slixmpp/sleekxmpp/util/sasl/client.py

175 lines
4.9 KiB
Python
Raw Normal View History

2012-07-30 00:22:16 +00:00
# -*- coding: utf-8 -*-
"""
sleekxmpp.util.sasl.client
~~~~~~~~~~~~~~~~~~~~~~~~~~
This module was originally based on Dave Cridland's Suelta library.
Part of SleekXMPP: The Sleek XMPP Library
2013-05-13 20:33:04 +00:00
:copryight: (c) 2007-2011 David Alan Cridland
2012-07-30 00:22:16 +00:00
:copyright: (c) 2012 Nathanael C. Fritz, Lance J.T. Stout
2013-05-13 20:33:04 +00:00
2012-07-30 00:22:16 +00:00
:license: MIT, see LICENSE for more details
"""
2012-07-31 02:43:49 +00:00
import logging
2012-07-30 00:22:16 +00:00
import stringprep
from sleekxmpp.util import hashes, bytes, stringprep_profiles
2012-07-31 02:43:49 +00:00
log = logging.getLogger(__name__)
2012-07-30 00:22:16 +00:00
#: Global registry mapping mechanism names to implementation classes.
MECHANISMS = {}
#: Global registry mapping mechanism names to security scores.
MECH_SEC_SCORES = {}
#: The SASLprep profile of stringprep used to validate simple username
#: and password credentials.
saslprep = stringprep_profiles.create(
nfkc=True,
bidi=True,
mappings=[
stringprep_profiles.b1_mapping,
stringprep_profiles.c12_mapping],
prohibited=[
stringprep.in_table_c12,
stringprep.in_table_c21,
stringprep.in_table_c22,
stringprep.in_table_c3,
stringprep.in_table_c4,
stringprep.in_table_c5,
stringprep.in_table_c6,
stringprep.in_table_c7,
stringprep.in_table_c8,
stringprep.in_table_c9],
unassigned=[stringprep.in_table_a1])
def sasl_mech(score):
sec_score = score
def register(mech):
n = 0
mech.score = sec_score
if mech.use_hashes:
for hashing_alg in hashes():
n += 1
score = mech.score + n
name = '%s-%s' % (mech.name, hashing_alg)
MECHANISMS[name] = mech
MECH_SEC_SCORES[name] = score
if mech.channel_binding:
name += '-PLUS'
score += 10
MECHANISMS[name] = mech
MECH_SEC_SCORES[name] = score
else:
MECHANISMS[mech.name] = mech
MECH_SEC_SCORES[mech.name] = mech.score
if mech.channel_binding:
MECHANISMS[mech.name + '-PLUS'] = mech
MECH_SEC_SCORES[name] = mech.score + 10
return mech
return register
class SASLNoAppropriateMechanism(Exception):
2012-08-02 00:43:38 +00:00
def __init__(self, value=''):
self.message = value
2012-07-30 00:22:16 +00:00
class SASLCancelled(Exception):
2012-08-02 00:43:38 +00:00
def __init__(self, value=''):
self.message = value
2012-07-30 00:22:16 +00:00
class SASLFailed(Exception):
2012-08-02 00:43:38 +00:00
def __init__(self, value=''):
self.message = value
2012-07-30 00:22:16 +00:00
class SASLMutualAuthFailed(SASLFailed):
2012-08-02 00:43:38 +00:00
def __init__(self, value=''):
self.message = value
2012-07-30 00:22:16 +00:00
class Mech(object):
name = 'GENERIC'
score = -1
use_hashes = False
channel_binding = False
required_credentials = set()
optional_credentials = set()
security = set()
2012-07-30 00:22:16 +00:00
def __init__(self, name, credentials, security_settings):
self.credentials = credentials
self.security_settings = security_settings
self.values = {}
self.base_name = self.name
self.name = name
self.setup(name)
def setup(self, name):
pass
def process(self, challenge=b''):
return b''
def choose(mech_list, credentials, security_settings, limit=None, min_mech=None):
available_mechs = set(MECHANISMS.keys())
if limit is None:
limit = set(mech_list)
if not isinstance(limit, set):
limit = set(limit)
if not isinstance(mech_list, set):
mech_list = set(mech_list)
mech_list = mech_list.intersection(limit)
available_mechs = available_mechs.intersection(mech_list)
best_score = MECH_SEC_SCORES.get(min_mech, -1)
best_mech = None
for name in available_mechs:
if name in MECH_SEC_SCORES:
if MECH_SEC_SCORES[name] > best_score:
best_score = MECH_SEC_SCORES[name]
best_mech = name
if best_mech is None:
raise SASLNoAppropriateMechanism()
mech_class = MECHANISMS[best_mech]
try:
creds = credentials(mech_class.required_credentials,
mech_class.optional_credentials)
for req in mech_class.required_credentials:
if req not in creds:
raise SASLCancelled('Missing credential: %s' % req)
for opt in mech_class.optional_credentials:
if opt not in creds:
creds[opt] = b''
for cred in creds:
if cred in ('username', 'password', 'authzid'):
creds[cred] = bytes(saslprep(creds[cred]))
else:
creds[cred] = bytes(creds[cred])
security_opts = security_settings(mech_class.security)
return mech_class(best_mech, creds, security_opts)
except SASLCancelled as e:
2012-07-31 02:43:49 +00:00
log.info('SASL: %s: %s', best_mech, e.message)
2012-07-30 00:22:16 +00:00
mech_list.remove(best_mech)
return choose(mech_list, credentials, security_settings,
limit=limit,
min_mech=min_mech)