2011-06-30 22:40:22 +00:00
|
|
|
"""
|
|
|
|
SleekXMPP: The Sleek XMPP Library
|
2011-07-03 05:49:34 +00:00
|
|
|
Copyright (C) 2011 Nathanael C. Fritz
|
2011-06-30 22:40:22 +00:00
|
|
|
This file is part of SleekXMPP.
|
|
|
|
|
|
|
|
See the file LICENSE for copying permission.
|
|
|
|
"""
|
|
|
|
|
2012-08-14 18:06:36 +00:00
|
|
|
import ssl
|
2011-06-30 22:40:22 +00:00
|
|
|
import logging
|
|
|
|
|
2012-07-30 00:22:16 +00:00
|
|
|
from sleekxmpp.util import sasl
|
|
|
|
from sleekxmpp.util.stringprep_profiles import StringPrepError
|
2011-07-03 06:09:29 +00:00
|
|
|
from sleekxmpp.stanza import StreamFeatures
|
|
|
|
from sleekxmpp.xmlstream import RestartStream, register_stanza_plugin
|
2012-03-13 02:50:27 +00:00
|
|
|
from sleekxmpp.plugins import BasePlugin
|
2012-02-17 22:59:56 +00:00
|
|
|
from sleekxmpp.xmlstream.matcher import MatchXPath
|
|
|
|
from sleekxmpp.xmlstream.handler import Callback
|
2011-07-03 04:43:02 +00:00
|
|
|
from sleekxmpp.features.feature_mechanisms import stanza
|
2011-06-30 22:40:22 +00:00
|
|
|
|
|
|
|
|
|
|
|
log = logging.getLogger(__name__)
|
|
|
|
|
|
|
|
|
2012-03-13 02:50:27 +00:00
|
|
|
class FeatureMechanisms(BasePlugin):
|
2011-06-30 22:40:22 +00:00
|
|
|
|
2012-03-13 02:50:27 +00:00
|
|
|
name = 'feature_mechanisms'
|
|
|
|
description = 'RFC 6120: Stream Feature: SASL'
|
|
|
|
dependencies = set()
|
|
|
|
stanza = stanza
|
2012-07-27 06:04:16 +00:00
|
|
|
default_config = {
|
|
|
|
'use_mech': None,
|
2012-07-30 00:22:16 +00:00
|
|
|
'use_mechs': None,
|
|
|
|
'min_mech': None,
|
2012-07-27 06:04:16 +00:00
|
|
|
'sasl_callback': None,
|
2012-07-30 00:22:16 +00:00
|
|
|
'security_callback': None,
|
|
|
|
'encrypted_plain': True,
|
|
|
|
'unencrypted_plain': False,
|
|
|
|
'unencrypted_digest': False,
|
|
|
|
'unencrypted_cram': False,
|
|
|
|
'unencrypted_scram': True,
|
2012-07-27 06:04:16 +00:00
|
|
|
'order': 100
|
|
|
|
}
|
2011-06-30 22:40:22 +00:00
|
|
|
|
2012-03-13 02:50:27 +00:00
|
|
|
def plugin_init(self):
|
2012-07-27 06:04:16 +00:00
|
|
|
if self.sasl_callback is None:
|
2012-07-30 00:22:16 +00:00
|
|
|
self.sasl_callback = self._default_credentials
|
2011-08-04 00:00:51 +00:00
|
|
|
|
2012-07-30 00:22:16 +00:00
|
|
|
if self.security_callback is None:
|
|
|
|
self.security_callback = self._default_security
|
2011-08-04 00:00:51 +00:00
|
|
|
|
2012-11-28 00:53:43 +00:00
|
|
|
creds = self.sasl_callback(set(['username']), set())
|
|
|
|
if not self.use_mech and not creds['username']:
|
|
|
|
self.use_mech = 'ANONYMOUS'
|
|
|
|
|
2012-07-30 00:22:16 +00:00
