o
    k˜`7H  ã                   @   s<  d dl mZmZ d dlmZmZ d dlmZmZ d dl	Z	d dl
Z
d dlZd dlZd dlZd dlmZmZmZ d dlT d dlmZmZ d dlmZmZ d d	lmZmZ d d
lmZ d dlm Z  d dl!m"Z" d dl#m$Z$ d dl%m&Z&m'Z' G dd„ de(ƒZ)G dd„ de*edZ+G dd„ de+ƒZ,G dd„ de,ƒZ-G dd„ de,ƒZ.dS )é    )ÚABCMetaÚabstractmethod)Ú	b64decodeÚ	b64encode)Úmd5Úsha1N)Ú
BoolOptionÚ	IntOptionÚOption)Ú*)ÚIAuthenticatorÚIRequestHandler)ÚChromeÚINavigationContributor)Úhex_entropyÚmd5crypt)Úcrypt)Ú	threading)Útime_now)Útag)Ú_Útag_c                   @   sÆ   e Zd ZdZeeeeƒ dZe	ddddƒZ
e	ddddƒZedd	d
dƒZeddddƒZeddd
dƒZdd„ Zdd„ Zdd„ Zdd„ Zdd„ Zdd„ Zdd„ Zdd „ Zd!d"„ Zd#d$„ Zd%d&„ Zd'd(„ Zd)S )*ÚLoginModulea†  User authentication manager.

    This component implements user authentication based on HTTP
    authentication provided by the web-server, combined with cookies
    for communicating the login information across the whole site.

    This mechanism expects that the web-server is setup so that a
    request to the path '/login' requires authentication (such as
    Basic or Digest). The login name is then stored in the database
    and associated with a unique key that gets passed back to the user
    agent using the 'trac_auth' cookie. This cookie is used to
    identify the user in subsequent requests to non-protected
    resources.
    FÚtracÚcheck_auth_ipÚfalsezQWhether the IP address of the user should be checked for
         authentication.Úignore_auth_casez6Whether login names should be converted to lower case.Úauth_cookie_domainÚ z£Auth cookie domain attribute.

        The auth cookie can be shared among multiple subdomains
        by setting the value to the domain. (//since 1.2//)
        Úauth_cookie_lifetimer   aL  Lifetime of the authentication cookie, in seconds.

        This value determines how long the browser will cache
        authentication information, and therefore, after how much
        inactivity a user will have to log in again. The value
        of 0 makes the cookie expire at the end of the browsing
        session.
        Úauth_cookie_pathzPath for the authentication cookie. Set this to the common
        base path of several Trac instances if you want them to share
        the cookie.
        c                 C   sH   d }|j r	|j }nd|jv r|  ||jd ¡}|sd S | jr"| ¡ }|S )NÚ	trac_auth)Úremote_userÚincookieÚ_get_name_for_cookieÚignore_caseÚlower)ÚselfÚreqÚauthname© r*   ú//usr/lib/python3/dist-packages/trac/web/auth.pyÚauthenticateZ   s   
ÿzLoginModule.authenticatec                 C   s   dS )NÚloginr*   ©r'   r(   r*   r*   r+   Úget_active_navigation_iteml   s   z&LoginModule.get_active_navigation_itemc                 c   sœ    |j r<ddtdt| jƒ ||j¡dfV  ddtjt tj	t
dƒdddtjd	d
|jd¡|j ¡ ddddfV  d S ddtjt
dƒ|j ¡ dfV  d S )NÚmetanavr-   zlogged in as %(user)s©ÚuserÚlogoutÚLogoutÚsubmit)ÚnameÚtypeÚhiddenÚ__FORM_TOKEN)r7   r6   ÚvalueÚpostztrac-logout)ÚactionÚmethodÚidÚclass_ÚLogin)Úhref)Úis_authenticatedr   r   ÚenvÚ
authorinfor)   r   ÚformÚdivÚbuttonr   ÚinputÚ
form_tokenrA   r3   Úar-   r.   r*   r*   r+   Úget_navigation_itemso   s0   €ÿÿÿÿý
ø
ÿ
ÿz LoginModule.get_navigation_itemsc                 C   s   t  d|j¡S )Nz/(login|logout)/?$)ÚreÚmatchÚ	path_infor.   r*   r*   r+   Úmatch_request„   s   zLoginModule.match_requestc                 C   s<   |j  d¡r|  |¡ n|j  d¡r|  |¡ |  |¡ d S )Nz/loginz/logout)rN   Ú
startswithÚ	_do_loginÚ
_do_logoutÚ_redirect_backr.   r*   r*   r+   Úprocess_request‡   s
   
zLoginModule.process_requestc                 C   s  |j stjtdƒtdƒ|j d¡d d}ttd|dƒ‚|j }| jr'| 	¡ }|j
d|fvr7ttd	|j
d
ƒ‚| jjB}|dttƒ ƒd fƒ d}|j d¡}|durb|  ||¡}||kr`|jnd}|du rvtƒ }|d|||jttƒ ƒfƒ W d  ƒ n1 s€w   Y  ||_
||jd< | jr˜| j|jd d< | jpŸ|jpŸd|jd d< | jjr°d|jd d< d|jd d< | jdkrÆ| j|jd d< dS dS )a”  Log the remote user in.

