/usr/lib/python2.7/dist-packages/repoze/who/plugins/auth_tkt.py is in python-repoze.who 2.2-3.
This file is owned by root:root, with mode 0o644.
The actual contents of the file can be viewed below.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 | import datetime
from codecs import utf_8_decode
from codecs import utf_8_encode
import os
import time
from zope.interface import implementer
from repoze.who.interfaces import IIdentifier
from repoze.who.interfaces import IAuthenticator
from repoze.who._compat import get_cookies
import repoze.who._auth_tkt as auth_tkt
from repoze.who._compat import STRING_TYPES
from repoze.who._compat import u
_NOW_TESTING = None # unit tests can replace
def _now(): #pragma NO COVERAGE
if _NOW_TESTING is not None:
return _NOW_TESTING
return datetime.datetime.now()
@implementer(IIdentifier, IAuthenticator)
class AuthTktCookiePlugin(object):
userid_type_decoders = {'int': int,
'unicode': lambda x: utf_8_decode(x)[0],
}
userid_type_encoders = {int: ('int', str),
}
try:
userid_type_encoders[long] = ('int', str)
except NameError: #pragma NO COVER Python >= 3.0
pass
try:
userid_type_encoders[unicode] = ('unicode',
lambda x: utf_8_encode(x)[0])
except NameError: #pragma NO COVER Python >= 3.0
pass
def __init__(self, secret, cookie_name='auth_tkt',
secure=False, include_ip=False,
timeout=None, reissue_time=None, userid_checker=None):
self.secret = secret
self.cookie_name = cookie_name
self.include_ip = include_ip
self.secure = secure
if timeout and ( (not reissue_time) or (reissue_time > timeout) ):
raise ValueError('When timeout is specified, reissue_time must '
'be set to a lower value')
self.timeout = timeout
self.reissue_time = reissue_time
self.userid_checker = userid_checker
# IIdentifier
def identify(self, environ):
cookies = get_cookies(environ)
cookie = cookies.get(self.cookie_name)
if cookie is None or not cookie.value:
return None
if self.include_ip:
remote_addr = environ['REMOTE_ADDR']
else:
remote_addr = '0.0.0.0'
try:
timestamp, userid, tokens, user_data = auth_tkt.parse_ticket(
self.secret, cookie.value, remote_addr)
except auth_tkt.BadTicket:
return None
if self.timeout and ( (timestamp + self.timeout) < time.time() ):
return None
userid_typename = 'userid_type:'
user_data_info = user_data.split('|')
for datum in filter(None, user_data_info):
if datum.startswith(userid_typename):
userid_type = datum[len(userid_typename):]
decoder = self.userid_type_decoders.get(userid_type)
if decoder:
userid = decoder(userid)
environ['REMOTE_USER_TOKENS'] = tokens
environ['REMOTE_USER_DATA'] = user_data
environ['AUTH_TYPE'] = 'cookie'
identity = {}
identity['timestamp'] = timestamp
identity['repoze.who.plugins.auth_tkt.userid'] = userid
identity['tokens'] = tokens
identity['userdata'] = user_data
return identity
# IIdentifier
def forget(self, environ, identity):
# return a set of expires Set-Cookie headers
return self._get_cookies(environ, 'INVALID', 0)
# IIdentifier
def remember(self, environ, identity):
if self.include_ip:
remote_addr = environ['REMOTE_ADDR']
else:
remote_addr = '0.0.0.0'
cookies = get_cookies(environ)
old_cookie = cookies.get(self.cookie_name)
existing = cookies.get(self.cookie_name)
old_cookie_value = getattr(existing, 'value', None)
max_age = identity.get('max_age', None)
timestamp, userid, tokens, userdata = None, '', (), ''
if old_cookie_value:
try:
timestamp,userid,tokens,userdata = auth_tkt.parse_ticket(
self.secret, old_cookie_value, remote_addr)
except auth_tkt.BadTicket:
pass
tokens = tuple(tokens)
who_userid = identity['repoze.who.userid']
who_tokens = tuple(identity.get('tokens', ()))
who_userdata = identity.get('userdata', '')
encoding_data = self.userid_type_encoders.get(type(who_userid))
if encoding_data:
encoding, encoder = encoding_data
who_userid = encoder(who_userid)
