| blob | ad7c6eba7c90ff4f6438d2a40e651685b7418ee6 |
1 """
2 This module defines functions to implement HTTP Digest Authentication (:rfc:`2617`).
3 This has full compliance with 'Digest' and 'Basic' authentication methods. In
4 'Digest' it supports both MD5 and MD5-sess algorithms.
6 Usage:
7 First use 'doAuth' to request the client authentication for a
8 certain resource. You should send an httplib.UNAUTHORIZED response to the
9 client so he knows he has to authenticate itself.
11 Then use 'parseAuthorization' to retrieve the 'auth_map' used in
12 'checkResponse'.
14 To use 'checkResponse' you must have already verified the password associated
15 with the 'username' key in 'auth_map' dict. Then you use the 'checkResponse'
16 function to verify if the password matches the one sent by the client.
18 SUPPORTED_ALGORITHM - list of supported 'Digest' algorithms
19 SUPPORTED_QOP - list of supported 'Digest' 'qop'.
20 """
24 Peter van Kampen for its recipe which implement most of Digest authentication:
25 http://aspn.activestate.com/ASPN/Cookbook/Python/Recipe/302378
26 """
29 Copyright (c) 2005, Tiago Cogumbreiro <cogumbreiro@users.sf.net>
30 All rights reserved.
32 Redistribution and use in source and binary forms, with or without modification,
33 are permitted provided that the following conditions are met:
35 * Redistributions of source code must retain the above copyright notice,
36 this list of conditions and the following disclaimer.
37 * Redistributions in binary form must reproduce the above copyright notice,
38 this list of conditions and the following disclaimer in the documentation
39 and/or other materials provided with the distribution.
40 * Neither the name of Sylvain Hellegouarch nor the names of his contributors
41 may be used to endorse or promote products derived from this software
42 without specific prior written permission.
44 THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
45 ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
46 WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
47 DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE
48 FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
49 DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
50 SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
51 CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
52 OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
53 OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
54 """
60 ################################################################################
61 import time
73 ################################################################################
74 # doAuth
75 #
76 DIGEST_AUTH_ENCODERS = {
79 # SHA: lambda val: sha.new(ntob(val)).hexdigest (),
80 }
83 """This is an auxaliary function that calculates 'nonce' value. It is used
84 to handle sessions."""
98 """Challenges the client for a Digest authentication."""
108 )
111 """Challengenes the client for a Basic authentication."""
117 """'doAuth' function returns the challenge string b giving priority over
118 Digest and fallback to Basic authentication when the browser doesn't
119 support the first one.
121 This should be set in the HTTP header under the key 'WWW-Authenticate'."""
126 ################################################################################
127 # Parse authorization parameters
128 #
130 # Convert the auth params to a dict
134 # Now validate the params
136 # Check for required parameters
140 return None
142 # If qop is sent then cnonce and nc MUST be present
145 return None
147 # If qop is not sent, neither cnonce nor nc can be present
150 return None
152 return params
159 AUTH_SCHEMES = {
162 }
165 """parseAuthorization will convert the value of the 'Authorization' key in
166 the HTTP header to a map itself. If the parsing fails 'None' is returned.
167 """
169 global AUTH_SCHEMES
178 return
182 return params
185 ################################################################################
186 # Check provided response for a valid password
187 #
189 """
190 If the "algorithm" directive's value is "MD5-sess", then A1
191 [the session key] is calculated only once - on the first request by the
192 client following receipt of a WWW-Authenticate challenge from the server.
194 This creates a 'session key' for the authentication of subsequent
195 requests and responses which is different for each "authentication
196 session", thus limiting the amount of material hashed with any one
197 key.
199 Because the server need only use the hash of the user
200 credentials in order to create the A1 value, this construction could
201 be used in conjunction with a third party authentication service so
202 that the web server would not need the actual password value. The
203 specification of such a protocol is beyond the scope of this
204 specification.
205 """
208 params_copy = {}
220 # If the "algorithm" directive's value is "MD5" or is
221 # unspecified, then A1 is:
222 # A1 = unq(username-value) ":" unq(realm-value) ":" passwd
227 # This is A1 if qop is set
228 # A1 = H( unq(username-value) ":" unq(realm-value) ":" passwd )
229 # ":" unq(nonce-value) ":" unq(cnonce-value)
235 # If the "qop" directive's value is "auth" or is unspecified, then A2 is:
236 # A2 = Method ":" digest-uri-value
242 # If the "qop" value is "auth-int", then A2 is:
243 # A2 = Method ":" digest-uri-value ":" H(entity-body)
248 method,
251 )
257 """
258 Generates a response respecting the algorithm defined in RFC 2617
259 """
260 params = auth_map
277 # If the "qop" value is "auth" or "auth-int":
278 # request-digest = <"> < KD ( H(A1), unq(nonce-value)
279 # ":" nc-value
280 # ":" unq(cnonce-value)
281 # ":" unq(qop-value)
282 # ":" H(A2)
283 # ) <">
289 H_A2,
290 )
292 # If the "qop" directive is not present (this construction is
293 # for compatibility with RFC 2069):
294 # request-digest =
295 # <"> < KD ( H(A1), unq(nonce-value) ":" H(A2) ) > <">
301 """This function is used to verify the response given by the client when
302 he tries to authenticate.
303 Optional arguments:
304 entity_body - when 'qop' is set to 'auth-int' you MUST provide the
305 raw data you are going to send to the client (usually the
306 HTML page.
307 request_uri - the uri from the request line compared with the 'uri'
308 directive of the authorization map. They must represent
309 the same resource (unused at this time).
310 """
313 return False
320 # Note that the Basic response doesn't provide the realm value so we cannot
321 # test it
327 AUTH_RESPONSES = {
330 }
333 """'checkResponse' compares the auth_map with the password and optionally
334 other arguments that each implementation might need.
336 If the response is of type 'Basic' then the function has the following
337 signature::
339 checkBasicResponse (auth_map, password) -> bool
341 If the response is of type 'Digest' then the function has the following
342 signature::
344 checkDigestResponse (auth_map, password, method = 'GET', A1 = None) -> bool
346 The 'A1' argument is only used in MD5_SESS algorithm based responses.
347 Check md5SessionKey() for more info.
348 """