|
|
|
self.mech = None
|
2012-01-20 10:01:08 +00:00
|
|
|
self.mech_list = set()
|
|
|
|
self.attempted_mechs = set()
|
|
|
|
|
2011-07-03 06:09:29 +00:00
|
|
|
register_stanza_plugin(StreamFeatures, stanza.Mechanisms)
|
2011-08-04 00:00:51 +00:00
|
|
|
|
2011-07-03 04:43:02 +00:00
|
|
|
self.xmpp.register_stanza(stanza.Success)
|
|
|
|
self.xmpp.register_stanza(stanza.Failure)
|
|
|
|
self.xmpp.register_stanza(stanza.Auth)
|
2011-08-04 00:00:51 +00:00
|
|
|
self.xmpp.register_stanza(stanza.Challenge)
|
|
|
|
self.xmpp.register_stanza(stanza.Response)
|
2012-01-21 08:19:08 +00:00
|
|
|
self.xmpp.register_stanza(stanza.Abort)
|
2011-06-30 22:40:22 +00:00
|
|
|
|
|
|
|
self.xmpp.register_handler(
|
|
|
|
Callback('SASL Success',
|
2011-07-03 04:43:02 +00:00
|
|
|
MatchXPath(stanza.Success.tag_name()),
|
2011-06-30 22:40:22 +00:00
|
|
|
self._handle_success,
|
2012-01-20 10:01:08 +00:00
|
|
|
instream=True))
|
2011-06-30 22:40:22 +00:00
|
|
|
self.xmpp.register_handler(
|
|
|
|
Callback('SASL Failure',
|
2011-07-03 04:43:02 +00:00
|
|
|
MatchXPath(stanza.Failure.tag_name()),
|
2011-06-30 22:40:22 +00:00
|
|
|
self._handle_fail,
|
2012-01-20 10:01:08 +00:00
|
|
|
instream=True))
|
2011-08-04 00:00:51 +00:00
|
|
|
self.xmpp.register_handler(
|
|
|
|
Callback('SASL Challenge',
|
|
|
|
MatchXPath(stanza.Challenge.tag_name()),
|
|
|
|
self._handle_challenge))
|
2011-06-30 22:40:22 +00:00
|
|
|
|
2012-01-18 19:51:00 +00:00
|
|
|
self.xmpp.register_feature('mechanisms',
|
|
|
|
self._handle_sasl_auth,
|
|
|
|
restart=True,
|
2012-07-27 06:04:16 +00:00
|
|
|
order=self.order)
|
2011-06-30 22:40:22 +00:00
|
|
|
|
2012-07-30 00:22:16 +00:00
|
|
|
def _default_credentials(self, required_values, optional_values):
|
|
|
|
creds = self.xmpp.credentials
|
|
|
|
result = {}
|
|
|
|
values = required_values.union(optional_values)
|
|
|
|
for value in values:
|
|
|
|
if value == 'username':
|
2012-11-28 00:53:04 +00:00
|
|
|
result[value] = creds.get('username', self.xmpp.requested_jid.user)
|
2012-07-30 00:22:16 +00:00
|
|
|
elif value == 'email':
|
2012-08-17 17:17:35 +00:00
|
|
|
jid = self.xmpp.requested_jid.bare
|
2012-07-30 00:22:16 +00:00
|
|
|
result[value] = creds.get('email', jid)
|
|
|
|
elif value == 'channel_binding':
|
2012-12-03 20:42:30 +00:00
|
|
|
if hasattr(self.xmpp.socket, 'get_channel_binding'):
|
2012-08-01 16:04:58 +00:00
|
|
|
result[value] = self.xmpp.socket.get_channel_binding()
|
2012-07-30 00:22:16 +00:00
|
|
|
else:
|
2013-09-22 02:10:12 +00:00
|
|
|
log.debug("Channel binding not supported.")
