/
credential.py
450 lines (328 loc) · 14.9 KB
/
credential.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
##############################################################################
#
# Copyright (c) 2008 Zope Foundation and Contributors.
# All Rights Reserved.
#
# This software is subject to the provisions of the Zope Public License,
# Version 2.1 (ZPL). A copy of the ZPL should accompany this distribution.
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY AND ALL EXPRESS OR IMPLIED
# WARRANTIES ARE DISCLAIMED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
# WARRANTIES OF TITLE, MERCHANTABILITY, AGAINST INFRINGEMENT, AND FITNESS
# FOR A PARTICULAR PURPOSE.
#
##############################################################################
"""
$Id:$
"""
__docformat__ = "reStructuredText"
import base64
import transaction
import persistent
import six
import zope.interface
from zope.publisher.interfaces.http import IHTTPRequest
from zope.session.interfaces import ISession
from zope.traversing.browser.absoluteurl import absoluteURL
from zope.site import hooks
from zope.container import contained
from z3c.authenticator import interfaces
@zope.interface.implementer(interfaces.IHTTPBasicAuthCredentialsPlugin)
class HTTPBasicAuthCredentialsPlugin(persistent.Persistent,
contained.Contained):
realm = 'Zope Application Management'
protocol = 'http auth'
def extractCredentials(self, request):
"""Extracts HTTP basic auth credentials from a request.
First we need to create a request that contains some credentials.
>>> from zope.publisher.browser import TestRequest
>>> request = TestRequest(
... environ={'HTTP_AUTHORIZATION': u'Basic bWdyOm1ncnB3'})
Now create the plugin and get the credentials.
>>> plugin = HTTPBasicAuthCredentialsPlugin()
>>> sorted(plugin.extractCredentials(request).items())
[('login', 'mgr'), ('password', 'mgrpw')]
Make sure we return `None`, if no authentication header has been
specified.
>>> print(plugin.extractCredentials(TestRequest()))
None
Also, this plugin can *only* handle basic authentication.
>>> request = TestRequest(environ={'HTTP_AUTHORIZATION': 'foo bar'})
>>> print(plugin.extractCredentials(TestRequest()))
None
This plugin only works with HTTP requests.
>>> from zope.publisher.base import TestRequest
>>> print(plugin.extractCredentials(TestRequest('/')))
None
"""
if not IHTTPRequest.providedBy(request):
return None
if request._auth:
if request._auth.lower().startswith(u'basic '):
credentials = request._auth.split()[-1]
if isinstance(credentials, six.text_type):
credentials = credentials.encode('utf-8')
login, password = base64.decodestring(credentials).split(b':')
return {'login': login.decode('utf-8'),
'password': password.decode('utf-8')}
return None
def challenge(self, request):
"""Issues an HTTP basic auth challenge for credentials.
The challenge is issued by setting the appropriate response headers.
To illustrate, we'll create a plugin:
>>> plugin = HTTPBasicAuthCredentialsPlugin()
The plugin adds its challenge to the HTTP response.
>>> from zope.publisher.browser import TestRequest
>>> request = TestRequest()
>>> response = request.response
>>> plugin.challenge(request)
True
>>> response._status
401
>>> response.getHeader('WWW-Authenticate', literal=True)
'basic realm="Zope Application Management"'
Notice that the realm is quoted, as per RFC 2617.
The plugin only works with HTTP requests.
>>> from zope.publisher.base import TestRequest
>>> request = TestRequest('/')
>>> response = request.response
>>> print(plugin.challenge(request))
False
"""
if not IHTTPRequest.providedBy(request):
return False
request.response.setHeader("WWW-Authenticate",
'basic realm="%s"' % self.realm,
literal=True)
request.response.setStatus(401)
return True
def logout(self, request):
"""Always returns False as logout is not supported by basic auth.
>>> plugin = HTTPBasicAuthCredentialsPlugin()
>>> from zope.publisher.browser import TestRequest
>>> plugin.logout(TestRequest())
False
"""
return False
@zope.interface.implementer(interfaces.ISessionCredentials)
class SessionCredentials(object):
"""Credentials class for use with sessions.
