slixmpp/sleekxmpp/features/feature_mechanisms/mechanisms.py

"""
    SleekXMPP: The Sleek XMPP Library
    Copyright (C) 2011  Nathanael C. Fritz
    This file is part of SleekXMPP.

    See the file LICENSE for copying permission.
"""

import sys
import logging

from sleekxmpp.util import sasl
from sleekxmpp.util.stringprep_profiles import StringPrepError
from sleekxmpp.stanza import StreamFeatures
from sleekxmpp.xmlstream import RestartStream, register_stanza_plugin
from sleekxmpp.plugins import BasePlugin
from sleekxmpp.xmlstream.matcher import MatchXPath
from sleekxmpp.xmlstream.handler import Callback
from sleekxmpp.features.feature_mechanisms import stanza


log = logging.getLogger(__name__)


class FeatureMechanisms(BasePlugin):

    name = 'feature_mechanisms'
    description = 'RFC 6120: Stream Feature: SASL'
    dependencies = set()
    stanza = stanza
    default_config = {
        'use_mech': None,
        'use_mechs': None,
        'min_mech': None,
        'sasl_callback': None,
        'security_callback': None,
        'encrypted_plain': True,
        'unencrypted_plain': False,
        'unencrypted_digest': False,
        'unencrypted_cram': False,
        'unencrypted_scram': True,
        'order': 100
    }

    def plugin_init(self):
        if not self.use_mech and not self.xmpp.boundjid.user:
            self.use_mech = 'ANONYMOUS'

        if self.sasl_callback is None:
            self.sasl_callback = self._default_credentials

        if self.security_callback is None:
            self.security_callback = self._default_security

        self.mech = None
        self.mech_list = set()
        self.attempted_mechs = set()

        register_stanza_plugin(StreamFeatures, stanza.Mechanisms)

        self.xmpp.register_stanza(stanza.Success)
        self.xmpp.register_stanza(stanza.Failure)
        self.xmpp.register_stanza(stanza.Auth)
        self.xmpp.register_stanza(stanza.Challenge)
        self.xmpp.register_stanza(stanza.Response)
        self.xmpp.register_stanza(stanza.Abort)

        self.xmpp.register_handler(
                Callback('SASL Success',
                         MatchXPath(stanza.Success.tag_name()),
                         self._handle_success,
                         instream=True))
        self.xmpp.register_handler(
                Callback('SASL Failure',
                         MatchXPath(stanza.Failure.tag_name()),
                         self._handle_fail,
                         instream=True))
        self.xmpp.register_handler(
                Callback('SASL Challenge',
                         MatchXPath(stanza.Challenge.tag_name()),
                         self._handle_challenge))

        self.xmpp.register_feature('mechanisms',
                self._handle_sasl_auth,
                restart=True,
                order=self.order)

    def _default_credentials(self, required_values, optional_values):
        creds = self.xmpp.credentials
        result = {}
        values = required_values.union(optional_values)
        for value in values:
            if value == 'username':
                result[value] = self.xmpp.boundjid.user
            elif value == 'password':
                result[value] = creds['password']
            elif value == 'authzid':
                result[value] = creds.get('authzid', '')
            elif value == 'email':
                jid = self.xmpp.boundjid.bare
                result[value] = creds.get('email', jid)
            elif value == 'channel_binding':
                if sys.version_info >= (3, 3):
                    result[value] = self.xmpp.socket.get_channel_binding()
                else:
                    result[value] = None
            elif value == 'host':
                result[value] = self.xmpp.boundjid.domain
            elif value == 'realm':
                result[value] = self.xmpp.boundjid.domain
            elif value == 'service-name':
                result[value] = self.xmpp._service_name
            elif value == 'service':
                result[value] = 'xmpp'
            elif value in creds:
                result[value] = creds[value]
        return result

    def _default_security(self, values):
        result = {}
        for value in values:
            if value == 'encrypted':
                result[value] = 'starttls' in self.xmpp.features
            else:
                result[value] = self.config.get(value, False)
        return result

    def _handle_sasl_auth(self, features):
        """
        Handle authenticating using SASL.

