Context Navigation

← Previous Revision
Latest Revision
Next Revision →
Normal
Revision Log

source: py-scraping/mechanize/_auth.py@ 182

Last change on this file since 182 was 106, checked in by Rick van der Zwet, 15 years ago
Initial commit...
File size: 18.4 KB

Rev	Line
[106]	1	"""HTTP Authentication and Proxy support.
	2
	3	All but HTTPProxyPasswordMgr come from Python 2.5.
	4
	5
	6	Copyright 2006 John J. Lee <jjl@pobox.com>
	7
	8	This code is free software; you can redistribute it and/or modify it under
	9	the terms of the BSD or ZPL 2.1 licenses (see the file COPYING.txt
	10	included with the distribution).
	11
	12	"""
	13
	14	import base64
	15	import copy
	16	import os
	17	import posixpath
	18	import random
	19	import re
	20	import time
	21	import urlparse
	22
	23	try:
	24	import hashlib
	25	except ImportError:
	26	import md5
	27	import sha
	28	def sha1_digest(bytes):
	29	return sha.new(bytes).hexdigest()
	30	def md5_digest(bytes):
	31	return md5.new(bytes).hexdigest()
	32	else:
	33	def sha1_digest(bytes):
	34	return hashlib.sha1(bytes).hexdigest()
	35	def md5_digest(bytes):
	36	return hashlib.md5(bytes).hexdigest()
	37
	38	from urllib2 import BaseHandler, HTTPError, parse_keqv_list, parse_http_list
	39	from urllib import getproxies, unquote, splittype, splituser, splitpasswd, \
	40	splitport
	41
	42
	43	def _parse_proxy(proxy):
	44	"""Return (scheme, user, password, host/port) given a URL or an authority.
	45
	46	If a URL is supplied, it must have an authority (host:port) component.
	47	According to RFC 3986, having an authority component means the URL must
	48	have two slashes after the scheme:
	49
	50	>>> _parse_proxy('file:/ftp.example.com/')
	51	Traceback (most recent call last):
	52	ValueError: proxy URL with no authority: 'file:/ftp.example.com/'
	53
	54	The first three items of the returned tuple may be None.
	55
	56	Examples of authority parsing:
	57
	58	>>> _parse_proxy('proxy.example.com')
	59	(None, None, None, 'proxy.example.com')
	60	>>> _parse_proxy('proxy.example.com:3128')
	61	(None, None, None, 'proxy.example.com:3128')
	62
	63	The authority component may optionally include userinfo (assumed to be
	64	username:password):
	65
	66	>>> _parse_proxy('joe:password@proxy.example.com')
	67	(None, 'joe', 'password', 'proxy.example.com')
	68	>>> _parse_proxy('joe:password@proxy.example.com:3128')
	69	(None, 'joe', 'password', 'proxy.example.com:3128')
	70
	71	Same examples, but with URLs instead:
	72
	73	>>> _parse_proxy('http://proxy.example.com/')
	74	('http', None, None, 'proxy.example.com')
	75	>>> _parse_proxy('http://proxy.example.com:3128/')
	76	('http', None, None, 'proxy.example.com:3128')
	77	>>> _parse_proxy('http://joe:password@proxy.example.com/')
	78	('http', 'joe', 'password', 'proxy.example.com')
	79	>>> _parse_proxy('http://joe:password@proxy.example.com:3128')
	80	('http', 'joe', 'password', 'proxy.example.com:3128')
	81
	82	Everything after the authority is ignored:
	83
	84	>>> _parse_proxy('ftp://joe:password@proxy.example.com/rubbish:3128')
	85	('ftp', 'joe', 'password', 'proxy.example.com')
	86
	87	Test for no trailing '/' case:
	88
	89	>>> _parse_proxy('http://joe:password@proxy.example.com')
	90	('http', 'joe', 'password', 'proxy.example.com')
	91
	92	"""
	93	scheme, r_scheme = splittype(proxy)
	94	if not r_scheme.startswith("/"):
	95	# authority
	96	scheme = None
	97	authority = proxy
	98	else:
	99	# URL
	100	if not r_scheme.startswith("//"):
	101	raise ValueError("proxy URL with no authority: %r" % proxy)
	102	# We have an authority, so for RFC 3986-compliant URLs (by ss 3.
