def get_sessions(self): import sqlite3 try: conn = sqlite3.connect(self.filename) conn.row_factory = sqlite3.Row cursor = conn.cursor() cursor.execute(self.sessions_query, [self.username, self.password_used or ""]) data = cursor.fetchone() except sqlite3.DatabaseError as e: log("get_sessions()", exc_info=True) log.error("Error: sqlauth database access problem:") log.error(" %s", e) return None try: uid = parse_uid(data["uid"]) gid = parse_gid(data["gid"]) displays = [] env_options = {} session_options = {} if data["displays"]: displays = [x.strip() for x in str(data[2]).split(",")] if data["env_options"]: env_options = parse_simple_dict(str(data[3]), ";") if data["session_options"]: session_options = parse_simple_dict(str(data[4]), ";") except Exception as e: log("get_sessions() error on row %s", data, exc_info=True) log.error("Error: sqlauth database row parsing problem:") log.error(" %s", e) return None return uid, gid, displays, env_options, session_options
def __init__(self, username, **kwargs): self.tls = bool(int(kwargs.pop("tls", "0"))) self.host = kwargs.pop("host", "localhost") self.cacert = kwargs.pop("cacert", LDAP_CACERTFILE) self.uid = parse_uid(kwargs.pop("uid", None)) self.gid = parse_gid(kwargs.pop("gid", None)) self.tls_version = None self.tls_validate = None if self.tls: import ssl tls_version = kwargs.pop("ssl-version", "TLSv1") tls_validate = kwargs.pop("ssl-validate", "REQUIRED") self.tls_version = getattr(ssl, "PROTOCOL_%s" % tls_version) self.tls_validate = getattr(ssl, "CERT_%s" % tls_validate) default_port = 636 else: default_port = 389 self.port = int(kwargs.pop("port", default_port)) self.authentication = kwargs.pop("authentication", "NTLM").upper() assert self.authentication in ( "SIMPLE", "SASL", "NTLM" ), "invalid authentication mechanism '%s'" % self.authentication username = kwargs.pop("username", username) SysAuthenticatorBase.__init__(self, username, **kwargs) log("ldap auth: host=%s, port=%i, tls=%s", self.host, self.port, self.tls)
def __init__(self, **kwargs): self.service = kwargs.pop("service", "") self.uid = parse_uid(kwargs.pop("uid", None)) self.gid = parse_gid(kwargs.pop("gid", None)) kwargs["prompt"] = kwargs.pop("prompt", "kerberos token") super().__init__(**kwargs) log("kerberos-token auth: service=%r, username=%r", self.service, kwargs.get("username"))
def __init__(self, username, **kwargs): self.service = kwargs.pop("service", "") self.realm = kwargs.pop("realm", "") self.uid = parse_uid(kwargs.pop("uid", None)) self.gid = parse_gid(kwargs.pop("gid", None)) username = kwargs.pop("username", username) SysAuthenticatorBase.__init__(self, username, **kwargs) log("kerberos-password auth: service=%s, realm=%s, username=%s", self.service, self.realm, username)
def __init__(self, username, **kwargs): self.service = kwargs.pop("service", "") self.uid = parse_uid(kwargs.pop("uid", None)) self.gid = parse_gid(kwargs.pop("gid", None)) username = kwargs.pop("username", username) kwargs["prompt"] = kwargs.pop("prompt", "GSS token") SysAuthenticatorBase.__init__(self, username, **kwargs) log("gss auth: service=%s, username=%s", self.service, username)
def db_cursor(self, *sqlargs): db = db_from_uri(self.uri) cursor = db.cursor() cursor.execute(*sqlargs) #keep reference to db so it doesn't get garbage collected just yet: cursor.db = db log("db_cursor(%s)=%s", sqlargs, cursor) return cursor
def __init__(self, **kwargs): self.service = kwargs.pop("service", "") self.realm = kwargs.pop("realm", "") self.uid = parse_uid(kwargs.pop("uid", None)) self.gid = parse_gid(kwargs.pop("gid", None)) super().__init__(**kwargs) log("kerberos-password auth: service=%r, realm=%r, username=%r", self.service, self.realm, kwargs.get("username"))
def exec_database_sql_script(self, cursor_cb, *sqlargs): db = db_from_uri(self.uri) cursor = db.cursor() log("%s.execute%s", cursor, sqlargs) cursor.execute(*sqlargs) if cursor_cb: cursor_cb(cursor) db.commit() return cursor
def exec_database_sql_script(self, cursor_cb, *sqlargs): from sqlalchemy import create_engine #@UnresolvedImport db = create_engine(self.uri) log("%s.execute%s", db, sqlargs) result = db.execute(*sqlargs) log("result=%s", result) if cursor_cb: cursor_cb(result) return result