        Arguments:
            features -- The stream features stanza.
        """
        if 'mechanisms' in self.xmpp.features:
            # SASL authentication has already succeeded, but the
            # server has incorrectly offered it again.
            return False

        enforce_limit = False
        limited_mechs = self.use_mechs

        if limited_mechs is None:
            limited_mechs = set()
        elif limited_mechs and not isinstance(limited_mechs, set):
            limited_mechs = set(limited_mechs)
            enforce_limit = True

        if self.use_mech:
            limited_mechs.add(self.use_mech)
            enforce_limit = True

        if enforce_limit:
            self.use_mechs = limited_mechs

        self.mech_list = set(features['mechanisms'])

        return self._send_auth()

    def _send_auth(self):
        mech_list = self.mech_list - self.attempted_mechs
        try:
            self.mech = sasl.choose(mech_list,
                                    self.sasl_callback,
                                    self.security_callback,
                                    limit=self.use_mechs,
                                    min_mech=self.min_mech)
        except sasl.SASLNoAppropriateMechanism:
            log.error("No appropriate login method.")
            self.xmpp.event("no_auth", direct=True)
            self.attempted_mechs = set()
            return self.xmpp.disconnect()

        resp = stanza.Auth(self.xmpp)
        resp['mechanism'] = self.mech.name
        try:
            resp['value'] = self.mech.process()
        except sasl.SASLCancelled:
            self.attempted_mechs.add(self.mech.name)
            self._send_auth()
        except sasl.SASLFailed:
            self.attempted_mechs.add(self.mech.name)
            self._send_auth()
        except sasl.SASLMutualAuthFailed:
            log.error("Mutual authentication failed! " + \
                      "A security breach is possible.")
            self.attempted_mechs.add(self.mech.name)
            self.xmpp.disconnect()
        except StringPrepError:
            log.exception("A credential value did not pass SASLprep.")
            self.xmpp.disconnect()
        else:
            resp.send(now=True)

        return True

    def _handle_challenge(self, stanza):
        """SASL challenge received. Process and send response."""
        resp = self.stanza.Response(self.xmpp)
        try:
            resp['value'] = self.mech.process(stanza['value'])
        except sasl.SASLCancelled:
            self.stanza.Abort(self.xmpp).send()
        except sasl.SASLFailed:
            self.stanza.Abort(self.xmpp).send()
        except sasl.SASLMutualAuthFailed:
            log.error("Mutual authentication failed! " + \
                      "A security breach is possible.")
            self.attempted_mechs.add(self.mech.name)
            self.xmpp.disconnect()
        else:
            resp.send(now=True)

    def _handle_success(self, stanza):
        """SASL authentication succeeded. Restart the stream."""
        try:
            final = self.mech.process(stanza['value'])
        except sasl.SASLMutualAuthFailed:
            log.error("Mutual authentication failed! " + \
                      "A security breach is possible.")
            self.attempted_mechs.add(self.mech.name)
            self.xmpp.disconnect()
        else:
            self.attempted_mechs = set()
            self.xmpp.authenticated = True
            self.xmpp.features.add('mechanisms')
            self.xmpp.event('auth_success', stanza, direct=True)
            raise RestartStream()

    def _handle_fail(self, stanza):
        """SASL authentication failed. Disconnect and shutdown."""
        self.attempted_mechs.add(self.mech.name)
        log.info("Authentication failed: %s", stanza['condition'])
        self.xmpp.event("failed_auth", stanza, direct=True)
        self._send_auth()
        return True
Reorganize features into plugins. 2011-06-30 22:40:22 +00:00			`"""`
			`SleekXMPP: The Sleek XMPP Library`
It isn't 2010 anymore. I keep forgetting to update the copyright on new code. 2011-07-03 05:49:34 +00:00			`Copyright (C) 2011 Nathanael C. Fritz`
Reorganize features into plugins. 2011-06-30 22:40:22 +00:00			`This file is part of SleekXMPP.`

