path: root/paste/auth

Commit log (each entry: commit message, followed by author, date, files changed, lines removed/added):
* auth/auth_tkt.py: enable overriding digest algorithms (Jan Pokorný, 2012-03-05, 1 file, -8/+22)

  Currently, mod_auth_tkt supports also SHA256 and SHA 512 [1], not just plain MD5. Quoting:

  ----v----
  The default is MD5, which is faster, but has now been shown to be vulnerable to collision attacks. Such attacks are not directly applicable to mod_auth_tkt, which primarily relies on the security of the shared secret rather than the strength of the hashing scheme. More paranoid users will probably prefer to use one of the SHA digest types, however. The default is likely to change in a future version, so setting the digest type explicitly is encouraged.
  ----^----

  Thus, enable it also in this implementation so one can optionally switch to a stronger secure hash.

  Backward compatibility should be untouched as ``md5`` is being passed as a default kwarg. The only change affecting the external world is a new parameter required at ``calculate_digest`` (specifying the digest to use), but as it has probably no use outside the module, this is a non-issue. Alternatively: another optional kwarg.

  Update (based on Ian's comments): The algorithm can also be specified as a string referring to the algorithm known to hashlib (otherwise AttributeError will be raised).

  Example session I used to check it works as expected (longish):

    >>> import sys; sys.path.append('../..')
    >>> from hashlib import sha256, sha512
    >>> execfile('auth_tkt.py')
    >>> AuthTicket('secret', 'me', '0.0.0.0').cookie_value()
    '39fecb1395af5285232be390eba0eed34f5518c8me!'
    >>> AuthTicket('secret', 'me', '0.0.0.0', "md5").cookie_value()
    'c3b8eacbbbf76a9c993c7dcb99975d504f5518cfme!m,d,5!'
    >>> AuthTicket('secret', 'me', '0.0.0.0', digest_algo="md5") \
    ...     .cookie_value()
    'db3b04de3c44b5bd0e2b47019e903c064f5518dbme!'
    >>> AuthTicket('secret', 'me', '0.0.0.0', digest_algo="sha1") \
    ...     .cookie_value()
    'dddaadc2be960b6e89263ae7fb8c39591554103d4f5518edme!'
    >>> AuthTicket('secret', 'me', '0.0.0.0', digest_algo=sha256) \
    ...     .cookie_value()
    'bf5c9a32e49920f2ca517ec19a9d55e10a83849e5d532e8997891b8ccdbf0e634f551902me!'
    >>> AuthTicket('secret', 'me', '0.0.0.0', digest_algo="sha256") \
    ...     .cookie_value()
    '9cb12df90fd86b868c98353115df4da3b8f9fa83bebecdf0b7918fea5d06b0744f551908me!'
    >>> AuthTicket('secret', 'me', '0.0.0.0', digest_algo='foo') \
    ...     .cookie_value()
    Traceback (most recent call last):
      File "<stdin>", line 1, in <module>
      File "auth_tkt.py", line 107, in __init__
        self.digest_algo = getattr(hashlib, digest_algo)
    AttributeError: 'module' object has no attribute 'foo'
    >>>
    >>> parse_ticket('secret', \
    ...     AuthTicket('secret', 'me', '0.0.0.0').cookie_value(),'0.0.0.0')
    (1330977060, 'me', [''], '')
    >>> parse_ticket('secret', \
    ...     AuthTicket('secret', 'me', '0.0.0.0', digest_algo='md5') \
    ...     .cookie_value(),'0.0.0.0', digest_algo='md5')
    (1330977096, 'me', [''], '')
    >>> parse_ticket('secret', \
    ...     AuthTicket('secret', 'me', '0.0.0.0', digest_algo=sha256) \
    ...     .cookie_value(),'0.0.0.0', digest_algo=sha256)
    (1330977115, 'me', [''], '')
    >>> parse_ticket('secret', \
    ...     AuthTicket('secret', 'me', '0.0.0.0', digest_algo=sha512) \
    ...     .cookie_value(),'0.0.0.0', digest_algo=sha512)
    (1330977125, 'me', [''], '')
    >>> parse_ticket('secret', \
    ...     AuthTicket('secret', 'me', '0.0.0.0', digest_algo=sha512) \
    ...     .cookie_value(),'0.0.0.0')
    Traceback (most recent call last):
      File "<stdin>", line 1, in <module>
      File "auth_tkt.py", line 179, in parse_ticket
        expected=(expected, digest))
    __main__.BadTicket: Digest signature is not correct

