B `E@sddlZddlZddlmZmZddlmZddlZddlZddl Z ddl m Z m Z ddlZddlmZddlmZddlmZmZddlmZmZdd lmZmZmZmZmZed Z Gd d d Z!eeGd dde!Z"eeGddde!Z#eeGddde!Z$ddZ%ddZ&GdddZ'Gddde(Z)d/ddZ*d0ddZ+d d!Z,Gd"d#d#Z-eeGd$d%d%e!Z.Gd&d'd'Z/eeGd(d)d)e!Z0ed*d+d,gZ1d-d.Z2dS)1N) utf_8_decode utf_8_encode) namedtuple)quoteunquote) CookieProfile) implementer) AuthenticatedEveryone)IAuthenticationPolicy IDebugLogger)SimpleSerializerascii_bytes_strings_differtext_z^[A-Za-z][A-Za-z0-9+_-]*$c@s8eZdZdZdZdZddZddZdd Zd d Z dS) CallbackAuthenticationPolicyz Abstract class FNcCsH|jt}|rD|j}|jd|j}|d|}||d|dS)N.z: )registryZ queryUtilityr __class__ __module____name__debug)selfmsg methodnamerequestloggercls classnamer ^/home/kop/projects/devel/pgwui/test_venv/lib/python3.7/site-packages/pyramid/authentication.py_log s   z!CallbackAuthenticationPolicy._logcCs|ttfkrd}|S)N)r r )rZprincidr r r!_clean_principal(s z-CallbackAuthenticationPolicy._clean_principalcCs|j}||}|dkr.|o(|dd|dS||dkrV|oP|d|d|dS|jdkr||ov|d|fd||S|||}|dk r|o|d||fd||S|o|dd|dS)a*Return the authenticated userid or ``None``. If no callback is registered, this will be the same as ``unauthenticated_userid``. If a ``callback`` is registered, this will return the userid if and only if the callback returns a value that is not ``None``. Nz, ``tokens=``. Return a list of headers which will set appropriate cookies on the response. )rPr8)rrr'r9r r r!r8sz$AuthTktAuthenticationPolicy.remembercCs |j|S)z9 A list of headers which will delete appropriate cookies.)rPr:)rrr r r!r:sz"AuthTktAuthenticationPolicy.forget)Nr/FFNNNr?FTFr@FNrA)rrr,r-r1r%r8r:r r r r!r>s($  r>cCstt|ddS)N )base64 b64encoderstripreplace)vr r r!rWsrWcCstt|S)N)rV b64decoder)rZr r r!r[sr[c@s*eZdZdZddd Zd d Zd d ZdS) AuthTicketa This class represents an authentication token. You must pass in the shared secret, the userid, and the IP address. Optionally you can include tokens (a list of strings, representing role names), 'user_data', which is arbitrary data available for your own use in later scripts. Lastly, you can override the cookie name and timestamp. Once you provide all the arguments, use .cookie_value() to generate the appropriate authentication ticket. Usage:: token = AuthTicket('sharedsecret', 'username', os.environ['REMOTE_ADDR'], tokens=['admin']) val = token.cookie_value() r Nr/Fmd5c CsT||_||_||_d||_||_|dkr8t|_n||_||_||_ | |_ dS)N,) rQr'ipjointokens user_datatime_modtimerBrCrK) rrQr'r`rbrcrerBrCrKr r r!r1s   zAuthTicket.__init__cCs"t|j|j|j|j|j|j|jS)N)calculate_digestr`rerQr'rbrcrK)rr r r!digestszAuthTicket.digestcCs@d|t|jt|jf}|jr2||jd7}||j7}|S)Nz %s%08x%s!!)rgintrerr'rbrc)rrZr r r! cookie_values  zAuthTicket.cookie_value)r r]Nr/Fr^)rrr,r-r1rgrjr r r r!r\s  r\c@seZdZdZdddZdS) BadTicketz Exception raised when a ticket can't be parsed. If we get far enough to determine what the expected digest should have been, expected is set. This should not be shown by default, but can be useful for debugging. NcCs||_t||dS)N)expected Exceptionr1)rrrlr r r!r1szBadTicket.__init__)N)rrr,r-r1r r r r!rksrkr^c Cs"t|d}t|jd}|d|}yt|||dd}Wn.tk rr}ztd|Wdd}~XYnXy ||dddd\}} Wntk rtd YnXt |}d| kr| dd\} } nd } | } t ||||| | |} t | |r td | |fd | d } ||| | fS)z Parse the ticket, returning (timestamp, userid, tokens, user_data). If the ticket cannot be parsed, a ``BadTicket`` exception will be raised with an explanation. "Nz"Timestamp is not a hex integer: %srhzuserid is not followed by !r]zDigest signature is not correct)rlr_) rrXhashlibnew digest_sizeri ValueErrorrksplitrrfr) rQticketr`rKrurg timestamper'datarbrcrlr r r! parse_tickets.    