diff options
-rw-r--r-- | .gitignore | 3 | ||||
-rw-r--r-- | LICENSE | 202 | ||||
-rw-r--r-- | README.md | 42 | ||||
-rwxr-xr-x | demo.sh | 22 | ||||
-rwxr-xr-x | login-freebsd.sh | 3 | ||||
-rwxr-xr-x | login.py | 111 | ||||
-rwxr-xr-x | login_test.py | 20 |
7 files changed, 403 insertions, 0 deletions
diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..02e0d9f --- /dev/null +++ b/.gitignore @@ -0,0 +1,3 @@ +__pycache__ +*swp +*~ @@ -0,0 +1,202 @@ + + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. + + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "[]" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + + Copyright [yyyy] [name of copyright owner] + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. diff --git a/README.md b/README.md new file mode 100644 index 0000000..be8421c --- /dev/null +++ b/README.md @@ -0,0 +1,42 @@ +# apache-auth-xmppmessage + +Authenticate users using tokens sent via xmpp. + +This script is almost stateless, there is no database required. +To protect against DoS it uses a lockfile, this way allowing only on +instance at a time. + +## Install requirements + + # pip + pip3 install --user -r sleekxmpp==1.3.1 + + # FreeBSD: + pkg install py34-sleekxmpp + pkg install ap24-mod_authnz_external24 + + +## Configuration + + DefineExternalAuth xmpp-login pipe /usr/local/etc/apache24/login.py + <Location /foo> + AuthType Basic + AuthName "Login with Jabber ID and empty password to request a token" + AuthBasicProvider external + AuthExternalContext "validsec=7200;secret=adsasd;users=user1@jabber.org,user2@jabber.org;jid=bot@jabber.org;jid_pw=secret-xmpp-pw" + AuthExternal xmpp-login + Require valid-user + </Location> + +### Options + +- validsec: timespan in which a token is valid. + There are always 2 valid tokens, the current and the previous. + The current is `token(now % validsec)`. The previous is `token(now % validsec - validsec)`. + A token valid-range is determined by `% validsec` and NOT by the time the token was requested. +- secret: random secret data. Used as a salt for the token. +- users: comma separated list of JIDs that are allowed to receive tokens. + Tokens are user-specific. User `A` cannot use the token from user `B`. +- jid: JID of the bot who sends the tokens to the users. +- jid\_pw: password of the bot. + @@ -0,0 +1,22 @@ +#!/bin/sh +# Usage: +# - No arguments: Request a token +# - With arguments: Verify a token +export IP=1.2.3.4 +export URI=/test +export HTTP_HOST=www.example.com; +export CONTEXT="validsec=60;secret=asdsad;users=yvesf@xapek.org,marc@xapek.org;jid=___;jid_pw=___" +export SKIP_XMPP=1 + +if [ -z "$1" ]; then # request token + ( + echo "yvesf@xapek.org" + echo "" + ) | ./login.py +else # verify token + ( + echo "yvesf@xapek.org" + echo "$1" + ) | ./login.py + echo "Result $?" +fi diff --git a/login-freebsd.sh b/login-freebsd.sh new file mode 100755 index 0000000..f943eec --- /dev/null +++ b/login-freebsd.sh @@ -0,0 +1,3 @@ +#!/bin/sh +dir="`dirname \"$0\"`" +/usr/local/bin/python3.4 "$dir/"login.py $* diff --git a/login.py b/login.py new file mode 100755 index 0000000..584398c --- /dev/null +++ b/login.py @@ -0,0 +1,111 @@ +#!/usr/bin/env python3.4 +import os +import re +import sys +import time +import struct +import hashlib + +# To speed up start time load some modules only as needed + +if sys.version_info < (3, 0): + raise Exception("Require python3+") + + +def file_lock(lock_file): + from contextlib import contextmanager + + @contextmanager + def file_lock(): + try: + with open(lock_file, "x") as fh: + try: + yield + except: + raise + finally: + fh.close() + os.remove(lock_file) + except FileExistsError: + raise Exception("Locking failed on {}".format(lock_file)) + return file_lock() + + +def send_message(jid, password, recipient, message): + import sleekxmpp + + def start(event): + cl.send_message(mto=recipient, mtype='chat', mbody=message) + cl.disconnect(wait=True) + + cl = sleekxmpp.ClientXMPP(jid, password) + cl.add_event_handler("session_start", start, threaded=True) + if cl.connect(): + cl.process(block=True) + else: + raise Exception("Unable to connect to xmpp server") + + +def generate_token(username, secret, time): + input = "{}{}{}".format(secret, username, time).encode('utf-8') + output = struct.unpack(b"<L", hashlib.md5(input).digest()[:4])[0] + token = "{:02X}-{:02X}-{:02X}".format( + (output >> 16) & 0xff, (output >> 8) & 0xff, output & 0xff) + return token + + +def token_message(username, secret, validsec): + time_now = int(time.time()) + time_now_start = int(time_now - time_now % validsec) + time_next_end = time_now_start + 2 * validsec + token = generate_token(username, secret, time_now_start) + message = "Username: {} Token: {}".format(username, token) + message += "\nValid from: {} to: {}".format( + time.strftime("%c %Z(%z)", time.gmtime(time_now_start)), + time.strftime("%c %Z(%z)", time.gmtime(time_next_end))) + message += "\nRequested by: {} for: {} on: {}".format( + os.getenv("IP"), ascii(os.getenv("URI")), os.getenv("HTTP_HOST")) + return message + + +def normalize_token(token): + return re.sub(r"[^A-F0-9]", "", token.upper()) + + +def run(config): + conf_users = config['users'].split(',') + conf_secret = config['secret'] + conf_validsec = int(config['validsec']) + conf_jid = config['jid'] + conf_jid_pw = config['jid_pw'] + + # reading the credential supplied in a pipe from apache + username = sys.stdin.readline().strip() + password = sys.stdin.readline().strip() + + if password == "" and username in conf_users: + # avoid spamming by allowing only one message sent at a time + lockfile = os.path.basename(__file__) + with file_lock("/tmp/lock." + lockfile): + message = token_message(username, conf_secret, conf_validsec) + if os.getenv("SKIP_XMPP"): # used for testing + print(message) + else: + send_message(conf_jid, conf_jid_pw, username, message) + elif username in conf_users: + time_now = int(time.time()) + time_now_start = int(time_now - time_now % conf_validsec) + time_prev_start = time_now_start - conf_validsec + valid_tokens = list(map(normalize_token, ( + generate_token(username, conf_secret, time_now_start), + generate_token(username, conf_secret, time_prev_start) + ))) + if normalize_token(password) in valid_tokens: + return os.EX_OK # grant access + + return os.EX_NOPERM # fail by default + +if __name__ == "__main__": + config = dict(map(lambda kv: kv.split("="), + os.getenv("CONTEXT").split(";"))) + sys.exit(run(config)) diff --git a/login_test.py b/login_test.py new file mode 100755 index 0000000..4557de8 --- /dev/null +++ b/login_test.py @@ -0,0 +1,20 @@ +#!/usr/bin/env python3 +import unittest +import login + + +class TestStringMethods(unittest.TestCase): + def test_normalize(self): + self.assertEqual(login.normalize_token("A4-B4-C5"), + "A4B4C5") + self.assertEqual(login.normalize_token("a4-b4-c5"), + "A4B4C5") + self.assertEqual(login.normalize_token("a4b4c5"), + "A4B4C5") + self.assertEqual(login.normalize_token("A4B4C5"), + "A4B4C5") + + +if __name__ == '__main__': + unittest.main() + |