1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
|
"""passlib.apache - apache password support
.. todo::
support htpasswd context
needs ldap_sha1 support
detect when crypt should be used, and what ones.
.. todo::
support htdigest context
.. todo::
support reading / writing htpasswd & htdigest files using this module.
references -
http://httpd.apache.org/docs/2.2/misc/password_encryptions.html
http://httpd.apache.org/docs/2.0/programs/htpasswd.html
NOTE: htdigest format is md5(user ":" realm ":" passwd).hexdigest()
file format is "user:realm:hash"
"""
#=========================================================
#imports
#=========================================================
from __future__ import with_statement
#core
from hashlib import md5
import logging; log = logging.getLogger(__name__)
import os
#site
#libs
from passlib.context import CryptContext
#pkg
#local
__all__ = [
]
#=========================================================
#common helpers
#=========================================================
class _CommonFile(object):
"helper for HtpasswdFile / HtdigestFile"
#NOTE: 'path' is a property so that mtime is wiped if path is changed.
_path = None
def _get_path(self):
return self._path
def _set_path(self, path):
if path != self._path:
self.mtime = 0
self._path = path
path = property(_get_path, _set_path)
def __init__(self, path=None, autoload=True):
self.path = path
##if autoload == "exists":
## autoload = bool(path and os.path.exists(path))
if autoload and path:
self.load()
##elif raw:
## self._load_lines(raw.split("\n"))
else:
self._entry_order = []
self._entry_map = {}
def load(self, force=True):
"""load entries from file
:param force:
if ``True`` (the default), always loads state from file.
if ``False``, only loads state if file has been modified since last load.
:raises IOError: if file not found
:returns: ``False`` if ``force=False`` and no load performed; otherwise ``True``.
"""
path = self.path
if not path:
raise RuntimeError, "no load path specified"
if not force and self.mtime and self.mtime == os.path.getmtime(path):
return False
with file(path, "rU") as fh:
self.mtime = os.path.getmtime(path)
self._load_lines(fh)
return True
def _load_lines(self, lines):
pl = self._parse_line
entry_order = self._entry_order = []
entry_map = self._entry_map = {}
for line in lines:
key, value = pl(line)
if key in entry_map:
#XXX: should we use data from first entry, or last entry?
# going w/ first entry for now.
continue
entry_order.append(key)
entry_map[key] = value
#subclass: _parse_line(line) -> (key, hash)
def save(self):
"save entries to file"
if not self.path:
raise RuntimeError, "no save path specified"
rl = self._render_line
entry_order = self._entry_order
entry_map = self._entry_map
assert len(entry_order) == len(entry_map), "internal error in entry list"
with file(self.path, "wb") as fh:
fh.writelines(rl(key, entry_map[key]) for key in entry_order)
self.mtime = os.path.getmtime(self.path)
def to_string(self):
"export whole database as a string"
rl = self._render_line
entry_order = self._entry_order
entry_map = self._entry_map
assert len(entry_order) == len(entry_map), "internal error in entry list"
return "".join(rl(key, entry_map[key]) for key in entry_order)
#subclass: _render_line(entry) -> line
def _update_key(self, key, value):
entry_map = self._entry_map
if key in entry_map:
entry_map[key] = value
return True
else:
self._entry_order.append(key)
entry_map[key] = value
return False
def _delete_key(self, key):
entry_map = self._entry_map
if key in entry_map:
del entry_map[key]
self._entry_order.remove(key)
return True
else:
return False
invalid_chars = ":\n\r\t\x00"
def _validate_user(self, user):
if len(user) > 255:
raise ValueError, "user must be at most 255 characters: %r" % (user,)
ic = self.invalid_chars
if any(c in ic for c in user):
raise ValueError, "user contains invalid characters: %r" % (user,)
return True
def _validate_realm(self, realm):
if len(realm) > 255:
raise ValueError, "realm must be at most 255 characters: %r" % (realm,)
ic = self.invalid_chars
if any(c in ic for c in realm):
raise ValueError, "realm contains invalid characters: %r" % (realm,)
return True
#FIXME: htpasswd doc sez passwords limited to 255 chars under Windows & MPE,
# longer ones are truncated.
#=========================================================
#htpasswd editing
#=========================================================
#FIXME: apr_md5_crypt technically the default only for windows, netware and tpf.
#TODO: find out if htpasswd's "crypt" mode is crypt *call* or just des_crypt implementation.
htpasswd_context = CryptContext([
"apr_md5_crypt", #man page notes supported everywhere, default on Windows, Netware, TPF
"des_crypt", #man page notes server does NOT support this on Windows, Netware, TPF
"ldap_sha1", #man page notes only for transitioning <-> ldap
"plaintext" # man page notes server ONLY supports this on Windows, Netware, TPF
])
class HtpasswdFile(_CommonFile):
"""class for reading & writing Htpasswd files.
:arg path: path to htpasswd file to load from / save to (required)
:param default:
optionally specify default scheme to use when encoding new passwords.
