1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
|
#------------------------------------------------------------------------------
#
# Copyright (c) Microsoft Corporation.
# All rights reserved.
#
# This code is licensed under the MIT License.
#
# Permission is hereby granted, free of charge, to any person obtaining a copy
# of this software and associated documentation files(the "Software"), to deal
# in the Software without restriction, including without limitation the rights
# to use, copy, modify, merge, publish, distribute, sublicense, and / or sell
# copies of the Software, and to permit persons to whom the Software is
# furnished to do so, subject to the following conditions :
#
# The above copyright notice and this permission notice shall be included in
# all copies or substantial portions of the Software.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.IN NO EVENT SHALL THE
# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
# THE SOFTWARE.
#
#------------------------------------------------------------------------------
#Note, this module does not appear being used anywhere
import re
import requests
from . import util
from . import log
from .constants import HttpError
AUTHORIZATION_URI = 'authorization_uri'
RESOURCE = 'resource'
WWW_AUTHENTICATE_HEADER = 'www-authenticate'
# pylint: disable=anomalous-backslash-in-string,too-few-public-methods
class AuthenticationParameters(object):
def __init__(self, authorization_uri, resource):
self.authorization_uri = authorization_uri
self.resource = resource
# The 401 challenge is a standard defined in RFC6750, which is based in part on RFC2617.
# The challenge has the following form.
# WWW-Authenticate : Bearer
# authorization_uri="https://login.microsoftonline.com/mytenant.com/oauth2/authorize",
# Resource_id="00000002-0000-0000-c000-000000000000"
# This regex is used to validate the structure of the challenge header.
# Match whole structure: ^\s*Bearer\s+([^,\s="]+?)="([^"]*?)"\s*(,\s*([^,\s="]+?)="([^"]*?)"\s*)*$
# ^ Start at the beginning of the string.
# \s*Bearer\s+ Match 'Bearer' surrounded by one or more amount of whitespace.
# ([^,\s="]+?) This captures the key which is composed of any characters except
# comma, whitespace or a quotes.
# = Match the = sign.
# "([^"]*?)" Captures the value can be any number of non quote characters.
# At this point only the first key value pair as been captured.
# \s* There can be any amount of white space after the first key value pair.
# ( Start a capture group to retrieve the rest of the key value
# pairs that are separated by commas.
# \s* There can be any amount of whitespace before the comma.
# , There must be a comma.
# \s* There can be any amount of whitespace after the comma.
# (([^,\s="]+?) This will capture the key that comes after the comma. It's made
# of a series of any character except comma, whitespace or quotes.
# = Match the equal sign between the key and value.
# " Match the opening quote of the value.
# ([^"]*?) This will capture the value which can be any number of non
# quote characters.
# " Match the values closing quote.
# \s* There can be any amount of whitespace before the next comma.
# )* Close the capture group for key value pairs. There can be any
# number of these.
# $ The rest of the string can be whitespace but nothing else up to
# the end of the string.
#
# This regex checks the structure of the whole challenge header. The complete
# header needs to be checked for validity before we can be certain that
# we will succeed in pulling out the individual parts.
bearer_challenge_structure_validation = re.compile(
r"""^\s*Bearer\s+([^,\s="]+?)="([^"]*?)"\s*(,\s*([^,\s="]+?)="([^"]*?)"\s*)*$""")
# This regex pulls out the key and value from the very first pair.
first_key_value_pair_regex = re.compile(r"""^\s*Bearer\s+([^,\s="]+?)="([^"]*?)"\s*""")
# This regex is used to pull out all of the key value pairs after the first one.
# All of these begin with a comma.
all_other_key_value_pair_regex = re.compile(r"""(?:,\s*([^,\s="]+?)="([^"]*?)"\s*)""")
def parse_challenge(challenge):
if not bearer_challenge_structure_validation.search(challenge):
raise ValueError("The challenge is not parseable as an RFC6750 OAuth2 challenge")
challenge_parameters = {}
match = first_key_value_pair_regex.search(challenge)
if match:
challenge_parameters[match.group(1)] = match.group(2)
for match in all_other_key_value_pair_regex.finditer(challenge):
challenge_parameters[match.group(1)] = match.group(2)
return challenge_parameters
def create_authentication_parameters_from_header(challenge):
challenge_parameters = parse_challenge(challenge)
authorization_uri = challenge_parameters.get(AUTHORIZATION_URI)
if not authorization_uri:
raise ValueError("Could not find 'authorization_uri' in challenge header.")
resource = challenge_parameters.get(RESOURCE)
return AuthenticationParameters(authorization_uri, resource)
def create_authentication_parameters_from_response(response):
if response is None:
raise AttributeError('Missing required parameter: response')
if not hasattr(response, 'status_code') or not response.status_code:
raise AttributeError('The response parameter does not have the expected HTTP status_code field')
if not hasattr(response, 'headers') or not response.headers:
raise AttributeError('There were no headers found in the response.')
if response.status_code != HttpError.UNAUTHORIZED:
raise ValueError('The response status code does not correspond to an OAuth challenge. '
'The statusCode is expected to be 401 but is: {}'.format(response.status_code))
challenge = response.headers.get(WWW_AUTHENTICATE_HEADER)
if not challenge:
raise ValueError("The response does not contain a WWW-Authenticate header that can be "
"used to determine the authority_uri and resource.")
return create_authentication_parameters_from_header(challenge)
def validate_url_object(url):
if not url or not hasattr(url, 'geturl'):
raise AttributeError('Parameter is of wrong type: url')
def create_authentication_parameters_from_url(url, correlation_id=None):
if isinstance(url, str):
challenge_url = url
else:
validate_url_object(url)
challenge_url = url.geturl()
log_context = log.create_log_context(correlation_id)
logger = log.Logger('AuthenticationParameters', log_context)
logger.debug(
"Attempting to retrieve authentication parameters from: {}".format(challenge_url)
)
class _options(object):
_call_context = {'log_context': log_context}
options = util.create_request_options(_options())
try:
response = requests.get(challenge_url, headers=options['headers'])
except Exception:
logger.info("Authentication parameters http get failed.")
raise
try:
return create_authentication_parameters_from_response(response)
except Exception:
logger.info("Unable to parse response in to authentication parameters.")
raise
|
