def ValidateParams(username, _uri_access_rights, password, service, authtok,
_uri, _method, _body):
"""Checks whether ValidateRequest has been called with a correct params.
These checks includes:
- username is an obligatory parameter
- either password or authtok is an obligatory parameter
"""
if not username:
raise http.HttpUnauthorized("Username should be provided")
if not service:
raise http.HttpBadRequest("Service should be proivded")
if not password and not authtok:
raise http.HttpUnauthorized("Password or authtok should be provided")
def Authorize(cf,
pam_handle,
uri_access_rights,
uri=None,
method=None,
body=None):
"""Performs authorization via PAM.
Performs two steps:
- initialize environmental variables
- call pam_acct_mgmt
"""
try:
PutPamEnvVariable(cf, pam_handle, PAM_ENV_ACCESS, uri_access_rights)
PutPamEnvVariable(cf, pam_handle, PAM_ENV_URI, uri)
PutPamEnvVariable(cf, pam_handle, PAM_ENV_METHOD, method)
PutPamEnvVariable(cf, pam_handle, PAM_ENV_BODY, body)
ret = cf.pam_acct_mgmt(pam_handle, PAM_SILENT)
if ret != PAM_SUCCESS:
raise http.HttpUnauthorized("Authorization failed")
except:
cf.pam_end(pam_handle, ret)
raise
def Authenticate(cf, pam_handle, authtok=None):
"""Performs authentication via PAM.
Perfroms two steps:
- if authtok is provided then set it with pam_set_item
- call pam_authenticate
"""
try:
authtok_copy = None
if authtok:
authtok_copy = cf.strndup(authtok, len(authtok))
if not authtok_copy:
raise http.HttpInternalServerError("Not enough memory for PAM")
ret = cf.pam_set_item(c.pointer(pam_handle), PAM_AUTHTOK,
authtok_copy)
if ret != PAM_SUCCESS:
raise http.HttpInternalServerError("pam_set_item failed [%d]" %
ret)
ret = cf.pam_authenticate(pam_handle, 0)
if ret == PAM_ABORT:
raise http.HttpInternalServerError(
"pam_authenticate requested abort")
if ret != PAM_SUCCESS:
raise http.HttpUnauthorized("Authentication failed")
except:
cf.pam_end(pam_handle, ret)
raise
finally:
if authtok_copy:
cf.free(authtok_copy)
def ValidateRequest(self, req, handler_access):
"""Checks whether a user can access a resource.
"""
username, password = HttpServerRequestAuthentication \
.ExtractUserPassword(req)
if username is None:
raise http.HttpUnauthorized()
if password is None:
raise http.HttpBadRequest(message=("Basic authentication requires"
" password"))
user = self.user_fn(username) if self.user_fn else self.users.Get(
username)
_, expected_password = HttpServerRequestAuthentication \
.ExtractSchemePassword(password)
if not (user and expected_password == user.password):
# Unknown user or password wrong
return None
if (not handler_access
or set(user.options).intersection(handler_access)):
# Allow access
return username
# Access forbidden
raise http.HttpForbidden()
def ValidateRequest(self, req, handler_access, realm):
"""Checks whether a user can access a resource.
"""
request_username, request_password = HttpServerRequestAuthentication \
.ExtractUserPassword(req)
if request_username is None:
raise http.HttpUnauthorized()
if request_password is None:
raise http.HttpBadRequest(message=("Basic authentication requires"
" password"))
user = self.user_fn(request_username)
if not (user
and HttpServerRequestAuthentication.VerifyBasicAuthPassword(
request_username, request_password, user.password, realm)):
# Unknown user or password wrong
return None
if (not handler_access
or set(user.options).intersection(handler_access)):
# Allow access
return request_username
# Access forbidden
raise http.HttpForbidden()
def PreHandleRequest(self, req):
"""Called before a request is handled.
@type req: L{http.server._HttpServerRequest}
@param req: HTTP request context
"""
# Authentication not required, and no credentials given?
if not (self.AuthenticationRequired(req) or
(req.request_headers
and http.HTTP_AUTHORIZATION in req.request_headers)):
return
realm = self.GetAuthRealm(req)
if not realm:
raise AssertionError("No authentication realm")
# Check "Authorization" header
if self._CheckAuthorization(req):
# User successfully authenticated
return
# Send 401 Unauthorized response
params = {
"realm": realm,
}
# TODO: Support for Digest authentication (RFC2617, section 3).
# TODO: Support for more than one WWW-Authenticate header with the same
# response (RFC2617, section 4.6).
headers = {
http.HTTP_WWW_AUTHENTICATE:
_FormatAuthHeader(HTTP_BASIC_AUTH, params),
}
raise http.HttpUnauthorized(headers=headers)