コード例 #1
0
ファイル: auth.py プロジェクト: pombreda/UnnaturalCodeFork
    def _checkForAuthorizedKey(self, user_dict, credentials):
        """Check the key data in credentials against the keys found in LP."""
        if credentials.algName == 'ssh-dss':
            wantKeyType = 'DSA'
        elif credentials.algName == 'ssh-rsa':
            wantKeyType = 'RSA'
        else:
            # unknown key type
            return False

        if len(user_dict['keys']) == 0:
            raise UserDisplayedUnauthorizedLogin(
                "Launchpad user %r doesn't have a registered SSH key" %
                credentials.username)

        for keytype, keytext in user_dict['keys']:
            if keytype != wantKeyType:
                continue
            try:
                if keytext.decode('base64') == credentials.blob:
                    return True
            except binascii.Error:
                continue

        raise UnauthorizedLogin(
            "Your SSH key does not match any key registered for Launchpad "
            "user %s" % credentials.username)
コード例 #2
0
    def requestAvatarId(self, token):
        # validate credential signature
        token_info = None
        try:
            token_info = self.validate_and_parse_keystone_token(token)
            log.info(
                'Successful login with Keystone token, extracted data: %s' %
                token_info)
            log.debug('Token: %s' % token)
        except Exception:
            log.debug('Exception while validating Keystone token',
                      exc_info=True)
            log.warning('Authentication failed with Keystone token')
            return defer.fail(UnauthorizedLogin('Invalid credentials'))

        # extract avatar info from the token
        auth = getUtility(IAuthentication)
        oms_user = User(token_info['username'])
        # extract group information from the token
        oms_user.groups.extend(token_info['groups'])
        log.debug('Adding user groups: %s' % ', '.join(token_info['groups']))
        for g in oms_user.groups:
            auth.registerPrincipal(Group(g))
        auth.registerPrincipal(oms_user)
        return defer.succeed(token_info['username'])
コード例 #3
0
 def cbCheckPamUser(self, responses, username, ip):
     """
     """
     for (response, zero) in responses:
         if self.checkUserPass(username, response, ip):
             return defer.succeed(username)
     return defer.fail(UnauthorizedLogin())
コード例 #4
0
 def _srp_auth(self, username, password):
     try:
         auth = yield self._bonafide_auth(username, password)
     except SRPAuthError:
         raise UnauthorizedLogin(
             "User typed wrong password/username combination.")
     returnValue(auth)
コード例 #5
0
ファイル: sipthor.py プロジェクト: FihlaTV/openxcap
 def _checkedPassword(self, matched, username, realm):
     if matched:
         username = username.split('@', 1)[0]
         ## this is the avatar ID
         return "%s@%s" % (username, realm)
     else:
         raise UnauthorizedLogin("Unauthorized login")
コード例 #6
0
ファイル: cred_unix.py プロジェクト: Arshdeep10/scrapy
    def checkSpwd(self, spwd, username, password):
        """
        Obtain the encrypted password for C{username} from the
        Unix shadow password database using L{spwd.getspnam},
        and see if it it matches it matches C{password}.

        @param spwd: Module which provides functions which
                    access to the Unix shadow password database.
        @type pwd: C{module}
        @param username: The user to look up in the Unix password database.
        @type username: L{unicode}/L{str} or L{bytes}
        @param password: The password to compare.
        @type username: L{unicode}/L{str} or L{bytes}
        """
        try:
            if not isinstance(username, StringType):
                username = username.decode('utf-8')
            if getattr(spwd.struct_spwd, "sp_pwdp", None):
                # Python 3
                cryptedPass = spwd.getspnam(username).sp_pwdp
            else:
                # Python 2
                cryptedPass = spwd.getspnam(username).sp_pwd
        except KeyError:
            return defer.fail(UnauthorizedLogin())
        else:
            if verifyCryptedPassword(cryptedPass, password):
                return defer.succeed(username)
コード例 #7
0
ファイル: cred_unix.py プロジェクト: Arshdeep10/scrapy
    def requestAvatarId(self, credentials):
        username, password = credentials.username, credentials.password

        try:
            import pwd
        except ImportError:
            pwd = None

        if pwd is not None:
            checked = self.checkPwd(pwd, username, password)
            if checked is not None:
                return checked