def db_cursor(self, *sqlargs): from sqlalchemy import create_engine #@UnresolvedImport db = create_engine(self.uri) cursor = db.cursor() cursor.execute(*sqlargs) #keep reference to db so it doesn't get garbage collected just yet: cursor.db = db log("db_cursor(%s)=%s", sqlargs, cursor) return cursor
def check(username, password, service=PAM_AUTH_SERVICE): log("pam check(%s, [..])", username) from xpra.server.pam import pam_session #@UnresolvedImport session = pam_session(username, password, service) if not session.start(password): return False success = session.authenticate() if success: session.close() return success
def exec_database_sql_script(self, cursor_cb, *sqlargs): import sqlite3 #pylint: disable=import-outside-toplevel db = sqlite3.connect(self.uri) cursor = db.cursor() log("%s.execute%s", cursor, sqlargs) cursor.execute(*sqlargs) if cursor_cb: cursor_cb(cursor) db.commit() return cursor
def check(username, password): log("pam check(%s, [..])", username) from xpra.server.pam import pam_session session = pam_session(username, password, "login") if not session.start(password): return False success = session.authenticate() if success: session.close() return success
def command_timedout(self): proc = self.proc log("exec auth.command_timedout() proc=%s", proc) self.timeout_event = True self.timer = None if proc: try: proc.terminate() except: log("error trying to terminate exec auth process %s", proc, exc_info=True)
def exec_database_sql_script(self, cursor_cb, *sqlargs): import sqlite3 db = sqlite3.connect(self.uri) cursor = db.cursor() log("%s.execute%s", cursor, sqlargs) cursor.execute(*sqlargs) if cursor_cb: cursor_cb(cursor) db.commit() return cursor
def authenticate(self, username, password): auth_class = self.get_authenticator_class() a = auth_class(username, self.uri) passwords = a.get_passwords() assert passwords log("authenticate: got %i passwords", len(passwords)) assert password in passwords a.password_used = password sessions = a.get_sessions() assert sessions, "no sessions found" log("sql authentication success, found sessions: %s", sessions)
def db_cursor(self, *sqlargs): if not os.path.exists(self.filename): log.error("Error: sqlauth cannot find the database file '%s'", self.filename) return None import sqlite3 db = sqlite3.connect(self.filename) db.row_factory = sqlite3.Row cursor = db.cursor() cursor.execute(*sqlargs) log("db_cursor(%s)=%s", sqlargs, cursor) return cursor
def db_from_uri(uri): d = url_path_to_dict(uri) log("settings for uri=%s : %s", uri, d) import mysql.connector as mysql #@UnresolvedImport db = mysql.connect( host = d.get("host", "localhost"), #port = int(d.get("port", 3306)), user = d.get("user", ""), passwd = d.get("password", ""), database = (d.get("path") or "").lstrip("/") or "xpra", ) return db
def __init__(self, username, **kwargs): def ipop(k): try: return int(kwargs.pop(k, 0)) except ValueError: return 0 self.service = kwargs.pop("service", "") self.uid = parse_uid(kwargs.pop("uid", None)) self.gid = parse_gid(kwargs.pop("gid", None)) username = kwargs.pop("username", username) kwargs["prompt"] = kwargs.pop("prompt", "kerberos token") SysAuthenticatorBase.__init__(self, username, **kwargs) log("kerberos-token auth: service=%s, username=%s", self.service, username)
def pam_conv_password(self, auth, query_list, *args): try: resp = [] for i in range(len(query_list)): query, pam_type = query_list[i] if pam_type == PAM.PAM_PROMPT_ECHO_ON or pam_type == PAM.PAM_PROMPT_ECHO_OFF: resp.append((self.password, 0)) elif pam_type == PAM_PROMPT_ERROR_MSG or pam_type == PAM_PROMPT_TEXT_INFO: log("pam_conf_password: ERROR/INFO: '%s'", query) resp.append(('', 0)) else: log.error("pam_conf_password unknown type: '%s'", pam_type) except Exception, e: log.error("pam_conv_password error: %s", e)