        This function expects to be called when the remote user name
        is available. The user name is inserted into the `auth_cookie`
        table and a cookie identifying the user on subsequent requests
        is sent back to the client.

        If the Authenticator was created with `ignore_case` set to
        true, then the authentication name passed from the web server
        in req.remote_user will be converted to lower case before
        being used. This is to avoid problems on installations
        authenticating against Windows which is not case sensitive
        regarding user names and domain names
        zinstallation documentationzConfiguring AuthenticationÚTracInstallz#ConfiguringAuthentication)ÚtitlerA   zKAuthentication information not available. Please refer to the %(inst_doc)s.)Úinst_docÚ	anonymouszAlready logged in as %(user)s.r1   z'DELETE FROM auth_cookie WHERE time < %si / Nr!   zŒ
                    INSERT INTO auth_cookie (cookie, name, ipnr, time)
                         VALUES (%s, %s, %s, %s)
                   Údomainú/ÚpathTÚsecureÚhttponlyr   Úexpires)r"   r   rJ   r   rA   ÚwikiÚ	TracErrorr   r%   r&   r)   rC   Údb_transactionÚintr   r#   ÚgetÚ_cookie_to_namer:   r   Úremote_addrÚ	outcookier   r    Ú	base_pathÚsecure_cookiesr   )r'   r(   rW   r"   ÚdbÚcookier!   r6   r*   r*   r+   rQ      sd   

ÿþþÿ
ÿÿý€ô
ÿÿ
ÿzLoginModule._do_loginc                 C   s   |j dks|js
dS d|jv r| j d|jd jf¡ n	| j d|jf¡ |  |¡ | jd  	d¡}|rFt
 d|¡s?| |¡}| |¡ dS dS )	zoLog the user out.

        Simply deletes the corresponding record from the auth_cookie
        table.
        ÚPOSTNr!   z'DELETE FROM auth_cookie WHERE cookie=%sz%DELETE FROM auth_cookie WHERE name=%sr0   zlogout.redirectz	https?:|/)r=   rB   r#   rC   ra   r:   r)   Ú_expire_cookieÚconfigrc   rL   rM   rA   Úredirect)r'   r(   Úcustom_redirectr*   r*   r+   rR   Í   s    
ÿÿ

ýzLoginModule._do_logoutc                 C   sp   d|j d< | jr| j|j d d< | jp|jpd|j d d< d|j d d< | jjr/d|j d d	< d|j d d
< dS )zyInstruct the user agent to drop the auth cookie by setting
        the "expires" property to a date in the past.
        r   r!   rY   rZ   r[   iðØÿÿr^   Tr\   r]   N)rf   r   r    rg   rC   rh   r.   r*   r*   r+   rl   ã   s   
ÿÿzLoginModule._expire_cookiec                 C   sD   | j rd}|j|jf}nd}|jf}| j ||¡D ]\}|  S d S )Nz8SELECT name FROM auth_cookie WHERE cookie=%s AND ipnr=%sz,SELECT name FROM auth_cookie WHERE cookie=%s)Úcheck_ipr:   re   rC   Údb_query)r'   r(   rj   ÚsqlÚargsr6   r*   r*   r+   rd   ñ   s   ÿzLoginModule._cookie_to_namec                 C   s"   |   ||¡}|d u r|  |¡ |S ©N)rd   rl   )r'   r(   rj   r6   r*   r*   r+   r$   ý   s   
z LoginModule._get_name_for_cookiec           
      C   sÞ   |   |¡}|rf| d¡s%tj |j¡dd… \}}tj |||dddf¡}|j d¡}|jd|… }|j|d… }| d¡}|| d¡d… }	|	|ksR|	 |d ¡rf|	 d¡||j	 d¡ krf| 
||	 ¡ | 
| ¡ ¡ dS )z0Redirect the user back to the URL she came from.)zhttp://zhttps://Né   ú:rZ   )Ú_refererrP   ÚurllibÚparseÚurlparseÚbase_urlÚ
urlunparseÚfindÚrstriprN   rn   Úabs_href)
r'   r(   ÚrefererÚschemeÚhostÚposÚbase_schemeÚbase_noschemeÚbase_noscheme_normÚreferer_noschemer*   r*   r+   rS     s(   

