
Source Code for Module pike.auth

  1  # 
  2  # Copyright (c) 2016, Dell Technologies 
  3  # All rights reserved. 
  4  # 
  5  # Redistribution and use in source and binary forms, with or without 
  6  # modification, are permitted provided that the following conditions are met: 
  7  # 
  8  # 1. Redistributions of source code must retain the above copyright notice, 
  9  # this list of conditions and the following disclaimer. 
 10  # 2. Redistributions in binary form must reproduce the above copyright notice, 
 11  # this list of conditions and the following disclaimer in the documentation 
 12  # and/or other materials provided with the distribution. 
 13  # 
 14  # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 
 15  # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
 16  # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
 17  # ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE 
 18  # LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 
 19  # CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 
 20  # SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 
 21  # INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 
 22  # CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 
 23  # ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 
 24  # POSSIBILITY OF SUCH DAMAGE. 
 25  # 
 26  # Module Name: 
 27  # 
 28  #        auth.py 
 29  # 
 30  # Abstract: 
 31  # 
 32  #        Authentication Plugins for Pike 
 33  # 
 34  # Authors: Masen Furer (masen.furer@dell.com) 
 35  # 
 36   
 37  """ 
 38  Authentication Plugins for Pike 
 39   
 40  This module contains wrappers around external authentication mechanisms and APIs. 
 41  """ 
 42   
 43   
 44  import array 
 45  try: 
 46      import kerberos 
 47  except ImportError: 
 48      kerberos = None 
 49  try: 
 50      import ntlm 
 51  except ImportError: 
 52      ntlm = None 
 53   
 54   
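def split_credentials(creds):
    r"""
    Split a credential string into its (domain, user, password) parts.

    The accepted forms are ``DOMAIN\user%password`` and ``user%password``.
    Only the first '%' separates the user part from the password, so a
    password that itself contains '%' is returned intact instead of raising.

    :param creds: credential string in one of the forms above
    :return: tuple ``(domain, user, password)``; domain is the literal
             string "NONE" when the user part carries no backslash
    :raises ValueError: if creds contains no '%', or if the user part
                        contains more than one backslash
    """
    # maxsplit=1: everything after the first '%' belongs to the password.
    user, password = creds.split('%', 1)
    if '\\' in user:
        domain, user = user.split('\\')
    else:
        domain = "NONE"
    # NOTE: the returned tuple carries the plaintext password; keep it out of
    # log output and exception messages.
    return (domain, user, password)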
class KerberosProvider(object):
    """
    Authentication provider backed by the optional ``kerberos`` module.

    The module-level name ``kerberos`` is None when its import failed, in
    which case every method here raises AttributeError on first use.
    """

    def __init__(self, conn, creds=None):
        """
        Open a GSS client context for the service principal "cifs/<server>".

        :param conn: object whose ``server`` attribute names the target host
        :param creds: optional credential string understood by
                      split_credentials; when falsy no explicit credentials
                      are handed to the kerberos binding
        """
        if creds:
            domain, user, password = split_credentials(creds)
            # The plaintext password is passed straight to the binding.
            # NOTE(review): the meaning of gssmech=2 vs gssmech=1 is defined
            # by the kerberos binding, not by this file - confirm there.
            init_kwargs = dict(gssmech=2,
                               user=user,
                               password=password,
                               domain=domain)
        else:
            init_kwargs = dict(gssmech=1)
        self.result, self.context = kerberos.authGSSClientInit(
            "cifs/" + conn.server,
            **init_kwargs)

    def step(self, sec_buf):
        """
        Feed one security buffer to the GSS context.

        :param sec_buf: array-like object providing ``tostring()``
        :return: ``(token, None)`` while the step result is 0, otherwise
                 ``(None, key)`` where key is the first 16 bytes of the
                 client response read after authGSSClientSessionKey
        """
        self.result = kerberos.authGSSClientStep(self.context,
                                                 sec_buf.tostring())
        if self.result != 0:
            # Order matters: the session-key call must come before the
            # response is read. Presumably the response then holds the
            # session key - confirm against the kerberos binding.
            kerberos.authGSSClientSessionKey(self.context)
            key_bytes = kerberos.authGSSClientResponse(self.context)[:16]
            return (None, array.array('B', key_bytes))
        token = kerberos.authGSSClientResponse(self.context)
        return (array.array('B', token), None)

    def username(self):
        """Return the user name reported by the kerberos binding for this context."""
        return kerberos.authGSSClientUserName(self.context)
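class NtlmProvider(object):
    """
    Authentication provider that drives an NTLM exchange through the
    optional ``ntlm`` module.

    The module-level name ``ntlm`` is None when its import failed, in which
    case constructing this class raises AttributeError.
    """

    def __init__(self, conn, creds):
        """
        :param conn: not used by this provider
        :param creds: credential string understood by split_credentials;
                      its (domain, user, password) parts are passed
                      positionally to ntlm.NtlmAuthenticator
        """
        self.authenticator = ntlm.NtlmAuthenticator(*split_credentials(creds))

    def step(self, sec_buf):
        """
        Advance the NTLM exchange by one message.

        :param sec_buf: buffer handed to the authenticator's authenticate()
                        call; ignored on the first call
        :return: ``(negotiate_token, None)`` on the first call, afterwards
                 ``(authenticate_buffer, exported_session_key)``
        """
        if self.authenticator.negotiate_message is None:
            return (self.authenticator.negotiate(), None)
        elif self.authenticator.challenge_message is None:
            self.authenticator.authenticate(sec_buf)
        # The second element is key material; callers should not log it.
        return (self.authenticator.authenticate_buffer,
                self.authenticator.exported_session_key)

    def username(self):
        """Return the domain and user name joined by a single backslash."""
        # '\\' replaces the invalid escape '\{' of the original literal; the
        # resulting string is unchanged, but newer interpreters no longer
        # warn about it.
        return '{0}\\{1}'.format(self.authenticator.domain,
                                 self.authenticator.username)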