|
|
|
|
log.debug("Use Python 3.3+ for channel binding and " + \
|
|
|
|
"SCRAM-SHA-1-PLUS support")
|
2012-07-30 00:22:16 +00:00
|
|
|
result[value] = None
|
|
|
|
elif value == 'host':
|
2012-11-28 00:53:04 +00:00
|
|
|
result[value] = creds.get('host', self.xmpp.requested_jid.domain)
|
2012-07-30 00:22:16 +00:00
|
|
|
elif value == 'realm':
|
2012-11-28 00:53:04 +00:00
|
|
|
result[value] = creds.get('realm', self.xmpp.requested_jid.domain)
|
2012-07-30 00:22:16 +00:00
|
|
|
elif value == 'service-name':
|
2012-11-28 00:53:04 +00:00
|
|
|
result[value] = creds.get('service-name', self.xmpp._service_name)
|
2012-07-30 00:22:16 +00:00
|
|
|
elif value == 'service':
|
2012-11-28 00:53:04 +00:00
|
|
|
result[value] = creds.get('service', 'xmpp')
|
2012-07-30 00:22:16 +00:00
|
|
|
elif value in creds:
|
|
|
|
result[value] = creds[value]
|
|
|
|
return result
|
|
|
|
|
|
|
|
def _default_security(self, values):
|
|
|
|
result = {}
|
|
|
|
for value in values:
|
|
|
|
if value == 'encrypted':
|
2012-08-14 18:06:36 +00:00
|
|
|
if 'starttls' in self.xmpp.features:
|
|
|
|
result[value] = True
|
|
|
|
elif isinstance(self.xmpp.socket, ssl.SSLSocket):
|
|
|
|
result[value] = True
|
|
|
|
else:
|
|
|
|
result[value] = False
|
2012-07-30 00:22:16 +00:00
|
|
|
else:
|
|
|
|
result[value] = self.config.get(value, False)
|
|
|
|
return result
|
|
|
|
|
2011-06-30 22:40:22 +00:00
|
|
|
def _handle_sasl_auth(self, features):
|
|
|
|
"""
|
|
|
|
Handle authenticating using SASL.
|
|
|
|
|
|
|
|
Arguments:
|
|
|
|
features -- The stream features stanza.
|
|
|
|
"""
|
2011-07-03 05:30:34 +00:00
|
|
|
if 'mechanisms' in self.xmpp.features:
|
|
|
|
# SASL authentication has already succeeded, but the
|
|
|
|
# server has incorrectly offered it again.
|
|
|
|
return False
|
|
|
|
|
2012-07-30 00:22:16 +00:00
|
|
|
enforce_limit = False
|
|
|
|
limited_mechs = self.use_mechs
|
|
|
|
|
|
|
|
if limited_mechs is None:
|
|
|
|
limited_mechs = set()
|
|
|
|
elif limited_mechs and not isinstance(limited_mechs, set):
|
|
|
|
limited_mechs = set(limited_mechs)
|
|
|
|
enforce_limit = True
|
|
|
|
|
|
|
|
if self.use_mech:
|
|
|
|
limited_mechs.add(self.use_mech)
|
|
|
|
enforce_limit = True
|
|
|
|
|
|
|
|
if enforce_limit:
|
|
|
|
self.use_mechs = limited_mechs
|
|
|
|
|
|
|
|
self.mech_list = set(features['mechanisms'])
|
|
|
|
|
2012-01-20 10:01:08 +00:00
|
|
|
return self._send_auth()
|
|
|
|
|
|
|
|
def _send_auth(self):
|
|
|
|
mech_list = self.mech_list - self.attempted_mechs
|
2012-07-30 00:22:16 +00:00
|
|
|
try:
|
|
|
|
self.mech = sasl.choose(mech_list,
|
|
|
|
self.sasl_callback,
|
|
|
|
self.security_callback,
|
|
|
|
limit=self.use_mechs,
|
|
|
|
min_mech=self.min_mech)
|
|
|
|
except sasl.SASLNoAppropriateMechanism:
|
2011-06-30 22:40:22 +00:00
|
|
|
log.error("No appropriate login method.")
|
|
|
|
self.xmpp.event("no_auth", direct=True)
|
2013-03-28 17:52:18 +00:00
|
|
|
self.xmpp.event("failed_auth", direct=True)
|
2012-04-11 16:53:22 +00:00
|
|
|
self.attempted_mechs = set()
|
2012-07-30 00:22:16 +00:00
|
|
|
return self.xmpp.disconnect()
|
2013-01-24 10:45:28 +00:00
|
|
|
except StringPrepError:
|
|
|
|
log.exception("A credential value did not pass SASLprep.")