r|c Cst|d}t|d}t|d}t|d}t|}d|krT|tt|}t|}n t||}||||d|d||} t|} | t| || S)Nzutf-8:)rrsrtstrriencode_ip_timestampupdate hexdigest) r`ryrQr'rbrcrKZhash_objZ ip_timestamprgZ hash_obj2r r r!rfs        rfc Cshdtttt|d}t|}|d@d?|d@d?|d@d?|d @f}dtt|}t||S) Nr]rl~irqirp)ramapchrrirwr)r`ryZip_charsttsZts_charsr r r!r+s    rc @seZdZdZeeZeZeZdZe dddddddZ e de fe d d dfe d d dfiZ dddZdddZddZddZd ddZdS)!rOa A helper class for security policies that obtains data from an "auth ticket" cookie. Constructor Arguments ``secret`` The secret (a string) used for auth_tkt cookie signing. This value should be unique across all values provided to Pyramid for various subsystem secrets (see :ref:`admonishment_against_secret_sharing`). Required. ``cookie_name`` Default: ``auth_tkt``. The cookie name used (string). Optional. ``secure`` Default: ``False``. Only send the cookie back over a secure conn. Optional. ``include_ip`` Default: ``False``. Make the requesting IP address part of the authentication data in the cookie. Optional. For IPv6 this option is not recommended. The ``mod_auth_tkt`` specification does not specify how to handle IPv6 addresses, so using this option in combination with IPv6 addresses may cause an incompatible cookie. It ties the authentication ticket to that individual's IPv6 address. ``timeout`` Default: ``None``. Maximum number of seconds which a newly issued ticket will be considered valid. After this amount of time, the ticket will expire (effectively logging the user out). If this value is ``None``, the ticket never expires. Optional. ``reissue_time`` Default: ``None``. If this parameter is set, it represents the number of seconds that must pass before an authentication token cookie is automatically reissued as the result of a request which requires authentication. The duration is measured as the number of seconds since the last auth_tkt cookie was issued and 'now'. If this value is ``0``, a new ticket cookie will be reissued on every request which requires authentication. A good rule of thumb: if you want auto-expired cookies based on inactivity: set the ``timeout`` value to 1200 (20 mins) and set the ``reissue_time`` value to perhaps a tenth of the ``timeout`` value (120 or 2 mins). It's nonsensical to set the ``timeout`` value lower than the ``reissue_time`` value, as the ticket will never be reissued if so. However, such a configuration is not explicitly prevented. Optional. ``max_age`` Default: ``None``. The max age of the auth_tkt cookie, in seconds. This differs from ``timeout`` inasmuch as ``timeout`` represents the lifetime of the ticket contained in the cookie, while this value represents the lifetime of the cookie itself. When this value is set, the cookie's ``Max-Age`` and ``Expires`` settings will be set, allowing the auth_tkt cookie to last between browser sessions. It is typically nonsensical to set this to a value that is lower than ``timeout`` or ``reissue_time``, although it is not explicitly prevented. Optional. ``path`` Default: ``/``. The path for which the auth_tkt cookie is valid. May be desirable if the application only serves part of a domain. Optional. ``http_only`` Default: ``False``. Hide cookie from JavaScript by setting the HttpOnly flag. Not honored by all browsers. Optional. ``wild_domain`` Default: ``True``. An auth_tkt cookie will be generated for the wildcard domain. If your site is hosted as ``example.com`` this will make the cookie available for sites underneath ``example.com`` such as ``www.example.com``. Optional. ``parent_domain`` Default: ``False``. An auth_tkt cookie will be generated for the parent domain of the current site. For example if your site is hosted under ``www.example.com`` a cookie will be generated for ``.example.com``. This can be useful if you have multiple sites sharing the same domain. This option supercedes the ``wild_domain`` option. Optional. ``domain`` Default: ``None``. If provided the auth_tkt cookie will only be set for this domain. This option is not compatible with ``wild_domain`` and ``parent_domain``. Optional. ``hashalg`` Default: ``sha512`` (the literal string). Any hash algorithm supported by Python's ``hashlib.new()`` function can be used as the ``hashalg``. Cookies generated by different instances of AuthTktAuthenticationPolicy using different ``hashalg`` options are not compatible. Switching the ``hashalg`` will imply that all existing users with a valid cookie will be required to re-login. Optional. ``debug`` Default: ``False``. If ``debug`` is ``True``, log messages to the Pyramid debug logger about the results of various authentication steps. The output from debugging is useful for reporting to maillist or IRC channels when asking for support. Optional. ``samesite`` Default: ``'Lax'``. The 'samesite' option of the session cookie. Set the value to ``None`` to turn off the samesite option. Optional. .. versionchanged:: 2.0 The default ``hashalg`` was changed from ``md5`` to ``sha512``. NcCs t|dS)Nr)r)xr r r!rUzAuthTktCookieHelper.cCstt|dS)Nr)rr[)rr r r!rrUcCst|S)N)r[)rr r r!rrU)riunicode b64unicodeb64strrircCstt|dS)Nr)rWr)rr r r!rrUrcCst|S)N)rW)rr r r!rrUr/Fr?Tr@rAc Cst||||| t|d|_||_||_||_||_|dkr>|nt||_|dkrT|nt||_ |dkrj|nt||_ | |_ | |_ | |_ | |_dS)N)rBrCrGhttponlyrI serializerrN)rr cookie_profilerQrBrCrDrirErFrGrJrLrMrK)rrQrBrCrDrErFrGrHrIrJrKrLrMrNr r r!r1s& zAuthTktCookieHelper.__init__c Cs|jr|j}n<|j}|jr:|ddkr:|ddd}n|jrF|}nd}||}d|gi}|dk rn||d<|j|f|}|S)NrrrdomainsrG)rMrLcountrwrJrZ get_headers) rrvaluerGrMZ cur_domainZprofiler9headersr r r! _get_cookiess  z AuthTktCookieHelper._get_cookiescs|j}|j|j}|dkr dS|jr0|d}nd}y ||j|||j\}}}}Wn|jk rjdSX|j } | dkrt } |j r||j | krdSd} | d} xDtd| D]6} | | r| t| d} |j| }|r||}qW|jdk }|rXt|dsX| ||jkrXttd|}|j|||j|dfdd }||d |_||d <||d <d |d<i}||d<||d<||d<||d<|S)zxReturn a dictionary with authentication information, or ``None`` if no valid auth_tkt is attached to ``request``N REMOTE_ADDRz0.0.0.0z userid_type:|_authtkt_reissued)rGrbcs0t|ds,x D]\}}|j||fqWdS)N_authtkt_reissue_revoked)hasattrZ headerlistr))rresponsekrZ)rr r!reissue_authtktIs z5AuthTktCookieHelper.identify..reissue_authtktTZREMOTE_USER_TOKENSZREMOTE_USER_DATArPZ AUTH_TYPEryr'rbZuserdata)r2cookiesr3rBrDr|rQrKrknowrdrerErwfilter startswithlenuserid_type_decodersrFrlistr8rGZadd_response_callbackr)rrr2rP remote_addrryr'rbrcrZuserid_typenameZuser_data_infoZdatumZ userid_typedecoderZreissuerr7r )rr!rRsV        zAuthTktCookieHelper.identifycCsd|_||dS)zReturn a set of expires Set-Cookie headers, which will destroy any existing auth_tkt cookie when attached to a responseTN)rr)rrr r r!r:\szAuthTktCookieHelper.forgetr c CsZ|dkr|jnt|}|j}|jr,|d}nd}d}|jt|}|rR|\} } n.td t|t |jt \} } t |}| |}d| }g} xr|D]j} t | t ry t | } Wn"tk rtd| fYnXt | t rt| std| f| | qWt| }t|dr"d |_|j|j|||||j|j|jd } | }||||S) aReturn a set of Set-Cookie headers; when set into a response, these headers will represent a valid authentication ticket. ``max_age`` The max age of the auth_tkt cookie, in seconds. When this value is set, the cookie's ``Max-Age`` and ``Expires`` settings will be set, allowing the auth_tkt cookie to last between browser sessions. If this value is ``None``, the ``max_age`` value provided to the helper itself will be used as the ``max_age`` value. Default: ``None``. ``tokens`` A sequence of strings that will be placed into the auth_tkt tokens field. Each string in the sequence must be of the Python ``str`` type and must match the regex ``^[A-Za-z][A-Za-z0-9+_-]*$``. Tokens are available in the returned identity when an auth_tkt is found in the request and unpacked. Default: ``()``. Nrz0.0.0.0r]zuserid is of type {}, and is not supported by the AuthTktAuthenticationPolicy. Explicitly converting to string and storing as base64. Subsequent requests will receive a string as the userid, it will not be decoded back to the type provided.zuserid_type:%szInvalid token %rrT)rbrcrBrCrK)rGrir2rDuserid_type_encodersr3typewarningswarnformatRuntimeWarningr isinstancerUnicodeEncodeErrorrv VALID_TOKENmatchr)tuplerrr\rQrBrCrKrjr)rrr'rGrbr2rrcZ encoding_dataencodingencoderZ new_tokenstokenrxrjr r r!r8bsR       zAuthTktCookieHelper.remember) r/FFNNNFr?Tr@FNrA)N)Nr )rrr,r- staticmethodr|r\rkrrirrbytesrr1rrRr:r8r r r r!rO8s<    DrOc@s2eZdZdZd ddZddZd d Zd d ZdS)SessionAuthenticationPolicya0A :app:`Pyramid` authentication policy which gets its data from the configured :term:`session`. For this authentication policy to work, you will have to follow the instructions in the :ref:`sessions_chapter` to configure a :term:`session factory`. Constructor Arguments ``prefix`` A prefix used when storing the authentication parameters in the session. Defaults to 'auth.'. Optional. ``callback`` Default: ``None``. A callback passed the userid and the request, expected to return ``None`` if the userid doesn't exist or a sequence of principal identifiers (possibly empty) if the user does exist. If ``callback`` is ``None``, the userid will be assumed to exist with no principals. Optional. ``debug`` Default: ``False``. If ``debug`` is ``True``, log messages to the Pyramid debug logger about the results of various authentication steps. The output from debugging is useful for reporting to maillist or IRC channels when asking for support. auth.NFcCs||_||_t||_dS)N)r&rSessionAuthenticationHelperhelper)rprefixr&rr r r!r1sz$SessionAuthenticationPolicy.__init__cKs|jj||f|S)z Store a userid in the session.)rr8)rrr'r9r r r!r8sz$SessionAuthenticationPolicy.remembercCs |j|S)z+ Remove the stored userid from the session.)rr:)rrr r r!r:sz"SessionAuthenticationPolicy.forgetcCs |j|S)N)rr$)rrr r r!r%sz2SessionAuthenticationPolicy.unauthenticated_userid)rNF)rrr,r-r1r8r:r%r r r r!rs  rc@s2eZdZdZd ddZddZddZd d Zd S) raA helper for use with a :term:`security policy` which stores user data in the configured :term:`session`. Constructor Arguments ``prefix`` A prefix used when storing the authentication parameters in the session. Defaults to 'auth.'. Optional. auth.cCs|d|_dS)Nr') userid_key)rrr r r!r1sz$SessionAuthenticationHelper.