# XXX we are discarding the userdata passed in the identity?
who_userdata = 'userid_type:%s' % encoding
old_data = (userid, tokens, userdata)
new_data = (who_userid, who_tokens, who_userdata)
if old_data != new_data or (self.reissue_time and
( (timestamp + self.reissue_time) < time.time() )):
ticket = auth_tkt.AuthTicket(
self.secret,
who_userid,
remote_addr,
tokens=who_tokens,
user_data=who_userdata,
cookie_name=self.cookie_name,
secure=self.secure)
new_cookie_value = ticket.cookie_value()
if old_cookie_value != new_cookie_value:
# return a set of Set-Cookie headers
return self._get_cookies(environ, new_cookie_value, max_age)
# IAuthenticator
def authenticate(self, environ, identity):
userid = identity.get('repoze.who.plugins.auth_tkt.userid')
if userid is None:
return None
if self.userid_checker and not self.userid_checker(userid):
return None
identity['repoze.who.userid'] = userid
return userid
def _get_cookies(self, environ, value, max_age=None):
if max_age is not None:
max_age = int(max_age)
later = _now() + datetime.timedelta(seconds=max_age)
# Wdy, DD-Mon-YY HH:MM:SS GMT
expires = later.strftime('%a, %d %b %Y %H:%M:%S')
# the Expires header is *required* at least for IE7 (IE7 does
# not respect Max-Age)
max_age = "; Max-Age=%s; Expires=%s" % (max_age, expires)
else:
max_age = ''
secure = ''
if self.secure:
secure = '; secure; HttpOnly'
cur_domain = environ.get('HTTP_HOST', environ.get('SERVER_NAME'))
cur_domain = cur_domain.split(':')[0] # drop port
wild_domain = '.' + cur_domain
cookies = [
('Set-Cookie', '%s="%s"; Path=/%s%s' % (
self.cookie_name, value, max_age, secure)),
('Set-Cookie', '%s="%s"; Path=/; Domain=%s%s%s' % (
self.cookie_name, value, cur_domain, max_age, secure)),
('Set-Cookie', '%s="%s"; Path=/; Domain=%s%s%s' % (
self.cookie_name, value, wild_domain, max_age, secure))
]
return cookies
def __repr__(self):
return '<%s %s>' % (self.__class__.__name__,
id(self)) #pragma NO COVERAGE
def _bool(value):
if isinstance(value, STRING_TYPES):
return value.lower() in ('yes', 'true', '1')
return value
def make_plugin(secret=None,
secretfile=None,
cookie_name='auth_tkt',
secure=False,
include_ip=False,
timeout=None,
reissue_time=None,
userid_checker=None,
):
from repoze.who.utils import resolveDotted
if (secret is None and secretfile is None):
raise ValueError("One of 'secret' or 'secretfile' must not be None.")
if (secret is not None and secretfile is not None):
raise ValueError("Specify only one of 'secret' or 'secretfile'.")
if secretfile:
secretfile = os.path.abspath(os.path.expanduser(secretfile))
if not os.path.exists(secretfile):
raise ValueError("No such 'secretfile': %s" % secretfile)
with open(secretfile) as f:
secret = f.read().strip()
if timeout:
timeout = int(timeout)
if reissue_time:
reissue_time = int(reissue_time)
if userid_checker is not None:
userid_checker = resolveDotted(userid_checker)
plugin = AuthTktCookiePlugin(secret,
cookie_name,
_bool(secure),
_bool(include_ip),
timeout,
reissue_time,
userid_checker,
)
return plugin
|