Ejemplo n.º 1
0
def ValidateParams(username, _uri_access_rights, password, service, authtok,
                   _uri, _method, _body):
    """Checks whether ValidateRequest has been called with a correct params.

  These checks includes:
    - username is an obligatory parameter
    - either password or authtok is an obligatory parameter

  """
    if not username:
        raise http.HttpUnauthorized("Username should be provided")
    if not service:
        raise http.HttpBadRequest("Service should be proivded")
    if not password and not authtok:
        raise http.HttpUnauthorized("Password or authtok should be provided")
Ejemplo n.º 2
0
def Authorize(cf,
              pam_handle,
              uri_access_rights,
              uri=None,
              method=None,
              body=None):
    """Performs authorization via PAM.

  Performs two steps:
    - initialize environmental variables
    - call pam_acct_mgmt

  """
    try:
        PutPamEnvVariable(cf, pam_handle, PAM_ENV_ACCESS, uri_access_rights)
        PutPamEnvVariable(cf, pam_handle, PAM_ENV_URI, uri)
        PutPamEnvVariable(cf, pam_handle, PAM_ENV_METHOD, method)
        PutPamEnvVariable(cf, pam_handle, PAM_ENV_BODY, body)

        ret = cf.pam_acct_mgmt(pam_handle, PAM_SILENT)
        if ret != PAM_SUCCESS:
            raise http.HttpUnauthorized("Authorization failed")
    except:
        cf.pam_end(pam_handle, ret)
        raise
Ejemplo n.º 3
0
def Authenticate(cf, pam_handle, authtok=None):
    """Performs authentication via PAM.

  Perfroms two steps:
    - if authtok is provided then set it with pam_set_item
    - call pam_authenticate

  """
    try:
        authtok_copy = None
        if authtok:
            authtok_copy = cf.strndup(authtok, len(authtok))
            if not authtok_copy:
                raise http.HttpInternalServerError("Not enough memory for PAM")
            ret = cf.pam_set_item(c.pointer(pam_handle), PAM_AUTHTOK,
                                  authtok_copy)
            if ret != PAM_SUCCESS:
                raise http.HttpInternalServerError("pam_set_item failed [%d]" %
                                                   ret)

        ret = cf.pam_authenticate(pam_handle, 0)
        if ret == PAM_ABORT:
            raise http.HttpInternalServerError(
                "pam_authenticate requested abort")
        if ret != PAM_SUCCESS:
            raise http.HttpUnauthorized("Authentication failed")
    except:
        cf.pam_end(pam_handle, ret)
        raise
    finally:
        if authtok_copy:
            cf.free(authtok_copy)
Ejemplo n.º 4
0
    def ValidateRequest(self, req, handler_access):
        """Checks whether a user can access a resource.

    """
        username, password = HttpServerRequestAuthentication \
                               .ExtractUserPassword(req)
        if username is None:
            raise http.HttpUnauthorized()
        if password is None:
            raise http.HttpBadRequest(message=("Basic authentication requires"
                                               " password"))

        user = self.user_fn(username) if self.user_fn else self.users.Get(
            username)
        _, expected_password = HttpServerRequestAuthentication \
                                 .ExtractSchemePassword(password)
        if not (user and expected_password == user.password):
            # Unknown user or password wrong
            return None

        if (not handler_access
                or set(user.options).intersection(handler_access)):
            # Allow access
            return username

        # Access forbidden
        raise http.HttpForbidden()
Ejemplo n.º 5
0
    def ValidateRequest(self, req, handler_access, realm):
        """Checks whether a user can access a resource.

    """
        request_username, request_password = HttpServerRequestAuthentication \
                                               .ExtractUserPassword(req)
        if request_username is None:
            raise http.HttpUnauthorized()
        if request_password is None:
            raise http.HttpBadRequest(message=("Basic authentication requires"
                                               " password"))

        user = self.user_fn(request_username)
        if not (user
                and HttpServerRequestAuthentication.VerifyBasicAuthPassword(
                    request_username, request_password, user.password, realm)):
            # Unknown user or password wrong
            return None

        if (not handler_access
                or set(user.options).intersection(handler_access)):
            # Allow access
            return request_username

        # Access forbidden
        raise http.HttpForbidden()
Ejemplo n.º 6
0
    def PreHandleRequest(self, req):
        """Called before a request is handled.

    @type req: L{http.server._HttpServerRequest}
    @param req: HTTP request context

    """
        # Authentication not required, and no credentials given?
        if not (self.AuthenticationRequired(req) or
                (req.request_headers
                 and http.HTTP_AUTHORIZATION in req.request_headers)):
            return

        realm = self.GetAuthRealm(req)

        if not realm:
            raise AssertionError("No authentication realm")

        # Check "Authorization" header
        if self._CheckAuthorization(req):
            # User successfully authenticated
            return

        # Send 401 Unauthorized response
        params = {
            "realm": realm,
        }

        # TODO: Support for Digest authentication (RFC2617, section 3).
        # TODO: Support for more than one WWW-Authenticate header with the same
        # response (RFC2617, section 4.6).
        headers = {
            http.HTTP_WWW_AUTHENTICATE:
            _FormatAuthHeader(HTTP_BASIC_AUTH, params),
        }

        raise http.HttpUnauthorized(headers=headers)