	103	# and 3.3.), path is empty or starts with '/'
	104	end = r_scheme.find("/", 2)
	105	if end == -1:
	106	end = None
	107	authority = r_scheme[2:end]
	108	userinfo, hostport = splituser(authority)
	109	if userinfo is not None:
	110	user, password = splitpasswd(userinfo)
	111	else:
	112	user = password = None
	113	return scheme, user, password, hostport
	114
	115	class ProxyHandler(BaseHandler):
	116	# Proxies must be in front
	117	handler_order = 100
	118
	119	def __init__(self, proxies=None):
	120	if proxies is None:
	121	proxies = getproxies()
	122	assert hasattr(proxies, 'has_key'), "proxies must be a mapping"
	123	self.proxies = proxies
	124	for type, url in proxies.items():
	125	setattr(self, '%s_open' % type,
	126	lambda r, proxy=url, type=type, meth=self.proxy_open: \
	127	meth(r, proxy, type))
	128
	129	def proxy_open(self, req, proxy, type):
	130	orig_type = req.get_type()
	131	proxy_type, user, password, hostport = _parse_proxy(proxy)
	132	if proxy_type is None:
	133	proxy_type = orig_type
	134	if user and password:
	135	user_pass = '%s:%s' % (unquote(user), unquote(password))
	136	creds = base64.encodestring(user_pass).strip()
	137	req.add_header('Proxy-authorization', 'Basic ' + creds)
	138	hostport = unquote(hostport)
	139	req.set_proxy(hostport, proxy_type)
	140	if orig_type == proxy_type:
	141	# let other handlers take care of it
	142	return None
	143	else:
	144	# need to start over, because the other handlers don't
	145	# grok the proxy's URL type
	146	# e.g. if we have a constructor arg proxies like so:
	147	# {'http': 'ftp://proxy.example.com'}, we may end up turning
	148	# a request for http://acme.example.com/a into one for
	149	# ftp://proxy.example.com/a
	150	return self.parent.open(req)
	151
	152	class HTTPPasswordMgr:
	153
	154	def __init__(self):
	155	self.passwd = {}
	156
	157	def add_password(self, realm, uri, user, passwd):
	158	# uri could be a single URI or a sequence
	159	if isinstance(uri, basestring):
	160	uri = [uri]
	161	if not realm in self.passwd:
	162	self.passwd[realm] = {}
	163	for default_port in True, False:
	164	reduced_uri = tuple(
	165	[self.reduce_uri(u, default_port) for u in uri])
	166	self.passwd[realm][reduced_uri] = (user, passwd)
	167
	168	def find_user_password(self, realm, authuri):
	169	domains = self.passwd.get(realm, {})
	170	for default_port in True, False:
	171	reduced_authuri = self.reduce_uri(authuri, default_port)
	172	for uris, authinfo in domains.iteritems():
	173	for uri in uris:
	174	if self.is_suburi(uri, reduced_authuri):
	175	return authinfo
	176	return None, None
	177
	178	def reduce_uri(self, uri, default_port=True):
	179	"""Accept authority or URI and extract only the authority and path."""
	180	# note HTTP URLs do not have a userinfo component
	181	parts = urlparse.urlsplit(uri)
	182	if parts[1]:
	183	# URI
	184	scheme = parts[0]
	185	authority = parts[1]
	186	path = parts[2] or '/'
	187	else:
	188	# host or host:port
	189	scheme = None
	190	authority = uri
	191	path = '/'
	192	host, port = splitport(authority)
	193	if default_port and port is None and scheme is not None:
	194	dport = {"http": 80,
	195	"https": 443,
	196	}.get(scheme)
	197	if dport is not None:
	198	authority = "%s:%d" % (host, dport)
	199	return authority, path
	200
	201	def is_suburi(self, base, test):
