outside-toplevel
from xpra.platform import program_context
with program_context("Kerberos-Token-Auth",
"Kerberos Token Authentication"):
if len(argv) != 3:
sys.stderr.write("%s invalid arguments\n" % argv[0])
sys.stderr.write("usage: %s username token\n" % argv[0])
return 1
username = argv[1]
token = argv[2]
kwargs = {"username": username}
a = Authenticator(**kwargs)
server_salt, digest = a.get_challenge(["xor"])
salt_digest = a.choose_salt_digest(get_digests())
assert digest == "xor"
client_salt = get_salt(len(server_salt))
combined_salt = gendigest(salt_digest, client_salt, server_salt)
response = xor(token, combined_salt)
caps = typedict({
"challenge_response": response,
"challenge_client_salt": client_salt,
})
a.authenticate(caps)
return 0
def main(argv):
from xpra.util import xor
from xpra.net.digest import get_salt, get_digests, gendigest
from xpra.platform import program_context
with program_context("LDAP-Password-Auth", "LDAP-Password-Authentication"):
for x in list(argv):
if x in ("-v", "--verbose"):
enable_debug_for("auth")
argv.remove(x)
if len(argv) not in (3,4,5,6,7):
sys.stderr.write("%s invalid arguments\n" % argv[0])
sys.stderr.write("usage: %s username password [host] [port] [tls] [username_format]\n" % argv[0])
return 1
username = argv[1]
password = argv[2]
kwargs = {}
if len(argv)>=4:
kwargs["host"] = argv[3]
if len(argv)>=5:
kwargs["port"] = argv[4]
if len(argv)>=6:
kwargs["tls"] = argv[5]
if len(argv)>=7:
kwargs["username_format"] = argv[6]
a = Authenticator(username, **kwargs)
server_salt, digest = a.get_challenge(["xor"])
salt_digest = a.choose_salt_digest(get_digests())
assert digest=="xor"
client_salt = get_salt(len(server_salt))
combined_salt = gendigest(salt_digest, client_salt, server_salt)
response = xor(password, combined_salt)
r = a.authenticate(response, client_salt)
print("success: %s" % r)
return int(not r)
def main(argv):
#pylint: disable=import-outside-toplevel
from xpra.platform import program_context
with program_context("GSS-Auth", "GSS-Authentication"):
if len(argv) != 3:
sys.stderr.write("%s invalid arguments\n" % argv[0])
sys.stderr.write("usage: %s username token\n" % argv[0])
return 1
username = argv[1]
token = argv[2]
kwargs = {"username": username}
a = Authenticator(**kwargs)
server_salt, digest = a.get_challenge(["gss"])
salt_digest = a.choose_salt_digest(get_digests())
assert digest.startswith("gss:"), "unexpected digest %r" % digest
client_salt = get_salt(len(server_salt))
combined_salt = gendigest(salt_digest, client_salt, server_salt)
response = gendigest(digest, token, combined_salt)
caps = typedict({
"challenge_response": response,
"challenge_client_salt": client_salt,
})
r = a.authenticate(caps)
print("success: %s" % bool(r))
return r
def main(argv):
from xpra.platform import program_context
with program_context("Kerberos-Password-Auth",
"Kerberos-Password-Authentication"):
if len(argv) not in (3, 4, 5):
sys.stderr.write("%s invalid arguments\n" % argv[0])
sys.stderr.write(
"usage: %s username password [service [realm]]\n" % argv[0])
return 1
username = argv[1]
password = argv[2]
kwargs = {"username": username}
if len(argv) >= 4:
kwargs["service"] = argv[3]
if len(argv) == 5:
kwargs["realm"] = argv[4]
a = Authenticator(**kwargs)
server_salt, digest = a.get_challenge(["xor"])
salt_digest = a.choose_salt_digest(get_digests())
assert digest == "xor"
client_salt = get_salt(len(server_salt))
combined_salt = gendigest(salt_digest, client_salt, server_salt)
response = xor(password, combined_salt)
caps = typedict({
"challenge_response": response,
"challenge_client_salt": client_salt,
})
a.authenticate(caps)
return 0
def test_allow(self):
