From 28dcbfbc6e3a61d47c2a1218bce5d2693c77d04d Mon Sep 17 00:00:00 2001 From: kali Date: Wed, 17 Oct 2012 06:14:57 +0900 Subject: moved srp registration to base and some minor changes in wizard, like textentry for provider. --- src/leap/base/auth.py | 87 +++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 87 insertions(+) create mode 100644 src/leap/base/auth.py (limited to 'src/leap/base') diff --git a/src/leap/base/auth.py b/src/leap/base/auth.py new file mode 100644 index 00000000..c34ad39b --- /dev/null +++ b/src/leap/base/auth.py @@ -0,0 +1,87 @@ +import binascii +import logging + +import requests +import srp + +from leap.base import constants as baseconstants + +logger = logging.getLogger(__name__) + +SIGNUP_TIMEOUT = getattr(baseconstants, 'SIGNUP_TIMEOUT', 5) + + +class LeapSRPRegister(object): + + def __init__(self, + schema="https", + provider=None, + port=None, + register_path="1/users.json", + method="POST", + fetcher=requests, + srp=srp, + hashfun=srp.SHA256, + ng_constant=srp.NG_1024): + + self.schema = schema + self.provider = provider + self.port = port + self.register_path = register_path + self.method = method + self.fetcher = fetcher + self.srp = srp + self.HASHFUN = hashfun + self.NG = ng_constant + + self.init_session() + + def init_session(self): + self.session = self.fetcher.session() + + def get_registration_uri(self): + # XXX assert is https! + # use urlparse + if self.port: + uri = "%s://%s:%s/%s" % ( + self.schema, + self.provider, + self.port, + self.register_path) + else: + uri = "%s://%s/%s" % ( + self.schema, + self.provider, + self.register_path) + + return uri + + def register_user(self, username, password, keep=False): + """ + @rtype: tuple + @rparam: (ok, request) + """ + salt, vkey = self.srp.create_salted_verification_key( + username, + password, + self.HASHFUN, + self.NG) + + user_data = { + 'user[login]': username, + 'user[password_verifier]': binascii.hexlify(vkey), + 'user[password_salt]': binascii.hexlify(salt)} + + uri = self.get_registration_uri() + logger.debug('post to uri: %s' % uri) + + # XXX get self.method + req = self.session.post( + uri, data=user_data, + timeout=SIGNUP_TIMEOUT) + logger.debug(req) + logger.debug('user_data: %s', user_data) + #logger.debug('response: %s', req.text) + # we catch it in the form + #req.raise_for_status() + return (req.ok, req) -- cgit v1.2.3 From e1dbfc454180a77ebb38ecae6244ac4abe6d0ac5 Mon Sep 17 00:00:00 2001 From: kali Date: Thu, 18 Oct 2012 09:30:53 +0900 Subject: catch cert verification errors and ask user for trust with a little helper function using gnutls --- src/leap/base/checks.py | 17 ++++++++--------- src/leap/base/exceptions.py | 5 +++++ 2 files changed, 13 insertions(+), 9 deletions(-) (limited to 'src/leap/base') diff --git a/src/leap/base/checks.py b/src/leap/base/checks.py index 7285e74f..23446f4a 100644 --- a/src/leap/base/checks.py +++ b/src/leap/base/checks.py @@ -1,6 +1,7 @@ # -*- coding: utf-8 -*- import logging import platform +import socket import netifaces import ping @@ -23,7 +24,7 @@ class LeapNetworkChecker(object): def run_all(self, checker=None): if not checker: checker = self - self.error = None # ? + #self.error = None # ? # for MVS checker.check_tunnel_default_interface() @@ -118,11 +119,9 @@ class LeapNetworkChecker(object): if packet_loss > constants.MAX_ICMP_PACKET_LOSS: raise exceptions.NoConnectionToGateway - # XXX check for name resolution servers - # dunno what's the best way to do this... - # check for etc/resolv entries or similar? - # just try to resolve? - # is there something in psutil? - - # def check_name_resolution(self): - # pass + def check_name_resolution(self, domain_name): + try: + socket.gethostbyname(domain_name) + return True + except socket.gaierror: + raise exceptions.CannotResolveDomainError diff --git a/src/leap/base/exceptions.py b/src/leap/base/exceptions.py index f12a49d5..227da953 100644 --- a/src/leap/base/exceptions.py +++ b/src/leap/base/exceptions.py @@ -67,6 +67,11 @@ class NoInternetConnection(CriticalError): # and now we try to connect to our web to troubleshoot LOL :P +class CannotResolveDomainError(LeapException): + message = "Cannot resolve domain" + usermessage = "Domain cannot be found" + + class