def get_sessions(self):
import sqlite3
try:
conn = sqlite3.connect(self.filename)
conn.row_factory = sqlite3.Row
cursor = conn.cursor()
cursor.execute(self.sessions_query,
[self.username, self.password_used or ""])
data = cursor.fetchone()
except sqlite3.DatabaseError as e:
log("get_sessions()", exc_info=True)
log.error("Error: sqlauth database access problem:")
log.error(" %s", e)
return None
try:
uid = parse_uid(data["uid"])
gid = parse_gid(data["gid"])
displays = []
env_options = {}
session_options = {}
if data["displays"]:
displays = [x.strip() for x in str(data[2]).split(",")]
if data["env_options"]:
env_options = parse_simple_dict(str(data[3]), ";")
if data["session_options"]:
session_options = parse_simple_dict(str(data[4]), ";")
except Exception as e:
log("get_sessions() error on row %s", data, exc_info=True)
log.error("Error: sqlauth database row parsing problem:")
log.error(" %s", e)
return None
return uid, gid, displays, env_options, session_options
def __init__(self, username, **kwargs):
self.tls = bool(int(kwargs.pop("tls", "0")))
self.host = kwargs.pop("host", "localhost")
self.cacert = kwargs.pop("cacert", LDAP_CACERTFILE)
self.uid = parse_uid(kwargs.pop("uid", None))
self.gid = parse_gid(kwargs.pop("gid", None))
self.tls_version = None
self.tls_validate = None
if self.tls:
import ssl
tls_version = kwargs.pop("ssl-version", "TLSv1")
tls_validate = kwargs.pop("ssl-validate", "REQUIRED")
self.tls_version = getattr(ssl, "PROTOCOL_%s" % tls_version)
self.tls_validate = getattr(ssl, "CERT_%s" % tls_validate)
default_port = 636
else:
default_port = 389
self.port = int(kwargs.pop("port", default_port))
self.authentication = kwargs.pop("authentication", "NTLM").upper()
assert self.authentication in (
"SIMPLE", "SASL", "NTLM"
), "invalid authentication mechanism '%s'" % self.authentication
username = kwargs.pop("username", username)
SysAuthenticatorBase.__init__(self, username, **kwargs)
log("ldap auth: host=%s, port=%i, tls=%s", self.host, self.port,
self.tls)
def __init__(self, **kwargs):
self.service = kwargs.pop("service", "")
self.uid = parse_uid(kwargs.pop("uid", None))
self.gid = parse_gid(kwargs.pop("gid", None))
kwargs["prompt"] = kwargs.pop("prompt", "kerberos token")
super().__init__(**kwargs)
log("kerberos-token auth: service=%r, username=%r", self.service, kwargs.get("username"))
def __init__(self, username, **kwargs):
self.service = kwargs.pop("service", "")
self.realm = kwargs.pop("realm", "")
self.uid = parse_uid(kwargs.pop("uid", None))
self.gid = parse_gid(kwargs.pop("gid", None))
username = kwargs.pop("username", username)
SysAuthenticatorBase.__init__(self, username, **kwargs)
log("kerberos-password auth: service=%s, realm=%s, username=%s", self.service, self.realm, username)
def __init__(self, username, **kwargs):
self.service = kwargs.pop("service", "")
self.uid = parse_uid(kwargs.pop("uid", None))
self.gid = parse_gid(kwargs.pop("gid", None))
username = kwargs.pop("username", username)
kwargs["prompt"] = kwargs.pop("prompt", "GSS token")
SysAuthenticatorBase.__init__(self, username, **kwargs)
log("gss auth: service=%s, username=%s", self.service, username)
def db_cursor(self, *sqlargs):
db = db_from_uri(self.uri)
cursor = db.cursor()
