def validate(username, password, domain=""): auth_info = username, domain, password ca = ClientAuth("NTLM", auth_info=auth_info) sa = ServerAuth("NTLM") data = err = None while err != 0: err, data = ca.authorize(data) err, data = sa.authorize(data)
def __init__(self, host, delegate_creds): super().__init__(host) flags = ISC_REQ_MUTUAL_AUTH | ISC_REQ_INTEGRITY if delegate_creds: flags |= ISC_REQ_DELEGATE try: self._ctx = ClientAuth('Kerberos', targetspn=self._host, scflags=flags) except SSPIError as exc: raise GSSError(1, 1, details=exc.strerror) from None self._init_token = self.step(None)
def http_error_401(self, req, fp, code, msg, headers): supported_schemes = [ s.strip() for s in headers.get("WWW-Authenticate", "").split(",") ] #dns_domain = os.environ['USERDNSDOMAIN'] dns_domain = 'tranquilit.local' if ('Negotiate' in supported_schemes): try: ca = ClientAuth("Kerberos", targetspn='HTTP/%s@%s' % (req.host.split(':')[0], dns_domain), auth_info=None) out_buf = ca.authorize(None)[1] data = out_buf[0].Buffer auth = encodestring(data).replace("\012", "") req.add_header('Authorization', 'Negotiate' + ' ' + auth) return self.parent.open(req) except: if ('Kerberos' not in supported_schemes): # if we can not fall back to NTLM, report error raise
def open_url(host, url): h = http.client.HTTPConnection(host) # h.set_debuglevel(9) h.putrequest('GET', url) h.endheaders() resp = h.getresponse() print("Initial response is", resp.status, resp.reason) body = resp.read() if resp.status == 302: # object moved url = "/" + resp.msg["location"] resp.close() h.putrequest('GET', url) h.endheaders() resp = h.getresponse() print("After redirect response is", resp.status, resp.reason) if options.show_headers: print("Initial response headers:") for name, val in list(resp.msg.items()): print(" %s: %s" % (name, val)) if options.show_body: print(body) if resp.status == 401: # 401: Unauthorized - here is where the real work starts auth_info = None if options.user or options.domain or options.password: auth_info = options.user, options.domain, options.password ca = ClientAuth("NTLM", auth_info=auth_info) auth_scheme = ca.pkg_info['Name'] data = None while 1: err, out_buf = ca.authorize(data) data = out_buf[0].Buffer # Encode it as base64 as required by HTTP auth = encodestring(data).replace("\012", "") h.putrequest('GET', url) h.putheader('Authorization', auth_scheme + ' ' + auth) h.putheader('Content-Length', '0') h.endheaders() resp = h.getresponse() if options.show_headers: print("Token dance headers:") for name, val in list(resp.msg.items()): print(" %s: %s" % (name, val)) if err == 0: break else: if resp.status != 401: print("Eeek - got response", resp.status) cl = resp.msg.get("content-length") if cl: print(repr(resp.read(int(cl)))) else: print("no content!") assert resp.status == 401, resp.status assert not resp.will_close, "NTLM is per-connection - must not close" schemes = [ s.strip() for s in resp.msg.get("WWW-Authenticate", "").split(",") ] for scheme in schemes: if scheme.startswith(auth_scheme): data = decodestring(scheme[len(auth_scheme) + 1:]) break else: print("Could not find scheme '%s' in schemes %r" % (auth_scheme, schemes)) break resp.read() print("Final response status is", resp.status, resp.reason) if resp.status == 200: # Worked! # Check we can read it again without re-authenticating. if resp.will_close: print( "EEEK - response will close, but NTLM is per connection - it must stay open" ) body = resp.read() if options.show_body: print("Final response body:") print(body) h.putrequest('GET', url) h.endheaders() resp = h.getresponse() print("Second fetch response is", resp.status, resp.reason) if options.show_headers: print("Second response headers:") for name, val in list(resp.msg.items()): print(" %s: %s" % (name, val)) resp.read(int(resp.msg.get("content-length", 0))) elif resp.status == 500: print("Error text") print(resp.read()) else: if options.show_body: cl = resp.msg.get("content-length") print(resp.read(int(cl)))