Must be one of ``None``, ``"apr_md5_crypt"``, ``"des_crypt"``, ``"ldap_sha1"``, ``"plaintext"``.
If no value is specified, this class currently uses ``apr_md5_crypt`` when creating new passwords.
:param autoload:
if ``True`` (the default), :meth:`load` will be automatically called
by constructor.
Set to ``False`` to disable automatic loading (primarily used when
creating new htdigest file).
Loading & Saving
================
.. automethod:: load
.. automethod:: save
.. automethod:: to_string
Inspection
================
.. automethod:: users
.. automethod:: verify
Modification
================
.. automethod:: update
.. automethod:: delete
.. note::
All of the methods in this class enforce some data validation
on the ``user`` parameter:
they will raise a :exc:`ValueError` if the string
contains one of the forbidden characters ``:\\r\\n\\t\\x00``,
or is longer than 255 characters.
"""
def __init__(self, path=None, default=None, **kwds):
self.context = htpasswd_context
if default:
self.context = self.context.replace(default=default)
super(HtpasswdFile, self).__init__(path, **kwds)
def _parse_line(self, line):
#should be user, hash
return line.rstrip().split(":")
def _render_line(self, user, hash):
return "%s:%s\n" % (user, hash)
def users(self):
"return list of all users in file"
return list(self._entry_order)
def update(self, user, password):
"""update password for user; adds user if needed.
:returns: ``True`` if existing user was updated, ``False`` if user added.
"""
self._validate_user(user)
hash = self.context.encrypt(password)
return self._update_key(user, hash)
def delete(self, user):
"""delete user's entry.
:returns: ``True`` if user deleted, ``False`` if user not found.
"""
self._validate_user(user)
return self._delete_key(user)
def verify(self, user, password):
"""verify password for specified user.
:returns:
* ``None`` if user not found
* ``False`` if password does not match
* ``True`` if password matches.
"""
self._validate_user(user)
hash = self._entry_map.get(user)
if hash is None:
return None
else:
return self.context.verify(password, hash)
#TODO: support migration from deprecated hashes
#=========================================================
#htdigest editing
#=========================================================
class HtdigestFile(_CommonFile):
"""class for reading & writing Htdigest files
:arg path: path to htpasswd file to load from / save to (required)
:param autoload:
if ``True`` (the default), :meth:`load` will be automatically called
by constructor.
Set to ``False`` to disable automatic loading (primarily used when
creating new htdigest file).
Loading & Saving
================
.. automethod:: load
.. automethod:: save
.. automethod:: to_string
Inspection
==========
.. automethod:: realms
.. automethod:: users
.. automethod:: find
.. automethod:: verify
Modification
============
.. automethod:: update
.. automethod:: delete
.. automethod:: delete_realm
.. note::
All of the methods in this class enforce some data validation
on the ``user`` and ``realm`` parameters:
they will raise a :exc:`ValueError` if either string
contains one of the forbidden characters ``:\\r\\n\\t\\x00``,
or is longer than 255 characters.
"""
def _parse_line(self, line):
user, realm, hash = line.rstrip().split(":")
return (user, realm), hash
def _render_line(self, key, hash):
return "%s:%s:%s\n" % (key[0], key[1], hash)
def realms(self):
"return all realms listed in file"
return list(set(key[1] for key in self._entry_order))
def users(self, realm):
"return list of all users within specified realm"
return [ key[0] for key in self._entry_order if key[1] == realm ]
def update(self, user, realm, password):
"""update password for user under specified realm; adding user if needed
:returns: ``True`` if existing user was updated, ``False`` if user added.
"""
self._validate_user(user)
self._validate_realm(realm)
key = (user,realm)
hash = md5("%s:%s:%s" % (user,realm,password)).hexdigest()
return self._update_key(key, hash)
def delete(self, user, realm):
"""delete user's entry for specified realm.
:returns: ``True`` if user deleted, ``False`` if user not found in realm.
"""
self._validate_user(user)
self._validate_realm(realm)
return self._delete_key((user,realm))
def delete_realm(self, realm):
"""delete all users for specified realm
:returns: number of users deleted
"""
self._validate_realm(realm)
keys = [
key for key in self._entry_map
if key[1] == realm
]
for key in keys:
self._delete_key(key)
return len(keys)
def find(self, user, realm):
"""return digest hash for specified user+realm; returns ``None`` if not found"""
self._validate_user(user)
self._validate_realm(realm)
return self._entry_map.get((user,realm))
def verify(self, user, realm, password):
"""verify password for specified user + realm.
:returns:
* ``None`` if user not found
* ``False`` if password does not match
* ``True`` if password matches.
"""
self._validate_user(user)
self._validate_realm(realm)
hash = self._entry_map.get((user,realm))
if hash is None:
return None
return hash == md5("%s:%s:%s" % (user,realm,password)).hexdigest()
#=========================================================
# eof
#=========================================================
|
