def digest_challenge_response(app, qop, algorithm, stale=False):
response = app.make_response('')
response.status_code = 401
# RFC2616 Section4.2: HTTP headers are ASCII. That means
# request.remote_addr was originally ASCII, so I should be able to
# encode it back to ascii. Also, RFC2617 says about nonces: "The
# contents of the nonce are implementation dependent"
nonce = H(
b''.join([
getattr(request, 'remote_addr', u'').encode('ascii'), b':',
str(time.time()).encode('ascii'), b':',
os.urandom(10)
]), "MD5")
opaque = H(os.urandom(10), "MD5")
auth = WWWAuthenticate("digest")
auth.set_digest('*****@*****.**',
nonce,
opaque=opaque,
qop=('auth', 'auth-int') if qop is None else (qop, ),
algorithm=algorithm)
auth.stale = stale
response.headers['WWW-Authenticate'] = auth.to_header()
return response
def digest_auth(qop=None, user='******', passwd='passwd'):
"""Prompts the user for authorization using HTTP Digest auth"""
if qop not in ('auth', 'auth-int'):
qop = None
if 'Authorization' not in request.headers or \
not check_digest_auth(user, passwd) or \
not 'Cookie' in request.headers:
response = app.make_response('')
response.status_code = 401
# RFC2616 Section4.2: HTTP headers are ASCII. That means
# request.remote_addr was originally ASCII, so I should be able to
# encode it back to ascii. Also, RFC2617 says about nonces: "The
# contents of the nonce are implementation dependent"
nonce = H(b''.join([
getattr(request,'remote_addr',u'').encode('ascii'),
b':',
str(time.time()).encode('ascii'),
b':',
os.urandom(10)
]))
opaque = H(os.urandom(10))
auth = WWWAuthenticate("digest")
auth.set_digest('*****@*****.**', nonce, opaque=opaque,
qop=('auth', 'auth-int') if qop is None else (qop, ))
response.headers['WWW-Authenticate'] = auth.to_header()
response.headers['Set-Cookie'] = 'fake=fake_value'
return response
return jsonify(authenticated=True, user=user)
def digest_auth(qop=None, user='******', passwd='passwd'):
"""Prompts the user for authorization using HTTP Digest auth"""
if qop not in ('auth', 'auth-int'):
qop = None
if 'Authorization' not in request.headers or \
not check_digest_auth(user, passwd) or \
not 'Cookie' in request.headers:
response = app.make_response('')
response.status_code = 401
# RFC2616 Section4.2: HTTP headers are ASCII. That means
# request.remote_addr was originally ASCII, so I should be able to
# encode it back to ascii. Also, RFC2617 says about nonces: "The
# contents of the nonce are implementation dependent"
nonce = H(b''.join([
getattr(request,'remote_addr',u'').encode('ascii'),
b':',
str(time.time()).encode('ascii'),
b':',
os.urandom(10)
]))
opaque = H(os.urandom(10))
auth = WWWAuthenticate("digest")
auth.set_digest('*****@*****.**', nonce, opaque=opaque,
qop=('auth', 'auth-int') if qop is None else (qop, ))
response.headers['WWW-Authenticate'] = auth.to_header()
response.headers['Set-Cookie'] = 'fake=fake_value'
return response
return jsonify(authenticated=True, user=user)
def digest_auth(qop=None, user="******", passwd="passwd"):
"""Prompts the user for authorization using HTTP Digest auth"""
if qop not in ("auth", "auth-int"):
qop = None
if not request.headers.get("Authorization"):
response = app.make_response("")
response.status_code = 401
# RFC2616 Section4.2: HTTP headers are ASCII. That means
# request.remote_addr was originally ASCII, so I should be able to
# encode it back to ascii. Also, RFC2617 says about nonces: "The
# contents of the nonce are implementation dependent"
nonce = H(
b"".join(
[
getattr(request, "remote_addr", u"").encode("ascii"),
b":",
str(time.time()).encode("ascii"),
b":",
os.urandom(10),
]
)
)
opaque = H(os.urandom(10))
auth = WWWAuthenticate("digest")
auth.set_digest(
"*****@*****.**", nonce, opaque=opaque, qop=("auth", "auth-int") if qop is None else (qop,)
)
response.headers["WWW-Authenticate"] = auth.to_header()
response.headers["Set-Cookie"] = "fake=fake_value"
return response
elif not (check_digest_auth(user, passwd) and request.headers.get("Cookie")):
return status_code(401)
return jsonify(authenticated=True, user=user)
def digest_auth(qop=None, user='******', passwd='passwd', checkCookie=True):
"""Prompts the user for authorization using HTTP Digest auth"""
if qop not in ('auth', 'auth-int'):
qop = None
try:
remoteAddr = request.remote_addr or u''
authInHeaders = 'Authorization' in request.headers
digestCheck = authInHeaders and request.headers.get(
'Authorization').startswith('Digest ')
authCheck = authInHeaders and digestCheck and check_digest_auth(
user, passwd)
if not all([authInHeaders, digestCheck, authCheck]):