cursor.execute(*sqlargs)
#keep reference to db so it doesn't get garbage collected just yet:
cursor.db = db
log("db_cursor(%s)=%s", sqlargs, cursor)
return cursor
def __init__(self, **kwargs):
self.service = kwargs.pop("service", "")
self.realm = kwargs.pop("realm", "")
self.uid = parse_uid(kwargs.pop("uid", None))
self.gid = parse_gid(kwargs.pop("gid", None))
super().__init__(**kwargs)
log("kerberos-password auth: service=%r, realm=%r, username=%r",
self.service, self.realm, kwargs.get("username"))
def exec_database_sql_script(self, cursor_cb, *sqlargs):
db = db_from_uri(self.uri)
cursor = db.cursor()
log("%s.execute%s", cursor, sqlargs)
cursor.execute(*sqlargs)
if cursor_cb:
cursor_cb(cursor)
db.commit()
return cursor
def exec_database_sql_script(self, cursor_cb, *sqlargs):
from sqlalchemy import create_engine #@UnresolvedImport
db = create_engine(self.uri)
log("%s.execute%s", db, sqlargs)
result = db.execute(*sqlargs)
log("result=%s", result)
if cursor_cb:
cursor_cb(result)
return result
def db_cursor(self, *sqlargs):
from sqlalchemy import create_engine #@UnresolvedImport
db = create_engine(self.uri)
cursor = db.cursor()
cursor.execute(*sqlargs)
#keep reference to db so it doesn't get garbage collected just yet:
cursor.db = db
log("db_cursor(%s)=%s", sqlargs, cursor)
return cursor
def check(username, password, service=PAM_AUTH_SERVICE):
log("pam check(%s, [..])", username)
from xpra.server.pam import pam_session #@UnresolvedImport
session = pam_session(username, password, service)
if not session.start(password):
return False
success = session.authenticate()
if success:
session.close()
return success
def exec_database_sql_script(self, cursor_cb, *sqlargs):
import sqlite3 #pylint: disable=import-outside-toplevel
db = sqlite3.connect(self.uri)
cursor = db.cursor()
log("%s.execute%s", cursor, sqlargs)
cursor.execute(*sqlargs)
if cursor_cb:
cursor_cb(cursor)
db.commit()
return cursor
def check(username, password):
log("pam check(%s, [..])", username)
from xpra.server.pam import pam_session
session = pam_session(username, password, "login")
if not session.start(password):
return False
success = session.authenticate()
if success:
session.close()
return success
def command_timedout(self):
proc = self.proc
log("exec auth.command_timedout() proc=%s", proc)
self.timeout_event = True
self.timer = None
if proc:
try:
proc.terminate()
except:
log("error trying to terminate exec auth process %s", proc, exc_info=True)
def exec_database_sql_script(self, cursor_cb, *sqlargs):
import sqlite3
db = sqlite3.connect(self.uri)
cursor = db.cursor()
log("%s.execute%s", cursor, sqlargs)
cursor.execute(*sqlargs)
if cursor_cb:
cursor_cb(cursor)
db.commit()
return cursor
def authenticate(self, username, password):
auth_class = self.get_authenticator_class()
a = auth_class(username, self.uri)
passwords = a.get_passwords()
assert passwords
log("authenticate: got %i passwords", len(passwords))
assert password in passwords
a.password_used = password
sessions = a.get_sessions()
assert sessions, "no sessions found"
log("sql authentication success, found sessions: %s", sessions)
def db_cursor(self, *sqlargs):
if not os.path.exists(self.filename):
log.error("Error: sqlauth cannot find the database file '%s'", self.filename)