        try:
            import spwd
        except ImportError:
            spwd = None

        if spwd is not None:
            checked = self.checkSpwd(spwd, username, password)
            if checked is not None:
                return checked
        # TODO: check_pam?
        # TODO: check_shadow?
        return defer.fail(UnauthorizedLogin())
コード例 #8
0
 def requestAvatarId(self, credentials):
     """See `ICredentialsChecker`."""
     if credentials.username == self.username:
         matched = yield credentials.checkPassword(self.password)
         if matched:
             returnValue(credentials.username)
     raise UnauthorizedLogin(credentials.username)
コード例 #9
0
ファイル: server.py プロジェクト: ljchang/rql_download
    def requestAvatarId(self, credentials):
        """ Get the avatar id.

        Parameters
        ----------
        credentials: (mandatory)
            something which implements one of the interfaces in
            self.credentialInterfaces.

        Returns
        -------
        out:
            a Deferred which will fire a string which identifies an avatar,
            an empty tuple to specify an authenticated anonymous user
            (provided as checkers.ANONYMOUS) or fire a
            Failure(UnauthorizedLogin). Alternatively, return the result itself.
        """
        try:
            session_ids = []
            for repo in self.cw_repositories:
                session_ids.append(
                    repo.connect(credentials.username,
                                 password=credentials.password))
        except:
            logging.exception("Failed to get connection for user {0}".format(
                credentials.username))
            return defer.fail(UnauthorizedLogin("Invalid user/password"))
        else:
            return defer.succeed((credentials.username, session_ids))
コード例 #10
0
ファイル: userauth.py プロジェクト: ling-1/GETAiqiyiDanmu
    def auth_publickey(self, packet):
        """
        Public key authentication.  Payload::
            byte has signature
            string algorithm name
            string key blob
            [string signature] (if has signature is True)

        Create a SSHPublicKey credential and verify it using our portal.
        """
        hasSig = ord(packet[0:1])
        algName, blob, rest = getNS(packet[1:], 2)

        try:
            pubKey = keys.Key.fromString(blob)
        except keys.BadKeyError:
            error = "Unsupported key type {} or bad key".format(
                algName.decode("ascii"))
            self._log.error(error)
            return defer.fail(UnauthorizedLogin(error))

        signature = hasSig and getNS(rest)[0] or None
        if hasSig:
            b = (NS(self.transport.sessionID) + bytes(
                (MSG_USERAUTH_REQUEST, )) + NS(self.user) +
                 NS(self.nextService) + NS(b"publickey") + bytes(
                     (hasSig, )) + NS(pubKey.sshType()) + NS(blob))
            c = credentials.SSHPrivateKey(self.user, algName, blob, b,
                                          signature)
            return self.portal.login(c, None, interfaces.IConchUser)
        else:
            c = credentials.SSHPrivateKey(self.user, algName, blob, None, None)
            return self.portal.login(c, None,
                                     interfaces.IConchUser).addErrback(
                                         self._ebCheckKey, packet[1:])
コード例 #11
0
    def authenticateUserPASS(self, user, password):
        """
        Perform authentication for a username/password login.

        Override the default lookup scheme to allow virtual domains.

        @type user: L{bytes}
        @param user: The name of the user attempting to log in.

        @type password: L{bytes}
        @param password: The password to authenticate with.

        @rtype: L{Deferred} which successfully results in 3-L{tuple} of
            (L{IMailbox <pop3.IMailbox>}, L{IMailbox <pop3.IMailbox>}
            provider, no-argument callable)
        @return: A deferred which fires when authentication is complete.
            If successful, it returns an L{IMailbox <pop3.IMailbox>} interface,
            a mailbox and a logout function. If authentication fails, the
            deferred fails with an L{UnauthorizedLogin
            <twisted.cred.error.UnauthorizedLogin>} error.
        """
        user, domain = self.lookupDomain(user)
        try:
            portal = self.service.lookupPortal(domain)
        except KeyError:
            return defer.fail(UnauthorizedLogin())
        else:
            return portal.login(UsernamePassword(user, password), None,
                                pop3.IMailbox)
コード例 #12
0
    def validate_and_parse_keystone_token(self, cms_token):
        """Validate Keystone CMS token.