|
|
|
|
self.xmpp.disconnect()
|
2012-07-30 00:22:16 +00:00
|
|
|
|
|
|
|
resp = stanza.Auth(self.xmpp)
|
|
|
|
resp['mechanism'] = self.mech.name
|
|
|
|
try:
|
|
|
|
resp['value'] = self.mech.process()
|
|
|
|
except sasl.SASLCancelled:
|
|
|
|
self.attempted_mechs.add(self.mech.name)
|
|
|
|
self._send_auth()
|
|
|
|
except sasl.SASLFailed:
|
|
|
|
self.attempted_mechs.add(self.mech.name)
|
|
|
|
self._send_auth()
|
|
|
|
except sasl.SASLMutualAuthFailed:
|
|
|
|
log.error("Mutual authentication failed! " + \
|
|
|
|
"A security breach is possible.")
|
|
|
|
self.attempted_mechs.add(self.mech.name)
|
|
|
|
self.xmpp.disconnect()
|
|
|
|
else:
|
|
|
|
resp.send(now=True)
|
|
|
|
|
2011-06-30 22:40:22 +00:00
|
|
|
return True
|
|
|
|
|
2011-08-04 00:00:51 +00:00
|
|
|
def _handle_challenge(self, stanza):
|
|
|
|
"""SASL challenge received. Process and send response."""
|
|
|
|
resp = self.stanza.Response(self.xmpp)
|
2012-01-21 08:19:08 +00:00
|
|
|
try:
|
|
|
|
resp['value'] = self.mech.process(stanza['value'])
|
2012-07-30 00:22:16 +00:00
|
|
|
except sasl.SASLCancelled:
|
2012-01-21 08:19:08 +00:00
|
|
|
self.stanza.Abort(self.xmpp).send()
|
2012-07-30 00:22:16 +00:00
|
|
|
except sasl.SASLFailed:
|
2012-01-21 08:19:08 +00:00
|
|
|
self.stanza.Abort(self.xmpp).send()
|
2012-07-30 00:22:16 +00:00
|
|
|
except sasl.SASLMutualAuthFailed:
|
|
|
|
log.error("Mutual authentication failed! " + \
|
|
|
|
"A security breach is possible.")
|
|
|
|
self.attempted_mechs.add(self.mech.name)
|
|
|
|
self.xmpp.disconnect()
|
2012-01-21 08:19:08 +00:00
|
|
|
else:
|
2014-05-14 21:32:51 +00:00
|
|
|
if resp.get_value() == '':
|
|
|
|
resp.del_value()
|
2012-01-21 08:19:08 +00:00
|
|
|
resp.send(now=True)
|
2011-08-04 00:00:51 +00:00
|
|
|
|
2011-06-30 22:40:22 +00:00
|
|
|
def _handle_success(self, stanza):
|
|
|
|
"""SASL authentication succeeded. Restart the stream."""
|
2012-07-30 00:22:16 +00:00
|
|
|
try:
|
|
|
|
final = self.mech.process(stanza['value'])
|
|
|
|
except sasl.SASLMutualAuthFailed:
|
|
|
|
log.error("Mutual authentication failed! " + \
|
|
|
|
"A security breach is possible.")
|
|
|
|
self.attempted_mechs.add(self.mech.name)
|
|
|
|
self.xmpp.disconnect()
|
|
|
|
else:
|
|
|
|
self.attempted_mechs = set()
|
|
|
|
self.xmpp.authenticated = True
|
|
|
|
self.xmpp.features.add('mechanisms')
|
|
|
|
self.xmpp.event('auth_success', stanza, direct=True)
|
|
|
|
raise RestartStream()
|
2011-06-30 22:40:22 +00:00
|
|
|
|
|
|
|
def _handle_fail(self, stanza):
|
|
|
|
"""SASL authentication failed. Disconnect and shutdown."""
|
2012-01-21 08:19:08 +00:00
|
|
|
self.attempted_mechs.add(self.mech.name)
|
2011-11-19 20:07:57 +00:00
|
|
|
log.info("Authentication failed: %s", stanza['condition'])
|
2013-03-28 18:41:00 +00:00
|
|
|
self.xmpp.event("failed_auth", stanza, direct=True)
|
2012-01-20 10:01:08 +00:00
|
|
|
self._send_auth()
|
2011-06-30 22:40:22 +00:00
|
|
|
return True
|