return None
import sqlite3
db = sqlite3.connect(self.filename)
db.row_factory = sqlite3.Row
cursor = db.cursor()
cursor.execute(*sqlargs)
log("db_cursor(%s)=%s", sqlargs, cursor)
return cursor
def db_from_uri(uri):
d = url_path_to_dict(uri)
log("settings for uri=%s : %s", uri, d)
import mysql.connector as mysql #@UnresolvedImport
db = mysql.connect(
host = d.get("host", "localhost"),
#port = int(d.get("port", 3306)),
user = d.get("user", ""),
passwd = d.get("password", ""),
database = (d.get("path") or "").lstrip("/") or "xpra",
)
return db
def __init__(self, username, **kwargs):
def ipop(k):
try:
return int(kwargs.pop(k, 0))
except ValueError:
return 0
self.service = kwargs.pop("service", "")
self.uid = parse_uid(kwargs.pop("uid", None))
self.gid = parse_gid(kwargs.pop("gid", None))
username = kwargs.pop("username", username)
kwargs["prompt"] = kwargs.pop("prompt", "kerberos token")
SysAuthenticatorBase.__init__(self, username, **kwargs)
log("kerberos-token auth: service=%s, username=%s", self.service, username)
def pam_conv_password(self, auth, query_list, *args):
try:
resp = []
for i in range(len(query_list)):
query, pam_type = query_list[i]
if pam_type == PAM.PAM_PROMPT_ECHO_ON or pam_type == PAM.PAM_PROMPT_ECHO_OFF:
resp.append((self.password, 0))
elif pam_type == PAM_PROMPT_ERROR_MSG or pam_type == PAM_PROMPT_TEXT_INFO:
log("pam_conf_password: ERROR/INFO: '%s'", query)
resp.append(('', 0))
else:
log.error("pam_conf_password unknown type: '%s'", pam_type)
except Exception, e:
log.error("pam_conv_password error: %s", e)
def pam_conv_password(self, auth, query_list, *args):
try:
resp = []
for i in range(len(query_list)):
query, pam_type = query_list[i]
if pam_type == PAM.PAM_PROMPT_ECHO_ON or pam_type == PAM.PAM_PROMPT_ECHO_OFF:
resp.append((self.password, 0))
elif pam_type == PAM.PAM_PROMPT_ERROR_MSG or pam_type == PAM.PAM_PROMPT_TEXT_INFO:
log("pam_conf_password: ERROR/INFO: '%s'", query)
resp.append(('', 0))
else:
log.error("pam_conf_password unknown type: '%s'", pam_type)
except Exception, e:
log.error("pam_conv_password error: %s", e)
def authenticate_check(self,
challenge_response: str,
client_salt: str = None) -> bool:
log("authenticate_check(%s, %s)", repr(challenge_response),
repr(client_salt))
user_presence, counter = struct.unpack(
b">BI",
strtobytes(challenge_response)[:5])
sig = strtobytes(challenge_response[5:])
log("u2f user_presence=%s, counter=%s, signature=%s", user_presence,
counter, hexstr(sig))
app_param = sha256(self.app_id.encode('utf8')).digest()
server_challenge_b64 = base64.urlsafe_b64encode(self.salt).decode()
server_challenge_b64 = server_challenge_b64.rstrip('=')
log("challenge_b64(%s)=%s", repr(self.salt), server_challenge_b64)
client_data = {
"challenge": server_challenge_b64,
"origin": client_salt,
"typ": "navigator.id.getAssertion",
}
client_param = sha256(
json.dumps(client_data, sort_keys=True).encode('utf8')).digest()
param = app_param + \
struct.pack(b'>B', user_presence) + \
struct.pack(b'>I', counter) + \
client_param
#check all the public keys:
#pylint: disable=import-outside-toplevel
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
errors = {}
for origin, public_key in self.public_keys.items():
