RedHatTraining/repoze.who.git

Reuse 'DEFAULT_DIGEST' declared in 'repoze.who._auth_tkt'.

Tres Seaver

2016-05-31 275d134e3e157dda6af5661089469c7e8a8b915f

commit \| author \| age
299b4c	1	import datetime
b95a59	2	from codecs import utf_8_decode
CM	3	from codecs import utf_8_encode
2d1f2c	4	import hashlib
0ee58d	5	import os
cd1198	6	import time
4f3525	7	from wsgiref.handlers import _monthname # Locale-independent, RFC-2616
TS	8	from wsgiref.handlers import _weekdayname # Locale-independent, RFC-2616
8729b3	9	try:
J	10	from urllib.parse import urlencode, parse_qsl
	11	except ImportError:
	12	from urllib import urlencode
	13	from urlparse import parse_qsl
b95a59	14
1fa560	15	from zope.interface import implementer
a5b033	16
cb5426	17	from repoze.who.interfaces import IIdentifier
b0f81f	18	from repoze.who.interfaces import IAuthenticator
6919cb	19	from repoze.who._compat import get_cookies
TS	20	import repoze.who._auth_tkt as auth_tkt
9df42f	21	from repoze.who._compat import STRING_TYPES
a5b033	22
4f3525	23	_UTCNOW = None # unit tests can replace
TS	24	def _utcnow(): #pragma NO COVERAGE
	25	if _UTCNOW is not None:
	26	return _UTCNOW
	27	return datetime.datetime.utcnow()
798feb	28
1fa560	29	@implementer(IIdentifier, IAuthenticator)
a5b033	30	class AuthTktCookiePlugin(object):
779caf	31
0fa6f9	32	userid_typename = 'userid_type'
d6fa0a	33	userid_type_decoders = {'int': int,
TS	34	'unicode': lambda x: utf_8_decode(x)[0],
	35	}
779caf	36
d6fa0a	37	userid_type_encoders = {int: ('int', str),
TS	38	}
6919cb	39	try:
TS	40	userid_type_encoders[long] = ('int', str)
	41	except NameError: #pragma NO COVER Python >= 3.0
	42	pass
	43	try:
	44	userid_type_encoders[unicode] = ('unicode',
	45	lambda x: utf_8_encode(x)[0])
	46	except NameError: #pragma NO COVER Python >= 3.0
	47	pass
	48
a5b033	49	def __init__(self, secret, cookie_name='auth_tkt',
cd1198	50	secure=False, include_ip=False,
7483ec	51	timeout=None, reissue_time=None, userid_checker=None,
275d13	52	digest_algo=auth_tkt.DEFAULT_DIGEST):
a5b033	53	self.secret = secret
CM	54	self.cookie_name = cookie_name
	55	self.include_ip = include_ip
	56	self.secure = secure
cd1198	57	if timeout and ( (not reissue_time) or (reissue_time > timeout) ):
CM	58	raise ValueError('When timeout is specified, reissue_time must '
	59	'be set to a lower value')
	60	self.timeout = timeout
	61	self.reissue_time = reissue_time
a6f6dc	62	self.userid_checker = userid_checker
7483ec	63	self.digest_algo = digest_algo
a5b033	64
CM	65	# IIdentifier
	66	def identify(self, environ):
	67	cookies = get_cookies(environ)
	68	cookie = cookies.get(self.cookie_name)
	69
	70	if cookie is None or not cookie.value:
40a968	71	return None
a5b033	72
CM	73	if self.include_ip:
	74	remote_addr = environ['REMOTE_ADDR']
	75	else:
	76	remote_addr = '0.0.0.0'
	77
	78	try:
	79	timestamp, userid, tokens, user_data = auth_tkt.parse_ticket(
7483ec	80	self.secret, cookie.value, remote_addr, self.digest_algo)
a5b033	81	except auth_tkt.BadTicket:
a6f6dc	82	return None
CM	83
cd1198	84	if self.timeout and ( (timestamp + self.timeout) < time.time() ):
40a968	85	return None
779caf	86
0fa6f9	87	user_data_dict = dict(parse_qsl(user_data))