def pam_conv_password(self, auth, query_list, *args): try: resp = [] for i in range(len(query_list)): query, pam_type = query_list[i] if pam_type == PAM.PAM_PROMPT_ECHO_ON or pam_type == PAM.PAM_PROMPT_ECHO_OFF: resp.append((self.password, 0)) elif pam_type == PAM.PAM_PROMPT_ERROR_MSG or pam_type == PAM.PAM_PROMPT_TEXT_INFO: log("pam_conf_password: ERROR/INFO: '%s'", query) resp.append(('', 0)) else: log.error("pam_conf_password unknown type: '%s'", pam_type) except Exception, e: log.error("pam_conv_password error: %s", e)
def authenticate_check(self, challenge_response: str, client_salt: str = None) -> bool: log("authenticate_check(%s, %s)", repr(challenge_response), repr(client_salt)) user_presence, counter = struct.unpack( b">BI", strtobytes(challenge_response)[:5]) sig = strtobytes(challenge_response[5:]) log("u2f user_presence=%s, counter=%s, signature=%s", user_presence, counter, hexstr(sig)) app_param = sha256(self.app_id.encode('utf8')).digest() server_challenge_b64 = base64.urlsafe_b64encode(self.salt).decode() server_challenge_b64 = server_challenge_b64.rstrip('=') log("challenge_b64(%s)=%s", repr(self.salt), server_challenge_b64) client_data = { "challenge": server_challenge_b64, "origin": client_salt, "typ": "navigator.id.getAssertion", } client_param = sha256( json.dumps(client_data, sort_keys=True).encode('utf8')).digest() param = app_param + \ struct.pack(b'>B', user_presence) + \ struct.pack(b'>I', counter) + \ client_param #check all the public keys: #pylint: disable=import-outside-toplevel from cryptography.hazmat.primitives import hashes from cryptography.hazmat.primitives.asymmetric import ec errors = {} for origin, public_key in self.public_keys.items(): verifier = public_key.verifier(sig, ec.ECDSA(hashes.SHA256())) verifier.update(param) try: verifier.verify() log("ECDSA SHA256 verification passed for '%s'", origin) return True except Exception as e: log("authenticate failed for '%s' / %s", origin, public_key, exc_info=True) errors[origin] = str(e) or type(e) log.error("Error: authentication failed,") log.error(" checked against %i key%s", len(self.public_keys), engs(self.public_keys)) for origin, error in errors.items(): log.error(" '%s': %s", origin, error) return False
def __init__(self, username, **kwargs): log("exec.Authenticator(%s, %s)", username, kwargs) self.command = kwargs.pop("command", "") self.timeout = kwargs.pop("timeout", TIMEOUT) self.timer = None self.proc = None self.timeout_event = False if not self.command: #try to find the default auth_dialog executable: from xpra.platform.paths import get_libexec_dir libexec = get_libexec_dir() xpralibexec = os.path.join(libexec, "xpra") log("libexec=%s, xpralibexec=%s", libexec, xpralibexec) if os.path.exists(xpralibexec) and os.path.isdir(xpralibexec): libexec = xpralibexec auth_dialog = os.path.join(libexec, "auth_dialog") if EXECUTABLE_EXTENSION: #ie: add ".exe" on MS Windows auth_dialog += ".%s" % EXECUTABLE_EXTENSION log("auth_dialog=%s", auth_dialog) if os.path.exists(auth_dialog): self.command = auth_dialog assert self.command, "exec authentication module is not configured correctly: no command specified" connection = kwargs.get("connection") log("exec connection info: %s", connection) assert connection, "connection object is missing" self.connection_str = str(connection) SysAuthenticator.__init__(self, username, **kwargs)
def check(username, password): log("PAM check(%s, [..])", username) auth = PAM.pam() auth.start(PAM_SERVICE) auth.set_item(PAM.PAM_USER, username) conv = PAM_conv(password) auth.set_item(PAM.PAM_CONV, conv.pam_conv_password) try: auth.authenticate() return True #auth.acct_mgmt() except PAM.error, resp: log.error("PAM.authenticate() error: %s", resp) return False
def check(self, token) -> bool: log("check(%r)", token) assert self.challenge_sent try: if WIN32: import winkerberos as kerberos #@UnresolvedImport @UnusedImport else: import kerberos #@UnresolvedImport @Reimport except ImportError as e: log("check(..)", exc_info=True) log.warn("Warning: cannot use kerberos token authentication:") log.warn(" %s", e) return False v, ctx = kerberos.authGSSServerInit(self.service) if v != 1: log.error( "Error: kerberos GSS server init failed for service '%s'", self.service) return False try: r = kerberos.authGSSServerStep(ctx, token) log("kerberos auth server step result: %s", r == 1) if r != 1: return False targetname = kerberos.authGSSServerTargetName(ctx) #response = kerberos.authGSSServerResponse(ctx) principal = kerberos.authGSSServerUserName(ctx) #ie: user1@LOCALDOMAIN #maybe we should validate the realm? log("kerberos targetname=%s, principal=%s", targetname, principal) return True finally: kerberos.authGSSServerClean(ctx)