verifier = public_key.verifier(sig, ec.ECDSA(hashes.SHA256()))
verifier.update(param)
try:
verifier.verify()
log("ECDSA SHA256 verification passed for '%s'", origin)
return True
except Exception as e:
log("authenticate failed for '%s' / %s",
origin,
public_key,
exc_info=True)
errors[origin] = str(e) or type(e)
log.error("Error: authentication failed,")
log.error(" checked against %i key%s", len(self.public_keys),
engs(self.public_keys))
for origin, error in errors.items():
log.error(" '%s': %s", origin, error)
return False
def __init__(self, username, **kwargs):
log("exec.Authenticator(%s, %s)", username, kwargs)
self.command = kwargs.pop("command", "")
self.timeout = kwargs.pop("timeout", TIMEOUT)
self.timer = None
self.proc = None
self.timeout_event = False
if not self.command:
#try to find the default auth_dialog executable:
from xpra.platform.paths import get_libexec_dir
libexec = get_libexec_dir()
xpralibexec = os.path.join(libexec, "xpra")
log("libexec=%s, xpralibexec=%s", libexec, xpralibexec)
if os.path.exists(xpralibexec) and os.path.isdir(xpralibexec):
libexec = xpralibexec
auth_dialog = os.path.join(libexec, "auth_dialog")
if EXECUTABLE_EXTENSION:
#ie: add ".exe" on MS Windows
auth_dialog += ".%s" % EXECUTABLE_EXTENSION
log("auth_dialog=%s", auth_dialog)
if os.path.exists(auth_dialog):
self.command = auth_dialog
assert self.command, "exec authentication module is not configured correctly: no command specified"
connection = kwargs.get("connection")
log("exec connection info: %s", connection)
assert connection, "connection object is missing"
self.connection_str = str(connection)
SysAuthenticator.__init__(self, username, **kwargs)
def check(username, password):
log("PAM check(%s, [..])", username)
auth = PAM.pam()
auth.start(PAM_SERVICE)
auth.set_item(PAM.PAM_USER, username)
conv = PAM_conv(password)
auth.set_item(PAM.PAM_CONV, conv.pam_conv_password)
try:
auth.authenticate()
return True
#auth.acct_mgmt()
except PAM.error, resp:
log.error("PAM.authenticate() error: %s", resp)
return False
def check(username, password):
log("PAM check(%s, [..])", username)
auth = PAM.pam()
auth.start(PAM_SERVICE)
auth.set_item(PAM.PAM_USER, username)
conv = PAM_conv(password)
auth.set_item(PAM.PAM_CONV, conv.pam_conv_password)
try:
auth.authenticate()
return True
#auth.acct_mgmt()
except PAM.error, resp:
log.error("PAM.authenticate() error: %s", resp)
return False
def check(self, token) -> bool:
log("check(%r)", token)
assert self.challenge_sent
try:
if WIN32:
import winkerberos as kerberos #@UnresolvedImport @UnusedImport
else:
import kerberos #@UnresolvedImport @Reimport
except ImportError as e:
log("check(..)", exc_info=True)
log.warn("Warning: cannot use kerberos token authentication:")
log.warn(" %s", e)
return False
v, ctx = kerberos.authGSSServerInit(self.service)
if v != 1:
log.error(
"Error: kerberos GSS server init failed for service '%s'",
self.service)
return False
try:
r = kerberos.authGSSServerStep(ctx, token)
log("kerberos auth server step result: %s", r == 1)
if r != 1:
return False
targetname = kerberos.authGSSServerTargetName(ctx)
#response = kerberos.authGSSServerResponse(ctx)
principal = kerberos.authGSSServerUserName(ctx)
#ie: user1@LOCALDOMAIN
#maybe we should validate the realm?