        Partially taken from Keystone's common/cms.py module."""
        signing_cert_file_name = get_config().get('keystone',
                                                  'signing_cert_file_name')
        ca_file_name = get_config().get('keystone', 'ca_file_name')
        openssl_cmd = get_config().get('keystone', 'openssl_cmd')
        process = subprocess.Popen([
            openssl_cmd, "cms", "-verify", "-certfile", signing_cert_file_name,
            "-CAfile", ca_file_name, "-inform", "PEM", "-nosmimecap",
            "-nodetach", "-nocerts", "-noattr"
        ],
                                   stdin=subprocess.PIPE,
                                   stdout=subprocess.PIPE,
                                   stderr=subprocess.PIPE)
        output, err = process.communicate(self.token_to_cms(cms_token))
        retcode = process.poll()
        if retcode:
            log.info('Token validation has failed, return code: %s' % retcode)
            raise UnauthorizedLogin()
        token_info = json.loads(output)
        #print json.dumps(token_info, sort_keys=True,
        #          indent=4, separators=(',', ': '))
        res = {
            'username': str(token_info['access']['user']['username']),
            'groups': [str(token_info['access']['token']['tenant']['name'])]
        }
        return res
コード例 #13
0
    def requestAvatarId(self, credentials):
	l = ldap.initialize(self.lserver)
	l.set_option(ldap.OPT_REFERRALS, 0)
	l.protocol_version = 3

	filter = "(&(objectClass=posixAccount)(uid="+credentials.username+"))"
	groupFilter = '(&(cn='+self.group+')(memberUid=' +credentials.username+'))'

#	return defer.succeed(credentials.username)
	#1. get user cn
	results = l.search_s(self.base_dn, self.scope, filter)
	for dn,entry in results:
	    dn = str(dn)

    	#2. check auth
	l.simple_bind_s(dn, credentials.password)

    	#3. check group
	results = l.search_s(self.base_dn, self.scope, groupFilter)

	if len(results) > 0:
	    return defer.succeed(credentials.username)

        # Something went wrong. Simply fail authentication
        return defer.fail(UnauthorizedLogin("unable to verify password"))        
コード例 #14
0
 def _ebRequestAvatarId(self, f):
     if not f.check(UnauthorizedLogin):
         _log.error(
             "Unauthorized login due to internal error: {error}", error=f.value
         )
         return failure.Failure(UnauthorizedLogin("unable to get avatar id"))
     return f
コード例 #15
0
    def authenticateUserAPOP(self, user, digest):
        """
        Perform APOP authentication.

        Override the default lookup scheme to allow virtual domains.

        @type user: L{bytes}
        @param user: The name of the user attempting to log in.

        @type digest: L{bytes}
        @param digest: The challenge response.

        @rtype: L{Deferred} which successfully results in 3-L{tuple} of
            (L{IMailbox <pop3.IMailbox>}, L{IMailbox <pop3.IMailbox>}
            provider, no-argument callable)
        @return: A deferred which fires when authentication is complete.
            If successful, it returns an L{IMailbox <pop3.IMailbox>} interface,
            a mailbox and a logout function. If authentication fails, the
            deferred fails with an L{UnauthorizedLogin
            <twisted.cred.error.UnauthorizedLogin>} error.
        """
        user, domain = self.lookupDomain(user)
        try:
            portal = self.service.lookupPortal(domain)
        except KeyError:
            return defer.fail(UnauthorizedLogin())
        else:
            return portal.login(pop3.APOPCredentials(self.magic, user, digest),
                                None, pop3.IMailbox)
コード例 #16
0
ファイル: checkers.py プロジェクト: kusoof/wprof
 def _cbRequestAvatarId(self, validKey, credentials):
     if not validKey:
         return failure.Failure(UnauthorizedLogin())
     if not credentials.signature:
         return failure.Failure(error.ValidPublicKey())
     else:
         try:
             pubKey = keys.getPublicKeyObject(data=credentials.blob)
             if keys.verifySignature(pubKey, credentials.signature,
                                     credentials.sigData):
                 return credentials.username
         except:  # any error should be treated as a failed login
             f = failure.Failure()
             log.err()
             return f
     return failure.Failure(UnauthorizedLogin())
コード例 #17
0
ファイル: cred_unix.py プロジェクト: Arshdeep10/scrapy
    def checkPwd(self, pwd, username, password):
        """
        Obtain the encrypted password for C{username} from the Unix password
        database using L{pwd.getpwnam}, and see if it it matches it matches
        C{password}.