def __init__(self, username, **kwargs): def ipop(k): try: return int(kwargs.pop(k, 0)) except ValueError: return 0 self.service = kwargs.pop("service", "") self.uid = ipop("uid") self.gid = ipop("gid") username = kwargs.pop("username", username) kwargs["prompt"] = kwargs.pop("prompt", "GSS token") SysAuthenticatorBase.__init__(self, username, **kwargs) log("gss auth: service=%s, username=%s", self.service, username)
def __init__(self, username, **kwargs): self.tls = bool(int(kwargs.pop("tls", "0"))) self.host = kwargs.pop("host", "localhost") self.cacert = kwargs.pop("cacert", LDAP_CACERTFILE) self.encoding = kwargs.pop("encoding", LDAP_ENCODING) if self.tls: default_port = 636 else: default_port = 389 self.port = int(kwargs.pop("port", default_port)) self.username_format = kwargs.pop("username_format", "cn=%username, o=%domain") #self.username_format = kwargs.pop("username_format", "%username@%domain") SysAuthenticatorBase.__init__(self, username, **kwargs) log("ldap auth: host=%s, port=%i, tls=%s, username_format=%s, cacert=%s, encoding=%s", self.host, self.port, self.tls, self.username_format, self.cacert, self.encoding)
def __init__(self, **kwargs): log("peercred.Authenticator(%s)", kwargs) self.uid = -1 self.gid = -1 self.peercred_check = False if not POSIX: log.warn("Warning: peercred authentication is not supported on %s", os.name) return connection = kwargs.get("connection", None) uids = kwargs.pop("uid", "") gids = kwargs.pop("gid", "") allow_owner = kwargs.pop("allow-owner", "yes").lower() in TRUE_OPTIONS self.check_peercred(connection, uids, gids, allow_owner) super().__init__(**kwargs)
def check_host(peername, host): libwrap = CDLL(LIBWRAP) assert libwrap hosts_ctl = libwrap.hosts_ctl hosts_ctl.argtypes = [c_char_p, c_char_p, c_char_p, c_char_p] hosts_ctl.restype = c_int log("check_host(%s, %s)", peername, host) #name = c_char_p(username) c_host = c_char_p(strtobytes(host)) c_peername = c_char_p(strtobytes(peername)) #v = hosts_ctl(prg, c_host, unknown, unknown) v = hosts_ctl(prg, c_peername, c_host, unknown) log("hosts_ctl%s=%s", (PRG_NAME, peername, host, UNKNOWN), v) return bool(v)
def check(self, token): log("check(%s)", repr(token)) assert self.challenge_sent try: from gssapi import creds as gsscreds from gssapi import sec_contexts as gssctx except ImportError as e: log("check(..)", exc_info=True) log.warn("Warning: cannot use gss authentication:") log.warn(" %s", e) return False server_creds = gsscreds.Credentials(usage='accept') server_ctx = gssctx.SecurityContext(creds=server_creds) server_ctx.step(token) return server_ctx.complete
def exec_database_sql_script(cursor_cb, filename, *sqlargs): log("exec_database_sql_script%s", (cursor_cb, filename, sqlargs)) try: conn = sqlite3.connect(filename) cursor = conn.cursor() cursor.execute(*sqlargs) if cursor_cb: cursor_cb(cursor) conn.commit() conn.close() return 0 except sqlite3.DatabaseError as e: log.error("Error: database access problem:") log.error(" %s", e) return 1
def check(username, password): log("pam check(%s, [..])", username) return pam.authenticate(username, password)
auth.start(PAM_SERVICE) auth.set_item(PAM.PAM_USER, username) conv = PAM_conv(password) auth.set_item(PAM.PAM_CONV, conv.pam_conv_password) try: auth.authenticate() return True #auth.acct_mgmt() except PAM.error as resp: log.error("PAM.authenticate() error: %s", resp) return False except Exception as e: log.error("PAM.authenticate() internal error: %s", e) return False except Exception as e: log("PAM module not available: %s", e) try: from xpra.server.auth import pam assert pam def check(username, password): log("pam check(%s, [..])", username) return pam.authenticate(username, password) except: log("pam module not available: %s", e) if check is None: raise ImportError("cannot use pam_auth without a pam python module")