log("kerberos targetname=%s, principal=%s", targetname, principal)
return True
finally:
kerberos.authGSSServerClean(ctx)
def __init__(self, username, **kwargs):
def ipop(k):
try:
return int(kwargs.pop(k, 0))
except ValueError:
return 0
self.service = kwargs.pop("service", "")
self.uid = ipop("uid")
self.gid = ipop("gid")
username = kwargs.pop("username", username)
kwargs["prompt"] = kwargs.pop("prompt", "GSS token")
SysAuthenticatorBase.__init__(self, username, **kwargs)
log("gss auth: service=%s, username=%s", self.service, username)
def __init__(self, username, **kwargs):
self.tls = bool(int(kwargs.pop("tls", "0")))
self.host = kwargs.pop("host", "localhost")
self.cacert = kwargs.pop("cacert", LDAP_CACERTFILE)
self.encoding = kwargs.pop("encoding", LDAP_ENCODING)
if self.tls:
default_port = 636
else:
default_port = 389
self.port = int(kwargs.pop("port", default_port))
self.username_format = kwargs.pop("username_format", "cn=%username, o=%domain")
#self.username_format = kwargs.pop("username_format", "%username@%domain")
SysAuthenticatorBase.__init__(self, username, **kwargs)
log("ldap auth: host=%s, port=%i, tls=%s, username_format=%s, cacert=%s, encoding=%s",
self.host, self.port, self.tls, self.username_format, self.cacert, self.encoding)
def __init__(self, **kwargs):
log("peercred.Authenticator(%s)", kwargs)
self.uid = -1
self.gid = -1
self.peercred_check = False
if not POSIX:
log.warn("Warning: peercred authentication is not supported on %s",
os.name)
return
connection = kwargs.get("connection", None)
uids = kwargs.pop("uid", "")
gids = kwargs.pop("gid", "")
allow_owner = kwargs.pop("allow-owner", "yes").lower() in TRUE_OPTIONS
self.check_peercred(connection, uids, gids, allow_owner)
super().__init__(**kwargs)
def check_host(peername, host):
libwrap = CDLL(LIBWRAP)
assert libwrap
hosts_ctl = libwrap.hosts_ctl
hosts_ctl.argtypes = [c_char_p, c_char_p, c_char_p, c_char_p]
hosts_ctl.restype = c_int
log("check_host(%s, %s)", peername, host)
#name = c_char_p(username)
c_host = c_char_p(strtobytes(host))
c_peername = c_char_p(strtobytes(peername))
#v = hosts_ctl(prg, c_host, unknown, unknown)
v = hosts_ctl(prg, c_peername, c_host, unknown)
log("hosts_ctl%s=%s", (PRG_NAME, peername, host, UNKNOWN), v)
return bool(v)
def check(self, token):
log("check(%s)", repr(token))
assert self.challenge_sent
try:
from gssapi import creds as gsscreds
from gssapi import sec_contexts as gssctx
except ImportError as e:
log("check(..)", exc_info=True)
log.warn("Warning: cannot use gss authentication:")
log.warn(" %s", e)
return False
server_creds = gsscreds.Credentials(usage='accept')
server_ctx = gssctx.SecurityContext(creds=server_creds)
server_ctx.step(token)
return server_ctx.complete
def exec_database_sql_script(cursor_cb, filename, *sqlargs):
log("exec_database_sql_script%s", (cursor_cb, filename, sqlargs))
try:
conn = sqlite3.connect(filename)
cursor = conn.cursor()
cursor.execute(*sqlargs)
if cursor_cb:
cursor_cb(cursor)
conn.commit()
conn.close()
return 0
except sqlite3.DatabaseError as e:
log.error("Error: database access problem:")
log.error(" %s", e)
return 1
def check(username, password):
log("pam check(%s, [..])", username)
return pam.authenticate(username, password)
auth.start(PAM_SERVICE)
auth.set_item(PAM.PAM_USER, username)
conv = PAM_conv(password)
auth.set_item(PAM.PAM_CONV, conv.pam_conv_password)
try:
auth.authenticate()
return True
#auth.acct_mgmt()
except PAM.error as resp:
log.error("PAM.authenticate() error: %s", resp)
return False
except Exception as e:
log.error("PAM.authenticate() internal error: %s", e)
return False
except Exception as e:
log("PAM module not available: %s", e)
try:
from xpra.server.auth import pam
assert pam
def check(username, password):
log("pam check(%s, [..])", username)
return pam.authenticate(username, password)
except:
log("pam module not available: %s", e)
if check is None:
raise ImportError("cannot use pam_auth without a pam python module")
