Changeset 172

Timestamp:

12/16/06 05:10:56 (2 years ago)

Author:

sylvain

Message:

* Added support for hashed passwords (md5)
* Fixed static content handling

Files:

• oss/httpauthfilter/example.py (added)
• oss/httpauthfilter/httpauth.py (modified) (10 diffs)
• oss/httpauthfilter/httpauthfilter.py (modified) (10 diffs)
• oss/httpauthfilter/static (added)
• oss/httpauthfilter/static/test.js (added)
• oss/httpauthfilter/test.py (added)

oss/httpauthfilter/httpauth.py

@@ -22 +22 @@
-__version__ = 1, 0, 0
-__author__ = "Tiago Cogumbreiro <cogumbreiro@users.sf.net>"
+__contributors__ = ['Sylvain Hellegouarch', 'Peter Russell']
-__credits__ = """
-    Peter van Kampen for its recipe which implement most of Digest authentication:
@@ -39 +40 @@
-      this list of conditions and the following disclaimer in the documentation 
-      and/or other materials provided with the distribution.
-Sylvain Hellegouarch
+Tiago Cogumbreiro
-      may be used to endorse or promote products derived from this software 
-      without specific prior written permission.
@@ -210 +211 @@
-    return _A1 (params_copy, password)
-
-
+, password_is_hashed=False
-    algorithm = params.get ("algorithm", MD5)
-    H = DIGEST_AUTH_ENCODERS[algorithm]
-
-    if algorithm == MD5:
-        # If the "algorithm" directive's value is "MD5" or is
@@ -221 +221 @@
-
-    elif algorithm == MD5_SESS:
-
-        # This is A1 if qop is set
-        # A1 = H( unq(username-value) ":" unq(realm-value) ":" passwd )
-        #         ":" unq(nonce-value) ":" unq(cnonce-value)
-
+
+
+
+
+
-        return "%s:%s:%s" % (h_a1, params["nonce"], params["cnonce"])
-
@@ -251 +254 @@
-        raise NotImplementedError ("The 'qop' method is unknown: %s" % qop)
-
-
+
+
-    """
-    Generates a response respecting the algorithm defined in RFC 2617
@@ -268 +272 @@
-    if algorithm == MD5_SESS and A1 is not None:
-        H_A1 = H(A1)
+    elif password_is_hashed and algorithm == MD5:
+        H_A1 = password
-    else:
-
+, password_is_hashed
-
-    if qop == "auth" or aop == "auth-int":
@@ -296 +302 @@
-    return KD(H_A1, request)
-
-
+
+
-    """This function is used to verify the response given by the client when
-    he tries to authenticate.
@@ -305 +312 @@
-    """
-
-
+
+
-
-    return response == auth_map["response"]
-
-
-
-
+
+
+
+
+
+
+
+
+
+
+
-AUTH_RESPONSES = {
-    "basic": _checkBasicResponse,
@@ -317 +333 @@
-}
-
-
+password_is_hashed=False, 
-    """'checkResponse' compares the auth_map with the password and optionally
-    other arguments that each implementation might need.
-    
+    If the password_is_hashed flag is set, then the password is stored
+    as an md5 hash.
+ 
-    If the response is of type 'Basic' then the function has the following
-    signature:
-    
-
+
+
-    
-    If the response is of type 'Digest' then the function has the following
-    signature:
-    
-
+
+
-    
-    The 'A1' argument is only used in MD5_SESS algorithm based responses.
@@ -336 +357 @@
-    global AUTH_RESPONSES
-    checker = AUTH_RESPONSES[auth_map["auth_scheme"]]
-
+password_is_hashed,
- 

