185 lines
5.8 KiB
Python
185 lines
5.8 KiB
Python
# -*- test-case-name: twisted.test.test_strcred -*-
|
|
#
|
|
# Copyright (c) Twisted Matrix Laboratories.
|
|
# See LICENSE for details.
|
|
|
|
"""
|
|
Cred plugin for UNIX user accounts.
|
|
"""
|
|
|
|
|
|
from zope.interface import implementer
|
|
|
|
from twisted import plugin
|
|
from twisted.cred.checkers import ICredentialsChecker
|
|
from twisted.cred.credentials import IUsernamePassword
|
|
from twisted.cred.error import UnauthorizedLogin
|
|
from twisted.cred.strcred import ICheckerFactory
|
|
from twisted.internet import defer
|
|
|
|
|
|
def verifyCryptedPassword(crypted, pw):
|
|
"""
|
|
Use L{crypt.crypt} to Verify that an unencrypted
|
|
password matches the encrypted password.
|
|
|
|
@param crypted: The encrypted password, obtained from
|
|
the Unix password database or Unix shadow
|
|
password database.
|
|
@param pw: The unencrypted password.
|
|
@return: L{True} if there is successful match, else L{False}.
|
|
@rtype: L{bool}
|
|
"""
|
|
try:
|
|
import crypt
|
|
except ImportError:
|
|
crypt = None
|
|
|
|
if crypt is None:
|
|
raise NotImplementedError("cred_unix not supported on this platform")
|
|
if isinstance(pw, bytes):
|
|
pw = pw.decode("utf-8")
|
|
if isinstance(crypted, bytes):
|
|
crypted = crypted.decode("utf-8")
|
|
try:
|
|
crypted_check = crypt.crypt(pw, crypted)
|
|
if isinstance(crypted_check, bytes):
|
|
crypted_check = crypted_check.decode("utf-8")
|
|
return crypted_check == crypted
|
|
except OSError:
|
|
return False
|
|
|
|
|
|
@implementer(ICredentialsChecker)
|
|
class UNIXChecker:
|
|
"""
|
|
A credentials checker for a UNIX server. This will check that
|
|
an authenticating username/password is a valid user on the system.
|
|
|
|
Does not work on Windows.
|
|
|
|
Right now this supports Python's pwd and spwd modules, if they are
|
|
installed. It does not support PAM.
|
|
"""
|
|
|
|
credentialInterfaces = (IUsernamePassword,)
|
|
|
|
def checkPwd(self, pwd, username, password):
|
|
"""
|
|
Obtain the encrypted password for C{username} from the Unix password
|
|
database using L{pwd.getpwnam}, and see if it it matches it matches
|
|
C{password}.
|
|
|
|
@param pwd: Module which provides functions which
|
|
access to the Unix password database.
|
|
@type pwd: C{module}
|
|
@param username: The user to look up in the Unix password database.
|
|
@type username: L{unicode}/L{str} or L{bytes}
|
|
@param password: The password to compare.
|
|
@type username: L{unicode}/L{str} or L{bytes}
|
|
"""
|
|
try:
|
|
if isinstance(username, bytes):
|
|
username = username.decode("utf-8")
|
|
cryptedPass = pwd.getpwnam(username).pw_passwd
|
|
except KeyError:
|
|
return defer.fail(UnauthorizedLogin())
|
|
else:
|
|
if cryptedPass in ("*", "x"):
|
|
# Allow checkSpwd to take over
|
|
return None
|
|
elif verifyCryptedPassword(cryptedPass, password):
|
|
return defer.succeed(username)
|
|
|
|
def checkSpwd(self, spwd, username, password):
|
|
"""
|
|
Obtain the encrypted password for C{username} from the
|
|
Unix shadow password database using L{spwd.getspnam},
|
|
and see if it it matches it matches C{password}.
|
|
|
|
@param spwd: Module which provides functions which
|
|
access to the Unix shadow password database.
|
|
@type spwd: C{module}
|
|
@param username: The user to look up in the Unix password database.
|
|
@type username: L{unicode}/L{str} or L{bytes}
|
|
@param password: The password to compare.
|
|
@type username: L{unicode}/L{str} or L{bytes}
|
|
"""
|
|
try:
|
|
if isinstance(username, bytes):
|
|
username = username.decode("utf-8")
|
|
if getattr(spwd.struct_spwd, "sp_pwdp", None):
|
|
# Python 3
|
|
cryptedPass = spwd.getspnam(username).sp_pwdp
|
|
else:
|
|
# Python 2
|
|
cryptedPass = spwd.getspnam(username).sp_pwd
|
|
except KeyError:
|
|
return defer.fail(UnauthorizedLogin())
|
|
else:
|
|
if verifyCryptedPassword(cryptedPass, password):
|
|
return defer.succeed(username)
|
|
|
|
def requestAvatarId(self, credentials):
|
|
username, password = credentials.username, credentials.password
|
|
|
|
try:
|
|
import pwd
|
|
except ImportError:
|
|
pwd = None
|
|
|
|
if pwd is not None:
|
|
checked = self.checkPwd(pwd, username, password)
|
|
if checked is not None:
|
|
return checked
|
|
|
|
try:
|
|
import spwd
|
|
except ImportError:
|
|
spwd = None
|
|
|
|
if spwd is not None:
|
|
checked = self.checkSpwd(spwd, username, password)
|
|
if checked is not None:
|
|
return checked
|
|
# TODO: check_pam?
|
|
# TODO: check_shadow?
|
|
return defer.fail(UnauthorizedLogin())
|
|
|
|
|
|
unixCheckerFactoryHelp = """
|
|
This checker will attempt to use every resource available to
|
|
authenticate against the list of users on the local UNIX system.
|
|
(This does not support Windows servers for very obvious reasons.)
|
|
|
|
Right now, this includes support for:
|
|
|
|
* Python's pwd module (which checks /etc/passwd)
|
|
* Python's spwd module (which checks /etc/shadow)
|
|
|
|
Future versions may include support for PAM authentication.
|
|
"""
|
|
|
|
|
|
@implementer(ICheckerFactory, plugin.IPlugin)
|
|
class UNIXCheckerFactory:
|
|
"""
|
|
A factory for L{UNIXChecker}.
|
|
"""
|
|
|
|
authType = "unix"
|
|
authHelp = unixCheckerFactoryHelp
|
|
argStringFormat = "No argstring required."
|
|
credentialInterfaces = UNIXChecker.credentialInterfaces
|
|
|
|
def generateChecker(self, argstring):
|
|
"""
|
|
This checker factory ignores the argument string. Everything
|
|
needed to generate a user database is pulled out of the local
|
|
UNIX environment.
|
|
"""
|
|
return UNIXChecker()
|
|
|
|
|
|
theUnixCheckerFactory = UNIXCheckerFactory()
|