[Repoze-checkins] r831 - in pamplugins/pamradius: . pamradius

Chris Shenton chris.shenton at nasa.gov
Tue Mar 18 17:01:37 EDT 2008


Author: Chris Shenton <chris.shenton at nasa.gov>
Date: Tue Mar 18 17:01:37 2008
New Revision: 831

Log:
Initial checkin

Added:
   pamplugins/pamradius/
   pamplugins/pamradius/CHANGES.txt
   pamplugins/pamradius/README.txt
   pamplugins/pamradius/ez_setup.py
   pamplugins/pamradius/pamradius/
   pamplugins/pamradius/pamradius/__init__.py
   pamplugins/pamradius/pamradius/tests.py
   pamplugins/pamradius/rad.ini
   pamplugins/pamradius/setup.py
   pamplugins/pamradius/version.txt

Added: pamplugins/pamradius/CHANGES.txt
==============================================================================
--- (empty file)
+++ pamplugins/pamradius/CHANGES.txt	Tue Mar 18 17:01:37 2008
@@ -0,0 +1,8 @@
+=========
+ CHANGES
+=========
+
+0.1 (2008-03-18)
+========================
+* Initial implementation by Chris Shenton and Chris McDonough
+  at PyCon 2008

Added: pamplugins/pamradius/README.txt
==============================================================================
--- (empty file)
+++ pamplugins/pamradius/README.txt	Tue Mar 18 17:01:37 2008
@@ -0,0 +1,19 @@
+===========
+ pamradius
+===========
+
+Plugin for repoze.pam that queries RADIUS backend for authentication.
+
+Non-functionality
+=================
+
+It doesn't do anything with RADIUS accounting.
+
+In order to avoid the need for full RADIUS dictionary, we define
+locally only the minimum we need for authentication.  I've not been
+able to parse with pyrad dictionaries from FreeRADIUS-1.7,
+FreeRADIUS-2.0.3, GNU RADIUS, or Cistron RADIUS, but was able to parse
+one from an old version, perhaps FreeRADIUS-1.6 or earlier.  
+
+Lack of dictionary means we can't decode reply packets, which might
+provide useful information for subsequent functionality.

Added: pamplugins/pamradius/ez_setup.py
==============================================================================
--- (empty file)
+++ pamplugins/pamradius/ez_setup.py	Tue Mar 18 17:01:37 2008
@@ -0,0 +1,272 @@
+#!python
+"""Bootstrap setuptools installation
+
+If you want to use setuptools in your package's setup.py, just include this
+file in the same directory with it, and add this to the top of your setup.py::
+
+    from ez_setup import use_setuptools
+    use_setuptools()
+
+If you want to require a specific version of setuptools, set a download
+mirror, or use an alternate download directory, you can do so by supplying
+the appropriate options to ``use_setuptools()``.
+
+This file can also be run as a script to install or upgrade setuptools.
+"""
+import sys
+DEFAULT_VERSION = "0.6c8"
+DEFAULT_URL     = "http://pypi.python.org/packages/%s/s/setuptools/" % sys.version[:3]
+
+md5_data = {
+    'setuptools-0.6b1-py2.3.egg': '8822caf901250d848b996b7f25c6e6ca',
+    'setuptools-0.6b1-py2.4.egg': 'b79a8a403e4502fbb85ee3f1941735cb',
+    'setuptools-0.6b2-py2.3.egg': '5657759d8a6d8fc44070a9d07272d99b',
+    'setuptools-0.6b2-py2.4.egg': '4996a8d169d2be661fa32a6e52e4f82a',
+    'setuptools-0.6b3-py2.3.egg': 'bb31c0fc7399a63579975cad9f5a0618',
+    'setuptools-0.6b3-py2.4.egg': '38a8c6b3d6ecd22247f179f7da669fac',
+    'setuptools-0.6b4-py2.3.egg': '62045a24ed4e1ebc77fe039aa4e6f7e5',
+    'setuptools-0.6b4-py2.4.egg': '4cb2a185d228dacffb2d17f103b3b1c4',
+    'setuptools-0.6c1-py2.3.egg': 'b3f2b5539d65cb7f74ad79127f1a908c',
+    'setuptools-0.6c1-py2.4.egg': 'b45adeda0667d2d2ffe14009364f2a4b',
+    'setuptools-0.6c2-py2.3.egg': 'f0064bf6aa2b7d0f3ba0b43f20817c27',
+    'setuptools-0.6c2-py2.4.egg': '616192eec35f47e8ea16cd6a122b7277',
+    'setuptools-0.6c3-py2.3.egg': 'f181fa125dfe85a259c9cd6f1d7b78fa',
+    'setuptools-0.6c3-py2.4.egg': 'e0ed74682c998bfb73bf803a50e7b71e',
+    'setuptools-0.6c3-py2.5.egg': 'abef16fdd61955514841c7c6bd98965e',
+    'setuptools-0.6c4-py2.3.egg': 'b0b9131acab32022bfac7f44c5d7971f',
+    'setuptools-0.6c4-py2.4.egg': '2a1f9656d4fbf3c97bf946c0a124e6e2',
+    'setuptools-0.6c4-py2.5.egg': '8f5a052e32cdb9c72bcf4b5526f28afc',
+    'setuptools-0.6c5-py2.3.egg': 'ee9fd80965da04f2f3e6b3576e9d8167',
+    'setuptools-0.6c5-py2.4.egg': 'afe2adf1c01701ee841761f5bcd8aa64',
+    'setuptools-0.6c5-py2.5.egg': 'a8d3f61494ccaa8714dfed37bccd3d5d',
+    'setuptools-0.6c6-py2.3.egg': '35686b78116a668847237b69d549ec20',
+    'setuptools-0.6c6-py2.4.egg': '3c56af57be3225019260a644430065ab',
+    'setuptools-0.6c6-py2.5.egg': 'b2f8a7520709a5b34f80946de5f02f53',
+    'setuptools-0.6c7-py2.3.egg': '209fdf9adc3a615e5115b725658e13e2',
+    'setuptools-0.6c7-py2.4.egg': '5a8f954807d46a0fb67cf1f26c55a82e',
+    'setuptools-0.6c7-py2.5.egg': '45d2ad28f9750e7434111fde831e8372',
+    'setuptools-0.6c8-py2.3.egg': '50759d29b349db8cfd807ba8303f1902',
+    'setuptools-0.6c8-py2.4.egg': 'cba38d74f7d483c06e9daa6070cce6de',
+    'setuptools-0.6c8-py2.5.egg': '1721747ee329dc150590a58b3e1ac95b',
+}
+
+import sys, os
+
+def _validate_md5(egg_name, data):
+    if egg_name in md5_data:
+        from md5 import md5
+        digest = md5(data).hexdigest()
+        if digest != md5_data[egg_name]:
+            print >>sys.stderr, (
+                "md5 validation of %s failed!  (Possible download problem?)"
+                % egg_name
+            )
+            sys.exit(2)
+    return data
+
+
+def use_setuptools(
+    version=DEFAULT_VERSION, download_base=DEFAULT_URL, to_dir=os.curdir,
+    download_delay=15
+):
+    """Automatically find/download setuptools and make it available on sys.path
+
+    `version` should be a valid setuptools version number that is available
+    as an egg for download under the `download_base` URL (which should end with
+    a '/').  `to_dir` is the directory where setuptools will be downloaded, if
+    it is not already available.  If `download_delay` is specified, it should
+    be the number of seconds that will be paused before initiating a download,
+    should one be required.  If an older version of setuptools is installed,
+    this routine will print a message to ``sys.stderr`` and raise SystemExit in
+    an attempt to abort the calling script.
+    """
+    was_imported = 'pkg_resources' in sys.modules or 'setuptools' in sys.modules
+    def do_download():
+        egg = download_setuptools(version, download_base, to_dir, download_delay)
+        sys.path.insert(0, egg)
+        import setuptools; setuptools.bootstrap_install_from = egg
+    try:
+        import pkg_resources
+    except ImportError:
+        return do_download()       
+    try:
+        pkg_resources.require("setuptools>="+version); return
+    except pkg_resources.VersionConflict, e:
+        if was_imported:
+            print >>sys.stderr, (
+            "The required version of setuptools (>=%s) is not available, and\n"
+            "can't be installed while this script is running. Please install\n"
+            " a more recent version first, using 'easy_install -U setuptools'."
+            "\n\n(Currently using %r)"
+            ) % (version, e.args[0])
+            sys.exit(2)
+        else:
+            del pkg_resources, sys.modules['pkg_resources']    # reload ok
+            return do_download()
+    except pkg_resources.DistributionNotFound:
+        return do_download()
+
+def download_setuptools(
+    version=DEFAULT_VERSION, download_base=DEFAULT_URL, to_dir=os.curdir,
+    delay = 15
+):
+    """Download setuptools from a specified location and return its filename
+
+    `version` should be a valid setuptools version number that is available
+    as an egg for download under the `download_base` URL (which should end
+    with a '/'). `to_dir` is the directory where the egg will be downloaded.
+    `delay` is the number of seconds to pause before an actual download attempt.
+    """
+    import urllib2, shutil
+    egg_name = "setuptools-%s-py%s.egg" % (version,sys.version[:3])
+    url = download_base + egg_name
+    saveto = os.path.join(to_dir, egg_name)
+    src = dst = None
+    if not os.path.exists(saveto):  # Avoid repeated downloads
+        try:
+            from distutils import log
+            if delay:
+                log.warn("""
+---------------------------------------------------------------------------
+This script requires setuptools version %s to run (even to display
+help).  I will attempt to download it for you (from
+%s), but
+you may need to enable firewall access for this script first.
+I will start the download in %d seconds.
+
+(Note: if this machine does not have network access, please obtain the file
+
+   %s
+
+and place it in this directory before rerunning this script.)
+---------------------------------------------------------------------------""",
+                    version, download_base, delay, url
+                ); from time import sleep; sleep(delay)
+            log.warn("Downloading %s", url)
+            src = urllib2.urlopen(url)
+            # Read/write all in one block, so we don't create a corrupt file
+            # if the download is interrupted.
+            data = _validate_md5(egg_name, src.read())
+            dst = open(saveto,"wb"); dst.write(data)
+        finally:
+            if src: src.close()
+            if dst: dst.close()
+    return os.path.realpath(saveto)
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+def main(argv, version=DEFAULT_VERSION):
+    """Install or upgrade setuptools and EasyInstall"""
+    try:
+        import setuptools
+    except ImportError:
+        egg = None
+        try:
+            egg = download_setuptools(version, delay=0)
+            sys.path.insert(0,egg)
+            from setuptools.command.easy_install import main
+            return main(list(argv)+[egg])   # we're done here
+        finally:
+            if egg and os.path.exists(egg):
+                os.unlink(egg)
+    else:
+        if setuptools.__version__ == '0.0.1':
+            print >>sys.stderr, (
+            "You have an obsolete version of setuptools installed.  Please\n"
+            "remove it from your system entirely before rerunning this script."
+            )
+            sys.exit(2)
+
+    req = "setuptools>="+version
+    import pkg_resources
+    try:
+        pkg_resources.require(req)
+    except pkg_resources.VersionConflict:
+        try:
+            from setuptools.command.easy_install import main
+        except ImportError:
+            from easy_install import main
+        main(list(argv)+[download_setuptools(delay=0)])
+        sys.exit(0) # try to force an exit
+    else:
+        if argv:
+            from setuptools.command.easy_install import main
+            main(argv)
+        else:
+            print "Setuptools version",version,"or greater has been installed."
+            print '(Run "ez_setup.py -U setuptools" to reinstall or upgrade.)'
+
+def update_md5(filenames):
+    """Update our built-in md5 registry"""
+
+    import re
+    from md5 import md5
+
+    for name in filenames:
+        base = os.path.basename(name)
+        f = open(name,'rb')
+        md5_data[base] = md5(f.read()).hexdigest()
+        f.close()
+
+    data = ["    %r: %r,\n" % it for it in md5_data.items()]
+    data.sort()
+    repl = "".join(data)
+
+    import inspect
+    srcfile = inspect.getsourcefile(sys.modules[__name__])
+    f = open(srcfile, 'rb'); src = f.read(); f.close()
+
+    match = re.search("\nmd5_data = {\n([^}]+)}", src)
+    if not match:
+        print >>sys.stderr, "Internal error!"
+        sys.exit(2)
+
+    src = src[:match.start(1)] + repl + src[match.end(1):]
+    f = open(srcfile,'w')
+    f.write(src)
+    f.close()
+
+
+if __name__=='__main__':
+    if len(sys.argv)>2 and sys.argv[1]=='--md5update':
+        update_md5(sys.argv[2:])
+    else:
+        main(sys.argv[1:])
+
+
+
+
+

Added: pamplugins/pamradius/pamradius/__init__.py
==============================================================================
--- (empty file)
+++ pamplugins/pamradius/pamradius/__init__.py	Tue Mar 18 17:01:37 2008
@@ -0,0 +1,107 @@
+from zope.interface import implements
+from repoze.pam.interfaces import IAuthenticator
+
+class RadiusPlugin(object):
+
+    implements(IAuthenticator)
+
+    def __init__(self, server):
+        self.server = server
+
+    # IAuthenticatorPlugin
+    def authenticate(self, environ, identity):
+        try:
+            login = identity['login']
+            password = identity['password']
+        except KeyError:
+            return None
+        if self.server.authenticate(login, password):
+            return login
+        return None
+        
+
+
+ 
+class Server(object):
+    """A RADIUS server has host, authport, shared secret.
+    The host can be an DNS name or IP address,
+    authport is (UDP) typically 1812 or 1845;
+    shared secret is a string the server keeps for this client.
+    Optional timeout is jammed into server to speed testing.
+    """
+    def __init__(self, host, authport, secret, timeout=None):
+        self.host     = host
+        self.authport = authport
+        self.secret   = secret
+        self.timeout  = timeout
+        
+    def authenticate(self, username, password):
+        """Return True or False per the RADIUS server's response.
+        TODO: Do we need to worry about realms like chris at realmname
+        and different realm separators?
+        Different username versus login name?
+        """
+        from StringIO import StringIO
+        import pyrad.packet
+        from pyrad.client import Client
+        from pyrad.dictionary import Dictionary
+        dictionary = """
+ATTRIBUTE	User-Name		1	string
+ATTRIBUTE	User-Password		2	string encrypt=1
+"""
+        client = Client(server=self.host,
+                     authport=self.authport,
+                     secret=self.secret,
+                     dict=Dictionary(StringIO(dictionary)),
+                     )
+        if self.timeout:
+            client.timeout = self.timeout # pyrad init has no way to set
+        req = client.CreateAuthPacket(code=pyrad.packet.AccessRequest,
+                                      User_Name=username)
+        req["User-Password"] = req.PwCrypt(password)
+        reply = client.SendPacket(req)
+        if reply.code == pyrad.packet.AccessAccept:
+            # don't save reply since we don't have full dictionary to decode it
+            return True
+        return False
+
+def make_test_middleware(app, global_conf):
+    # be able to test without a config file
+    # TODO: auth_tkt instead of cookie
+    import sys
+    import os
+    import logging
+    from repoze.pam.plugins.form import FormPlugin
+    #from repoze.pam.plugins.cookie import InsecureCookiePlugin
+    from repoze.pam.plugins.auth_tkt import AuthTktCookiePlugin
+    from repoze.pam.middleware import PluggableAuthenticationMiddleware
+    from repoze.pam.classifiers import default_request_classifier
+    from repoze.pam.classifiers import default_challenge_decider
+
+    #form           = FormPlugin('__do_login', rememberer_name='cookie')
+    form           = FormPlugin('__do_login', rememberer_name='auth_tkt')
+    #cookie         = InsecureCookiePlugin('biscotti')
+    auth_tkt       = AuthTktCookiePlugin('secret squirrel',
+                                         cookie_name='test_auth_tkt',
+                                         include_ip=True)
+    #identifier    = [('form', form), ('cookie', cookie)]
+    identifiers    = [('form', form), ('auth_tkt', auth_tkt)]
+    server         = Server('localhost', 1812, 'testing123')
+    radiusplugin   = RadiusPlugin(server)
+    authenticators = [('radius', radiusplugin)]
+    challengers    = [('form', form) ]
+    log_stream     = sys.stdout
+    if os.environ.get('NO_PAM_LOG'):
+        log_stream = None
+    middleware = PluggableAuthenticationMiddleware(
+        app,
+        identifiers,
+        authenticators,
+        challengers,
+        default_request_classifier,
+        default_challenge_decider,
+        log_stream = log_stream,
+        log_level = logging.DEBUG       # this level should be configable
+        )
+    return middleware
+
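Review bot: `make_test_middleware` hard-codes the auth_tkt signing secret (`'secret squirrel'`) and the RADIUS shared secret (`'testing123'`), and setup.py publishes it as the `test` paste entry point, so any pipeline that uses `egg:pamradius#test` signs its login cookies with a value readable in the repository. Take both from configuration instead, e.g. `def make_test_middleware(app, global_conf, secret=None, radius_secret=None):`, and refuse to start when they are missing. Separately, `Server.authenticate` lets pyrad's `Timeout` escape (tests.py asserts this) and `RadiusPlugin.authenticate` only catches `KeyError`, so an unreachable RADIUS server surfaces as an unhandled exception in the middleware rather than a failed login; catching it in the plugin and returning `None` keeps the failure closed. The `Server` docstring's legacy port should read 1645, not 1845.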

Added: pamplugins/pamradius/pamradius/tests.py
==============================================================================
--- (empty file)
+++ pamplugins/pamradius/pamradius/tests.py	Tue Mar 18 17:01:37 2008
@@ -0,0 +1,124 @@
+import unittest
+
+dictionary = """
+ATTRIBUTE	User-Name		1	string
+ATTRIBUTE	User-Password		2	string encrypt=1
+"""
+
+class TrivialObject:
+    """dummy object"""
+    
+class RadiusMiddlewareTests(unittest.TestCase):
+
+    def _getTargetClass(self):
+        from pamradius import RadiusPlugin
+        return RadiusPlugin
+
+    def _makeOne(self, *arg, **kw):
+        klass = self._getTargetClass()
+        return klass(*arg, **kw)
+
+    def test_implements(self):
+        from repoze.pam.interfaces import IAuthenticator
+        from zope.interface.verify import verifyClass
+        klass = self._getTargetClass()
+        verifyClass(IAuthenticator, klass)
+
+    def test_null_login_ok(self):
+        server = NullServer(True)
+        s = self._makeOne(server)
+        environ = {}
+        identity = {'login': 'user', 'password': 'password'}
+        result = s.authenticate(environ, identity)
+        self.assertEqual(result, 'user')
+
+    def test_null_login_bad(self):
+        server = NullServer(False)
+        s = self._makeOne(server)
+        environ = {}
+        identity = {'login': 'user', 'password': 'password'}
+        result = s.authenticate(environ, identity)
+        self.assertEqual(result, None)
+
+class RadiusServerTests(unittest.TestCase):
+
+    def _getTargetClass(self):
+        from pamradius import Server
+        return Server
+
+    def _makeOne(self, *arg, **kw):
+        klass = self._getTargetClass()
+        return klass(*arg, **kw)
+
+    def test_getServer(self):
+        server = self._makeOne('localhost', 61812, 'secret', timeout=42)
+        self.assertEqual(server.host, 'localhost')
+        self.assertEqual(server.authport, 61812)
+        self.assertEqual(server.secret, 'secret')
+        self.assertEqual(server.timeout, 42)
+        
+    def test_server_down(self):
+        from pyrad.client import Timeout
+        server = self._makeOne('localhost', 61812, 'secret', timeout=0.2)
+        self.assertRaises(Timeout, server.authenticate, 'user', 'password')        
+
+    def test_server_accept(self):
+        from pyrad.packet import AccessRequest
+        server = ServerAccept()
+        client_pkt = TrivialObject()
+        client_pkt.code=AccessRequest
+        client_pkt.source=("host", "port")
+        result = server._HandleAuthPacket(client_pkt)
+        self.assertEqual(result, None)
+        
+    def test_server_deny(self):
+        from pyrad.packet import AccessRequest
+        from pyrad.server import ServerPacketError
+        server = ServerDeny()
+        client_pkt = TrivialObject()
+        client_pkt.code=AccessRequest
+        client_pkt.source=("host", "port")
+        self.assertRaises(ServerPacketError, server._HandleAuthPacket, client_pkt)
+        
+from pyrad.server import Server
+
+        
+class NullServer(object):
+    def __init__(self, result):
+        self.result = result
+        
+    def authenticate(self, username, password):
+        return self.result
+
+class ServerWithRemoteHost(Server):
+    """Subclass Server and create a remote host that can talk to us.
+    The server does actually bind to its sockets so avoid standard ports.
+    """
+    def __init__(self, addresses=[], authport=1812, acctport=1813, hosts=None, dict=None):
+        from StringIO import StringIO
+        from pyrad.server import RemoteHost
+        from pyrad.dictionary import Dictionary
+        remotehost = RemoteHost("127.0.0.1", "secret", "host", authport=61812)
+        Server.__init__(self,
+                        addresses=["127.0.0.1"],
+                        authport=61812,
+                        acctport=61813,
+                        hosts={"127.0.0.1": remotehost},
+                        dict=Dictionary(StringIO(dictionary)))
+        self.hosts["host"] = TrivialObject()
+        self.hosts["host"].secret = "secretBAD"
+    
+class ServerAccept(ServerWithRemoteHost):
+    """Always act like we accept the packet
+    This doesn't decode or check any secret and password.
+    """
+    def HandleAuthPacket(self, pkt):
+        pass
+
+class ServerDeny(ServerWithRemoteHost):
+    """Always act like we deny the authentication request.
+    This doesn't decode or check any secret or password.
+    """
+    def HandleAuthPacket(self, pkt):
+        from pyrad.server import ServerPacketError
+        raise ServerPacketError, "Authentication denied."
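Review bot: Nothing here exercises the branch that actually decides a login: `Server.authenticate` is only called in `test_server_down`, so the `reply.code == pyrad.packet.AccessAccept` comparison and the `return False` path are never run against a reply, and `ServerAccept`/`ServerDeny` are only driven through `_HandleAuthPacket` directly. The `KeyError` guard in `RadiusPlugin.authenticate` is also untested; a case such as `self.assertEqual(s.authenticate({}, {'login': 'user'}), None)` with a `NullServer(True)` would pin that a missing password never authenticates. `ServerWithRemoteHost.__init__` accepts `addresses=[]`, `authport`, `acctport`, `hosts` and `dict` but ignores all of them; either drop the parameters or pass them through, and avoid the mutable default.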

Added: pamplugins/pamradius/rad.ini
==============================================================================
--- (empty file)
+++ pamplugins/pamradius/rad.ini	Tue Mar 18 17:01:37 2008
@@ -0,0 +1,12 @@
+[app:app]
+paste.app_factory = repoze.pam.fixtures.testapp:make_app
+
+[pipeline:main]
+pipeline =	
+	 egg:pamradius#test
+	 app
+
+[server:main]
+use = egg:PasteScript#cherrypy
+host = 127.0.0.1
+port = 8080

Added: pamplugins/pamradius/setup.py
==============================================================================
--- (empty file)
+++ pamplugins/pamradius/setup.py	Tue Mar 18 17:01:37 2008
@@ -0,0 +1,58 @@
+##############################################################################
+#
+# Copyright (c) 2007 Agendaless Consulting and Contributors.
+# All Rights Reserved.
+#
+# This software is subject to the provisions of the BSD-like license at
+# http://www.repoze.org/LICENSE.txt.  A copy of the license should accompany
+# this distribution.  THIS SOFTWARE IS PROVIDED "AS IS" AND ANY AND ALL
+# EXPRESS OR IMPLIED WARRANTIES ARE DISCLAIMED, INCLUDING, BUT NOT LIMITED TO,
+# THE IMPLIED WARRANTIES OF TITLE, MERCHANTABILITY, AGAINST INFRINGEMENT, AND
+# FITNESS FOR A PARTICULAR PURPOSE
+#
+##############################################################################
+
+__version__ = open("version.txt").read()
+
+import os
+
+from ez_setup import use_setuptools
+use_setuptools()
+
+from setuptools import setup, find_packages
+
+here = os.path.abspath(os.path.dirname(__file__))
+README = open(os.path.join(here, 'README.txt')).read()
+
+setup(name='pamradius',
+      version=__version__,
+      description=('Repoze pluggable authentication middleware)'
+                   'querying RADIUS back-end for authentication.'),
+      long_description=README,
+      classifiers=[
+        "Development Status :: 1 - Planning",
+        "Intended Audience :: Developers",
+        "Programming Language :: Python",
+        "Topic :: Internet :: WWW/HTTP",
+        "Topic :: Internet :: WWW/HTTP :: Dynamic Content",
+        "Topic :: Internet :: WWW/HTTP :: WSGI",
+        "Topic :: Internet :: WWW/HTTP :: WSGI :: Application",
+        ],
+      keywords='web application server wsgi zope',
+      author="Chris Shenton",
+      author_email="chris at koansys.com",
+      dependency_links=['http://dist.repoze.org'],
+      url="http://www.repoze.org",
+      license="BSD-derived (http://www.repoze.org/LICENSE.txt)",
+      packages=find_packages(),
+      include_package_data=True,
+      zip_safe=False,
+      tests_require = ['repoze.pam', 'pyrad>=1.1'], 
+      install_requires=['repoze.pam', 'pyrad>=1.1'],
+      test_suite="pamradius.tests",
+      entry_points = """
+      [paste.filter_app_factory]
+      test = pamradius:make_test_middleware
+      """
+      )
+
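Review bot: `dependency_links=['http://dist.repoze.org']` and the `use_setuptools()` bootstrap both fetch code over plain HTTP at install time, and the only integrity check visible in this commit is the MD5 table in ez_setup.py, which covers setuptools eggs only; packages resolved through the dependency link are unverified. If the index is reachable over TLS, point the link at the https URL, and consider pinning `repoze.pam` to a version rather than leaving it open. Two smaller fixes in the same file: `open("version.txt").read()` is relative to the current directory and keeps the trailing newline, so `__version__ = open(os.path.join(here, 'version.txt')).read().strip()` (placed after `here` is defined) is safer, and the two `description` literals concatenate to `middleware)querying`.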

Added: pamplugins/pamradius/version.txt
==============================================================================
--- (empty file)
+++ pamplugins/pamradius/version.txt	Tue Mar 18 17:01:37 2008
@@ -0,0 +1 @@
+0.1