ÿ
ÿÿzLoginModule._redirect_backc                 C   s   |j  d¡p
| d¡S )Nr€   ÚReferer)rs   rc   Ú
get_headerr.   r*   r*   r+   rw     s   zLoginModule._refererN)Ú__name__Ú
__module__Ú__qualname__Ú__doc__Ú
implementsr   r   r   Úis_valid_default_handlerr   rp   r%   r
   r   r	   r   r    r,   r/   rK   rO   rT   rQ   rR   rl   rd   r$   rS   rw   r*   r*   r*   r+   r   &   s>    ÿÿÿÿ
ÿ	=	r   c                   @   s   e Zd Zedd„ ƒZdS )ÚHTTPAuthenticationc                 C   s   d S rt   r*   )r'   ÚenvironÚstart_responser*   r*   r+   Údo_auth#  s   zHTTPAuthentication.do_authN)rŠ   r‹   rŒ   r   r“   r*   r*   r*   r+   r   !  s    r   )Ú	metaclassc                   @   s   e Zd Zdd„ Zdd„ ZdS )ÚPasswordFileAuthenticationc                 C   s.   || _ t |¡j| _|  | j ¡ t ¡ | _d S rt   )	ÚfilenameÚosÚstatÚst_mtimeÚmtimeÚloadr   ÚLockÚ_lock)r'   r–   r*   r*   r+   Ú__init__)  s   z#PasswordFileAuthentication.__init__c                 C   sf   | j & t | j¡j}|| jkr!|| _|  | j¡ W d   ƒ d S W d   ƒ d S 1 s,w   Y  d S rt   )r   r—   r˜   r–   r™   rš   r›   )r'   rš   r*   r*   r+   Úcheck_reload/  s   
ü"þz'PasswordFileAuthentication.check_reloadN)rŠ   r‹   rŒ   rž   rŸ   r*   r*   r*   r+   r•   (  s    r•   c                   @   s,   e Zd Zdd„ Zdd„ Zdd„ Zdd„ Zd	S )
ÚBasicAuthenticationc                 C   s"   || _ t| _i | _t | |¡ d S rt   )Úrealmr   Úhashr•   rž   )r'   Úhtpasswdr¡   r*   r*   r+   rž   9  ó   zBasicAuthentication.__init__c              
   C   sð   i | _ t|ddV}|D ]K}| d¡d  ¡ }|sqz| d¡d d… \}}W n ty;   td||f tjd Y qw d	|v sH| d
¡sH| j	rN|| j |< qtd| tjd qW d   ƒ n1 sbw   Y  | j i krvtd|tjd d S d S )Núutf-8©Úencodingú#r   rv   ru   z(Warning: invalid password line in %s: %s©Úfileú$ú{SHA}znWarning: cannot parse password for user "%s" without the "crypt" module. Install the passlib package from PyPIz Warning: found no users in file:)
r¢   ÚopenÚsplitÚstripÚ
ValueErrorÚprintÚsysÚstderrrP   r   )r'   r–   ÚfdÚlineÚuÚhr*   r*   r+   r›   @  s<   ÿÿýþþóÿ

ÿÿzBasicAuthentication.loadc                 C   s¬   |   ¡  | j |¡}|d u rdS | d¡r)ttt| d¡ƒ ¡ ƒdƒ|dd … kS d|vr9|  	||d d… ¡|kS |dd …  
d¡d d… \}}d| d }t|||ƒ|kS )	NFr¬   r¥   Úasciié   r«   ru   é   )rŸ   r¢   rc   rP   Ústrr   r   ÚencodeÚdigestr   r®   r   )r'   r2   ÚpasswordÚthe_hashÚmagicÚsaltr*   r*   r+   ÚtestY  s   
ÿ
ÿzBasicAuthentication.testc           	      C   s€   |  d¡}|r,| d¡r,tt|dd … ƒdƒ d¡}t|ƒdkr,|\}}|  ||¡r,|S dd| j fd	g}|d
|ƒ}|dƒ d S )NÚHTTP_AUTHORIZATIONÚBasicé   r¥   rv   ru   úWWW-AuthenticatezBasic realm="%s"©zContent-LengthÚ0ú401 Unauthorizedó    )rc   rP   r»   r   r®   ÚlenrÂ   r¡   )	r'   r‘   r’   ÚheaderÚauthr2   r¾   ÚheadersÚwriter*   r*   r+   r“   j  s   
ÿ
zBasicAuthentication.do_authN)rŠ   r‹   rŒ   rž   r›   rÂ   r“   r*   r*   r*   r+   r    7  s
    r    c                   @   s>   e Zd ZdZdZdd„ Zdd„ Zdd„ Zdd
d„Zdd„ Z	dS )ÚDigestAuthenticationzEA simple HTTP digest authentication implementation
    (:rfc:`2617`).éd   c                 C   s"   g | _ || _i | _t | |¡ d S rt   )Úactive_noncesr¡   r¢   r•   rž   )r'   Úhtdigestr¡   r*   r*   r+   rž     r¤   zDigestAuthentication.__init__c              
   C   sÒ   i | _ t|ddF}|D ];}| d¡d  ¡ }|sqz| d¡dd… \}}}W n ty<   td||f tjd	 Y qw || jkrG|| j |< qW d  ƒ n1 sRw   Y  | j i krgtd
| jtjd	 dS dS )zxLoad account information from apache style htdigest files,
        only users from the specified realm are used
        r¥   r¦   r¨   r   rv   Né   z&Warning: invalid digest line in %s: %sr©   z!Warning: found no users in realm:)	r¢   r­   r®   r¯   r°   r±   r²   r³   r¡   )r'   r–   r´   rµ   r¶   ÚrÚa1r*   r*   r+   r›   †  s4   ÿÿý