def connect(self, host, user=None, password=None, passthrough=False, trace_file=None, sock_timeout=None): """Opens a session to a VC/ESX server with the given credentials: @host: is the server's hostname or address. If the web service uses another protocol or port than the default, you must use the full service URL (e.g. http://myhost:8888/sdk) @user: (optional) username to connect with @password: (optional) password to authenticate the session @passthrough: (optional) use Windows session credentials or MIT Kerberos credentials to connect. User should provide user/password pair OR set passthrough to True @trace_file: (optional) a file path to log SOAP requests and responses @sock_timeout: (optional) only for python >= 2.6, sets the connection timeout for sockets, in python 2.5 you'll have to use socket.setdefaulttimeout(secs) to change the global setting. """ if (((user is None or password is None) and not passthrough) or ((user is not None or password is not None) and passthrough)): raise TypeError("connect() takes user/password pair OR passthrough=True") self.__user = user self.__password = password #Generate server's URL if not isinstance(host, basestring): raise VIException("'host' should be a string with the ESX/VC url." ,FaultTypes.PARAMETER_ERROR) elif (host.lower().startswith('http://') or host.lower().startswith('https://')): server_url = host.lower() else: server_url = 'https://%s/sdk' % host try: #get the server's proxy locator = VI.VimServiceLocator() args = {'url':server_url} if trace_file: trace=open(trace_file, 'w') args['tracefile'] = trace if sock_timeout and sys.version_info >= (2, 6): args['transdict'] = {'timeout':sock_timeout} self._proxy = locator.getVimPortType(**args) for header, value in self.__initial_headers.iteritems(): self._proxy.binding.AddHeader(header, value) #get service content from service instance request = VI.RetrieveServiceContentRequestMsg() mor_service_instance = request.new__this('ServiceInstance') mor_service_instance.set_attribute_type(MORTypes.ServiceInstance) request.set_element__this(mor_service_instance) self._do_service_content = self._proxy.RetrieveServiceContent( request)._returnval self.__server_type = self._do_service_content.About.Name self.__api_version = self._do_service_content.About.ApiVersion self.__api_type = self._do_service_content.About.ApiType if not passthrough: #login with user/password request = VI.LoginRequestMsg() mor_session_manager = request.new__this( self._do_service_content.SessionManager) mor_session_manager.set_attribute_type(MORTypes.SessionManager) request.set_element__this(mor_session_manager) request.set_element_userName(user) request.set_element_password(password) self.__session = self._proxy.Login(request)._returnval self.__logged = True else: fqdn, aliases, addrs = gethostbyaddr(urlparse(server_url).netloc) if os.name == 'nt': #login with Windows session credentials try: from sspi import ClientAuth except ImportError: raise ImportError("To enable passthrough authentication please"\ " install pywin32 (available for Windows only)") spn = "host/%s" % fqdn client = ClientAuth("Kerberos", targetspn=spn) def get_token(serverToken=None): if serverToken is not None: serverToken = b64decode(serverToken) err, bufs = client.authorize(serverToken) return b64encode(bufs[0].Buffer) else: #login with MIT Kerberos credentials try: import kerberos except ImportError: raise ImportError("To enable passthrough authentication please"\ " install python bindings for kerberos") spn = "host@%s" % fqdn flags = kerberos.GSS_C_INTEG_FLAG|kerberos.GSS_C_SEQUENCE_FLAG|\ kerberos.GSS_C_REPLAY_FLAG|kerberos.GSS_C_CONF_FLAG errc, client = kerberos.authGSSClientInit(spn, gssflags=flags) def get_token(serverToken=''): cres = kerberos.authGSSClientStep(client, serverToken) return kerberos.authGSSClientResponse(client) token = get_token() while not self.__logged: try: request = VI.LoginBySSPIRequestMsg() mor_session_manager = request.new__this( self._do_service_content.SessionManager) mor_session_manager.set_attribute_type(MORTypes.SessionManager) request.set_element__this(mor_session_manager) request.set_element_base64Token(token) self.__session = self._proxy.LoginBySSPI(request)._returnval self.__logged = True except (VI.ZSI.FaultException), e: if e.fault.string == "fault.SSPIChallenge.summary": serverToken = e.fault.detail[0].Base64Token token = get_token(serverToken) else: raise e except (VI.ZSI.FaultException), e: raise VIApiException(e)