        @param pwd: Module which provides functions which
                    access to the Unix password database.
        @type pwd: C{module}
        @param username: The user to look up in the Unix password database.
        @type username: L{unicode}/L{str} or L{bytes}
        @param password: The password to compare.
        @type username: L{unicode}/L{str} or L{bytes}
        """
        try:
            if not isinstance(username, StringType):
                username = username.decode('utf-8')
            cryptedPass = pwd.getpwnam(username).pw_passwd
        except KeyError:
            return defer.fail(UnauthorizedLogin())
        else:
            if cryptedPass in ('*', 'x'):
                # Allow checkSpwd to take over
                return None
            elif verifyCryptedPassword(cryptedPass, password):
                return defer.succeed(username)
コード例 #18
0
 def clean_username(self, username):
     if '@' not in username:
         return username
     extracted_username = self.extract_username(username)
     if self.username_with_domain(extracted_username) == username:
         return extracted_username
     raise UnauthorizedLogin('User typed a wrong domain.')
コード例 #19
0
    def requestAvatarId(self, credentials):
        credentials = IPrincipalCredentials(credentials)

        if credentials.authnPrincipal is None:
            raise UnauthorizedLogin(
                "No such user: {user}".format(
                    user=credentials.credentials.username
                )
        )

        # See if record is enabledForLogin
        if not credentials.authnPrincipal.record.isLoginEnabled():
            raise UnauthorizedLogin(
                "User not allowed to log in: {user}".format(
                    user=credentials.credentials.username
                )
            )

        # Handle Kerberos as a separate behavior
        try:
            from twistedcaldav.authkerb import NegotiateCredentials
        except ImportError:
            NegotiateCredentials = None

        if NegotiateCredentials and isinstance(credentials.credentials,
                                               NegotiateCredentials):
            # If we get here with Kerberos, then authentication has already succeeded
            returnValue(
                (
                    credentials.authnPrincipal,
                    credentials.authzPrincipal,
                )
            )
        else:
            if (yield credentials.authnPrincipal.record.verifyCredentials(credentials.credentials)):
                returnValue(
                    (
                        credentials.authnPrincipal,
                        credentials.authzPrincipal,
                    )
                )
            else:
                raise UnauthorizedLogin(
                    "Incorrect credentials for user: {user}".format(
                        user=credentials.credentials.username
                    )
                )
コード例 #20
0
 def requestAvatarId(self, credentials):
     matched = self.passwords.get(credentials.username.decode('ascii'),
                                  None)
     if matched and matched == crypt.crypt(
             credentials.password.decode('ascii'), matched[:2]):
         return succeed(credentials.username)
     else:
         return fail(UnauthorizedLogin("Invalid username or password"))
コード例 #21
0
 def requestAvatarId(self, credentials):
     try:
         sessionid = self.repo.connect(credentials.username,
                                       password=credentials.password)
     except Exception, exc:
         logging.exception('failed to get connection for user %s',
                           credentials.username)
         return defer.fail(UnauthorizedLogin("invalid password"))
コード例 #22
0
ファイル: cred.py プロジェクト: rrosajp/bitmask-dev
 def requestAvatarId(self, credentials):
     if self.service is None:
         raise NotImplementedError(
             "this checker has not defined its service name")
     username, password = credentials.username, credentials.password
     d = self.checkSoledadToken(username, password, self.service)
     d.addErrback(lambda f: defer.fail(UnauthorizedLogin()))
     return d
コード例 #23
0
    def sendDisconnect(self, reason, desc):
        log.debug('sending transport disconnect [%s]' % reason)
        transport.SSHClientTransport.sendDisconnect(self, reason, desc)

        # Tell the factory we had an unauthorized login exception
        if reason == 14:
            log.debug('login failure, telling the factory about it')
            self.factory.resetConnection(UnauthorizedLogin())
コード例 #24
0
ファイル: web_login.py プロジェクト: bopopescu/PyHouse
 def checkSpwd(self, spwd, username, password):
     try:
         cryptedPass = spwd.getspnam(username)[1]
     except KeyError:
         return defer.fail(UnauthorizedLogin())
     else:
         if verifyCryptedPassword(cryptedPass, password):
             return defer.succeed(username)
コード例 #25
0
    def sendDisconnect(self, reason, desc):
        log.debug('sending transport disconnect [%s]' % reason)
        transport.SSHClientTransport.sendDisconnect(self, reason, desc)