€õÿ

ÿÿzDigestAuthentication.loadc                 C   s\   i }t j |¡D ]#}| dd¡\}}|d dkr'|d dkr'|dd… ||< q|||< q|S )Nú=rº   r   ú"éÿÿÿÿ)rx   ÚrequestÚparse_http_listr®   )r'   ÚauthorizationÚvaluesr:   ÚnÚvr*   r*   r+   Úparse_auth_header  s   
z&DigestAuthentication.parse_auth_headerr   c                 C   sd   t ƒ }| j |¡ t| jƒ| jkr| j| j d… | _dd| j||f fdg}|d|ƒ}|dƒ dS )zdSend a digest challange to the browser. Record used nonces
        to avoid replay attacks.
        NrÆ   z5Digest realm="%s", nonce="%s", qop="auth", stale="%s"rÇ   rÉ   rÊ   )r   rÒ   ÚappendrË   Ú
MAX_NONCESr¡   )r'   r‘   r’   ÚstaleÚnoncerÎ   rÏ   r*   r*   r+   Úsend_auth_request§  s   
ÿÿý
z&DigestAuthentication.send_auth_requestc                 C   s0  |  d¡}|r| d¡s|  ||¡ d S |  |dd … ¡}g d¢}|D ]}||vr2|  ||¡  d S q#|  ¡  |d | jvrF|  ||¡ d S dd„ }| j|d  }||d |d	 gƒ}	|||d
 |d |d |d |	gƒ}
|d |
kr{|  ||¡ d S |d
 | jvrŒ| j||dd d S | j |d
 ¡ |d S )NrÃ   ÚDigesté   )Úusernamer¡   rä   ÚuriÚresponseÚncÚcnoncerè   c                 S   s   t d dd„ | D ƒ¡ƒ ¡ S )Nó   :c                 s   s    | ]}|  d ¡V  qdS )r¥   N)r¼   )Ú.0rß   r*   r*   r+   Ú	<genexpr>Ê  s   € zADigestAuthentication.do_auth.<locals>.<lambda>.<locals>.<genexpr>)r   ÚjoinÚ	hexdigest)Úxr*   r*   r+   Ú<lambda>Ê  s    z.DigestAuthentication.do_auth.<locals>.<lambda>ÚREQUEST_METHODré   rä   rë   rì   Úqoprê   Útrue)rã   )rc   rP   rå   rà   rŸ   r¢   rÒ   Úremove)r'   r‘   r’   rÌ   rÍ   Úrequired_keysÚkeyÚkdrÖ   Úa2Úcorrectr*   r*   r+   r“   ¶  s:   
þÿzDigestAuthentication.do_authN)r   )
rŠ   r‹   rŒ   r   râ   rž   r›   rà   rå   r“   r*   r*   r*   r+   rÐ   y  s    

rÐ   )/Úabcr   r   Úbase64r   r   Úhashlibr   r   r—   rL   r²   Úurllib.parserx   Úurllib.requestÚtrac.configr   r	   r
   Ú	trac.coreÚtrac.web.apir   r   Útrac.web.chromer   r   Ú	trac.utilr   r   Útrac.util.compatr   Útrac.util.concurrencyr   Útrac.util.datefmtr   Útrac.util.htmlr   Útrac.util.translationr   r   Ú	Componentr   Úobjectr   r•   r    rÐ   r*   r*   r*   r+   Ú<module>   s0    |B