TunnelNotDefaultRouteError(CriticalError): message = "Tunnel connection dissapeared. VPN down?" usermessage = "The Encrypted Connection was lost. Shutting down..." -- cgit v1.2.3 From c45e6d34b1beb44d4eb7cecd6426f6c762249484 Mon Sep 17 00:00:00 2001 From: kali Date: Fri, 19 Oct 2012 11:01:27 +0900 Subject: srp authentication class + useful decorator --- src/leap/base/auth.py | 158 ++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 158 insertions(+) (limited to 'src/leap/base') diff --git a/src/leap/base/auth.py b/src/leap/base/auth.py index c34ad39b..1f93c9c3 100644 --- a/src/leap/base/auth.py +++ b/src/leap/base/auth.py @@ -1,15 +1,22 @@ import binascii +import json import logging +import urlparse import requests import srp +from PyQt4 import QtCore + from leap.base import constants as baseconstants logger = logging.getLogger(__name__) SIGNUP_TIMEOUT = getattr(baseconstants, 'SIGNUP_TIMEOUT', 5) +# XXX remove me!! +SERVER = "http://springbok/1" + class LeapSRPRegister(object): @@ -85,3 +92,154 @@ class LeapSRPRegister(object): # we catch it in the form #req.raise_for_status() return (req.ok, req) + + +class SRPAuthenticationError(Exception): + """ + exception raised + for authentication errors + """ + pass + +safe_unhexlify = lambda x: binascii.unhexlify(x) \ + if (len(x) % 2 == 0) else binascii.unhexlify('0' + x) + + +class SRPAuth(requests.auth.AuthBase): + + def __init__(self, username, password): + self.username = username + self.password = password + + # XXX init something similar to + # SERVER... + + self.init_data = None + self.session = requests.session() + + self.init_srp() + + def get_data(self, response): + return json.loads(response.content) + + def init_srp(self): + usr = srp.User( + self.username, + self.password, + srp.SHA256, + srp.NG_1024) + uname, A = usr.start_authentication() + + self.srp_usr = usr + self.A = A + + def get_auth_data(self): + return { + 'login': self.username, + 'A': binascii.hexlify(self.A) + } + + def get_init_data(self): + init_session = self.session.post( + SERVER + '/sessions', + data=self.get_auth_data()) + self.init_data = self.get_data(init_session) + return self.init_data + + def authenticate(self): + print 'start authentication...' + + init_data = self.get_init_data() + salt = init_data.get('salt', None) + B = init_data.get('B', None) + + if not salt or not B: + raise SRPAuthenticationError + + self.M = self.srp_usr.process_challenge( + safe_unhexlify(salt), + safe_unhexlify(B) + ) + + auth_result = self.session.put( + SERVER + '/sessions/' + self.username, + data={'client_auth': binascii.hexlify(self.M)}) + + # XXX check for errors + auth_data = self.get_data(auth_result) + self.srp_usr.verify_session( + safe_unhexlify(auth_data["M2"])) + + try: + assert self.srp_usr.authenticated() + print 'user is authenticated!' + except (AssertionError): + raise SRPAuthenticationError + + def __call__(self, req): + self.authenticate() + req.session = self.session + return req + + +def srpauth_protected(user=None, passwd=None): + """ + decorator factory that accepts + user and password keyword arguments + and add those to the decorated request + """ + def srpauth(fn, user=user, passwd=passwd): + def wrapper(*args, **kwargs): + print 'uri is ', args[0] + if user and passwd: + auth = SRPAuth(user, passwd) + kwargs['auth'] = auth + return fn(*args, **kwargs) + return wrapper + return srpauth + + +def magic_srpauth(fn): + """ + decorator that gets user and password + from the config file and adds those to + the decorated request + """ + # TODO --- finish this... + def wrapper(*args, **kwargs): + uri = args[0] + # XXX Ugh! + # Problem with this approach. + # This won't work when we're using + # api.foo.bar + # Unless we keep a table with the + # equivalencies... + + domain = urlparse.urlparse(uri).netloc + + # XXX check this settings init... + settings = QtCore.QSettings() + user = settings.get('%s_username' % domain, None) + + # uh... I forgot. + # get secret? + # leapkeyring.get_password(foo?) + passwd = settings.get('%s_password' % domain, None) + + auth = SRPAuth(user, passwd) + kwargs['auth'] = auth + return fn(*args, **kwargs) + return wrapper + + +if __name__ == "__main__": + + TEST_USER = "test1" + TEST_PASS = "1234" + + @srpauth_protected(user=TEST_USER, passwd=TEST_PASS) + def test_srp_protected_get(*args, **kwargs): + req = requests.get(*args, **kwargs) + print req.content + + test_srp_protected_get('http://springbok/1/cert') -- cgit v1.2.3 From a1acfd6417beeae312f056f76ac009b80c38654d Mon Sep 17 00:00:00 2001 From: kali Date: Fri, 19 Oct 2012 23:20:35 +0900 Subject: added docs --- src/leap/base/auth.py | 13 +++++++++++++ 1 file changed, 13 insertions(+) (limited to 'src/leap/base') diff --git a/src/leap/base/auth.py b/src/leap/base/auth.py index 1f93c9c3..7d99a7fe 100644 --- a/src/leap/base/auth.py +++ b/src/leap/base/auth.py @@ -18,6 +18,18 @@ SIGNUP_TIMEOUT = getattr(baseconstants, 'SIGNUP_TIMEOUT', 5) SERVER = "http://springbok/1" +""" +Registration and authentication classes for the +SRP auth mechanism used in the leap platform. + +We're currently using the (pure python?) srp library since +it seemed the fastest way of getting something working. + +In the future we can switch to use python-gnutls, since +libgnutls implements srp protocol. +""" + + class LeapSRPRegister(object): def __init__(self, @@ -206,6 +218,7 @@ def magic_srpauth(fn): the decorated request """ # TODO --- finish this... + # currently broken. def wrapper(*args, **kwargs): uri = args[0] # XXX Ugh! -- cgit v1.2.3 From f791a83ce57cef7010da819d61e7f5132fa4611e Mon Sep 17 00:00:00 2001 From: kali Date: Sat, 20 Oct 2012 06:30:16 +0900 Subject: connecting page and changes to functions having to do with the default path to certs. --- src/leap/base/config.py | 9 +++++++++ 1 file changed, 9 insertions(+) (limited to 'src/leap/base') diff --git a/src/leap/base/config.py b/src/leap/base/config.py index cf01d1aa..9ce2e9f0 100644 --- a/src/leap/base/config.py +++ b/src/leap/base/config.py @@ -252,6 +252,15 @@ def get_default_provider_path(): return default_provider_path +def get_provider_path(domain): + # XXX if not domain, return get_default_provider_path + default_subpath = os.path.join("providers", domain) + provider_path = get_config_file( + '', + folder=default_subpath) + return provider_path + + def validate_ip(ip_str): """ raises exception if the ip_str is -- cgit v1.2.3 From 47a9a04145e30476c162a1d76d4d8b4b360de0bd Mon Sep 17 00:00:00 2001 From: kali Date: Tue, 23 Oct 2012 00:34:39 +0900 Subject: allow to test auth from cli --- src/leap/base/auth.py | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) (limited to 'src/leap/base') diff --git a/src/leap/base/auth.py b/src/leap/base/auth.py index 7d99a7fe..5a9ebe1d 100644 --- a/src/leap/base/auth.py +++ b/src/leap/base/auth.py @@ -246,13 +246,14 @@ def magic_srpauth(fn): if __name__ == "__main__": + import sys + user = sys.argv[1] + passwd = sys.argv[2] - TEST_USER = "test1" - TEST_PASS = "1234" - - @srpauth_protected(user=TEST_USER, passwd=TEST_PASS) + @srpauth_protected(user=user, passwd=passwd) def test_srp_protected_get(*args, **kwargs): req = requests.get(*args, **kwargs) - print req.content + req.raise_for_status + #print req.content test_srp_protected_get('http://springbok/1/cert') -- cgit v1.2.3 From a0fc20884a02ccffe1f9a83440b5e2212853289a Mon Sep 17 00:00:00 2001 From: kali Date: Thu, 25 Oct 2012 07:12:34 +0900 Subject: login branch in wizard --- src/leap/base/auth.py | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) (limited to 'src/leap/base') diff --git a/src/leap/base/auth.py b/src/leap/base/auth.py index 5a9ebe1d..cc9562d8 100644 --- a/src/leap/base/auth.py +++ b/src/leap/base/auth.py @@ -177,10 +177,16 @@ class SRPAuth(requests.auth.AuthBase): SERVER + '/sessions/' + self.username, data={'client_auth': binascii.hexlify(self.M)}) - # XXX check for errors auth_data = self.get_data(auth_result) + M2 = auth_data.get("M2", None) + if not M2: + errors = auth_data.get('errors', None) + if errors: + logger.error(errors) + raise SRPAuthenticationError('Authentication Error') + self.srp_usr.verify_session( - safe_unhexlify(auth_data["M2"])) + safe_unhexlify(M2)) try: assert self.srp_usr.authenticated() -- cgit v1.2.3 From 0590991d7777de473a7df21ed32e1fa7caa9cf4b Mon Sep 17 00:00:00 2001 From: kali Date: Fri, 26 Oct 2012 00:12:08 +0900 Subject: user credentials saved on login/signup branches. cert request is using magick decorator