Coverage for deluge/ui/web/auth : 0%
Hot-keys on this page
r m x p toggle line displays
j k next/prev highlighted chunk
0 (zero) top of page
1 (one) first highlighted chunk
|
# -*- coding: utf-8 -*- # # Copyright (C) 2009 Damien Churchill <damoxc@gmail.com> # # This file is part of Deluge and is licensed under GNU General Public License 3.0, or later, with # the additional special exception to link portions of this program with the OpenSSL library. # See LICENSE for more details. #
import hashlib import logging import random import time from datetime import datetime, timedelta from email.utils import formatdate from functools import reduce
from twisted.internet.task import LoopingCall
from deluge import component from deluge.common import utf8_encoded
log = logging.getLogger(__name__)
AUTH_LEVEL_NONE = 0 AUTH_LEVEL_READONLY = 1 AUTH_LEVEL_NORMAL = 5 AUTH_LEVEL_ADMIN = 10
AUTH_LEVEL_DEFAULT = AUTH_LEVEL_NORMAL
class AuthError(Exception): """ An exception that might be raised when checking a request for authentication. """ pass
# Import after as json_api imports the above AuthError and AUTH_LEVEL_DEFAULT from deluge.ui.web.json_api import export, JSONComponent # isort:skip
def make_checksum(session_id): return reduce(lambda x, y: x + y, map(ord, session_id))
def get_session_id(session_id): """ Checks a session id against its checksum """ if not session_id: return None
try: checksum = int(session_id[-4:]) session_id = session_id[:-4]
if checksum == make_checksum(session_id): return session_id return None except Exception as ex: log.exception(ex) return None
def make_expires(timeout): dt = timedelta(seconds=timeout) expires = time.mktime((datetime.now() + dt).timetuple()) expires_str = formatdate(timeval=expires, localtime=False, usegmt=True) return expires, expires_str
class Auth(JSONComponent): """ The component that implements authentification into the JSON interface. """
def __init__(self): super(Auth, self).__init__("Auth") self.worker = LoopingCall(self._clean_sessions) self.worker.start(5)
def _clean_sessions(self): config = component.get("DelugeWeb").config session_ids = config["sessions"].keys()
now = time.gmtime() for session_id in session_ids: session = config["sessions"][session_id]
if "expires" not in session: del config["sessions"][session_id] continue
if time.gmtime(session["expires"]) < now: del config["sessions"][session_id] continue
def _create_session(self, request, login='admin'): """ Creates a new session.
:keyword login: the username of the user logging in, currently \ only for future use currently. :type login: string """ m = hashlib.md5() m.update(login) m.update(str(time.time())) m.update(str(random.getrandbits(40))) m.update(m.hexdigest()) session_id = m.hexdigest()
config = component.get("DelugeWeb").config
expires, expires_str = make_expires(config["session_timeout"]) checksum = str(make_checksum(session_id))
request.addCookie('_session_id', session_id + checksum, path=request.base + "json", expires=expires_str)
log.debug("Creating session for %s", login) config = component.get("DelugeWeb").config
if type(config["sessions"]) is list: config.config["sessions"] = {}
config["sessions"][session_id] = { "login": login, "level": AUTH_LEVEL_ADMIN, "expires": expires } return True
def check_password(self, password): config = component.get("DelugeWeb").config if "pwd_md5" in config.config: # We are using the 1.2-dev auth method log.debug("Received a password via the 1.2-dev auth method") m = hashlib.md5() m.update(config["pwd_salt"]) m.update(utf8_encoded(password)) if m.hexdigest() == config['pwd_md5']: # We want to move the password over to sha1 and remove # the old passwords from the config file. self._change_password(password) del config.config["pwd_md5"]
# Remove the older password if there is now. if "old_pwd_md5" in config.config: del config.config["old_pwd_salt"] del config.config["old_pwd_md5"]
return True
elif "old_pwd_md5" in config.config: # We are using the 1.1 webui auth method log.debug("Received a password via the 1.1 auth method") from base64 import decodestring m = hashlib.md5() m.update(decodestring(config["old_pwd_salt"])) m.update(utf8_encoded(password)) if m.digest() == decodestring(config["old_pwd_md5"]):
# We want to move the password over to sha1 and remove # the old passwords from the config file. self._change_password(password) del config.config["old_pwd_salt"] del config.config["old_pwd_md5"]
return True
elif "pwd_sha1" in config.config: # We are using the 1.2 auth method log.debug("Received a password via the 1.2 auth method") s = hashlib.sha1() s.update(config["pwd_salt"]) s.update(utf8_encoded(password)) if s.hexdigest() == config["pwd_sha1"]: return True
else: # Can't detect which method we should be using so just deny # access. log.debug("Failed to detect the login method") return False
def check_request(self, request, method=None, level=None): """ Check to ensure that a request is authorised to call the specified method of authentication level.
:param request: The HTTP request in question :type request: twisted.web.http.Request :keyword method: Check the specified method :type method: function :keyword level: Check the specified auth level :type level: integer
:raises: Exception """
config = component.get("DelugeWeb").config session_id = get_session_id(request.getCookie("_session_id"))
if session_id not in config["sessions"]: auth_level = AUTH_LEVEL_NONE session_id = None else: session = config["sessions"][session_id] auth_level = session["level"] expires, expires_str = make_expires(config["session_timeout"]) session["expires"] = expires
_session_id = request.getCookie("_session_id") request.addCookie('_session_id', _session_id, path=request.base + "json", expires=expires_str)
if method: if not hasattr(method, "_json_export"): raise Exception("Not an exported method")
method_level = getattr(method, "_json_auth_level") if method_level is None: raise Exception("Method has no auth level")
level = method_level
if level is None: raise Exception("No level specified to check against")
request.auth_level = auth_level request.session_id = session_id
if auth_level < level: raise AuthError("Not authenticated")
def _change_password(self, new_password): """ Change the password. This is to allow the UI to change/reset a password.
:param new_password: the password to change to :type new_password: string """ log.debug("Changing password") salt = hashlib.sha1(str(random.getrandbits(40))).hexdigest() s = hashlib.sha1(salt) s.update(utf8_encoded(new_password)) config = component.get("DelugeWeb").config config["pwd_salt"] = salt config["pwd_sha1"] = s.hexdigest() return True
@export def change_password(self, old_password, new_password): """ Change the password.
:param old_password: the current password :type old_password: string :param new_password: the password to change to :type new_password: string """ if not self.check_password(old_password): return False return self._change_password(new_password)
@export(AUTH_LEVEL_NONE) def check_session(self, session_id=None): """ Check a session to see if it's still valid.
:returns: True if the session is valid, False if not. :rtype: booleon """ return __request__.session_id is not None
@export def delete_session(self): """ Removes a session.
:param session_id: the id for the session to remove :type session_id: string """ config = component.get("DelugeWeb").config del config["sessions"][__request__.session_id] return True
@export(AUTH_LEVEL_NONE) def login(self, password): """ Test a password to see if it's valid.
:param password: the password to test :type password: string :returns: a session id or False :rtype: string or False """ if self.check_password(password): return self._create_session(__request__) else: log.error('Login failed (ClientIP %s)', __request__.getClientIP()) return False |