  [1] http://linux.die.net/man/3/mod_auth_tkt
* auth/auth_tkt.py: enable overriding digest algorithms (Jan Pokorný, 2012-03-01, 1 file, -14/+27)

  Currently, mod_auth_tkt supports also SHA256 and SHA 512 [1], not just plain MD5. Quoting:

  ----v----
  The default is MD5, which is faster, but has now been shown to be vulnerable to collision attacks. Such attacks are not directly applicable to mod_auth_tkt, which primarily relies on the security of the shared secret rather than the strength of the hashing scheme. More paranoid users will probably prefer to use one of the SHA digest types, however. The default is likely to change in a future version, so setting the digest type explicitly is encouraged.
  ----^----

  Thus, enable it also in this implementation so one can optionally switch to a stronger secure hash.

  Backward compatibility should be untouched as ``md5`` is being passed as a default kwarg. The only change affecting the external world is a new parameter required at ``calculate_digest`` (specifying the digest to use), but as it has probably no use outside the module, this is a non-issue. Alternatively: another optional kwarg.

  [1] http://linux.die.net/man/3/mod_auth_tkt
* Fix digest authentication (it was picking up commas inside of the digest auth values) (Toshio Kuratomi, 2011-12-21, 1 file, -4/+29)

* Add fix to make digest auth with internet explorer 8 (and possibly other versions) (milinnovations_andreas, 2010-09-29, 1 file, -2/+2)

* Fix #443: url_unquote undefined (Ian Bicking, 2010-09-16, 1 file, -1/+14)

* Fix test broken by 27a36b3e1843 (for http://trac.pythonpaste.org/pythonpaste/ticket/328) (Taavi Burns, 2010-09-09, 1 file, -1/+1)

* A probably incomplete fix for http://trac.pythonpaste.org/pythonpaste/ticket/328 -- quote the path before checking the digest. May not recreate the original quoting, but at least it is more correct than simply appending SCRIPT_NAME and PATH_INFO, which are definitely not quoted. (Ian Bicking, 2010-09-02, 1 file, -2/+3)

* Quote usernames in auth_tkt tickets (http://trac.pythonpaste.org/pythonpaste/ticket/380) (Ian Bicking, 2010-09-01, 1 file, -16/+19)
* Fix the auth_tkt middleware so it doesn't give exceptions when the token is bad (ianb, 2009-03-07, 1 file, -9/+9)

* Make cookies expire on logout (ianb, 2009-03-05, 1 file, -5/+6)

* Apply patch to paste.auth.auth_tkt to make it easier to get the cookies, and avoid wildcard cookies, and add httponly support (ianb, 2009-03-03, 1 file, -12/+39)

* don't need to strip the trailing newline anymore (ianb, 2009-01-08, 1 file, -1/+1)

* Fix #257, newlines in paste.auth.cookie cookies (ianb, 2009-01-08, 1 file, -0/+1)

* fix auth cookie generating bad headers (pjenvey, 2008-10-10, 1 file, -1/+2)

  thanks Alberto Valverde, jnelson, Jorge Vargas, Graham Dumpleton

* prefer hashlib over the md5/sha modules which are deprecated in Python 2.6 (pjenvey, 2008-09-17, 3 files, -13/+26)

* Set same cookies with same domains on logout as you do on login, in auth_tkt (ianb, 2008-03-08, 1 file, -1/+8)

* Use base64.encode|decodestring, for python 2.3 compatibility (ianb, 2007-12-17, 1 file, -2/+2)

* Try to encode values to auth_tkt (ianb, 2007-08-09, 1 file, -0/+8)

* remove tabs (ianb, 2007-07-22, 1 file, -2/+2)

* Fix for #174; Paste Deploy entry point for paste.auth.form broken (ianb, 2007-05-25, 1 file, -1/+6)

* fixed the AuthCookieHandler example (pjenvey, 2007-02-16, 1 file, -1/+1)

  (thanks Damjan Georgievski)
* patch from Robert Almeida, to re-enable the internal redirect to the login form. Dunno how it should really work, but eh (ianb, 2007-02-01, 1 file, -5/+5)

* oops (cce, 2007-01-10, 1 file, -2/+0)

* fixing server side cache /w the nocache header (cce, 2007-01-10, 1 file, -0/+2)
* convert old-style classes to new-style classes (pjenvey, 2007-01-05, 5 files, -8/+8)

