def authenticate(self, request): if not 'HTTP_AUTHORIZATION' in request.META: return False if not python_digest.is_digest_credential(request.META['HTTP_AUTHORIZATION']): return False digest_response = python_digest.parse_digest_credentials( request.META['HTTP_AUTHORIZATION']) if not digest_response: _l.debug('authentication failure: supplied digest credentials could not be ' \ 'parsed: "%s".' % request.META['HTTP_AUTHORIZATION']) return False if not digest_response.realm == self.realm: _l.debug('authentication failure: supplied realm "%s" does not match ' \ 'configured realm "%s".' % ( digest_response.realm, self.realm)) return False if not python_digest.validate_nonce(digest_response.nonce, self.secret_key): _l.debug('authentication failure: nonce validation failed.') return False partial_digest = self._account_storage.get_partial_digest(digest_response.username) if not partial_digest: _l.debug('authentication failure: no partial digest available for user "%s".' \ % digest_response.username) return False calculated_request_digest = python_digest.calculate_request_digest( method=request.method, digest_response=digest_response, partial_digest=partial_digest) if not calculated_request_digest == digest_response.response: _l.debug('authentication failure: supplied request digest does not match ' \ 'calculated request digest.') return False if not python_digest.validate_uri(digest_response.uri, request.path): _l.debug('authentication failure: digest authentication uri value "%s" does not ' \ 'match value "%s" from HTTP request line.' % (digest_response.uri, request.path)) return False user = self._account_storage.get_user(digest_response.username) if not self._update_existing_nonce(user, digest_response.nonce, digest_response.nc): if (python_digest.get_nonce_timestamp(digest_response.nonce) + self.timeout < time.time()): _l.debug('authentication failure: attempt to establish a new session with ' \ 'a stale nonce.') return False if not self._store_nonce(user, digest_response.nonce, digest_response.nc): _l.debug('authentication failure: attempt to establish a previously used ' \ 'or nonce count.') return False request.user = user return True
def authenticate(self, request): if not 'HTTP_AUTHORIZATION' in request.META: return False if not python_digest.is_digest_credential(request.META['HTTP_AUTHORIZATION']): return False try: unicode(request.META['HTTP_AUTHORIZATION'], 'utf-8') except UnicodeDecodeError: return False digest_response = python_digest.parse_digest_credentials( request.META['HTTP_AUTHORIZATION']) if not digest_response: _l.debug('authentication failure: supplied digest credentials could not be ' \ 'parsed: "%s".' % request.META['HTTP_AUTHORIZATION']) return False if not digest_response.realm == self.realm: _l.debug('authentication failure: supplied realm "%s" does not match ' \ 'configured realm "%s".' % ( digest_response.realm, self.realm)) return False if not python_digest.validate_nonce(digest_response.nonce, self.secret_key): _l.debug('authentication failure: nonce validation failed.') return False partial_digest = self._account_storage.get_partial_digest(digest_response.username) if not partial_digest: _l.debug('authentication failure: no partial digest available for user "%s".' \ % digest_response.username) return False calculated_request_digest = python_digest.calculate_request_digest( method=request.method, digest_response=digest_response, partial_digest=partial_digest) if not calculated_request_digest == digest_response.response: _l.debug('authentication failure: supplied request digest does not match ' \ 'calculated request digest.') if self.failure_callback: self.failure_callback(request, digest_response.username) return False if not python_digest.validate_uri(digest_response.uri, request.path): _l.debug('authentication failure: digest authentication uri value "%s" does not ' \ 'match value "%s" from HTTP request line.' % (digest_response.uri, request.path)) return False user = self._account_storage.get_user(digest_response.username) if not self._update_existing_nonce(user, digest_response.nonce, digest_response.nc): if (python_digest.get_nonce_timestamp(digest_response.nonce) + self.timeout < time.time()): _l.debug('authentication failure: attempt to establish a new session with ' \ 'a stale nonce.') return False if not self._store_nonce(user, digest_response.nonce, digest_response.nc): _l.debug('authentication failure: attempt to establish a previously used ' \ 'or nonce count.') return False request.user = user return True