			`See the file LICENSE for copying permission.`
			`"""`

Update and integrate Suelta. 2012-07-30 00:22:16 +00:00			`import sys`
Reorganize features into plugins. 2011-06-30 22:40:22 +00:00			`import logging`

Update and integrate Suelta. 2012-07-30 00:22:16 +00:00			`from sleekxmpp.util import sasl`
			`from sleekxmpp.util.stringprep_profiles import StringPrepError`
SASL failure event now includes the failure stanza. Broke SASL stanzas into separate files. Fixed typo in feature_bind. 2011-07-03 06:09:29 +00:00			`from sleekxmpp.stanza import StreamFeatures`
			`from sleekxmpp.xmlstream import RestartStream, register_stanza_plugin`
Move feature_mechanisms to new system. 2012-03-13 02:50:27 +00:00			`from sleekxmpp.plugins import BasePlugin`
More extraneous import cleanup. 2012-02-17 22:59:56 +00:00			`from sleekxmpp.xmlstream.matcher import MatchXPath`
			`from sleekxmpp.xmlstream.handler import Callback`
Finish cleaning up stream feature organization. Fixed missing references that weren't caught due to leftover pyc file allowing tests to keep working when they shouldn't have. 2011-07-03 04:43:02 +00:00			`from sleekxmpp.features.feature_mechanisms import stanza`
Reorganize features into plugins. 2011-06-30 22:40:22 +00:00

			`log = logging.getLogger(__name__)`


Move feature_mechanisms to new system. 2012-03-13 02:50:27 +00:00			`class FeatureMechanisms(BasePlugin):`
Reorganize features into plugins. 2011-06-30 22:40:22 +00:00
Move feature_mechanisms to new system. 2012-03-13 02:50:27 +00:00			`name = 'feature_mechanisms'`
			`description = 'RFC 6120: Stream Feature: SASL'`
			`dependencies = set()`
			`stanza = stanza`
Enhance plugin config with attribute accessors. This makes updating the config after plugin initialization much easier. 2012-07-27 06:04:16 +00:00			`default_config = {`
			`'use_mech': None,`
Update and integrate Suelta. 2012-07-30 00:22:16 +00:00			`'use_mechs': None,`
			`'min_mech': None,`
Enhance plugin config with attribute accessors. This makes updating the config after plugin initialization much easier. 2012-07-27 06:04:16 +00:00			`'sasl_callback': None,`
Update and integrate Suelta. 2012-07-30 00:22:16 +00:00			`'security_callback': None,`
			`'encrypted_plain': True,`
			`'unencrypted_plain': False,`
			`'unencrypted_digest': False,`
			`'unencrypted_cram': False,`
			`'unencrypted_scram': True,`
Enhance plugin config with attribute accessors. This makes updating the config after plugin initialization much easier. 2012-07-27 06:04:16 +00:00			`'order': 100`
			`}`
Reorganize features into plugins. 2011-06-30 22:40:22 +00:00
Move feature_mechanisms to new system. 2012-03-13 02:50:27 +00:00			`def plugin_init(self):`
Explicitly set the desired SASL mech to ANONYMOUS if no username is provided. 2012-03-13 19:24:41 +00:00			`if not self.use_mech and not self.xmpp.boundjid.user:`
			`self.use_mech = 'ANONYMOUS'`

Enhance plugin config with attribute accessors. This makes updating the config after plugin initialization much easier. 2012-07-27 06:04:16 +00:00			`if self.sasl_callback is None:`
Update and integrate Suelta. 2012-07-30 00:22:16 +00:00			`self.sasl_callback = self._default_credentials`
Integrate a modified version of Dave Cridland's Suelta SASL library. 2011-08-04 00:00:51 +00:00
Update and integrate Suelta. 2012-07-30 00:22:16 +00:00			`if self.security_callback is None:`
			`self.security_callback = self._default_security`
Integrate a modified version of Dave Cridland's Suelta SASL library. 2011-08-04 00:00:51 +00:00
Update and integrate Suelta. 2012-07-30 00:22:16 +00:00			`self.mech = None`
Allow attempting multiple SASL mechs during a single stream. Instead of disconnecting when the first chosen mech fails, we will try all of them once. 2012-01-20 10:01:08 +00:00			`self.mech_list = set()`
			`self.attempted_mechs = set()`

