def ValidateParams(username, _uri_access_rights, password, service, authtok, _uri, _method, _body): """Checks whether ValidateRequest has been called with a correct params. These checks includes: - username is an obligatory parameter - either password or authtok is an obligatory parameter """ if not username: raise http.HttpUnauthorized("Username should be provided") if not service: raise http.HttpBadRequest("Service should be proivded") if not password and not authtok: raise http.HttpUnauthorized("Password or authtok should be provided")
def Authorize(cf, pam_handle, uri_access_rights, uri=None, method=None, body=None): """Performs authorization via PAM. Performs two steps: - initialize environmental variables - call pam_acct_mgmt """ try: PutPamEnvVariable(cf, pam_handle, PAM_ENV_ACCESS, uri_access_rights) PutPamEnvVariable(cf, pam_handle, PAM_ENV_URI, uri) PutPamEnvVariable(cf, pam_handle, PAM_ENV_METHOD, method) PutPamEnvVariable(cf, pam_handle, PAM_ENV_BODY, body) ret = cf.pam_acct_mgmt(pam_handle, PAM_SILENT) if ret != PAM_SUCCESS: raise http.HttpUnauthorized("Authorization failed") except: cf.pam_end(pam_handle, ret) raise
def Authenticate(cf, pam_handle, authtok=None): """Performs authentication via PAM. Perfroms two steps: - if authtok is provided then set it with pam_set_item - call pam_authenticate """ try: authtok_copy = None if authtok: authtok_copy = cf.strndup(authtok, len(authtok)) if not authtok_copy: raise http.HttpInternalServerError("Not enough memory for PAM") ret = cf.pam_set_item(c.pointer(pam_handle), PAM_AUTHTOK, authtok_copy) if ret != PAM_SUCCESS: raise http.HttpInternalServerError("pam_set_item failed [%d]" % ret) ret = cf.pam_authenticate(pam_handle, 0) if ret == PAM_ABORT: raise http.HttpInternalServerError( "pam_authenticate requested abort") if ret != PAM_SUCCESS: raise http.HttpUnauthorized("Authentication failed") except: cf.pam_end(pam_handle, ret) raise finally: if authtok_copy: cf.free(authtok_copy)
def ValidateRequest(self, req, handler_access): """Checks whether a user can access a resource. """ username, password = HttpServerRequestAuthentication \ .ExtractUserPassword(req) if username is None: raise http.HttpUnauthorized() if password is None: raise http.HttpBadRequest(message=("Basic authentication requires" " password")) user = self.user_fn(username) if self.user_fn else self.users.Get( username) _, expected_password = HttpServerRequestAuthentication \ .ExtractSchemePassword(password) if not (user and expected_password == user.password): # Unknown user or password wrong return None if (not handler_access or set(user.options).intersection(handler_access)): # Allow access return username # Access forbidden raise http.HttpForbidden()
def ValidateRequest(self, req, handler_access, realm): """Checks whether a user can access a resource. """ request_username, request_password = HttpServerRequestAuthentication \ .ExtractUserPassword(req) if request_username is None: raise http.HttpUnauthorized() if request_password is None: raise http.HttpBadRequest(message=("Basic authentication requires" " password")) user = self.user_fn(request_username) if not (user and HttpServerRequestAuthentication.VerifyBasicAuthPassword( request_username, request_password, user.password, realm)): # Unknown user or password wrong return None if (not handler_access or set(user.options).intersection(handler_access)): # Allow access return request_username # Access forbidden raise http.HttpForbidden()
def PreHandleRequest(self, req): """Called before a request is handled. @type req: L{http.server._HttpServerRequest} @param req: HTTP request context """ # Authentication not required, and no credentials given? if not (self.AuthenticationRequired(req) or (req.request_headers and http.HTTP_AUTHORIZATION in req.request_headers)): return realm = self.GetAuthRealm(req) if not realm: raise AssertionError("No authentication realm") # Check "Authorization" header if self._CheckAuthorization(req): # User successfully authenticated return # Send 401 Unauthorized response params = { "realm": realm, } # TODO: Support for Digest authentication (RFC2617, section 3). # TODO: Support for more than one WWW-Authenticate header with the same # response (RFC2617, section 4.6). headers = { http.HTTP_WWW_AUTHENTICATE: _FormatAuthHeader(HTTP_BASIC_AUTH, params), } raise http.HttpUnauthorized(headers=headers)