that retrieves the certificates using srp. --- src/leap/base/auth.py | 37 ++++++++++++++++++------------------- 1 file changed, 18 insertions(+), 19 deletions(-) (limited to 'src/leap/base') diff --git a/src/leap/base/auth.py b/src/leap/base/auth.py index cc9562d8..1665f48e 100644 --- a/src/leap/base/auth.py +++ b/src/leap/base/auth.py @@ -1,7 +1,7 @@ import binascii import json import logging -import urlparse +#import urlparse import requests import srp @@ -9,6 +9,7 @@ import srp from PyQt4 import QtCore from leap.base import constants as baseconstants +from leap.crypto import leapkeyring logger = logging.getLogger(__name__) @@ -159,7 +160,7 @@ class SRPAuth(requests.auth.AuthBase): return self.init_data def authenticate(self): - print 'start authentication...' + logger.debug('start authentication...') init_data = self.get_init_data() salt = init_data.get('salt', None) @@ -190,7 +191,7 @@ class SRPAuth(requests.auth.AuthBase): try: assert self.srp_usr.authenticated() - print 'user is authenticated!' + logger.debug('user is authenticated!') except (AssertionError): raise SRPAuthenticationError @@ -217,34 +218,32 @@ def srpauth_protected(user=None, passwd=None): return srpauth -def magic_srpauth(fn): +def get_leap_credentials(): + settings = QtCore.QSettings() + full_username = settings.value('eip_username') + username, domain = full_username.split('@') + seed = settings.value('%s_seed' % domain, None) + password = leapkeyring.leap_get_password(full_username, seed=seed) + return (username, password) + + +def magick_srpauth(fn): """ decorator that gets user and password from the config file and adds those to the decorated request """ - # TODO --- finish this... - # currently broken. + logger.debug('magick srp auth decorator called') + def wrapper(*args, **kwargs): - uri = args[0] + #uri = args[0] # XXX Ugh! # Problem with this approach. # This won't work when we're using # api.foo.bar # Unless we keep a table with the # equivalencies... - - domain = urlparse.urlparse(uri).netloc - - # XXX check this settings init... - settings = QtCore.QSettings() - user = settings.get('%s_username' % domain, None) - - # uh... I forgot. - # get secret? - # leapkeyring.get_password(foo?) - passwd = settings.get('%s_password' % domain, None) - + user, passwd = get_leap_credentials() auth = SRPAuth(user, passwd) kwargs['auth'] = auth return fn(*args, **kwargs) -- cgit v1.2.3 From 593e4ba1ddf185d14f27c96ffb970fde7a3271fa Mon Sep 17 00:00:00 2001 From: kali Date: Fri, 26 Oct 2012 02:04:34 +0900 Subject: fix systray context menu. Closes #761 --- src/leap/base/connection.py | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) (limited to 'src/leap/base') diff --git a/src/leap/base/connection.py b/src/leap/base/connection.py index e478538d..41d13935 100644 --- a/src/leap/base/connection.py +++ b/src/leap/base/connection.py @@ -37,11 +37,11 @@ class Connection(Authentication): """ pass - def shutdown(self): - """ - shutdown and quit - """ - self.desired_con_state = self.status.DISCONNECTED + #def shutdown(self): + #""" + #shutdown and quit + #""" + #self.desired_con_state = self.status.DISCONNECTED def connection_state(self): """ -- cgit v1.2.3 From c387a52f841e8933ed7282d198ed1ece863979fc Mon Sep 17 00:00:00 2001 From: kali Date: Tue, 6 Nov 2012 01:26:05 +0900 Subject: new validation pages in a reusable MVC style using progress indicators inside QTableWidget --- src/leap/base/tests/__init__.py | 0 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 src/leap/base/tests/__init__.py (limited to 'src/leap/base') diff --git a/src/leap/base/tests/__init__.py b/src/leap/base/tests/__init__.py new file mode 100644 index 00000000..e69de29b -- cgit v1.2.3 From 8a70d249df9782a370c00a37de9a7d3af568c0f5 Mon Sep 17 00:00:00 2001 From: kali Date: Thu, 8 Nov 2012 08:32:57 +0900 Subject: more specific errors catched during srpauth --- src/leap/base/auth.py | 104 +++++++++++++++++++++++++++++++++++++++----------- 1 file changed, 81 insertions(+), 23 deletions(-) (limited to 'src/leap/base') diff --git a/src/leap/base/auth.py b/src/leap/base/auth.py index 1665f48e..9ee159e7 100644 --- a/src/leap/base/auth.py +++ b/src/leap/base/auth.py @@ -16,7 +16,7 @@ logger = logging.getLogger(__name__) SIGNUP_TIMEOUT = getattr(baseconstants, 'SIGNUP_TIMEOUT', 5) # XXX remove me!! -SERVER = "http://springbok/1" +SERVER = "https://localhost:8443/1" """ @@ -120,9 +120,10 @@ safe_unhexlify = lambda x: binascii.unhexlify(x) \ class SRPAuth(requests.auth.AuthBase): - def __init__(self, username, password): + def __init__(self, username, password, verify=None): self.username = username self.password = password + self.verify = verify # XXX init something similar to # SERVER... @@ -132,7 +133,7 @@ class SRPAuth(requests.auth.AuthBase): self.init_srp() - def get_data(self, response): + def get_json_data(self, response): return json.loads(response.content) def init_srp(self): @@ -153,12 +154,45 @@ class SRPAuth(requests.auth.AuthBase): } def get_init_data(self): - init_session = self.session.post( - SERVER + '/sessions', - data=self.get_auth_data()) - self.init_data = self.get_data(init_session) + try: + init_session = self.session.post( + SERVER + '/sessions.json/', + data=self.get_auth_data(), + verify=self.verify) + except requests.exceptions.ConnectionError: + raise SRPAuthenticationError( + "No connection made (salt).") + if init_session.status_code not in (200, ): + raise SRPAuthenticationError( + "No valid response (salt).") + + # XXX should get auth_result.json instead + self.init_data = self.get_json_data(init_session) return self.init_data + def get_server_proof_data(self): + try: + auth_result = self.session.put( + SERVER + '/sessions.json/' + self.username, + data={'client_auth': binascii.hexlify(self.M)}, + verify=self.verify) + except requests.exceptions.ConnectionError: + raise SRPAuthenticationError( + "No connection made (HAMK).") + + if auth_result.status_code not in (200, ): + raise SRPAuthenticationError( + "No valid response (HAMK).") + + # XXX should get auth_result.json instead + try: + self.auth_data = self.get_json_data(auth_result) + except ValueError: + raise SRPAuthenticationError( + "No valid data sent (HAMK)") + + return self.auth_data + def authenticate(self): logger.debug('start authentication...') @@ -166,34 +200,54 @@ class SRPAuth(requests.auth.AuthBase): salt = init_data.get('salt', None) B = init_data.get('B', None) + # XXX refactor this function + # move checks and un-hex + # to routines + if not salt or not B: - raise SRPAuthenticationError + raise SRPAuthenticationError( + "Server did not send initial data.") + + try: + unhex_salt = safe_unhexlify(salt) + except TypeError: + raise SRPAuthenticationError( + "Bad data from server (salt)") + try: + unhex_B = safe_unhexlify(B) + except TypeError: + raise SRPAuthenticationError( + "Bad data from server (B)") self.M = self.srp_usr.process_challenge( - safe_unhexlify(salt), - safe_unhexlify(B) + unhex_salt, + unhex_B ) - auth_result = self.session.put( - SERVER + '/sessions/' + self.username, - data={'client_auth': binascii.hexlify(self.M)}) + proof_data = self.get_server_proof_data() - auth_data = self.get_data(auth_result) - M2 = auth_data.get("M2", None) - if not M2: - errors = auth_data.get('errors', None) + HAMK = proof_data.get("M2", None) + if not HAMK: + errors = proof_data.get('errors', None) if errors: logger.error(errors) - raise SRPAuthenticationError('Authentication Error') + raise SRPAuthenticationError("Server did not send HAMK.") + + try: + unhex_HAMK = safe_unhexlify(HAMK) + except TypeError: + raise SRPAuthenticationError( + "Bad data from server (HAMK)") self.srp_usr.verify_session( - safe_unhexlify(M2)) + unhex_HAMK) try: assert self.srp_usr.authenticated() logger.debug('user is authenticated!') except (AssertionError): - raise SRPAuthenticationError + raise SRPAuthenticationError( + "Auth verification failed.") def __call__(self, req): self.authenticate() @@ -201,7 +255,7 @@ class SRPAuth(requests.auth.AuthBase): return req -def srpauth_protected(user=None, passwd=None): +def srpauth_protected(user=None, passwd=None, verify=True): """ decorator factory that accepts user and password keyword arguments @@ -211,7 +265,7 @@ def srpauth_protected(user=None, passwd=None): def wrapper(*args, **kwargs): print 'uri is ', args[0] if user and passwd: - auth = SRPAuth(user, passwd) + auth = SRPAuth(user, passwd, verify) kwargs['auth'] = auth return fn(*args, **kwargs) return