def authenticate(self, request): """ Base authentication method, all checks here """ if not request.headers.get('authorization'): return False if not python_digest.is_digest_credential( request.headers.get('authorization')): return False digest_response = python_digest.parse_digest_credentials( request.headers.get('authorization')) if not digest_response: log.debug('authentication failure: supplied digest credentials' ' could not be parsed: "%s".' % request.headers.get('authorization')) return False if not digest_response.username: return False if not digest_response.realm == self.realm: log.debug('authentication failure: supplied realm "%s"' 'does not match configured realm "%s".' % (digest_response.realm, self.realm)) return False if not python_digest.validate_nonce( digest_response.nonce, self.secret_key): log.debug('authentication failure: nonce validation failed.') return False partial_digest = self._account_storage.get_partial_digest( digest_response.username) if not partial_digest: log.debug('authentication failure: no partial digest available' ' for user "%s".' % digest_response.username) return False calculated_request_digest = python_digest.calculate_request_digest( method=request.method, digest_response=digest_response, partial_digest=partial_digest) if not calculated_request_digest == digest_response.response: log.debug('authentication failure: supplied request digest' 'does not match calculated request digest.') return False if not python_digest.validate_uri( digest_response.uri, urllib.parse.unquote(request.path)): log.debug('authentication failure: digest authentication uri value' '"%s" does not match value "%s" from HTTP' 'request line.' % (digest_response.uri, request.path)) return False if not self._account_storage.is_admin(digest_response.username): log.debug('authentication failure: user not in operator admin.') return False if hasattr(request,'session') and request.session.data.nonce != digest_response.nonce: if (int(python_digest.get_nonce_timestamp(digest_response.nonce)) + self.timeout < time.time()): log.debug('authentication failure: attempt to establish' ' a new session with a stale nonce.') return False if not self._store_nonce(digest_response.nonce, request): log.debug('authentication failure: attempt to establish' ' a previously used or nonce count.') return False request.user = self._account_storage.get_by_login( digest_response.username) return True
def checkUserId(self, requestedUid=None, anonymous=False): if ('Authorization' not in self.__req.headers): self.__setAuthenticate() raise AuthError('User#auth need user Authentification', 401, 20) #XXX check header validity http_authorization_header = self.__req.headers['Authorization'] digest_response = python_digest.parse_digest_credentials( http_authorization_header) if digest_response is None: self.__setAuthenticate() raise AuthError('User#Auth need digest authentification', 401, 21) if digest_response.uri != self.__req.path_qs: self.__setAuthenticate() raise AuthError('User#Auth invalid uri', 403, 22) if (anonymous is True and digest_response.username.lower() != "anonymous") or \ (anonymous is False and digest_response.username.lower() == "anonymous"): self.__setAuthenticate() raise AuthError('User#Auth forbidden', 403, 23) if python_digest.validate_nonce( digest_response.nonce, self.__cfg.get('nonce_secret') ) is not True: self.__setAuthenticate(True) raise AuthError('User#auth invalid nonce', 401, 24) #fetch user obj = users.Factory.get(digest_response.username) if not obj: self.__setAuthenticate() raise AuthError('User#auth unknown user', 404, 25) if obj.activate == 0: self.__setAuthenticate() raise AuthError('User#auth unactivated user', 403, 26) expected_request_digest = python_digest \ .calculate_request_digest( self.__req.method, obj.digest, digest_response) #nonce lifetime delta = time.time( ) - python_digest.get_nonce_timestamp(digest_response.nonce) if delta > self.__cfg.get('nonce_ttl'): self.__setAuthenticate(True) raise AuthError('User#auth nonce expired', 401, 27) #grab session sessId = hashlib.sha1( digest_response.nonce.encode('utf-8')).hexdigest() prevRequest = storage.Memcache().get(sessId, 'session') #if not, check memcache status if not prevRequest: try: storage.Memcache().checkAlive() self.__setAuthenticate(True) raise AuthError('User#auth nonce expired', 401, 28) except storage.MemcacheError: raise AuthError('Service unavailable', 503, 2) #Check nc: if not prevRequest or prevRequest['nc'] >= digest_response.nc: self.__setAuthenticate(True) raise AuthError('User#auth invalid nonce count', 401, 29) #check opaque if prevRequest['opaque'] != digest_response.opaque: self.__setAuthenticate(True) raise AuthError('User#auth invalid opaque', 401, 30) #check digest response if expected_request_digest != digest_response.response: self.__setAuthenticate() raise AuthError('User#auth invalid credentials', 401, 31) #store nonce count self.__storeSession(sessId, digest_response.opaque, digest_response.nc) if anonymous is False: self.__resp.headers['X-Lxxl-User-Token'] = str(obj.getToken()) self.__resp.headers['X-Lxxl-User-id'] = str(obj.uid) self.__resp.headers['X-Lxxl-User-Relation'] = "1" return True