SASL failure event now includes the failure stanza. Broke SASL stanzas into separate files. Fixed typo in feature_bind. 2011-07-03 06:09:29 +00:00			`register_stanza_plugin(StreamFeatures, stanza.Mechanisms)`
Integrate a modified version of Dave Cridland's Suelta SASL library. 2011-08-04 00:00:51 +00:00
Finish cleaning up stream feature organization. Fixed missing references that weren't caught due to leftover pyc file allowing tests to keep working when they shouldn't have. 2011-07-03 04:43:02 +00:00			`self.xmpp.register_stanza(stanza.Success)`
			`self.xmpp.register_stanza(stanza.Failure)`
			`self.xmpp.register_stanza(stanza.Auth)`
Integrate a modified version of Dave Cridland's Suelta SASL library. 2011-08-04 00:00:51 +00:00			`self.xmpp.register_stanza(stanza.Challenge)`
			`self.xmpp.register_stanza(stanza.Response)`
Handle SASLCancelled and SASLError exceptions. 2012-01-21 08:19:08 +00:00			`self.xmpp.register_stanza(stanza.Abort)`
Reorganize features into plugins. 2011-06-30 22:40:22 +00:00
			`self.xmpp.register_handler(`
			`Callback('SASL Success',`
Finish cleaning up stream feature organization. Fixed missing references that weren't caught due to leftover pyc file allowing tests to keep working when they shouldn't have. 2011-07-03 04:43:02 +00:00			`MatchXPath(stanza.Success.tag_name()),`
Reorganize features into plugins. 2011-06-30 22:40:22 +00:00			`self._handle_success,`
Allow attempting multiple SASL mechs during a single stream. Instead of disconnecting when the first chosen mech fails, we will try all of them once. 2012-01-20 10:01:08 +00:00			`instream=True))`
Reorganize features into plugins. 2011-06-30 22:40:22 +00:00			`self.xmpp.register_handler(`
			`Callback('SASL Failure',`
Finish cleaning up stream feature organization. Fixed missing references that weren't caught due to leftover pyc file allowing tests to keep working when they shouldn't have. 2011-07-03 04:43:02 +00:00			`MatchXPath(stanza.Failure.tag_name()),`
Reorganize features into plugins. 2011-06-30 22:40:22 +00:00			`self._handle_fail,`
Allow attempting multiple SASL mechs during a single stream. Instead of disconnecting when the first chosen mech fails, we will try all of them once. 2012-01-20 10:01:08 +00:00			`instream=True))`
Integrate a modified version of Dave Cridland's Suelta SASL library. 2011-08-04 00:00:51 +00:00			`self.xmpp.register_handler(`
			`Callback('SASL Challenge',`
			`MatchXPath(stanza.Challenge.tag_name()),`
			`self._handle_challenge))`
Reorganize features into plugins. 2011-06-30 22:40:22 +00:00
Revert "Remove stream feature handlers on session_start." This reverts commit 4274f49ada77d709b931f65e34d3a64e75b81638. The SASL mech was choking on this, so let's send it back for some more refining. 2012-01-18 19:51:00 +00:00			`self.xmpp.register_feature('mechanisms',`
			`self._handle_sasl_auth,`
			`restart=True,`
Enhance plugin config with attribute accessors. This makes updating the config after plugin initialization much easier. 2012-07-27 06:04:16 +00:00			`order=self.order)`
Reorganize features into plugins. 2011-06-30 22:40:22 +00:00
Update and integrate Suelta. 2012-07-30 00:22:16 +00:00			`def _default_credentials(self, required_values, optional_values):`
			`creds = self.xmpp.credentials`
			`result = {}`
			`values = required_values.union(optional_values)`
			`for value in values:`
			`if value == 'username':`
			`result[value] = self.xmpp.boundjid.user`
			`elif value == 'password':`
			`result[value] = creds['password']`
Ensure default authzids are handled. 2012-08-02 20:47:06 +00:00			`elif value == 'authzid':`
			`result[value] = creds.get('authzid', '')`
Update and integrate Suelta. 2012-07-30 00:22:16 +00:00			`elif value == 'email':`
			`jid = self.xmpp.boundjid.bare`
			`result[value] = creds.get('email', jid)`
			`elif value == 'channel_binding':`
			`if sys.version_info >= (3, 3):`
Use correct method for getting channel binding. 2012-08-01 16:04:58 +00:00			`result[value] = self.xmpp.socket.get_channel_binding()`
Update and integrate Suelta. 2012-07-30 00:22:16 +00:00			`else:`
			`result[value] = None`
			`elif value == 'host':`
			`result[value] = self.xmpp.boundjid.domain`
			`elif value == 'realm':`
			`result[value] = self.xmpp.boundjid.domain`
			`elif value == 'service-name':`
Fix tracking service name for DIGEST-MD5 2012-08-10 19:40:28 +00:00			`result[value] = self.xmpp._service_name`
Update and integrate Suelta. 2012-07-30 00:22:16 +00:00			`elif value == 'service':`
			`result[value] = 'xmpp'`
			`elif value in creds:`
			`result[value] = creds[value]`
			`return result`