# RFC2616 Section4.2: HTTP headers are ASCII. That means
# request.remote_addr was originally ASCII, so I should be able to
# encode it back to ascii. Also, RFC2617 says about nonces: "The
# contents of the nonce are implementation dependent"
nonce = H(b':'.join([
remoteAddr.encode('ascii'),
str(time.time()).encode('ascii'),
os.urandom(10)
]))
opaque = H(os.urandom(10))
response = app.make_response(
jsonify(authenticated=False,
user=user,
authInHeaders=authInHeaders,
digestCheck=digestCheck,
authCheck=authCheck,
headers=dict(request.headers)))
response.status_code = 401
auth = WWWAuthenticate("digest")
auth.set_digest('*****@*****.**',
nonce,
opaque=opaque,
qop=('auth', 'auth-int') if qop is None else
(qop, ))
response.headers['WWW-Authenticate'] = auth.to_header()
if checkCookie is True:
response.headers['Set-Cookie'] = 'auth=%s' % remoteAddr
return response
elif checkCookie is True and request.cookies.get('auth') != remoteAddr:
# check for auth challange cookie per https://github.com/Runscope/httpbin/issues/124
response = app.make_response(
'Missing the cookie set in the 401 response. '
'This client seems broken. To bypass this check use the digest-auth-nocookie route.'
)
response.status_code = 403
return response
except Exception as e:
response = app.make_response('Error: %s' % str(e))
response.status_code = 500
return response
return jsonify(authenticated=True, user=user)
def test_unauthorized_www_authenticate():
basic = WWWAuthenticate()
basic.set_basic("test")
digest = WWWAuthenticate()
digest.set_digest("test", "test")
exc = exceptions.Unauthorized(www_authenticate=basic)
h = dict(exc.get_headers({}))
assert h['WWW-Authenticate'] == str(basic)
exc = exceptions.Unauthorized(www_authenticate=[digest, basic])
h = dict(exc.get_headers({}))
assert h['WWW-Authenticate'] == ', '.join((str(digest), str(basic)))
def test_unauthorized_www_authenticate():
basic = WWWAuthenticate()
basic.set_basic("test")
digest = WWWAuthenticate()
digest.set_digest("test", "test")
exc = exceptions.Unauthorized(www_authenticate=basic)
h = dict(exc.get_headers({}))
assert h["WWW-Authenticate"] == str(basic)
exc = exceptions.Unauthorized(www_authenticate=[digest, basic])
h = dict(exc.get_headers({}))
assert h["WWW-Authenticate"] == ", ".join((str(digest), str(basic)))
def test_unauthorized_www_authenticate():
basic = WWWAuthenticate()
basic.set_basic("test")
digest = WWWAuthenticate()
digest.set_digest("test", "test")
exc = exceptions.Unauthorized(www_authenticate=basic)
h = Headers(exc.get_headers({}))
assert h["WWW-Authenticate"] == str(basic)
exc = exceptions.Unauthorized(www_authenticate=[digest, basic])
h = Headers(exc.get_headers({}))
assert h.get_all("WWW-Authenticate") == [str(digest), str(basic)]
exc = exceptions.Unauthorized()
h = Headers(exc.get_headers({}))
assert "WWW-Authenticate" not in h
def digest_auth(qop=None, user='******', passwd='passwd', checkCookie=True):
"""Prompts the user for authorization using HTTP Digest auth"""
if qop not in ('auth', 'auth-int'):
qop = None
try:
remoteAddr = request.remote_addr or u''
authInHeaders = 'Authorization' in request.headers
digestCheck = authInHeaders and request.headers.get('Authorization').startswith('Digest ')
authCheck = authInHeaders and digestCheck and check_digest_auth(user, passwd)
if not all([authInHeaders, digestCheck, authCheck]):
# RFC2616 Section4.2: HTTP headers are ASCII. That means
# request.remote_addr was originally ASCII, so I should be able to
# encode it back to ascii. Also, RFC2617 says about nonces: "The
# contents of the nonce are implementation dependent"
nonce = H(b':'.join([
remoteAddr.encode('ascii'),
str(time.time()).encode('ascii'),
os.urandom(10)
]))
opaque = H(os.urandom(10))
response = app.make_response(jsonify(
authenticated=False, user=user, authInHeaders=authInHeaders,
digestCheck=digestCheck, authCheck=authCheck,
headers=dict(request.headers)))
response.status_code = 401
auth = WWWAuthenticate("digest")
auth.set_digest('*****@*****.**', nonce, opaque=opaque,
qop=('auth', 'auth-int') if qop is None else (qop, ))
response.headers['WWW-Authenticate'] = auth.to_header()
if checkCookie is True:
response.headers['Set-Cookie'] = 'auth=%s' % remoteAddr
return response
elif checkCookie is True and request.cookies.get('auth') != remoteAddr:
# check for auth challange cookie per https://github.com/Runscope/httpbin/issues/124
response = app.make_response('Missing the cookie set in the 401 response. '
'This client seems broken. To bypass this check use the digest-auth-nocookie route.')