wrapper @@ -227,6 +281,10 @@ def get_leap_credentials(): return (username, password) +# XXX TODO +# Pass verify as single argument, +# in srpauth_protected style + def magick_srpauth(fn): """ decorator that gets user and password @@ -261,4 +319,4 @@ if __name__ == "__main__": req.raise_for_status #print req.content - test_srp_protected_get('http://springbok/1/cert') + test_srp_protected_get('http://localhost:8443/1/cert') -- cgit v1.2.3 From 8118056a244ca74d16380ad26a70e3da40e7e401 Mon Sep 17 00:00:00 2001 From: kali Date: Fri, 9 Nov 2012 11:21:40 +0900 Subject: connect page merged into regvalidation. Flow nearly working with fake provider, except for authentication. --- src/leap/base/auth.py | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) (limited to 'src/leap/base') diff --git a/src/leap/base/auth.py b/src/leap/base/auth.py index 9ee159e7..f1b618ba 100644 --- a/src/leap/base/auth.py +++ b/src/leap/base/auth.py @@ -37,6 +37,7 @@ class LeapSRPRegister(object): schema="https", provider=None, port=None, + verify=True, register_path="1/users.json", method="POST", fetcher=requests, @@ -47,6 +48,7 @@ class LeapSRPRegister(object): self.schema = schema self.provider = provider self.port = port + self.verify = verify self.register_path = register_path self.method = method self.fetcher = fetcher @@ -98,7 +100,8 @@ class LeapSRPRegister(object): # XXX get self.method req = self.session.post( uri, data=user_data, - timeout=SIGNUP_TIMEOUT) + timeout=SIGNUP_TIMEOUT, + verify=self.verify) logger.debug(req) logger.debug('user_data: %s', user_data) #logger.debug('response: %s', req.text) -- cgit v1.2.3 From 8fd77ba036cb78c81939bbfce312b12cdc90d881 Mon Sep 17 00:00:00 2001 From: kali Date: Fri, 9 Nov 2012 18:13:32 +0900 Subject: working version of the fake provider. wizard can now be completely tested against this. --- src/leap/base/auth.py | 126 +++++++++++++++++++++++++++++++++++--------------- 1 file changed, 88 insertions(+), 38 deletions(-) (limited to 'src/leap/base') diff --git a/src/leap/base/auth.py b/src/leap/base/auth.py index f1b618ba..58ae9d69 100644 --- a/src/leap/base/auth.py +++ b/src/leap/base/auth.py @@ -10,27 +10,46 @@ from PyQt4 import QtCore from leap.base import constants as baseconstants from leap.crypto import leapkeyring +from leap.util.web import get_https_domain_and_port logger = logging.getLogger(__name__) SIGNUP_TIMEOUT = getattr(baseconstants, 'SIGNUP_TIMEOUT', 5) -# XXX remove me!! -SERVER = "https://localhost:8443/1" - - """ Registration and authentication classes for the SRP auth mechanism used in the leap platform. -We're currently using the (pure python?) srp library since -it seemed the fastest way of getting something working. - -In the future we can switch to use python-gnutls, since -libgnutls implements srp protocol. +We're using the srp library which uses a c-based implementation +of the protocol if the c extension is available, and a python-based +one if not. """ +class ImproperlyConfigured(Exception): + """ + """ + + +class SRPAuthenticationError(Exception): + """ + exception raised + for authentication errors + """ + + +def null_check(value, value_name): + try: + assert value is not None + except AssertionError: + raise ImproperlyConfigured( + "%s parameter cannot be None" % value_name) + + +safe_unhexlify = lambda x: binascii.unhexlify(x) \ + if (len(x) % 2 == 0) else binascii.unhexlify('0' + x) + + class LeapSRPRegister(object): def __init__(self, @@ -45,9 +64,19 @@ class LeapSRPRegister(object): hashfun=srp.SHA256, ng_constant=srp.NG_1024): + null_check(provider, provider) + self.schema = schema + + # XXX FIXME self.provider = provider self.port = port + # XXX splitting server,port + # deprecate port call. + domain, port = get_https_domain_and_port(provider) + self.provider = domain + self.port = port + self.verify = verify self.register_path = register_path self.method = method @@ -110,27 +139,16 @@ class LeapSRPRegister(object): return (req.ok, req) -class SRPAuthenticationError(Exception): - """ - exception raised - for authentication errors - """ - pass - -safe_unhexlify = lambda x: binascii.unhexlify(x) \ - if (len(x) % 2 == 0) else binascii.unhexlify('0' + x) - - class SRPAuth(requests.auth.AuthBase): - def __init__(self, username, password, verify=None): + def __init__(self, username, password, server=None, verify=None): + # sanity check + null_check(server, 'server') self.username = username self.password = password + self.server = server self.verify = verify - # XXX init something similar to - # SERVER... - self.init_data = None self.session = requests.session() @@ -159,7 +177,7 @@ class SRPAuth(requests.auth.AuthBase): def get_init_data(self): try: init_session = self.session.post( - SERVER + '/sessions.json/', + self.server + '/1/sessions.json/', data=self.get_auth_data(), verify=self.verify) except requests.exceptions.ConnectionError: @@ -176,7 +194,7 @@ class SRPAuth(requests.auth.AuthBase): def get_server_proof_data(self): try: auth_result = self.session.put( - SERVER + '/sessions.json/' + self.username, + self.server + '/1/sessions.json/' + self.username, data={'client_auth': binascii.hexlify(self.M)}, verify=self.verify) except requests.exceptions.ConnectionError: @@ -258,18 +276,18 @@ class SRPAuth(requests.auth.AuthBase): return req -def srpauth_protected(user=None, passwd=None, verify=True): +def srpauth_protected(user=None, passwd=None, server=None, verify=True): """ decorator factory that accepts user and password keyword arguments and add those to the decorated request """ - def srpauth(fn, user=user, passwd=passwd): + def srpauth(fn): def wrapper(*args, **kwargs): - print 'uri is ', args[0] if user and passwd: - auth = SRPAuth(user, passwd, verify) + auth = SRPAuth(user, passwd, server, verify) kwargs['auth'] = auth + kwargs['verify'] = verify return fn(*args, **kwargs) return wrapper return srpauth @@ -305,6 +323,9 @@ def magick_srpauth(fn): # Unless we keep a table with the # equivalencies... user, passwd = get_leap_credentials() + + # XXX pass verify and server too + # (pop) auth = SRPAuth(user, passwd) kwargs['auth'] = auth return fn(*args, **kwargs) @@ -312,14 +333,43 @@ def magick_srpauth(fn): if __name__ == "__main__": + """ + To test against test_provider (twisted version) + Register an user: (will be valid during the session) + >>> python auth.py add test password + + Test login with that user: + >>> python auth.py login test password + """ + import sys - user = sys.argv[1] - passwd = sys.argv[2] - @srpauth_protected(user=user, passwd=passwd) - def test_srp_protected_get(*args, **kwargs): - req = requests.get(*args, **kwargs) - req.raise_for_status - #print req.content + if len(sys.argv) not in (4, 5): + print 'Usage: auth [server]' + sys.exit(0) + + action = sys.argv[1] + user = sys.argv[2] + passwd = sys.argv[3] + + if len(sys.argv) == 5: + SERVER = sys.argv[4] + else: + SERVER = "https://localhost:8443" + + if action == "login": + + @srpauth_protected( + user=user, passwd=passwd, server=SERVER, verify=False) + def test_srp_protected_get(*args, **kwargs): + req = requests.get(*args, **kwargs) + req.raise_for_status + return req + + req = test_srp_protected_get('https://localhost:8443/1/cert') + print 'cert :', req.content[:200] + "..." + sys.exit(0) - test_srp_protected_get('http://localhost:8443/1/cert') + if action == "add": + auth = LeapSRPRegister(provider=SERVER, verify=False) + auth.register_user(user, passwd) -- cgit v1.2.3 From 13c4bd9087e4caaf9e440efa210d5762b8aca875 Mon Sep 17 00:00:00 2001 From: kali Date: Mon, 12 Nov 2012 11:49:11 +0900 Subject: fix uri for sessions PUT --- src/leap/base/auth.py | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'src/leap/base') diff --git a/src/leap/base/auth.py b/src/leap/base/auth.py index 58ae9d69..50533278 100644 --- a/src/leap/base/auth.py +++ b/src/leap/base/auth.py @@ -194,7 +194,8 @@ class SRPAuth(requests.auth.AuthBase): def get_server_proof_data(self): try: auth_result = self.session.put( - self.server + '/1/sessions.json/' + self.username, + #self.server + '/1/sessions.json/' + self.username, + self.server + '/1/sessions/' + self.username, data={'client_auth': binascii.hexlify(self.M)}, verify=self.verify) except requests.exceptions.ConnectionError: -- cgit v1.2.3 From d2dcf5a1060d60c451570349a6a06ad102d6924c Mon Sep 17 00:00:00 2001 From: kali Date: Tue, 13 Nov 2012 21:54:04 +0900 Subject: fix missing provider parameter in leapconfig objects chain --- src/leap/base/config.py | 1 + src/leap/base/providers.py | 14 +++++++------- 2 files changed, 8 insertions(+), 7 deletions(-) (limited to 'src/leap/base') diff --git a/src/leap/base/config.py b/src/leap/base/config.py index 9ce2e9f0..0255fbab 100644 --- a/src/leap/base/config.py +++ b/src/leap/base/config.py @@ -118,6 +118,7 @@ class JSONLeapConfig(BaseLeapConfig): " derived class") assert issubclass(self.spec, PluggableConfig) + self.domain = kwargs.pop('domain', None) self._config = self.spec(format="json") self._config.load() self.fetcher = kwargs.pop('fetcher', requests) diff --git a/src/leap/base/providers.py b/src/leap/base/providers.py index 7b219cc7..d41f3695 100644 --- a/src/leap/base/providers.py +++ b/src/leap/base/providers.py @@ -7,20 +7,20 @@ class LeapProviderDefinition(baseconfig.JSONLeapConfig): spec = specs.leap_provider_spec def _get_slug(self): - provider_path = baseconfig.get_default_provider_path() + domain = getattr(self, 'domain', None) + if domain: + path = baseconfig.get_provider_path(domain) + else: + path = baseconfig.get_default_provider_path() + return baseconfig.get_config_file( - 'provider.json', - folder=provider_path) + 'provider.json', folder=path) def _set_slug(self, *args, **kwargs): raise AttributeError("you cannot set slug") slug = property(_get_slug, _set_slug) - # TODO (MVS+) - # we will construct slug from providers/%s/definition.json - # where %s is domain name. we can get that on __init__ - class LeapProviderSet(object): # we gather them from the filesystem -- cgit v1.2.3 From d24c7328fa845737dbb83d512e4b3f287634c4cc Mon Sep 17 00:00:00 2001 From: kali Date: Wed, 14 Nov 2012 00:33:05 +0900 Subject: make tests pass + pep8 They were breaking mainly because I did not bother to have a pass over them to change the PROVIDER settings from the branding case. All good now, although much testing is yet needed and some refactor could be used. long live green tests! --- src/leap/base/network.py | 2 +- src/leap/base/tests/test_checks.py | 7 +++++++ src/leap/base/tests/test_providers.py | 6 ++++-- 3 files changed, 12 insertions(+), 3 deletions(-) (limited to 'src/leap/base') diff --git a/src/leap/base/network.py b/src/leap/base/network.py index 3891b00a..3aba3f61 100644 --- a/src/leap/base/network.py +++ b/src/leap/base/network.py @@ -31,7 +31,7 @@ class NetworkCheckerThread(object): # see in eip.config for function # #718 self.checker = LeapNetworkChecker( - provider_gw = get_eip_gateway()) + provider_gw=get_eip_gateway()) def start(self): self.process_handle = self._launch_recurrent_network_checks( diff --git a/src/leap/base/tests/test_checks.py b/src/leap/base/tests/test_checks.py index bec09ce6..8d573b1e 100644 --- a/src/leap/base/tests/test_checks.py +++ b/src/leap/base/tests/test_checks.py @@ -40,7 +40,14 @@ class LeapNetworkCheckTest(BaseLeapTest): def test_checker_should_actually_call_all_tests(self): checker = checks.LeapNetworkChecker() + mc = Mock() + checker.run_all(checker=mc) + self.assertTrue(mc.check_internet_connection.called, "not called") + self.assertTrue(mc.check_tunnel_default_interface.called, "not called") + self.assertTrue(mc.is_internet_up.called, "not called") + # ping gateway only called if we pass provider_gw + checker = checks.LeapNetworkChecker(provider_gw="0.0.0.0") mc = Mock() checker.run_all(checker=mc) self.assertTrue(mc.check_internet_connection.called, "not called") diff --git a/src/leap/base/tests/test_providers.py b/src/leap/base/tests/test_providers.py index 8d3b8847..15c4ed58 100644 --- a/src/leap/base/tests/test_providers.py +++ b/src/leap/base/tests/test_providers.py @@ -30,7 +30,9 @@ EXPECTED_DEFAULT_CONFIG = { class TestLeapProviderDefinition(BaseLeapTest): def setUp(self): - self.definition = providers.LeapProviderDefinition() + self.domain = "testprovider.example.org" + self.definition = providers.LeapProviderDefinition( + domain=self.domain) self.definition.save() self.definition.load() self.config = self.definition.config @@ -51,7 +53,7 @@ class TestLeapProviderDefinition(BaseLeapTest): os.path.join( self.home, '.config', 'leap', 'providers', - '%s' % BRANDING.get('provider_domain'), + '%s' % self.domain, 'provider.json')) with self.assertRaises(AttributeError): self.definition.slug = 23 -- cgit v1.2.3