			`def _default_security(self, values):`
			`result = {}`
			`for value in values:`
			`if value == 'encrypted':`
			`result[value] = 'starttls' in self.xmpp.features`
			`else:`
			`result[value] = self.config.get(value, False)`
			`return result`

Reorganize features into plugins. 2011-06-30 22:40:22 +00:00			`def _handle_sasl_auth(self, features):`
			`"""`
			`Handle authenticating using SASL.`

			`Arguments:`
			`features -- The stream features stanza.`
			`"""`
Use a set to track negotiated features. Added guards to prevent renegotiating STARTTLS or SASL in cases where servers don't behave properly. 2011-07-03 05:30:34 +00:00			`if 'mechanisms' in self.xmpp.features:`
			`# SASL authentication has already succeeded, but the`
			`# server has incorrectly offered it again.`
			`return False`

Update and integrate Suelta. 2012-07-30 00:22:16 +00:00			`enforce_limit = False`
			`limited_mechs = self.use_mechs`

			`if limited_mechs is None:`
			`limited_mechs = set()`
			`elif limited_mechs and not isinstance(limited_mechs, set):`
			`limited_mechs = set(limited_mechs)`
			`enforce_limit = True`

			`if self.use_mech:`
			`limited_mechs.add(self.use_mech)`
			`enforce_limit = True`

			`if enforce_limit:`
			`self.use_mechs = limited_mechs`

			`self.mech_list = set(features['mechanisms'])`

Allow attempting multiple SASL mechs during a single stream. Instead of disconnecting when the first chosen mech fails, we will try all of them once. 2012-01-20 10:01:08 +00:00			`return self._send_auth()`

			`def _send_auth(self):`
			`mech_list = self.mech_list - self.attempted_mechs`
Update and integrate Suelta. 2012-07-30 00:22:16 +00:00			`try:`
			`self.mech = sasl.choose(mech_list,`
			`self.sasl_callback,`
			`self.security_callback,`
			`limit=self.use_mechs,`
			`min_mech=self.min_mech)`
			`except sasl.SASLNoAppropriateMechanism:`
Reorganize features into plugins. 2011-06-30 22:40:22 +00:00			`log.error("No appropriate login method.")`
			`self.xmpp.event("no_auth", direct=True)`
Reset attempted SASL mech set after no suitable mechs are found. 2012-04-11 16:53:22 +00:00			`self.attempted_mechs = set()`
Update and integrate Suelta. 2012-07-30 00:22:16 +00:00			`return self.xmpp.disconnect()`

