13
13
# You should have received a copy of the GNU General Public License
14
14
# along with this program; if not, write to the Free Software
15
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
15
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
17
17
"""Support for secure authentication using GSSAPI over FTP.
19
19
See RFC2228 for details.
22
from __future__ import absolute_import
22
import base64, ftplib, getpass, socket
26
24
from bzrlib import (
29
from bzrlib.i18n import gettext
30
from bzrlib.trace import (
28
from bzrlib.trace import info, mutter
34
29
from bzrlib.transport.ftp import FtpTransport
30
from bzrlib.transport import register_transport_proto, register_transport
48
44
"""Extended version of ftplib.FTP that can authenticate using GSSAPI."""
50
46
def mic_putcmd(self, line):
51
rc = kerberos.authGSSClientWrap(self.vc, base64.b64encode(line))
47
rc = kerberos.authGSSClientWrap(self.vc,
48
base64.b64encode(line), kerberos.authGSSClientUserName(self.vc))
52
49
wrapped = kerberos.authGSSClientResponse(self.vc)
53
50
ftplib.FTP.putcmd(self, "MIC " + wrapped)
64
61
# Try GSSAPI login first
66
63
# Used FTP response codes:
67
# 235 [ADAT=base64data] - indicates that the security data exchange
64
# 235 [ADAT=base64data] - indicates that the security data exchange
68
65
# completed successfully.
69
# 334 [ADAT=base64data] - indicates that the requested security
70
# mechanism is ok, and includes security data to be used by the
66
# 334 [ADAT=base64data] - indicates that the requested security
67
# mechanism is ok, and includes security data to be used by the
71
68
# client to construct the next command.
72
69
# 335 [ADAT=base64data] - indicates that the security data is
73
# acceptable, and more is required to complete the security
70
# acceptable, and more is required to complete the security
76
73
resp = self.sendcmd('AUTH GSSAPI')
82
79
resp = self.sendcmd('ADAT ' + authdata)
83
80
if resp[:9] in ('235 ADAT=', '335 ADAT='):
84
81
rc = kerberos.authGSSClientStep(self.vc, resp[9:])
85
if not ((resp.startswith('235 ') and rc == 1) or
82
if not ((resp.startswith('235 ') and rc == 1) or
86
83
(resp.startswith('335 ') and rc == 0)):
87
84
raise ftplib.error_reply, resp
88
note(gettext("Authenticated as %s") %
89
kerberos.authGSSClientUserName(self.vc))
85
info("Authenticated as %s" % kerberos.authGSSClientUserName(
91
88
# Monkey patch ftplib
92
89
self.putcmd = self.mic_putcmd
104
connection_class = GSSAPIFtp
106
def _login(self, connection, auth, user, password):
107
"""Login with GSSAPI Authentication.
109
The password is used if GSSAPI Authentication is not available.
111
The username and password can both be None, in which case the
112
credentials specified in the URL or provided by the
101
def _create_connection(self, credentials=None):
102
"""Create a new connection with the provided credentials.
104
:param credentials: The credentials needed to establish the connection.
106
:return: The created connection and its associated credentials.
108
The credentials are a tuple with the username and password. The
109
password is used if GSSAPI Authentication is not available.
111
The username and password can both be None, in which case the
112
credentials specified in the URL or provided by the
113
113
AuthenticationConfig() are used.
115
if credentials is None:
116
user, password = self._user, self._password
118
user, password = credentials
120
auth = config.AuthenticationConfig()
122
user = auth.get_user('ftp', self._host, port=self._port)
124
# Default to local user
125
user = getpass.getuser()
127
mutter("Constructing FTP instance against %r" %
128
((self._host, self._port, user, '********',
116
connection.gssapi_login(user=user)
131
connection = GSSAPIFtp()
132
connection.connect(host=self._host, port=self._port)
134
connection.gssapi_login(user=user)
135
except ftplib.error_perm, e:
136
if user and user != 'anonymous' and \
137
password is None: # '' is a valid password
138
password = auth.get_password('ftp', self._host, user,
140
connection.login(user=user, passwd=password)
141
connection.set_pasv(not self.is_active)
142
except socket.error, e:
143
raise errors.SocketConnectionError(self._host, self._port,
144
msg='Unable to connect to',
117
146
except ftplib.error_perm, e:
118
super(GSSAPIFtpTransport, self)._login(connection, auth,
147
raise errors.TransportError(msg="Error setting up connection:"
148
" %s" % str(e), orig_error=e)
149
return connection, (user, password)
122
152
def get_test_permutations():
123
153
"""Return the permutations to be used in testing."""
124
from bzrlib.tests import ftp_server
125
if ftp_server.FTPServerFeature.available():
126
return [(GSSAPIFtpTransport, ftp_server.FTPTestServer)]
154
from bzrlib import tests
155
if tests.FTPServerFeature.available():
156
from bzrlib.tests import ftp_server
157
return [(GSSAPIFtpTransport, ftp_server.FTPServer)]