A session credential is created with a login and a password:
>>> cred = SessionCredentials('scott', 'tiger')
Logins are read using getLogin:
>>> cred.getLogin()
'scott'
and passwords with getPassword:
>>> cred.getPassword()
'tiger'
"""
def __init__(self, login, password):
self.login = login
self.password = password
def getLogin(self): return self.login
def getPassword(self): return self.password
def __str__(self): return self.getLogin() + ':' + self.getPassword()
@zope.interface.implementer(interfaces.ISessionCredentialsPlugin)
class SessionCredentialsPlugin(persistent.Persistent, contained.Contained):
"""A credentials plugin that uses Zope sessions to get/store credentials.
To illustrate how a session plugin works, we'll first setup some session
machinery:
>>> from z3c.authenticator.testing import sessionSetUp
>>> sessionSetUp()
This lets us retrieve the same session info from any test request, which
simulates what happens when a user submits a session ID as a cookie.
We also need a session plugin:
>>> plugin = SessionCredentialsPlugin()
A session plugin uses an ISession component to store the last set of
credentials it gets from a request. Credentials can be retrieved from
subsequent requests using the session-stored credentials.
If the given extractCredentials argument doesn't provide IHTTPRequest the
result will always be None:
>>> print(plugin.extractCredentials(None))
None
Our test environment is initially configured without credentials:
>>> from zope.publisher.browser import TestRequest
>>> request = TestRequest()
>>> print(plugin.extractCredentials(request))
None
We must explicitly provide credentials once so the plugin can store
them in a session:
>>> request = TestRequest(form=dict(login='scott', password='tiger'))
>>> sorted(plugin.extractCredentials(request).items())
[('login', 'scott'), ('password', 'tiger')]
Subsequent requests now have access to the credentials even if they're
not explicitly in the request:
>>> sorted(plugin.extractCredentials(request).items())
[('login', 'scott'), ('password', 'tiger')]
We can always provide new credentials explicitly in the request:
>>> sorted(plugin.extractCredentials(TestRequest(
... login='harry', password='hirsch')).items())
[('login', 'harry'), ('password', 'hirsch')]
and these will be used on subsequent requests:
>>> sorted(plugin.extractCredentials(TestRequest()).items())
[('login', 'harry'), ('password', 'hirsch')]
We can also change the fields from which the credentials are extracted:
>>> plugin.loginfield = "my_new_login_field"
>>> plugin.passwordfield = "my_new_password_field"
Now we build a request that uses the new fields:
>>> request = TestRequest(my_new_login_field='luke',
... my_new_password_field='the_force')
The plugin now extracts the credentials information from these new fields:
>>> sorted(plugin.extractCredentials(request).items())
[('login', 'luke'), ('password', 'the_force')]
We can also set prefixes for the fields from which the credentials are
extracted:
>>> plugin.loginfield = "login"
>>> plugin.passwordfield = "password"
>>> plugin.prefixes = ['form.widgets.']
Now we build a request that uses the new fields. Note that we need a
browser request which provides a form for this test since we can't setup
our prefixes.
>>> from zope.publisher.browser import TestRequest
>>> request = TestRequest(form={'form.widgets.login':'harry',
... 'form.widgets.password':'potter'})
The plugin now extracts the credentials information from these new fields:
>>> sorted(plugin.extractCredentials(request).items())
[('login', 'harry'), ('password', 'potter')]
Finally, we clear the session credentials using the logout method.
If the given logout argument doesn't provide IHTTPRequest the
result will always be False:
>>> plugin.logout(None)
False
Now try to logout with the correct argument:
>>> plugin.logout(TestRequest())
True
After logout we can not logaout again:
>>> print(plugin.extractCredentials(TestRequest()))
None
"""
challengeProtocol = None
prefixes = []
loginpagename = 'loginForm.html'
loginfield = 'login'
passwordfield = 'password'
def extractCredentials(self, request):
"""Extracts credentials from a session if they exist."""
if not IHTTPRequest.providedBy(request):
return None
session = ISession(request, None)
sessionData = session.get('z3c.authenticator.credential.session')
login = request.get(self.loginfield, None)
password = request.get(self.passwordfield, None)
# support z3c.form prefixes
for prefix in self.prefixes:
login = request.get(prefix + self.loginfield, login)
password = request.get(prefix + self.passwordfield, password)
credentials = None
if login and password:
credentials = SessionCredentials(login, password)
elif not sessionData:
return None
sessionData = session['z3c.authenticator.credential.session']
if credentials:
sessionData['credentials'] = credentials
else:
credentials = sessionData.get('credentials', None)
if not credentials:
return None
return {'login': credentials.getLogin(),
'password': credentials.getPassword()}
def challenge(self, request):
"""Challenges by redirecting to a login form.