	202	"""Check if test is below base in a URI tree
	203
	204	Both args must be URIs in reduced form.
	205	"""
	206	if base == test:
	207	return True
	208	if base[0] != test[0]:
	209	return False
	210	common = posixpath.commonprefix((base[1], test[1]))
	211	if len(common) == len(base[1]):
	212	return True
	213	return False
	214
	215
	216	class HTTPPasswordMgrWithDefaultRealm(HTTPPasswordMgr):
	217
	218	def find_user_password(self, realm, authuri):
	219	user, password = HTTPPasswordMgr.find_user_password(self, realm,
	220	authuri)
	221	if user is not None:
	222	return user, password
	223	return HTTPPasswordMgr.find_user_password(self, None, authuri)
	224
	225
	226	class AbstractBasicAuthHandler:
	227
	228	rx = re.compile('[ \t]([^ \t]+)[ \t]+realm="([^"])"', re.I)
	229
	230	# XXX there can actually be multiple auth-schemes in a
	231	# www-authenticate header. should probably be a lot more careful
	232	# in parsing them to extract multiple alternatives
	233
	234	def __init__(self, password_mgr=None):
	235	if password_mgr is None:
	236	password_mgr = HTTPPasswordMgr()
	237	self.passwd = password_mgr
	238	self.add_password = self.passwd.add_password
	239
	240	def http_error_auth_reqed(self, authreq, host, req, headers):
	241	# host may be an authority (without userinfo) or a URL with an
	242	# authority
	243	# XXX could be multiple headers
	244	authreq = headers.get(authreq, None)
	245	if authreq:
	246	mo = AbstractBasicAuthHandler.rx.search(authreq)
	247	if mo:
	248	scheme, realm = mo.groups()
	249	if scheme.lower() == 'basic':
	250	return self.retry_http_basic_auth(host, req, realm)
	251
	252	def retry_http_basic_auth(self, host, req, realm):
	253	user, pw = self.passwd.find_user_password(realm, host)
	254	if pw is not None:
	255	raw = "%s:%s" % (user, pw)
	256	auth = 'Basic %s' % base64.encodestring(raw).strip()
	257	if req.headers.get(self.auth_header, None) == auth:
	258	return None
	259	newreq = copy.copy(req)
	260	newreq.add_header(self.auth_header, auth)
	261	newreq.visit = False
	262	return self.parent.open(newreq)
	263	else:
	264	return None
	265
	266
	267	class HTTPBasicAuthHandler(AbstractBasicAuthHandler, BaseHandler):
	268
	269	auth_header = 'Authorization'
	270
	271	def http_error_401(self, req, fp, code, msg, headers):
	272	url = req.get_full_url()
	273	return self.http_error_auth_reqed('www-authenticate',
	274	url, req, headers)
	275
	276
	277	class ProxyBasicAuthHandler(AbstractBasicAuthHandler, BaseHandler):
	278
	279	auth_header = 'Proxy-authorization'
	280
	281	def http_error_407(self, req, fp, code, msg, headers):
	282	# http_error_auth_reqed requires that there is no userinfo component in
	283	# authority. Assume there isn't one, since urllib2 does not (and
	284	# should not, RFC 3986 s. 3.2.1) support requests for URLs containing
	285	# userinfo.
	286	authority = req.get_host()
	287	return self.http_error_auth_reqed('proxy-authenticate',
	288	authority, req, headers)
	289
	290
	291	def randombytes(n):
	292	"""Return n random bytes."""
	293	# Use /dev/urandom if it is available. Fall back to random module
	294	# if not. It might be worthwhile to extend this function to use
	295	# other platform-specific mechanisms for getting random bytes.
	296	if os.path.exists("/dev/urandom"):
	297	f = open("/dev/urandom")
	298	s = f.read(n)
	299	f.close()
	300	return s
	301	else:
	302	L = [chr(random.randrange(0, 256)) for i in range(n)]
	303	return "".join(L)
	304
	305	class AbstractDigestAuthHandler:
	306	# Digest authentication is specified in RFC 2617.
	307
	308	# XXX The client does not inspect the Authentication-Info header
	309	# in a successful response.
	310
	311	# XXX It should be possible to test this implementation against
	312	# a mock server that just generates a static set of challenges.