* Fix for error condition in OpenID auth; patch from Christopher Baus (ianb, 2006-11-26, 1 file, -1/+1)

* Fixed #133 from cookedm: paste.auth.form doesn't return valid headers (ianb, 2006-11-02, 1 file, -2/+2)

* A big commit, primarily aesthetic/whitespace in nature. This is the result of running pylint over the codebase. Some minor/hard-to-reach typos were also picked up. (ianb, 2006-10-20, 7 files, -49/+53)

* Several name problems, small bugs, extra imports caught by pyflakes (ianb, 2006-10-20, 4 files, -5/+2)

* Updated the docstring to specify the correct information for set_user and logout_user in the environ dictionary (thejimmyg, 2006-09-01, 1 file, -2/+2)

* Make sure timeout isn't passed in as a string (ianb, 2006-08-21, 1 file, -0/+5)

* better error message in paste.auth.cookie (ianb, 2006-08-21, 1 file, -0/+5)
* Added an entry point for paste.auth.cookie; added/corrected a little info to the docstrings (ianb, 2006-08-19, 1 file, -10/+91)

* Patch from Brad Clements to add Paste Deploy support for paste.auth methods (ianb, 2006-06-30, 3 files, -0/+55)

* Added copyright header to a bunch of files (ianb, 2006-06-13, 3 files, -0/+6)

* This updates the paste.auth.* modules to include environ in the authentication callback functions. (cce, 2006-02-24, 4 files, -28/+26)

  - auth.basic was modified to have a callback of authfunc(environ, username, password)
  - auth.digest was modified in a similar manner, authfunc(environ, realm, password)
  - auth.digest's digest_password also had its arguments reversed to be consistent with the corresponding authfunc(); if you're going to break -- let's fix two things at once!
  - auth.form has a change similar to auth.basic

  These changes were suggested via Matthew Scott on the paste mailing list; only that I put the environ first to be consistent with other WSGI functions.
* Added to the do-it-yourself doc (ianb, 2006-02-01, 1 file, -1/+1)

* remove debugging prints from openid (ianb, 2006-01-30, 1 file, -4/+0)

* Added a url->username translation function to the app (so we can actually try to log the user in when they complete the process). Added specific hooks for auth_tkt stuff -- should be changed in the future so it is common to all login systems. Made the login_redirect actually redirect externally, not internally. Not sure if that will work with everyone -- I guess not, if they aren't using auth_tkt with the auth_tkt hooks. But I'm not sure how it is supposed to work otherwise either. Maybe there needs to be two settings -- login_redirect and login_external_redirect. Or maybe leaving login_redirect blank should be okay, and that will cause the user to be redirected back to where they came from (another feature that should be added to this) (ianb, 2006-01-27, 1 file, -11/+48)

* Fixed some little bugs; added logout_path setting, a path that implies a logout when accessed (ianb, 2006-01-27, 1 file, -4/+34)

* Added a paste.deploy entry point for open_id; added a 401 catcher option to open_id (but I haven't tested that yet) (ianb, 2006-01-27, 1 file, -8/+58)

* Fixed typoish thing (ianb, 2006-01-21, 1 file, -1/+1)

* @@ FIX: I commented this out since I didn't know what it was supposed to do and it was bad syntax otherwise (bbangert, 2006-01-21, 1 file, -1/+1)

* Added middleware for reading mod_auth_tkt-style signed cookies (paste.auth.auth_tkt). Added middleware to set user and group based on IP addresses (paste.auth.grantip). Added some modules for handling ranges of IP addresses, taken from some Python Cookbook recipes -- license is unclear on these, but I've requested clarification from the author (shouldn't be released until that is clarified). (ianb, 2006-01-18, 2 files, -0/+414)

* Indentation in docstring (ianb, 2006-01-18, 1 file, -20/+22)

* moving httpserver from util sub-package up a level (cce, 2006-01-09, 6 files, -6/+6)

* - removing unnecessary trailing spaces, that's all (cce, 2006-01-05, 2 files, -17/+17)

* Thread safe patching (bbangert, 2006-01-05, 1 file, -47/+46)

* - made the example program simpler for paste.auth.cookie, no point in adding in so many features when trying to introduce a new person to this module (cce, 2006-01-03, 1 file, -8/+3)

* (no commit message) (cce, 2006-01-03, 1 file, -10/+12)