a = self._init_auth("allow")
assert a.requires_challenge()
assert a.get_challenge(get_digests())
assert not a.get_passwords()
for x in (None, "bar"):
assert a.authenticate(x, "")
assert a.authenticate("", x)
def test_none(self):
a = self._init_auth("none")
assert not a.requires_challenge()
assert a.get_challenge(get_digests()) is None
assert not a.get_password()
for x in (None, "bar"):
assert self.capsauth(a, x, "")
assert self.capsauth(a, "", x)
def test_reject(self):
a = self._init_auth("reject")
assert a.requires_challenge()
c, mac = a.get_challenge(get_digests())
assert c and mac
assert not a.get_sessions()
assert not a.get_passwords()
for x in (None, "bar"):
assert not a.authenticate(x, c)
assert not a.authenticate(x, x)
def _test_file_auth(self, mod_name, genauthdata, display_count=0):
#no file, no go:
a = self._init_auth(mod_name)
assert a.requires_challenge()
p = a.get_passwords()
assert not p, "got passwords from %s: %s" % (a, p)
#challenge twice is a fail
assert a.get_challenge(get_digests())
assert not a.get_challenge(get_digests())
assert not a.get_challenge(get_digests())
for muck in (0, 1):
with TempFileContext(prefix=mod_name) as context:
f = context.file
filename = context.filename
with f:
a = self._init_auth(mod_name, filename=filename)
password, filedata = genauthdata(a)
#print("saving password file data='%s' to '%s'" % (filedata, filename))
f.write(strtobytes(filedata))
f.flush()
assert a.requires_challenge()
salt, mac = a.get_challenge(get_digests())
assert salt
assert mac in get_digests()
assert mac != "xor"
password = strtobytes(password)
client_salt = strtobytes(uuid.uuid4().hex +
uuid.uuid4().hex)[:len(salt)]
salt_digest = a.choose_salt_digest(get_digests())
assert salt_digest
auth_salt = strtobytes(
gendigest(salt_digest, client_salt, salt))
if muck == 0:
digestmod = get_digest_module(mac)
verify = hmac.HMAC(password,
auth_salt,
digestmod=digestmod).hexdigest()
assert a.authenticate(
verify, client_salt), "%s failed" % a.authenticate
if display_count > 0:
sessions = a.get_sessions()
assert len(sessions) >= 3
displays = sessions[2]
assert len(
displays
) == display_count, "expected %i displays but got %i : %s" % (
display_count, len(sessions), sessions)
assert not a.authenticate(
verify, client_salt), "authenticated twice!"
passwords = a.get_passwords()
assert len(
passwords
) == 1, "expected just one password in file, got %i" % len(
passwords)
assert password in passwords
elif muck == 1:
for verify in ("whatever", None, "bad"):
assert not a.authenticate(verify, client_salt)
return a
def test_all_digests(self):
for digest in get_digests():
if digest.startswith("hmac"):
m = get_digest_module(digest)
assert m is not None, "digest module not found for '%s'" % digest
salt = get_salt(32)
password = "******"
d = gendigest(digest, password, salt)
assert d is not None
assert not verify_digest(digest, None, salt, d)
assert not verify_digest(digest, password, None, d)
assert not verify_digest(digest, password, salt, None)
assert not verify_digest(digest, password, salt, d[:-1])
assert verify_digest(digest, password, salt, d)
def test_reject(self):
a = self._init_auth("reject")
assert a.requires_challenge()
c, mac = a.get_challenge(get_digests())
assert a.get_uid() == -1
assert a.get_gid() == -1
assert a.get_password() is None
assert c and mac
assert not a.get_sessions()
assert not a.get_passwords()
assert a.choose_salt_digest("xor") == "xor"
for x in (None, "bar"):
assert not self.capsauth(a, x, c)
assert not self.capsauth(a, x, x)
def _test_module(self, module):
a = self._init_auth(module)
assert a
if a.requires_challenge():
challenge = a.get_challenge(get_digests())