	313
	314	# XXX qop="auth-int" supports is shaky
	315
	316	def __init__(self, passwd=None):
	317	if passwd is None:
	318	passwd = HTTPPasswordMgr()
	319	self.passwd = passwd
	320	self.add_password = self.passwd.add_password
	321	self.retried = 0
	322	self.nonce_count = 0
	323
	324	def reset_retry_count(self):
	325	self.retried = 0
	326
	327	def http_error_auth_reqed(self, auth_header, host, req, headers):
	328	authreq = headers.get(auth_header, None)
	329	if self.retried > 5:
	330	# Don't fail endlessly - if we failed once, we'll probably
	331	# fail a second time. Hm. Unless the Password Manager is
	332	# prompting for the information. Crap. This isn't great
	333	# but it's better than the current 'repeat until recursion
	334	# depth exceeded' approach <wink>
	335	raise HTTPError(req.get_full_url(), 401, "digest auth failed",
	336	headers, None)
	337	else:
	338	self.retried += 1
	339	if authreq:
	340	scheme = authreq.split()[0]
	341	if scheme.lower() == 'digest':
	342	return self.retry_http_digest_auth(req, authreq)
	343
	344	def retry_http_digest_auth(self, req, auth):
	345	token, challenge = auth.split(' ', 1)
	346	chal = parse_keqv_list(parse_http_list(challenge))
	347	auth = self.get_authorization(req, chal)
	348	if auth:
	349	auth_val = 'Digest %s' % auth
	350	if req.headers.get(self.auth_header, None) == auth_val:
	351	return None
	352	newreq = copy.copy(req)
	353	newreq.add_unredirected_header(self.auth_header, auth_val)
	354	newreq.visit = False
	355	return self.parent.open(newreq)
	356
	357	def get_cnonce(self, nonce):
	358	# The cnonce-value is an opaque
	359	# quoted string value provided by the client and used by both client
	360	# and server to avoid chosen plaintext attacks, to provide mutual
	361	# authentication, and to provide some message integrity protection.
	362	# This isn't a fabulous effort, but it's probably Good Enough.
	363	dig = sha1_digest("%s:%s:%s:%s" % (self.nonce_count, nonce,
	364	time.ctime(), randombytes(8)))
	365	return dig[:16]
	366
	367	def get_authorization(self, req, chal):
	368	try:
	369	realm = chal['realm']
	370	nonce = chal['nonce']
	371	qop = chal.get('qop')
	372	algorithm = chal.get('algorithm', 'MD5')
	373	# mod_digest doesn't send an opaque, even though it isn't
	374	# supposed to be optional
	375	opaque = chal.get('opaque', None)
	376	except KeyError:
	377	return None
	378
	379	H, KD = self.get_algorithm_impls(algorithm)
	380	if H is None:
	381	return None
	382
	383	user, pw = self.passwd.find_user_password(realm, req.get_full_url())
	384	if user is None:
	385	return None
	386
	387	# XXX not implemented yet
	388	if req.has_data():
	389	entdig = self.get_entity_digest(req.get_data(), chal)
	390	else:
	391	entdig = None
	392
	393	A1 = "%s:%s:%s" % (user, realm, pw)
	394	A2 = "%s:%s" % (req.get_method(),
	395	# XXX selector: what about proxies and full urls
	396	req.get_selector())
	397	if qop == 'auth':
	398	self.nonce_count += 1
	399	ncvalue = '%08x' % self.nonce_count
	400	cnonce = self.get_cnonce(nonce)
	401	noncebit = "%s:%s:%s:%s:%s" % (nonce, ncvalue, cnonce, qop, H(A2))
	402	respdig = KD(H(A1), noncebit)
	403	elif qop is None:
	404	respdig = KD(H(A1), "%s:%s" % (nonce, H(A2)))
	405	else:
	406	# XXX handle auth-int.
	407	pass
	408
	409	# XXX should the partial digests be encoded too?