			`resp = stanza.Auth(self.xmpp)`
			`resp['mechanism'] = self.mech.name`
			`try:`
			`resp['value'] = self.mech.process()`
			`except sasl.SASLCancelled:`
			`self.attempted_mechs.add(self.mech.name)`
			`self._send_auth()`
			`except sasl.SASLFailed:`
			`self.attempted_mechs.add(self.mech.name)`
			`self._send_auth()`
			`except sasl.SASLMutualAuthFailed:`
			`log.error("Mutual authentication failed! " + \`
			`"A security breach is possible.")`
			`self.attempted_mechs.add(self.mech.name)`
			`self.xmpp.disconnect()`
			`except StringPrepError:`
			`log.exception("A credential value did not pass SASLprep.")`
Reorganize features into plugins. 2011-06-30 22:40:22 +00:00			`self.xmpp.disconnect()`
Update and integrate Suelta. 2012-07-30 00:22:16 +00:00			`else:`
			`resp.send(now=True)`

Reorganize features into plugins. 2011-06-30 22:40:22 +00:00			`return True`

Integrate a modified version of Dave Cridland's Suelta SASL library. 2011-08-04 00:00:51 +00:00			`def _handle_challenge(self, stanza):`
			`"""SASL challenge received. Process and send response."""`
			`resp = self.stanza.Response(self.xmpp)`
Handle SASLCancelled and SASLError exceptions. 2012-01-21 08:19:08 +00:00			`try:`
			`resp['value'] = self.mech.process(stanza['value'])`
Update and integrate Suelta. 2012-07-30 00:22:16 +00:00			`except sasl.SASLCancelled:`
Handle SASLCancelled and SASLError exceptions. 2012-01-21 08:19:08 +00:00			`self.stanza.Abort(self.xmpp).send()`
Update and integrate Suelta. 2012-07-30 00:22:16 +00:00			`except sasl.SASLFailed:`
Handle SASLCancelled and SASLError exceptions. 2012-01-21 08:19:08 +00:00			`self.stanza.Abort(self.xmpp).send()`
Update and integrate Suelta. 2012-07-30 00:22:16 +00:00			`except sasl.SASLMutualAuthFailed:`
			`log.error("Mutual authentication failed! " + \`
			`"A security breach is possible.")`
			`self.attempted_mechs.add(self.mech.name)`
			`self.xmpp.disconnect()`
Handle SASLCancelled and SASLError exceptions. 2012-01-21 08:19:08 +00:00			`else:`
			`resp.send(now=True)`
Integrate a modified version of Dave Cridland's Suelta SASL library. 2011-08-04 00:00:51 +00:00
Reorganize features into plugins. 2011-06-30 22:40:22 +00:00			`def _handle_success(self, stanza):`
			`"""SASL authentication succeeded. Restart the stream."""`
Update and integrate Suelta. 2012-07-30 00:22:16 +00:00			`try:`
			`final = self.mech.process(stanza['value'])`
			`except sasl.SASLMutualAuthFailed:`
			`log.error("Mutual authentication failed! " + \`
			`"A security breach is possible.")`
			`self.attempted_mechs.add(self.mech.name)`
			`self.xmpp.disconnect()`
			`else:`
			`self.attempted_mechs = set()`
			`self.xmpp.authenticated = True`
			`self.xmpp.features.add('mechanisms')`
			`self.xmpp.event('auth_success', stanza, direct=True)`
			`raise RestartStream()`
Reorganize features into plugins. 2011-06-30 22:40:22 +00:00
			`def _handle_fail(self, stanza):`
			`"""SASL authentication failed. Disconnect and shutdown."""`
Handle SASLCancelled and SASLError exceptions. 2012-01-21 08:19:08 +00:00			`self.attempted_mechs.add(self.mech.name)`
Tidy up logging calls. 2011-11-19 20:07:57 +00:00			`log.info("Authentication failed: %s", stanza['condition'])`
SASL failure event now includes the failure stanza. Broke SASL stanzas into separate files. Fixed typo in feature_bind. 2011-07-03 06:09:29 +00:00			`self.xmpp.event("failed_auth", stanza, direct=True)`
Allow attempting multiple SASL mechs during a single stream. Instead of disconnecting when the first chosen mech fails, we will try all of them once. 2012-01-20 10:01:08 +00:00			`self._send_auth()`
Reorganize features into plugins. 2011-06-30 22:40:22 +00:00			`return True`