        # Tell the factory we had an unauthorized login exception
        if reason == transport.DISCONNECT_NO_MORE_AUTH_METHODS_AVAILABLE:
            self.factory.resetConnection(
                UnauthorizedLogin('Authentication Failure'))
コード例 #26
0
ファイル: __init__.py プロジェクト: alexeyzotov/authkerb
 def requestAvatarId(self, credentials):
     if not credentials.username:
         if self.allow_anonymous:
             return defer.succeed(credentials.username)
         
         return defer.fail(UnauthorizedLogin())
     
     return deferToThread(self.checkPassword, credentials)
コード例 #27
0
 def requestAvatarId(self, creds):
     if creds.blob == keys.Key.fromString(keydata.publicRSA_openssh).blob():
         if creds.signature is not None:
             obj = keys.Key.fromString(creds.blob)
             if obj.verify(creds.signature, creds.sigData):
                 return creds.username
         else:
             raise ValidPublicKey()
     raise UnauthorizedLogin()
コード例 #28
0
ファイル: objshssh.py プロジェクト: iapyeh/objsh
 def _err(reason, _deferred):
     if _deferred.called: return  ##maybe has timeout
     log.msg('Warning! LDAP connection problem %s' % reason)
     reason.trap(
         ldaperrors.LDAPInvalidCredentials,
         # this happens with slapd 2.1.30 when binding
         # with DN but no password
         ldaperrors.LDAPUnwillingToPerform)
     _deferred.errback(UnauthorizedLogin('LDAP connection problem'))
コード例 #29
0
    def requestAvatarId(self, credentials):
        twunnel.logger.log(
            3, "trace: SSHPrivateKeyCredentialsChecker.requestAvatarId")

        if len(self.configuration["REMOTE_PROXY_SERVER"]["ACCOUNTS"]) == 0:
            return defer.succeed(-1)

        if not credentials.signature:
            return defer.fail(ValidPublicKey())

        i = 0
        while i < len(self.configuration["REMOTE_PROXY_SERVER"]["ACCOUNTS"]):
            if self.configuration["REMOTE_PROXY_SERVER"]["ACCOUNTS"][i][
                    "NAME"] == credentials.username:
                j = 0
                while j < len(self.configuration["REMOTE_PROXY_SERVER"]
                              ["ACCOUNTS"][i]["KEYS"]):
                    if self.configuration["REMOTE_PROXY_SERVER"]["ACCOUNTS"][
                            i]["KEYS"][j]["PUBLIC"]["FILE"] != "":
                        key = keys.Key.fromFile(
                            self.configuration["REMOTE_PROXY_SERVER"]
                            ["ACCOUNTS"][i]["KEYS"][j]["PUBLIC"]["FILE"],
                            passphrase=str(
                                self.configuration["REMOTE_PROXY_SERVER"]
                                ["ACCOUNTS"][i]["KEYS"][j]["PUBLIC"]
                                ["PASSPHRASE"]))

                        if key.blob() == credentials.blob:
                            if key.verify(credentials.signature,
                                          credentials.sigData):
                                return defer.succeed(i)

                    j = j + 1

                twunnel.logger.log(1, "ERROR_ACCOUNT_KEYS_PUBLIC")

                return defer.fail(
                    UnauthorizedLogin("ERROR_ACCOUNT_KEYS_PUBLIC"))

            i = i + 1

        twunnel.logger.log(1, "ERROR_ACCOUNT_NAME")

        return defer.fail(UnauthorizedLogin("ERROR_ACCOUNT_NAME"))
コード例 #30
0
 def requestAvatarId(self, credentials):
     if hasattr(credentials, 'password'):
         if self.checkUserPass(credentials.username, credentials.password):
             return defer.succeed(credentials.username)
         else:
             return defer.fail(UnauthorizedLogin())
     elif hasattr(credentials, 'pamConversion'):
         return self.checkPamUser(credentials.username,
                                  credentials.pamConversion)
     return defer.fail(UnhandledCredentials())