oss/httpauthfilter/httpauthfilter.py

@@ -1 @@
-
+
+
+
+
+
+
-Copyright (c) 2005, Sylvain Hellegouarch
-Copyright (c) 2005, Tiago Cogumbreiro <cogumbreiro@users.sf.net>
+"""
-
+__license__ = """
-All rights reserved.
-
@@ -30 +37 @@
-
-"""
+16/12/2006 - Added Peter Russell patch to support pre-hashed passwords
+             so that now you can store hashed values instead of clear text
+           - Should have also fixed the staticfilter case
-10/04/2006 - Refactored the filter
-30/12/2005 - Fixed to match lower cases attributes used by CherryPy
@@ -36 +46 @@
-06/12/2005 - Updated to match CherryPy 2.2.0-beta revision 862 (Sylvain)
-"""
+
+# This version has been test against CherryPy 2.2.2 RC2
-
-#
@@ -60 +72 @@
-    maxReplay - allows you to set how many times the same Digest authentification value can be used from a given user agent
-        defaults to 0 which dismiss the replay checker 
-
+
+
+
+
-        handy if you want to retrieve your users from a database for instance
-    cppasswordPath - path of the file maintaining the user:password tuples.
-        you can leave it to None when using retrieveUsersFunc
-    """
-
+
+
+
+
-        self.cppasswordPath = cppasswordPath
-        self.cppasswordLastModified = None
@@ -76 +94 @@
-        if retrieveUsersFunc is None:
-            self.retrieveUsersFunc = self._loadAuthorizedUsers
+        self.storeHashedCredentials = storeHashedCredentials
+        if self.storeHashedCredentials == True:
+            self.storeRealmsWithPasswords = True
+        else:
+            self.storeRealmsWithPasswords = storeRealmsWithPasswords
-
-    def _loadAuthorizedUsers(self):
@@ -83 +106 @@
-            cppassword = file(self.cppasswordPath, 'rb')
-            for line in cppassword:
-
-
+
+
+
+
+
+
+
+
+
-            cppassword.close()
-        return self.users
@@ -98 +128 @@
-            # Parse the header
-            ah = httpauth.parseAuthorization(cherrypy.request.headerMap['Authorization'])
-
-            # someone might try to trick us with a request we can't understand
-            # let's ditch the request
@@ -104 +133 @@
-                raise cherrypy.HTTPError(400, 'Bad Request')
-            else:
+                # If we are dealing with hashed credentials, we need
+                # the realm to be in the auth_map for basic authentication.
+                if self.storeHashedCredentials and not 'realm' in ah:
+                    ah['realm'] = self.realm
+
-                # the nc token of the Digest authentification
-                # allows a server to check for attack replay by setting a
@@ -122 +156 @@
-                # Is the user authorized?
-                password = self.retrieveUsersFunc().get(ah["username"], None)
-
-
+
+
+
+
+
+
-                    # yeah the user is authorized
-                    cherrypy.request.isAuthorized = True
-cherrypy.request.method.upper()
-Tru
+method not
+Fals
-
-    def before_main(self):
+        # this should make this filter to work fine with static content as well
+        if cherrypy.config.get('static_filter.on', False) is False:
+            cherrypy.request.execute_main = True
-        if not cherrypy.request.isAuthorized:
-            cherrypy.request.execute_main = True
-            cherrypy.response.status = '401 Unauthorized'
-            cherrypy.request.object_path = self.unauthorizedPath
@@ -140 +180 @@
-            cherrypy.response.header_list.append(('WWW-Authenticate', httpauth.basicAuth(self.realm)))
-            
-if __name__ == '__main__':
-
-    def retrieveAuthUsers():
-        return {'test':'test'}
-    
-    class Son:
-        def index(self):
-            '''Protected by the filter above'''
-            return "Hello son!"
-        index.exposed = True
-
-        def hello(self, name):
-            return "Hello %s" % (name, )
-        hello.exposed = True
-
-    class Admin:
-        _cp_filters = [ HttpAuthFilter(realm='localhost',
-                                       privateKey='duh!',
-                                       unauthorizedPath='/admin/unauthorized',
-                                       retrieveUsersFunc=retrieveAuthUsers) ]
-
-        def __init__(self):
-            self.son = Son()
-            
-        def index(self):
-            '''Only available once the user is authenticated'''
-            return "Hello there!"
-        index.exposed = True
-
-        def unauthorized(self, *args, **kwargs):
-            '''Must be declared at the same level where you defined the filter'''
-            return "You are not authorized to access that page"
-        unauthorized.exposed = True
-
-    class Root:
-        def __init__(self):
-            self.admin = Admin()
-            
-        def index(self):
-            return "hey how you doing?"
-        index.exposed = True
-
-    conf = {'global': { 'log_debug_info_filter.on': False,
-                        'autoreload.on': False,
-                        'server.log_to_screen': False,}}
-    cherrypy.tree.mount(Root(), '/', conf=conf)
-    
-    from cherrypy.test import helper
-
-    class HttpAuthFilter(helper.CPWebCase):
-
-        def testBasicAuth(self):
-            self.getPage('/admin/')
-            self.assertStatus('401 Unauthorized')
-            self.assertHeader("WWW-Authenticate", 'Basic realm="localhost"')
-            self.assertBody("You are not authorized to access that page")
-
-            # make sure we keep getting that response as long as we haven't
-            # given the authentification token
-            self.getPage('/admin/')
-            self.assertStatus('401 Unauthorized')
-            self.assertHeader("WWW-Authenticate", 'Basic realm="localhost"')
-
-            # right show our ID
-            self.getPage('/admin/', [('Authorization', 'Basic dGVzdDp0ZXN0')])
-            self.assertStatus('200 OK')
-
-            # should work also through the tree below the admin instance
-            self.getPage('/admin/son/', [('Authorization', 'Basic dGVzdDp0ZXN0')])
-            self.assertStatus('200 OK')
-
-            # should forbid us again
-            self.getPage('/admin/')
-            self.assertStatus('401 Unauthorized')
-            self.assertHeader("WWW-Authenticate", 'Basic realm="localhost"')
-            self.assertBody("You are not authorized to access that page")
-
-        def testDigestAuth(self):
-            self.getPage('/admin/')
-            self.assertStatus('401 Unauthorized')
-            self.assertHeader("WWW-Authenticate") 
-            self.assertBody("You are not authorized to access that page")
-
-            # the filter returns two WWW-Authenticate
-            # the digest auth should be the first one though
-            lowkey = "www-authenticate"
-            value = None
-            for k, v in self.headers:
-                if k.lower() == lowkey:
-                    if v.startswith("Digest"):
-                        value = v
-                        break
-            
-            if value is None:
-                self._handlewebError("Digest authentification scheme was not found")
-
-            # the digest algorithm uses a timestamp
-            # so we need to parse the response ourself because we can't hardcode
-            # the expected value
-            if value:
-                value = value[7:]
-                items = value.split(', ')
-                tokens = {}
-                for item in items:
-                    key, value = item.split('=')
-                    tokens[key.lower()] = value
-
-                missing_msg = "%s is missing"
-                bad_value_msg = "'%s' was expecting '%s' but found '%s'"
-                nonce = None
-                if 'realm' not in tokens:
-                    self._handlewebError(missing_msg % 'realm')
-                elif tokens['realm'] != '"localhost"':
-                    self._handlewebError(bad_value_msg % ('realm', '"localhost"', tokens['realm']))
-                if 'nonce' not in tokens:
-                    self._handlewebError(missing_msg % 'nonce')
-                else:
-                    nonce = tokens['nonce'].strip('"')
-                if 'algorithm' not in tokens:
-                    self._handlewebError(missing_msg % 'algorithm')
-                elif tokens['algorithm'] != '"MD5"':
-                    self._handlewebError(bad_value_msg % ('algorithm', '"MD5"', tokens['algorithm']))
-                if 'qop' not in tokens:
-                    self._handlewebError(missing_msg % 'qop')
-                elif tokens['qop'] != '"auth"':
-                    self._handlewebError(bad_value_msg % ('qop', '"auth"', tokens['qop']))
-
-                # now let's see if what 
-                base_auth = 'Digest username="test", realm="localhost", nonce="%s", uri="/admin/", algorithm=MD5, response="%s", qop=auth, nc=%s, cnonce="1522e61005789929"'
-
-                auth = base_auth % (nonce, '', '00000001')
-                
-                params = httpauth.parseAuthorization(auth)
-                response = httpauth._computeDigestResponse(params, 'test')
-
-                auth = base_auth % (nonce, response, '00000001')
-                self.getPage('/admin/', [('Authorization', auth)])
-                self.assertStatus('200 OK')
-                
-    #helper.testmain()
-    cherrypy.server.start()