Changeset 1354
- Timestamp:
- 09/11/06 14:53:21
- Files:
-
- trunk/cherrypy/lib/auth.py (modified) (4 diffs)
- trunk/cherrypy/lib/httpauth.py (modified) (4 diffs)
- trunk/cherrypy/test/test_httpauth.py (modified) (3 diffs)
trunk/cherrypy/lib/auth.py
r1353 r1354 4 4 5 5 6 def check_auth(users ):6 def check_auth(users, encrypt=None): 7 7 """If an authorization header contains credentials, return True, else False.""" 8 8 if 'authorization' in cherrypy.request.headers: … … 11 11 if ah is None: 12 12 raise cherrypy.HTTPError(400, 'Bad Request') 13 13 14 if not encrypt: 15 encrypt = lambda x: x 16 17 if callable(users): 18 users = users() # expect it to return a dictionary 19 20 if not isinstance(users, dict): 21 raise ValueError, "Authentication users must be passed contained in a dictionary" 22 14 23 # fetch the user password 15 24 password = users.get(ah["username"], None) … … 17 26 # validate the authorization by re-computing it here 18 27 # and compare it with what the user-agent provided 19 if checkResponse(ah, password, method=cherrypy.request.method ):28 if checkResponse(ah, password, method=cherrypy.request.method, encrypt=encrypt): 20 29 return True 21 30 22 31 return False 23 32 24 def basic_auth(realm, users ):33 def basic_auth(realm, users, encrypt=None): 25 34 """If auth fails, raise 401 with a basic authentication header. 26 35 27 36 realm: a string containing the authentication realm. 28 users: a dict of the form: {username: password}. 37 users: a dict of the form: {username: password} or a callable returning a dict. 38 encrypt: callable used to encrypt the password returned from the user-agent. 29 39 """ 30 if check_auth(users ):40 if check_auth(users, encrypt): 31 41 return 32 42 … … 40 50 41 51 realm: a string containing the authentication realm. 42 users: a dict of the form: {username: password} .52 users: a dict of the form: {username: password} or a callable returning a dict. 43 53 """ 44 54 if check_auth(users): trunk/cherrypy/lib/httpauth.py
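Review bot: The new `encrypt` hook in `check_auth` receives only the submitted password, so the values stored in `users` can only be an unsalted, deterministic transform of it; the callable sees neither the username nor the stored entry, so a per-user salt cannot be applied. The `basic_auth` docstring calls this "encrypt", but it is used as a one-way hash and should say so, for example `encrypt: callable applied to the password sent by the user-agent before it is compared with the stored value; it should be a one-way hash, and the values in users must be stored in the same hashed form.` The same docstring should state that leaving `encrypt` unset falls back to the identity lambda, so passwords are then stored and compared in plaintext. `digest_auth` still calls `check_auth(users)` without `encrypt`, so the hook applies to Basic only, and parts of `check_auth` lie outside the hunks shown.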
r1352 r1354 296 296 return KD(H_A1, request) 297 297 298 def _checkDigestResponse(auth_map, password, method = "GET", A1 = None, **kwargs):298 def _checkDigestResponse(auth_map, password, method = "GET", A1 = None, **kwargs): 299 299 """This function is used to verify the response given by the client when 300 300 he tries to authenticate. … … 309 309 return response == auth_map["response"] 310 310 311 def _checkBasicResponse (auth_map, password, method='GET', **kwargs):312 return auth_map["password"]== password311 def _checkBasicResponse (auth_map, password, method='GET', encrypt=None, **kwargs): 312 return encrypt(auth_map["password"]) == password 313 313 314 314 AUTH_RESPONSES = { … … 317 317 } 318 318 319 def checkResponse (auth_map, password, method = "GET", **kwargs):319 def checkResponse (auth_map, password, method = "GET", encrypt=None, **kwargs): 320 320 """'checkResponse' compares the auth_map with the password and optionally 321 321 other arguments that each implementation might need. … … 336 336 global AUTH_RESPONSES 337 337 checker = AUTH_RESPONSES[auth_map["auth_scheme"]] 338 return checker (auth_map, password, method , **kwargs)338 return checker (auth_map, password, method=method, encrypt=encrypt, **kwargs) 339 339 340 340 trunk/cherrypy/test/test_httpauth.py
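Review bot: `_checkBasicResponse` now calls `encrypt(auth_map["password"])` unconditionally although its default is `encrypt=None`, so any caller that reaches it through `checkResponse` without passing `encrypt` gets a `TypeError` rather than a True/False result. Only `check_auth` in auth.py substitutes the identity function. Defaulting it inside the function before the comparison, `if encrypt is None: encrypt = lambda x: x`, keeps the previous behaviour for existing callers of `checkResponse`. The `==` comparison of the hashed password against the stored value is also not constant-time, which is worth a comment next to the return.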
r1351 r1354 1 1 from cherrypy.test import test 2 2 test.prefer_parent_path() 3 4 import md5 3 5 4 6 import cherrypy … … 21 23 index.exposed = True 22 24 25 def md5_encrypt(data): 26 return md5.new(data).hexdigest() 27 28 def fetch_users(): 29 return {'test': 'test'} 30 23 31 conf = {'/digest': {'tools.digestauth.on': True, 24 32 'tools.digestauth.realm': 'localhost', 25 'tools.digestauth.users': {'test': 'test'}},33 'tools.digestauth.users': fetch_users}, 26 34 '/basic': {'tools.basicauth.on': True, 27 35 'tools.basicauth.realm': 'localhost', 28 'tools.basicauth.users': {'test': 'test'}}} 36 'tools.basicauth.users': {'test': md5_encrypt('test')}, 37 'tools.basicauth.encrypt': md5_encrypt}} 29 38 root = Root() 30 39 root.digest = DigestProtected() … … 97 106 98 107 # now let's see if what 99 base_auth = 'Digest username="test", realm="localhost", nonce="%s", uri="/digest/", algorithm=MD5, response="%s", qop=auth, nc=%s, cnonce="1522e61005789929"'108 base_auth = 'Digest username="test", realm="localhost", nonce="%s", uri="/digest/", algorithm=MD5, response="%s", qop=auth, nc=%s, cnonce="1522e61005789929"' 100 109 101 auth = base_auth % (nonce, '', '00000001')110 auth = base_auth % (nonce, '', '00000001') 102 111 103 params = httpauth.parseAuthorization(auth) 104 response = httpauth._computeDigestResponse(params, 'test') 112 params = httpauth.parseAuthorization(auth) 113 response = httpauth._computeDigestResponse(params, 'test') 114 115 auth = base_auth % (nonce, response, '00000001') 116 self.getPage('/digest/', [('Authorization', auth)]) 117 self.assertStatus('200 OK') 118 self.assertBody('This is protected by Digest auth.') 105 119 106 auth = base_auth % (nonce, response, '00000001')107 self.getPage('/digest/', [('Authorization', auth)])108 self.assertStatus('200 OK')109 self.assertBody('This is protected by Digest auth.')110 111 120 if __name__ == "__main__": 112 121 setup_server()
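Review bot: `md5_encrypt` in the test configuration is the only usage example of `tools.basicauth.encrypt` visible in this changeset, and it is unsalted MD5, which readers may copy into real configurations. A comment above it such as `# MD5 is used here only to exercise the encrypt hook; it is not a suitable password hash` would prevent that. The visible hunks also show no case where Basic auth is rejected with `encrypt` set, or where `users` is a callable for Basic; such tests may exist in the elided parts of the file, but if not they would cover the two new code paths in `check_auth`.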