response.status_code = 403
return response
except Exception as e:
response = app.make_response('Error: %s' % str(e))
response.status_code = 500
return response
return jsonify(authenticated=True, user=user)
def digest_auth(qop=None, user="******", passwd="passwd"):
"""Prompts the user for authorization using HTTP Digest auth"""
if qop not in ("auth", "auth-int"):
qop = None
if not request.headers.get("Authorization"):
response = app.make_response("")
response.status_code = 401
nonce = H("%s:%d:%s" % (request.remote_addr, time.time(), os.urandom(10)))
opaque = H(os.urandom(10))
auth = WWWAuthenticate("digest")
auth.set_digest(
"*****@*****.**", nonce, opaque=opaque, qop=("auth", "auth-int") if qop is None else (qop,)
)
response.headers["WWW-Authenticate"] = auth.to_header()
return response
elif not check_digest_auth(user, passwd):
return status_code(401)
return jsonify(authenticated=True, user=user)
def digest_auth(qop=None, user='******', passwd='passwd'):
"""Prompts the user for authorization using HTTP Digest auth"""
if qop not in ('auth', 'auth-int'):
qop = None
if not request.headers.get('Authorization'):
response = app.make_response('')
response.status_code = 401
nonce = H("%s:%d:%s" % (request.remote_addr,
time.time(),
os.urandom(10)))
opaque = H(os.urandom(10))
auth = WWWAuthenticate("digest")
auth.set_digest('*****@*****.**', nonce, opaque=opaque,
qop=('auth', 'auth-int') if qop is None else (qop, ))
response.headers['WWW-Authenticate'] = auth.to_header()
return response
elif not check_digest_auth(user, passwd):
return status_code(403)
return jsonify(authenticated=True, user=user)
def digest_auth(qop=None, user='******', passwd='passwd'):
"""Prompts the user for authorization using HTTP Digest auth"""
if qop not in ('auth', 'auth-int'):
qop = None
if not request.headers.get('Authorization'):
response = app.make_response('')
response.status_code = 401
nonce = H("%s:%d:%s" % (request.remote_addr,
time.time(),
os.urandom(10)))
opaque = H(os.urandom(10))
auth = WWWAuthenticate("digest")
auth.set_digest('*****@*****.**', nonce, opaque=opaque,
qop=('auth', 'auth-int') if qop is None else (qop, ))
response.headers['WWW-Authenticate'] = auth.to_header()
return response
elif not check_digest_auth(user, passwd):
return status_code(403)
return dict(authenticated=True, user=user)
def digest_challenge_response(app, qop, algorithm, stale = False):
response = app.make_response('')
response.status_code = 401
# RFC2616 Section4.2: HTTP headers are ASCII. That means
# request.remote_addr was originally ASCII, so I should be able to
# encode it back to ascii. Also, RFC2617 says about nonces: "The
# contents of the nonce are implementation dependent"
nonce = H(b''.join([
getattr(request, 'remote_addr', u'').encode('ascii'),
b':',
str(time.time()).encode('ascii'),
b':',
os.urandom(10)
]), algorithm)
opaque = H(os.urandom(10), algorithm)
auth = WWWAuthenticate("digest")
auth.set_digest('*****@*****.**', nonce, opaque=opaque,
qop=('auth', 'auth-int') if qop is None else (qop,), algorithm=algorithm)
auth.stale = stale
response.headers['WWW-Authenticate'] = auth.to_header()
return response
