4 # Copyright (C) 2007, 2008 Google Inc.
6 # This program is free software; you can redistribute it and/or modify
7 # it under the terms of the GNU General Public License as published by
8 # the Free Software Foundation; either version 2 of the License, or
9 # (at your option) any later version.
11 # This program is distributed in the hope that it will be useful, but
12 # WITHOUT ANY WARRANTY; without even the implied warranty of
13 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
14 # General Public License for more details.
16 # You should have received a copy of the GNU General Public License
17 # along with this program; if not, write to the Free Software
18 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
21 """HTTP authentication module.
31 from ganeti import constants
32 from ganeti import utils
33 from ganeti import http
35 from cStringIO import StringIO
38 # Digest types from RFC2617
39 HTTP_BASIC_AUTH = "Basic"
40 HTTP_DIGEST_AUTH = "Digest"
42 # Not exactly as described in RFC2616, section 2.2, but good enough
43 _NOQUOTE = re.compile(r"^[-_a-z0-9]$", re.I)
46 def _FormatAuthHeader(scheme, params):
47 """Formats WWW-Authentication header value as per RFC2617, section 1.2
50 @param scheme: Authentication scheme
52 @param params: Additional parameters
54 @return: Formatted header value
61 for name, value in params.iteritems():
65 if _NOQUOTE.match(value):
69 # TODO: Better quoting
70 buf.write(value.replace("\"", "\\\""))
76 class HttpServerRequestAuthentication(object):
77 # Default authentication realm
80 def GetAuthRealm(self, req):
81 """Returns the authentication realm for a request.
83 MAY be overriden by a subclass, which then can return different realms for
84 different paths. Returning "None" means no authentication is needed for a
87 @type req: L{http.server._HttpServerRequest}
88 @param req: HTTP request context
90 @return: Authentication realm
93 return self.AUTH_REALM
95 def PreHandleRequest(self, req):
96 """Called before a request is handled.
98 @type req: L{http.server._HttpServerRequest}
99 @param req: HTTP request context
102 realm = self.GetAuthRealm(req)
104 # Authentication required?
108 # Check "Authorization" header
109 if self._CheckAuthorization(req):
110 # User successfully authenticated
113 # Send 401 Unauthorized response
118 # TODO: Support for Digest authentication (RFC2617, section 3).
119 # TODO: Support for more than one WWW-Authenticate header with the same
120 # response (RFC2617, section 4.6).
122 http.HTTP_WWW_AUTHENTICATE: _FormatAuthHeader(HTTP_BASIC_AUTH, params),
125 raise http.HttpUnauthorized(headers=headers)
127 def _CheckAuthorization(self, req):
128 """Checks "Authorization" header sent by client.
130 @type req: L{http.server._HttpServerRequest}
131 @param req: HTTP request context
132 @type credentials: str
133 @param credentials: Credentials sent
135 @return: Whether user is allowed to execute request
138 credentials = req.request_headers.get(http.HTTP_AUTHORIZATION, None)
143 parts = credentials.strip().split(None, 2)
148 # RFC2617, section 1.2: "[...] It uses an extensible, case-insensitive
149 # token to identify the authentication scheme [...]"
150 scheme = parts[0].lower()
152 if scheme == HTTP_BASIC_AUTH.lower():
153 # Do basic authentication
155 raise http.HttpBadRequest(message=("Basic authentication requires"
157 return self._CheckBasicAuthorization(req, parts[1])
159 elif scheme == HTTP_DIGEST_AUTH.lower():
160 # TODO: Implement digest authentication
161 # RFC2617, section 3.3: "Note that the HTTP server does not actually need
162 # to know the user's cleartext password. As long as H(A1) is available to
163 # the server, the validity of an Authorization header may be verified."
166 # Unsupported authentication scheme
169 def _CheckBasicAuthorization(self, req, input):
170 """Checks credentials sent for basic authentication.
172 @type req: L{http.server._HttpServerRequest}
173 @param req: HTTP request context
175 @param input: Username and password encoded as Base64
177 @return: Whether user is allowed to execute request
181 creds = base64.b64decode(input.encode('ascii')).decode('ascii')
182 except (TypeError, binascii.Error, UnicodeError):
183 logging.exception("Error when decoding Basic authentication credentials")
189 (user, password) = creds.split(":", 1)
191 return self.Authenticate(req, user, password)
193 def AuthenticateBasic(self, req, user, password):
194 """Checks the password for a user.
196 This function MUST be overriden by a subclass.
199 raise NotImplementedError()