JV	88	userid_type = user_data_dict.get(self.userid_typename)
	89	if userid_type:
	90	decoder = self.userid_type_decoders.get(userid_type)
	91	if decoder:
	92	userid = decoder(userid)
a5b033	93
CM	94	environ['REMOTE_USER_TOKENS'] = tokens
	95	environ['REMOTE_USER_DATA'] = user_data
	96	environ['AUTH_TYPE'] = 'cookie'
56d0c5	97
a5b033	98	identity = {}
CM	99	identity['timestamp'] = timestamp
b0f81f	100	identity['repoze.who.plugins.auth_tkt.userid'] = userid
a5b033	101	identity['tokens'] = tokens
0fa6f9	102	identity['userdata'] = user_data_dict
a5b033	103	return identity
519300	104
CM	105	# IIdentifier
	106	def forget(self, environ, identity):
	107	# return a set of expires Set-Cookie headers
798feb	108	return self._get_cookies(environ, 'INVALID', 0)
a5b033	109
CM	110	# IIdentifier
	111	def remember(self, environ, identity):
	112	if self.include_ip:
	113	remote_addr = environ['REMOTE_ADDR']
	114	else:
	115	remote_addr = '0.0.0.0'
	116
	117	cookies = get_cookies(environ)
	118	old_cookie = cookies.get(self.cookie_name)
	119	existing = cookies.get(self.cookie_name)
	120	old_cookie_value = getattr(existing, 'value', None)
299b4c	121	max_age = identity.get('max_age', None)
a5b033	122
fc9a88	123	timestamp, userid, tokens, userdata = None, '', (), ''
a5b033	124
CM	125	if old_cookie_value:
	126	try:
	127	timestamp,userid,tokens,userdata = auth_tkt.parse_ticket(
7483ec	128	self.secret, old_cookie_value, remote_addr,
DT	129	self.digest_algo)
a5b033	130	except auth_tkt.BadTicket:
CM	131	pass
fc9a88	132	tokens = tuple(tokens)
a5b033	133
cb5426	134	who_userid = identity['repoze.who.userid']
fc9a88	135	who_tokens = tuple(identity.get('tokens', ()))
0fa6f9	136	who_userdata_dict = identity.get('userdata', {})
779caf	137
CM	138	encoding_data = self.userid_type_encoders.get(type(who_userid))
	139	if encoding_data:
	140	encoding, encoder = encoding_data
	141	who_userid = encoder(who_userid)
0fa6f9	142	who_userdata_dict[self.userid_typename] = encoding
JV	143
	144	who_userdata = urlencode(who_userdata_dict)
	145
a5b033	146	old_data = (userid, tokens, userdata)
cb5426	147	new_data = (who_userid, who_tokens, who_userdata)
a5b033	148
cd1198	149	if old_data != new_data or (self.reissue_time and
CM	150	( (timestamp + self.reissue_time) < time.time() )):
a5b033	151	ticket = auth_tkt.AuthTicket(
CM	152	self.secret,
cb5426	153	who_userid,
a5b033	154	remote_addr,
cb5426	155	tokens=who_tokens,
CM	156	user_data=who_userdata,
a5b033	157	cookie_name=self.cookie_name,
7483ec	158	secure=self.secure,
DT	159	digest_algo=self.digest_algo)
a5b033	160	new_cookie_value = ticket.cookie_value()
519300	161
a5b033	162	if old_cookie_value != new_cookie_value:
519300	163	# return a set of Set-Cookie headers
299b4c	164	return self._get_cookies(environ, new_cookie_value, max_age)
a5b033	165
b0f81f	166	# IAuthenticator
TS	167	def authenticate(self, environ, identity):
	168	userid = identity.get('repoze.who.plugins.auth_tkt.userid')
	169	if userid is None:
	170	return None
	171	if self.userid_checker and not self.userid_checker(userid):
	172	return None
	173	identity['repoze.who.userid'] = userid
	174	return userid
	175
	176	def _get_cookies(self, environ, value, max_age=None):
	177	if max_age is not None:
15e365	178	max_age = int(max_age)
4f3525	179	later = _utcnow() + datetime.timedelta(seconds=max_age)
b0f81f	180	# Wdy, DD-Mon-YY HH:MM:SS GMT
4f3525	181	expires = "%s, %02d %3s %4d %02d:%02d:%02d GMT" % (
TS	182	_weekdayname[later.weekday()],
	183	later.day,
	184	_monthname[later.month],
	185	later.year,
	186	later.hour,
	187	later.minute,
	188	later.second,
	189	)
b0f81f	190	# the Expires header is required at least for IE7 (IE7 does
TS	191	# not respect Max-Age)
	192	max_age = "; Max-Age=%s; Expires=%s" % (max_age, expires)
	193	else:
	194	max_age = ''
	195
d7e647	196	secure = ''
BS	197	if self.secure:
3b5782	198	secure = '; secure; HttpOnly'
d7e647	199
b0f81f	200	cur_domain = environ.get('HTTP_HOST', environ.get('SERVER_NAME'))
7f9907	201	cur_domain = cur_domain.split(':')[0] # drop port
b0f81f	202	wild_domain = '.' + cur_domain
TS	203	cookies = [
d7e647	204	('Set-Cookie', '%s="%s"; Path=/%s%s' % (
BS	205	self.cookie_name, value, max_age, secure)),
	206	('Set-Cookie', '%s="%s"; Path=/; Domain=%s%s%s' % (
	207	self.cookie_name, value, cur_domain, max_age, secure)),
	208	('Set-Cookie', '%s="%s"; Path=/; Domain=%s%s%s' % (
	209	self.cookie_name, value, wild_domain, max_age, secure))
b0f81f	210	]
TS	211	return cookies
	212
a5b033	213	def __repr__(self):
394ea6	214	return '<%s %s>' % (self.__class__.__name__,
TS	215	id(self)) #pragma NO COVERAGE
a5b033	216
515c69	217	def _bool(value):
9df42f	218	if isinstance(value, STRING_TYPES):
515c69	219	return value.lower() in ('yes', 'true', '1')
TS	220	return value
	221
	222	def make_plugin(secret=None,
0ee58d	223	secretfile=None,
a5b033	224	cookie_name='auth_tkt',
0ee58d	225	secure=False,
TS	226	include_ip=False,
cd1198	227	timeout=None,
CM	228	reissue_time=None,
a6f6dc	229	userid_checker=None,
275d13	230	digest_algo=auth_tkt.DEFAULT_DIGEST,
0ee58d	231	):
a6f6dc	232	from repoze.who.utils import resolveDotted
0ee58d	233	if (secret is None and secretfile is None):
TS	234	raise ValueError("One of 'secret' or 'secretfile' must not be None.")
	235	if (secret is not None and secretfile is not None):
	236	raise ValueError("Specify only one of 'secret' or 'secretfile'.")
	237	if secretfile:
	238	secretfile = os.path.abspath(os.path.expanduser(secretfile))
	239	if not os.path.exists(secretfile):
	240	raise ValueError("No such 'secretfile': %s" % secretfile)
c272ce	241	with open(secretfile) as f:
TS	242	secret = f.read().strip()
cd1198	243	if timeout:
CM	244	timeout = int(timeout)
	245	if reissue_time:
	246	reissue_time = int(reissue_time)
a6f6dc	247	if userid_checker is not None:
CM	248	userid_checker = resolveDotted(userid_checker)
7483ec	249	if isinstance(digest_algo, str):
DT	250	try:
	251	digest_algo = getattr(hashlib, digest_algo)
	252	except AttributeError:
	253	raise ValueError("No such 'digest_algo': %s" % digest_algo)
	254
cd1198	255	plugin = AuthTktCookiePlugin(secret,
CM	256	cookie_name,
	257	_bool(secure),
	258	_bool(include_ip),
	259	timeout,
	260	reissue_time,
a6f6dc	261	userid_checker,
7483ec	262	digest_algo,
cd1198	263	)
a5b033	264	return plugin
CM	265