__init__cKs||j|j<gS)z Store a userid in the session.)sessionr)rrr'r9r r r!r8s z$SessionAuthenticationHelper.remembercKs|j|jkr|j|j=gS)z+ Remove the stored userid from the session.)rr)rrr9r r r!r:s  z"SessionAuthenticationHelper.forgetcCs|j|jS)z Return the stored userid.)rr3r)rrr r r!r$sz0SessionAuthenticationHelper.authenticated_useridN)r)rrr,r-r1r8r:r$r r r r!rs   rc@s:eZdZdZdddZddZdd Zd d Zd d ZdS)BasicAuthAuthenticationPolicyaA :app:`Pyramid` authentication policy which uses HTTP standard basic authentication protocol to authenticate users. To use this policy you will need to provide a callback which checks the supplied user credentials against your source of login data. Constructor Arguments ``check`` A callback function passed a username, password and request, in that order as positional arguments. Expected to return ``None`` if the userid doesn't exist or a sequence of principal identifiers (possibly empty) if the user does exist. ``realm`` Default: ``"Realm"``. The Basic Auth Realm string. Usually displayed to the user by the browser in the login dialog. ``debug`` Default: ``False``. If ``debug`` is ``True``, log messages to the Pyramid debug logger about the results of various authentication steps. The output from debugging is useful for reporting to maillist or IRC channels when asking for support. **Issuing a challenge** Regular browsers will not send username/password credentials unless they first receive a challenge from the server. The following recipe will register a view that will send a Basic Auth challenge to the user whenever there is an attempt to call a view which results in a Forbidden response:: from pyramid.httpexceptions import HTTPUnauthorized from pyramid.security import forget from pyramid.view import forbidden_view_config @forbidden_view_config() def forbidden_view(request): if request.authenticated_userid is None: response = HTTPUnauthorized() response.headers.update(forget(request)) return response return HTTPForbidden() RealmFcCs||_||_||_dS)N)checkrealmr)rrrrr r r!r11sz&BasicAuthAuthenticationPolicy.__init__cCst|}|r|jSdS)z= The userid parsed from the ``Authorization`` request header.N)extract_http_basic_credentialsusername)rr credentialsr r r!r%6sz4BasicAuthAuthenticationPolicy.unauthenticated_useridcKsgS)zA no-op. Basic authentication does not provide a protocol for remembering the user. Credentials are sent on every request. r )rrr'r9r r r!r8<sz&BasicAuthAuthenticationPolicy.remembercCsdd|jfgS)zsReturns challenge headers. This should be attached to a response to indicate that credentials are required.zWWW-AuthenticatezBasic realm="%s")r)rrr r r!r:Csz$BasicAuthAuthenticationPolicy.forgetcCs&t|}|r"|\}}||||SdS)N)rr)rrrrpasswordr r r!r&Hsz&BasicAuthAuthenticationPolicy.callbackN)rF) rrr,r-r1r%r8r:r&r r r r!rs . rHTTPBasicCredentialsrrc Cs|jd}|sdSy|dd\}}Wntk r<dSX|dkrNdSyt|}Wnttj fk rxdSXy| d}Wnt k r| d}YnXy|dd\}}Wntk rdSXt ||S) zA helper function for extraction of HTTP Basic credentials from a given :term:`request`. Returns a :class:`.HTTPBasicCredentials` 2-tuple with ``username`` and ``password`` attributes or ``None`` if no credentials could be found. AuthorizationN rrbasiczutf-8zlatin-1r}) rr3rwrvlowerr[rX TypeErrorbinasciiErrordecodeUnicodeDecodeErrorr)r authorizationZauthmethauthZ authbytesrrr r r!rXs,  r)r^)r^)3rVrcodecsrr collectionsrrsrererd urllib.parserrrZ webob.cookiesrZzope.interfacerZpyramid.authorizationr r Zpyramid.interfacesr r Z pyramid.utilr rrrrcompilerrr.r;r>rWr[r\rmrkr|rfrrOrrrrrr r r r!sT    E4`A ,  {/ Q