assert challenge
a = self._init_auth(module)
assert a
if a.requires_challenge():
try:
challenge = a.get_challenge(["invalid-digest"])
except Exception:
pass
else:
assert challenge is None
def get_network_caps() -> dict:
from xpra.net.digest import get_digests
from xpra.net.crypto import get_crypto_caps
from xpra.net.compression import get_enabled_compressors, get_compression_caps
from xpra.net.packet_encoding import get_enabled_encoders, get_packet_encoding_caps
digests = get_digests()
#"hmac" is the legacy name, "xor" and "des" should not be used for salt:
salt_digests = tuple(x for x in digests if x not in ("hmac", "xor", "des"))
caps = {
"digest": digests,
"salt-digest": salt_digests,
"compressors": get_enabled_compressors(),
"encoders": get_enabled_encoders(),
}
caps.update(get_crypto_caps())
caps.update(get_compression_caps())
caps.update(get_packet_encoding_caps())
return caps
def main(argv):
from xpra.platform import program_context
with program_context("GSS-Auth", "GSS-Authentication"):
if len(argv) != 3:
sys.stderr.write("%s invalid arguments\n" % argv[0])
sys.stderr.write("usage: %s username token\n" % argv[0])
return 1
username = argv[1]
token = argv[2]
kwargs = {}
a = Authenticator(username, **kwargs)
server_salt, digest = a.get_challenge(["xor"])
salt_digest = a.choose_salt_digest(get_digests())
assert digest == "xor"
client_salt = get_salt(len(server_salt))
combined_salt = gendigest(salt_digest, client_salt, server_salt)
response = xor(token, combined_salt)
a.authenticate(response, client_salt)
return 0
def main(argv):
#pylint: disable=import-outside-toplevel
from xpra.net.digest import get_salt, get_digests, gendigest
from xpra.platform import program_context
with program_context("LDAP-Password-Auth", "LDAP-Password-Authentication"):
for x in list(argv):
if x in ("-v", "--verbose"):
enable_debug_for("auth")
argv.remove(x)
if len(argv) not in (3, 4, 5, 6, 7):
sys.stderr.write("%s invalid arguments\n" % argv[0])
sys.stderr.write(
"usage: %s username password [host] [port] [tls] [username_format]\n"
% argv[0])
return 1
username = argv[1]
password = argv[2]
kwargs = {"username": username}
if len(argv) >= 4:
kwargs["host"] = argv[3]
if len(argv) >= 5:
kwargs["port"] = argv[4]
if len(argv) >= 6:
kwargs["tls"] = argv[5]
if len(argv) >= 7:
kwargs["username_format"] = argv[6]
a = Authenticator(**kwargs)
server_salt, digest = a.get_challenge(["xor"])
salt_digest = a.choose_salt_digest(get_digests())
assert digest == "xor"
client_salt = get_salt(len(server_salt))
combined_salt = gendigest(salt_digest, client_salt, server_salt)
assert digest == "xor"
response = gendigest(digest, password, combined_salt)
caps = typedict({
"challenge_response": response,
"challenge_client_salt": client_salt,
})
r = a.authenticate(caps)
print("success: %s" % bool(r))
return int(not r)
def get_network_caps():
try:
from xpra.platform.features import MMAP_SUPPORTED
except:
MMAP_SUPPORTED = False
from xpra.net.digest import get_digests
from xpra.net.crypto import get_crypto_caps
from xpra.net.compression import get_enabled_compressors, get_compression_caps
from xpra.net.packet_encoding import get_enabled_encoders, get_packet_encoding_caps
digests = get_digests()
#"hmac" is the legacy name, "xor" and "des" should not be used for salt:
salt_digests = [x for x in digests if x not in ("hmac", "xor", "des")]
caps = {
"digest" : digests,
"salt-digest" : salt_digests,
"compressors" : get_enabled_compressors(),
"encoders" : get_enabled_encoders(),
"mmap" : MMAP_SUPPORTED,
}
caps.update(get_crypto_caps())
caps.update(get_compression_caps())
caps.update(get_packet_encoding_caps())
return caps
