[wrw.git] / wrw / auth.py

import binascii, hashlib, threading, time
from . import resp, proto

class unauthorized(resp.httperror):
    def __init__(self, challenge, message=None, detail=None):
        super().__init__(401, message, detail)
        if isinstance(challenge, str):
            challenge = [challenge]
        self.challenge = challenge

    def handle(self, req):
        for challenge in self.challenge:
            req.ohead.add("WWW-Authenticate", challenge)
        return super().handle(req)

class forbidden(resp.httperror):
    def __init__(self, message=None, detail=None):
        super().__init__(403, message, detail)

def parsemech(req):
    h = req.ihead.get("Authorization", None)
    if h is None:
        return None, None
    p = h.find(" ")
    if p < 0:
        return None, None
    return h[:p].strip().lower(), h[p + 1:].strip()

def parsebasic(req):
    mech, data = parsemech(req)
    if mech != "basic":
        return None, None
    try:
        raw = proto.unb64(data)
    except binascii.Error:
        return None, None
    try:
        raw = raw.decode("utf-8")
    except UnicodeError:
        raw = raw.decode("latin1")
    p = raw.find(":")
    if p < 0:
        return None, None
    return raw[:p], raw[p + 1:]

class basiccache(object):
    cachetime = 300

    def __init__(self, realm, authfn=None):
        self._lock = threading.Lock()
        self._cache = {}
        self.realm = realm
        if authfn is not None:
            self.auth = authfn

    def _obscure(self, nm, pw):
        dig = hashlib.sha256()
        dig.update(self.realm.encode("utf-8"))
        dig.update(nm.encode("utf-8"))
        dig.update(pw.encode("utf-8"))
        return dig.digest()

    def check(self, req):
        nm, pw = parsebasic(req)
        if nm is None:
            raise unauthorized("Basic Realm=\"%s\"" % self.realm)
        pwh = self._obscure(nm, pw)
        now = time.time()
        with self._lock:
            if (nm, pwh) in self._cache:
                lock, atime, res, resob = self._cache[nm, pwh]
                if now - atime < self.cachetime:
                    if res == "s":
                        return resob
                    elif res == "f":
                        raise resob
            else:
                lock = threading.Lock()
                self._cache[nm, pwh] = (lock, now, None, None)
        with lock:
            try:
                ret = self.auth(req, nm, pw)
            except forbidden as exc:
                with self._lock:
                    self._cache[nm, pwh] = (lock, now, "f", exc)
                raise
            if ret is None:
                raise forbidden()
            with self._lock:
                self._cache[nm, pwh] = (lock, now, "s", ret)
            return ret

    def auth(self, req, nm, pw):
        raise Exception("authentication function neither supplied nor overridden")
Commit	Line	Data
	1	import binascii, hashlib, threading, time
	2	from . import resp, proto
	3
	4	class unauthorized(resp.httperror):
	5	def __init__(self, challenge, message=None, detail=None):
	6	super().__init__(401, message, detail)
	7	if isinstance(challenge, str):
	8	challenge = [challenge]
	9	self.challenge = challenge
	10
	11	def handle(self, req):
	12	for challenge in self.challenge:
	13	req.ohead.add("WWW-Authenticate", challenge)
	14	return super().handle(req)
	15
	16	class forbidden(resp.httperror):
	17	def __init__(self, message=None, detail=None):
	18	super().__init__(403, message, detail)
	19
	20	def parsemech(req):
	21	h = req.ihead.get("Authorization", None)
	22	if h is None:
	23	return None, None
	24	p = h.find(" ")
	25	if p < 0:
	26	return None, None
	27	return h[:p].strip().lower(), h[p + 1:].strip()
	28
	29	def parsebasic(req):
	30	mech, data = parsemech(req)
	31	if mech != "basic":
	32	return None, None
	33	try:
	34	raw = proto.unb64(data)
	35	except binascii.Error:
	36	return None, None
	37	try:
	38	raw = raw.decode("utf-8")
	39	except UnicodeError:
	40	raw = raw.decode("latin1")
	41	p = raw.find(":")
	42	if p < 0:
	43	return None, None
	44	return raw[:p], raw[p + 1:]
	45
	46	class basiccache(object):
	47	cachetime = 300
	48
	49	def __init__(self, realm, authfn=None):
	50	self._lock = threading.Lock()
	51	self._cache = {}
	52	self.realm = realm
	53	if authfn is not None:
	54	self.auth = authfn
	55
	56	def _obscure(self, nm, pw):
	57	dig = hashlib.sha256()
	58	dig.update(self.realm.encode("utf-8"))
	59	dig.update(nm.encode("utf-8"))
	60	dig.update(pw.encode("utf-8"))
	61	return dig.digest()
	62
	63	def check(self, req):
	64	nm, pw = parsebasic(req)
	65	if nm is None:
	66	raise unauthorized("Basic Realm=\"%s\"" % self.realm)
	67	pwh = self._obscure(nm, pw)
	68	now = time.time()
	69	with self._lock:
	70	if (nm, pwh) in self._cache:
	71	lock, atime, res, resob = self._cache[nm, pwh]
	72	if now - atime < self.cachetime:
	73	if res == "s":
	74	return resob
	75	elif res == "f":
	76	raise resob
	77	else:
	78	lock = threading.Lock()
	79	self._cache[nm, pwh] = (lock, now, None, None)
	80	with lock:
	81	try:
	82	ret = self.auth(req, nm, pw)
	83	except forbidden as exc:
	84	with self._lock:
	85	self._cache[nm, pwh] = (lock, now, "f", exc)
	86	raise
	87	if ret is None:
	88	raise forbidden()
	89	with self._lock:
	90	self._cache[nm, pwh] = (lock, now, "s", ret)
	91	return ret
	92
	93	def auth(self, req, nm, pw):
	94	raise Exception("authentication function neither supplied nor overridden")