To illustrate how a session plugin works, we'll first setup some session
machinery:
>>> from z3c.authenticator.testing import sessionSetUp
>>> sessionSetUp()
and we'll create a test request:
>>> from zope.publisher.browser import TestRequest
>>> request = TestRequest()
and confirm its response's initial status and 'location' header:
>>> request.response.getStatus()
599
>>> request.response.getHeader('location')
When we issue a challenge using a session plugin:
>>> plugin = SessionCredentialsPlugin()
>>> plugin.challenge(request)
True
we get a redirect:
>>> request.response.getStatus()
302
>>> request.response.getHeader('location')
'http://127.0.0.1/@@loginForm.html'
and the camefrom session contains the camefrom url which is our
application root by default:
>>> session = ISession(request, None)
>>> sessionData = session['z3c.authenticator.credential.session']
>>> sessionData['camefrom']
'/'
The plugin redirects to the page defined by the loginpagename
attribute:
>>> plugin.loginpagename = 'mylogin.html'
>>> plugin.challenge(request)
True
>>> request.response.getHeader('location')
'http://127.0.0.1/@@mylogin.html'
and the camefrom session contains the camefrom url which is our
application root by default:
>>> session = ISession(request, None)
>>> sessionData = session['z3c.authenticator.credential.session']
>>> sessionData['camefrom']
'/'
It also provides the request URL as a 'camefrom' GET style parameter.
To illustrate, we'll pretend we've traversed a couple names:
>>> env = {
... 'REQUEST_URI': '/foo/bar/folder/page%201.html?q=value',
... 'QUERY_STRING': 'q=value'
... }
>>> request = TestRequest(environ=env)
>>> request._traversed_names = [u'foo', u'bar']
>>> request._traversal_stack = [u'page 1.html', u'folder']
>>> request['REQUEST_URI']
'/foo/bar/folder/page%201.html?q=value'
When we challenge:
>>> plugin.challenge(request)
True
We see the url points to the login form URL:
>>> request.response.getHeader('location') # doctest: +ELLIPSIS
'http://127.0.0.1/@@mylogin.html'
and the camefrom session contains the camefrom url:
>>> session = ISession(request, None)
>>> sessionData = session['z3c.authenticator.credential.session']
>>> sessionData['camefrom']
u'/foo/bar/folder/page%201.html?q=value'
If the given challenge argument doesn't provide IHTTPRequest the
result will always be False:
>>> plugin.challenge(None)
False
This can be used by the login form to redirect the user back to the
originating URL upon successful authentication.
"""
if not IHTTPRequest.providedBy(request):
return False
site = hooks.getSite()
# We need the traversal stack to complete the 'camefrom' parameter
stack = request.getTraversalStack()
stack.reverse()
# Better to add the query string, if present
query = request.get('QUERY_STRING')
camefrom = '/'.join([request.getURL(path_only=True)] + stack)
if query:
camefrom = camefrom + '?' + query
url = '%s/@@%s' % (absoluteURL(site, request), self.loginpagename)
# only redirect to the login form
request.response.redirect(url)
# and store the camefrom url into a session variable, then this url
# should not get exposed in the login form url.
session = ISession(request, None)
sessionData = session['z3c.authenticator.credential.session']
# XXX: this might be problematic with non-ASCII html page names
sessionData['camefrom'] = camefrom.replace(' ', '%20')
return True
def logout(self, request):
"""Performs logout by clearing session data credentials."""
if not IHTTPRequest.providedBy(request):
return False
sessionData = ISession(request)['z3c.authenticator.credential.session']
sessionData['credentials'] = None
sessionData['camefrom'] = None
transaction.commit()
return True