|
|
from __future__ import absolute_import
|
|
|
|
|
|
import base64
|
|
|
import hashlib
|
|
|
|
|
|
from mercurial.hgweb import common
|
|
|
from mercurial import (
|
|
|
node,
|
|
|
)
|
|
|
|
|
|
def parse_keqv_list(req, l):
|
|
|
"""Parse list of key=value strings where keys are not duplicated."""
|
|
|
parsed = {}
|
|
|
for elt in l:
|
|
|
k, v = elt.split(b'=', 1)
|
|
|
if v[0:1] == b'"' and v[-1:] == b'"':
|
|
|
v = v[1:-1]
|
|
|
parsed[k] = v
|
|
|
return parsed
|
|
|
|
|
|
class digestauthserver(object):
|
|
|
def __init__(self):
|
|
|
self._user_hashes = {}
|
|
|
|
|
|
def gethashers(self):
|
|
|
def _md5sum(x):
|
|
|
m = hashlib.md5()
|
|
|
m.update(x)
|
|
|
return node.hex(m.digest())
|
|
|
|
|
|
h = _md5sum
|
|
|
|
|
|
kd = lambda s, d, h=h: h(b"%s:%s" % (s, d))
|
|
|
return h, kd
|
|
|
|
|
|
def adduser(self, user, password, realm):
|
|
|
h, kd = self.gethashers()
|
|
|
a1 = h(b'%s:%s:%s' % (user, realm, password))
|
|
|
self._user_hashes[(user, realm)] = a1
|
|
|
|
|
|
def makechallenge(self, realm):
|
|
|
# We aren't testing the protocol here, just that the bytes make the
|
|
|
# proper round trip. So hardcoded seems fine.
|
|
|
nonce = b'064af982c5b571cea6450d8eda91c20d'
|
|
|
return b'realm="%s", nonce="%s", algorithm=MD5, qop="auth"' % (realm,
|
|
|
nonce)
|
|
|
|
|
|
def checkauth(self, req, header):
|
|
|
log = req.rawenv[b'wsgi.errors']
|
|
|
|
|
|
h, kd = self.gethashers()
|
|
|
resp = parse_keqv_list(req, header.split(b', '))
|
|
|
|
|
|
if resp.get(b'algorithm', b'MD5').upper() != b'MD5':
|
|
|
log.write(b'Unsupported algorithm: %s' % resp.get(b'algorithm'))
|
|
|
raise common.ErrorResponse(common.HTTP_FORBIDDEN,
|
|
|
b"unknown algorithm")
|
|
|
user = resp[b'username']
|
|
|
realm = resp[b'realm']
|
|
|
nonce = resp[b'nonce']
|
|
|
|
|
|
ha1 = self._user_hashes.get((user, realm))
|
|
|
if not ha1:
|
|
|
log.write(b'No hash found for user/realm "%s/%s"' % (user, realm))
|
|
|
raise common.ErrorResponse(common.HTTP_FORBIDDEN, b"bad user")
|
|
|
|
|
|
qop = resp.get(b'qop', b'auth')
|
|
|
if qop != b'auth':
|
|
|
log.write(b"Unsupported qop: %s" % qop)
|
|
|
raise common.ErrorResponse(common.HTTP_FORBIDDEN, b"bad qop")
|
|
|
|
|
|
cnonce, ncvalue = resp.get(b'cnonce'), resp.get(b'nc')
|
|
|
if not cnonce or not ncvalue:
|
|
|
log.write(b'No cnonce (%s) or ncvalue (%s)' % (cnonce, ncvalue))
|
|
|
raise common.ErrorResponse(common.HTTP_FORBIDDEN, b"no cnonce")
|
|
|
|
|
|
a2 = b'%s:%s' % (req.method, resp[b'uri'])
|
|
|
noncebit = b"%s:%s:%s:%s:%s" % (nonce, ncvalue, cnonce, qop, h(a2))
|
|
|
|
|
|
respdig = kd(ha1, noncebit)
|
|
|
if respdig != resp[b'response']:
|
|
|
log.write(b'User/realm "%s/%s" gave %s, but expected %s'
|
|
|
% (user, realm, resp[b'response'], respdig))
|
|
|
return False
|
|
|
|
|
|
return True
|
|
|
|
|
|
digest = digestauthserver()
|
|
|
|
|
|
def perform_authentication(hgweb, req, op):
|
|
|
auth = req.headers.get(b'Authorization')
|
|
|
|
|
|
if req.headers.get(b'X-HgTest-AuthType') == b'Digest':
|
|
|
if not auth:
|
|
|
challenge = digest.makechallenge(b'mercurial')
|
|
|
raise common.ErrorResponse(common.HTTP_UNAUTHORIZED, b'who',
|
|
|
[(b'WWW-Authenticate', b'Digest %s' % challenge)])
|
|
|
|
|
|
if not digest.checkauth(req, auth[7:]):
|
|
|
raise common.ErrorResponse(common.HTTP_FORBIDDEN, b'no')
|
|
|
|
|
|
return
|
|
|
|
|
|
if not auth:
|
|
|
raise common.ErrorResponse(common.HTTP_UNAUTHORIZED, b'who',
|
|
|
[(b'WWW-Authenticate', b'Basic Realm="mercurial"')])
|
|
|
|
|
|
if base64.b64decode(auth.split()[1]).split(b':', 1) != [b'user', b'pass']:
|
|
|
raise common.ErrorResponse(common.HTTP_FORBIDDEN, b'no')
|
|
|
|
|
|
def extsetup(ui):
|
|
|
common.permhooks.insert(0, perform_authentication)
|
|
|
digest.adduser(b'user', b'pass', b'mercurial')
|
|
|
|