[wrw.git] / wrw / auth.py

import binascii, hashlib, threading, time
import resp, proto

class unauthorized(resp.httperror):
    def __init__(self, challenge, message=None, detail=None):
        super(unauthorized, self).__init__(401, message, detail)
        if isinstance(challenge, str):
            challenge = [challenge]
        self.challenge = challenge

    def handle(self, req):
        for challenge in self.challenge:
            req.ohead.add("WWW-Authenticate", challenge)
        return super(unauthorized, self).handle(req)

class forbidden(resp.httperror):
    def __init__(self, message=None, detail=None):
        super(forbidden, self).__init__(403, message, detail)

def parsemech(req):
    h = req.ihead.get("Authorization", None)
    if h is None:
        return None, None
    p = h.find(" ")
    if p < 0:
        return None, None
    return h[:p].strip().lower(), h[p + 1:].strip()

def parsebasic(req):
    mech, data = parsemech(req)
    if mech != "basic":
        return None, None
    try:
        raw = proto.unb64(data)
    except binascii.Error:
        return None, None
    p = raw.find(":")
    if p < 0:
        return None, None
    return raw[:p], raw[p + 1:]

class basiccache(object):
    cachetime = 300

    def __init__(self, realm, authfn=None):
        self._lock = threading.Lock()
        self._cache = {}
        self.realm = realm
        if authfn is not None:
            self.auth = authfn

    def _obscure(self, nm, pw):
        dig = hashlib.sha256()
        dig.update(self.realm)
        dig.update(nm)
        dig.update(pw)
        return dig.digest()

    def check(self, req):
        nm, pw = parsebasic(req)
        if nm is None:
            raise unauthorized("Basic Realm=\"%s\"" % self.realm)
        pwh = self._obscure(nm, pw)
        now = time.time()
        with self._lock:
            if (nm, pwh) in self._cache:
                lock, atime, res, resob = self._cache[nm, pwh]
                if now - atime < self.cachetime:
                    if res == "s":
                        return resob
                    elif res == "f":
                        raise resob
            else:
                lock = threading.Lock()
                self._cache[nm, pwh] = (lock, now, None, None)
        with lock:
            try:
                ret = self.auth(req, nm, pw)
            except forbidden, exc:
                with self._lock:
                    self._cache[nm, pwh] = (lock, now, "f", exc)
                raise
            if ret is None:
                raise forbidden()
            with self._lock:
                self._cache[nm, pwh] = (lock, now, "s", ret)
            return ret

    def auth(self, req, nm, pw):
        raise Exception("authentication function neither supplied nor overridden")
Commit	Line	Data
ecbfa279	1	import binascii, hashlib, threading, time
b6f62b89	2	import resp, proto
ecbfa279 FT	3
	4	class unauthorized(resp.httperror):
	5	def __init__(self, challenge, message=None, detail=None):
	6	super(unauthorized, self).__init__(401, message, detail)
	7	if isinstance(challenge, str):
	8	challenge = [challenge]
	9	self.challenge = challenge
	10
	11	def handle(self, req):
	12	for challenge in self.challenge:
	13	req.ohead.add("WWW-Authenticate", challenge)
	14	return super(unauthorized, self).handle(req)
	15
	16	class forbidden(resp.httperror):
	17	def __init__(self, message=None, detail=None):
	18	super(forbidden, self).__init__(403, message, detail)
	19
	20	def parsemech(req):
	21	h = req.ihead.get("Authorization", None)
	22	if h is None:
	23	return None, None
	24	p = h.find(" ")
	25	if p < 0:
	26	return None, None
	27	return h[:p].strip().lower(), h[p + 1:].strip()
	28
	29	def parsebasic(req):
	30	mech, data = parsemech(req)
	31	if mech != "basic":
	32	return None, None
	33	try:
c4b97e16	34	raw = proto.unb64(data)
ecbfa279 FT	35	except binascii.Error:
	36	return None, None
	37	p = raw.find(":")
	38	if p < 0:
	39	return None, None
	40	return raw[:p], raw[p + 1:]
	41
	42	class basiccache(object):
	43	cachetime = 300
	44
	45	def __init__(self, realm, authfn=None):
	46	self._lock = threading.Lock()
	47	self._cache = {}
	48	self.realm = realm
	49	if authfn is not None:
	50	self.auth = authfn
	51
	52	def _obscure(self, nm, pw):
	53	dig = hashlib.sha256()
	54	dig.update(self.realm)
	55	dig.update(nm)
	56	dig.update(pw)
	57	return dig.digest()
	58
	59	def check(self, req):
	60	nm, pw = parsebasic(req)
	61	if nm is None:
	62	raise unauthorized("Basic Realm=\"%s\"" % self.realm)
	63	pwh = self._obscure(nm, pw)
	64	now = time.time()
	65	with self._lock:
	66	if (nm, pwh) in self._cache:
	67	lock, atime, res, resob = self._cache[nm, pwh]
	68	if now - atime < self.cachetime:
	69	if res == "s":
	70	return resob
	71	elif res == "f":
	72	raise resob
	73	else:
	74	lock = threading.Lock()
	75	self._cache[nm, pwh] = (lock, now, None, None)
	76	with lock:
	77	try:
	78	ret = self.auth(req, nm, pw)
	79	except forbidden, exc:
	80	with self._lock:
	81	self._cache[nm, pwh] = (lock, now, "f", exc)
	82	raise
	83	if ret is None:
	84	raise forbidden()
	85	with self._lock:
	86	self._cache[nm, pwh] = (lock, now, "s", ret)
	87	return ret
	88
	89	def auth(self, req, nm, pw):
	90	raise Exception("authentication function neither supplied nor overridden")