1
# Copyright (C) 2005, 2006, 2007, 2008 Canonical Ltd
3
# This program is free software; you can redistribute it and/or modify
4
# it under the terms of the GNU General Public License as published by
5
# the Free Software Foundation; either version 2 of the License, or
6
# (at your option) any later version.
8
# This program is distributed in the hope that it will be useful,
9
# but WITHOUT ANY WARRANTY; without even the implied warranty of
10
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
11
# GNU General Public License for more details.
13
# You should have received a copy of the GNU General Public License
14
# along with this program; if not, write to the Free Software
15
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
17
"""Support for secure authentication using GSSAPI over FTP.
19
See RFC2228 for details.
22
import base64, ftplib, getpass, socket
28
from bzrlib.trace import info, mutter
29
from bzrlib.transport.ftp import FtpTransport
30
from bzrlib.transport import register_transport_proto, register_transport
34
except ImportError, e:
35
mutter('failed to import kerberos lib: %s', e)
36
raise errors.DependencyNotPresent('kerberos', e)
38
if getattr(kerberos, "authGSSClientWrap", None) is None:
39
raise errors.DependencyNotPresent('kerberos',
40
"missing encryption function authGSSClientWrap")
43
class GSSAPIFtp(ftplib.FTP):
44
"""Extended version of ftplib.FTP that can authenticate using GSSAPI."""
46
def mic_putcmd(self, line):
47
rc = kerberos.authGSSClientWrap(self.vc,
48
base64.b64encode(line), kerberos.authGSSClientUserName(self.vc))
49
wrapped = kerberos.authGSSClientResponse(self.vc)
50
ftplib.FTP.putcmd(self, "MIC " + wrapped)
52
def mic_getline(self):
53
resp = ftplib.FTP.getline(self)
54
if resp[:4] != '631 ':
56
rc = kerberos.authGSSClientUnwrap(self.vc, resp[4:].strip("\r\n"))
57
response = base64.b64decode(kerberos.authGSSClientResponse(self.vc))
60
def gssapi_login(self, user):
61
# Try GSSAPI login first
63
# Used FTP response codes:
64
# 235 [ADAT=base64data] - indicates that the security data exchange
65
# completed successfully.
66
# 334 [ADAT=base64data] - indicates that the requested security
67
# mechanism is ok, and includes security data to be used by the
68
# client to construct the next command.
69
# 335 [ADAT=base64data] - indicates that the security data is
70
# acceptable, and more is required to complete the security
73
resp = self.sendcmd('AUTH GSSAPI')
74
if resp.startswith('334 '):
75
rc, self.vc = kerberos.authGSSClientInit("ftp@%s" % self.host)
76
if kerberos.authGSSClientStep(self.vc, "") != 1:
77
while resp[:4] in ('334 ', '335 '):
78
authdata = kerberos.authGSSClientResponse(self.vc)
79
resp = self.sendcmd('ADAT ' + authdata)
80
if resp[:9] in ('235 ADAT=', '335 ADAT='):
81
rc = kerberos.authGSSClientStep(self.vc, resp[9:])
82
if not ((resp.startswith('235 ') and rc == 1) or
83
(resp.startswith('335 ') and rc == 0)):
84
raise ftplib.error_reply, resp
85
info("Authenticated as %s" % kerberos.authGSSClientUserName(
89
self.putcmd = self.mic_putcmd
90
self.getline = self.mic_getline
91
self.sendcmd('USER ' + user)
93
mutter("Unable to use GSSAPI authentication: %s", resp)
96
class GSSAPIFtpTransport(FtpTransport):
97
"""FTP transport implementation that will try to use GSSAPI authentication.
101
def _create_connection(self, credentials=None):
102
"""Create a new connection with the provided credentials.
104
:param credentials: The credentials needed to establish the connection.
106
:return: The created connection and its associated credentials.
108
The credentials are a tuple with the username and password. The
109
password is used if GSSAPI Authentication is not available.
111
The username and password can both be None, in which case the
112
credentials specified in the URL or provided by the
113
AuthenticationConfig() are used.
115
if credentials is None:
116
user, password = self._user, self._password
118
user, password = credentials
120
auth = config.AuthenticationConfig()
122
user = auth.get_user('ftp', self._host, port=self._port)
124
# Default to local user
125
user = getpass.getuser()
127
mutter("Constructing FTP instance against %r" %
128
((self._host, self._port, user, '********',
131
connection = GSSAPIFtp()
132
connection.connect(host=self._host, port=self._port)
134
connection.gssapi_login(user=user)
135
except ftplib.error_perm, e:
136
if user and user != 'anonymous' and \
137
password is None: # '' is a valid password
138
password = auth.get_password('ftp', self._host, user,
140
connection.login(user=user, passwd=password)
141
connection.set_pasv(not self.is_active)
142
except socket.error, e:
143
raise errors.SocketConnectionError(self._host, self._port,
144
msg='Unable to connect to',
146
except ftplib.error_perm, e:
147
raise errors.TransportError(msg="Error setting up connection:"
148
" %s" % str(e), orig_error=e)
149
return connection, (user, password)
152
def get_test_permutations():
153
"""Return the permutations to be used in testing."""
154
from bzrlib import tests
155
if tests.FTPServerFeature.available():
156
from bzrlib.tests import ftp_server
157
return [(GSSAPIFtpTransport, ftp_server.FTPServer)]
added
removed
bzrlib/transport/ftp/_gssapi.py