	410
	411	base = 'username="%s", realm="%s", nonce="%s", uri="%s", ' \
	412	'response="%s"' % (user, realm, nonce, req.get_selector(),
	413	respdig)
	414	if opaque:
	415	base += ', opaque="%s"' % opaque
	416	if entdig:
	417	base += ', digest="%s"' % entdig
	418	base += ', algorithm="%s"' % algorithm
	419	if qop:
	420	base += ', qop=auth, nc=%s, cnonce="%s"' % (ncvalue, cnonce)
	421	return base
	422
	423	def get_algorithm_impls(self, algorithm):
	424	# lambdas assume digest modules are imported at the top level
	425	if algorithm == 'MD5':
	426	H = md5_digest
	427	elif algorithm == 'SHA':
	428	H = sha1_digest
	429	# XXX MD5-sess
	430	KD = lambda s, d: H("%s:%s" % (s, d))
	431	return H, KD
	432
	433	def get_entity_digest(self, data, chal):
	434	# XXX not implemented yet
	435	return None
	436
	437
	438	class HTTPDigestAuthHandler(BaseHandler, AbstractDigestAuthHandler):
	439	"""An authentication protocol defined by RFC 2069
	440
	441	Digest authentication improves on basic authentication because it
	442	does not transmit passwords in the clear.
	443	"""
	444
	445	auth_header = 'Authorization'
	446	handler_order = 490
	447
	448	def http_error_401(self, req, fp, code, msg, headers):
	449	host = urlparse.urlparse(req.get_full_url())[1]
	450	retry = self.http_error_auth_reqed('www-authenticate',
	451	host, req, headers)
	452	self.reset_retry_count()
	453	return retry
	454
	455
	456	class ProxyDigestAuthHandler(BaseHandler, AbstractDigestAuthHandler):
	457
	458	auth_header = 'Proxy-Authorization'
	459	handler_order = 490
	460
	461	def http_error_407(self, req, fp, code, msg, headers):
	462	host = req.get_host()
	463	retry = self.http_error_auth_reqed('proxy-authenticate',
	464	host, req, headers)
	465	self.reset_retry_count()
	466	return retry
	467
	468
	469	# XXX ugly implementation, should probably not bother deriving
	470	class HTTPProxyPasswordMgr(HTTPPasswordMgr):
	471	# has default realm and host/port
	472	def add_password(self, realm, uri, user, passwd):
	473	# uri could be a single URI or a sequence
	474	if uri is None or isinstance(uri, basestring):
	475	uris = [uri]
	476	else:
	477	uris = uri
	478	passwd_by_domain = self.passwd.setdefault(realm, {})
	479	for uri in uris:
	480	for default_port in True, False:
	481	reduced_uri = self.reduce_uri(uri, default_port)
	482	passwd_by_domain[reduced_uri] = (user, passwd)
	483
	484	def find_user_password(self, realm, authuri):
	485	attempts = [(realm, authuri), (None, authuri)]
	486	# bleh, want default realm to take precedence over default
	487	# URI/authority, hence this outer loop
	488	for default_uri in False, True:
	489	for realm, authuri in attempts:
	490	authinfo_by_domain = self.passwd.get(realm, {})
	491	for default_port in True, False:
	492	reduced_authuri = self.reduce_uri(authuri, default_port)
	493	for uri, authinfo in authinfo_by_domain.iteritems():
	494	if uri is None and not default_uri:
	495	continue
	496	if self.is_suburi(uri, reduced_authuri):
	497	return authinfo
	498	user, password = None, None
	499
	500	if user is not None:
	501	break
	502	return user, password
	503
	504	def reduce_uri(self, uri, default_port=True):
	505	if uri is None:
	506	return None
	507	return HTTPPasswordMgr.reduce_uri(self, uri, default_port)
	508
	509	def is_suburi(self, base, test):
	510	if base is None:
	511	# default to the proxy's host/port
	512	hostport, path = test
	513	base = (hostport, "/")
	514	return HTTPPasswordMgr.is_suburi(self, base, test)
	515
	516
	517	class HTTPSClientCertMgr(HTTPPasswordMgr):
	518	# implementation inheritance: this is not a proper subclass
	519	def add_key_cert(self, uri, key_file, cert_file):
	520	self.add_password(None, uri, key_file, cert_file)
	521	def find_key_cert(self, authuri):
	522	return HTTPPasswordMgr.find_user_password(self, None, authuri)

Note: See TracBrowser for help on using the repository browser.

Download in other formats: