Correction of windows' digest authentication, new database migration to fit the needs and adjusting tracim's login/change password/user creation to calculate and insert the new hash

tracim/migration/versions/b4b8d57b54e5_add_hash_column_for_digest_.py

@@ -0,0 +1,22 @@
+"""add hash column for digest authentication
+
+Revision ID: b4b8d57b54e5
+Revises: 534c4594ed29
+Create Date: 2016-08-11 10:27:28.951506
+
+"""
+
+# revision identifiers, used by Alembic.
+revision = 'b4b8d57b54e5'
+down_revision = '534c4594ed29'
+
+from alembic import op
+from sqlalchemy import Column, Unicode
+
+
+def upgrade():
+    op.add_column('users', Column('webdav_left_digest_response_hash', Unicode(128)))
+
+
+def downgrade():
+    op.drop_column('users', 'webdav_left_digest_response_hash')

tracim/tracim/controllers/admin/user.py

@@ -328,6 +328,9 @@ class UserRestController(TIMRestController):
             # Setup a random password to send email at user
             password = str(uuid.uuid4())
             user.password = password
+
+        user.webdav_left_digest_response_hash = '%s:/:%s' % (email, password)
+
         api.save(user)
 
         # Now add the user to related groups

tracim/tracim/controllers/user.py

@@ -123,6 +123,7 @@ class UserPasswordRestController(TIMRestController):
             tg.redirect(redirect_url)
 
         current_user.password = new_password1
+        current_user.webdav_left_digest_response_hash = '%s:/:%s' % (current_user.email, new_password1)
         pm.DBSession.flush()
 
         tg.flash(_('Your password has been changed'))

tracim/tracim/lib/auth/internal.py

@@ -5,6 +5,8 @@ from tg.configuration.auth import TGAuthMetadata
 from tracim.lib.auth.base import Auth
 from tracim.model import DBSession, User
 
+# TODO : temporary fix to update DB, to remove
+import transaction
 
 class InternalAuth(Auth):
 
@@ -34,6 +36,11 @@ class InternalApplicationAuthMetadata(TGAuthMetadata):
         )).first()
 
         if user and user.validate_password(identity['password']):
+            if user.webdav_left_digest_response_hash == '':
+                user.webdav_left_digest_response_hash = '%s:/:%s' % (identity['login'], identity['password'])
+                DBSession.flush()
+                # TODO : temporary fix to update DB, to remove
+                transaction.commit()
             return identity['login']
 
     def get_user(self, identity, userid):

tracim/tracim/lib/daemons.py

@@ -239,6 +239,18 @@ import traceback
 DEFAULT_CONFIG_FILE = "wsgidav.conf"
 PYTHON_VERSION = "%s.%s.%s" % (sys.version_info[0], sys.version_info[1], sys.version_info[2])
 
+def _get_checked_path(path, mustExist=True, allowNone=True):
+    """Convert path to absolute if not None."""
+    if path in (None, ""):
+        if allowNone:
+            return None
+        else:
+            raise ValueError("Invalid path %r" % path)
+    path = os.path.abspath(path)
+    if mustExist and not os.path.exists(path):
+        raise ValueError("Invalid path %r" % path)
+    return path
+
 class WsgiDavDaemon(Daemon):
 
     def __init__(self, *args, **kwargs):
@@ -261,6 +273,12 @@ class WsgiDavDaemon(Daemon):
         if not useLxml and config["verbose"] >= 1:
             print(
                 "WARNING: Could not import lxml: using xml instead (slower). Consider installing lxml from http://codespeak.net/lxml/.")
+        from wsgidav.dir_browser import WsgiDavDirBrowser
+        from wsgidav.debug_filter import WsgiDavDebugFilter
+        from tracim.lib.webdav.tracim_http_authenticator import TracimHTTPAuthenticator
+        from wsgidav.error_printer import ErrorPrinter
+
+        config['middleware_stack'] = [ WsgiDavDirBrowser, TracimHTTPAuthenticator, ErrorPrinter, WsgiDavDebugFilter ]
 
         config['provider_mapping'] = \
             {
@@ -273,7 +291,9 @@ class WsgiDavDaemon(Daemon):
             }
 
         config['domaincontroller'] = SQLDomainController(presetdomain=None, presetserver=None)
-        config['defaultdigest'] = False
+        config['defaultdigest'] = True
+        config['acceptdigest'] = True
+
         return config
 
     def _readConfigFile(self, config_file, verbose):
@@ -323,6 +343,7 @@ class WsgiDavDaemon(Daemon):
                 PYTHON_VERSION)
 
             wsgiserver.CherryPyWSGIServer.version = version
+
             protocol = "http"
 
             if config["verbose"] >= 1:

tracim/tracim/lib/webdav/__init__.py

@@ -6,6 +6,7 @@ from tracim.model.data import ActionDescription, ContentType, Content, Workspace
 from wsgidav import util
 
 import transaction
+from wsgidav import compat
 
 class HistoryType(object):
     Deleted = 'deleted'
@@ -27,7 +28,8 @@ class FakeFileStream(object):
         :param workspace: content's workspace, necessary if the file is new as we've got no other way to get it
         :param content: either the content to be updated or None if it's a new file
         """
-        self._buffer = []
+        self._buff = compat.BytesIO()
+
         self._file_name = file_name if file_name != '' else self._content.file_name
         self._content = content
         self._api = content_api
@@ -44,20 +46,18 @@ class FakeFileStream(object):
 
     def write(self, s: str):
         """Called by request_server when writing content to files, we stock it in our file"""
-        self._buffer.append(s)
+        self._buff.write(s)
 
     def close(self):
         """Called by request_server when everything has been written and we either update the file or
         create a new file"""
-        item_content = b''
 
-        for part in self._buffer:
-            item_content += part
+        self._buff.seek(0)
 
         if self._content is None:
-            self.create_file(item_content)
+            self.create_file(self._buff)
         else:
-            self.update_file(item_content)
+            self.update_file(self._buff)
 
     def create_file(self, item_content):
         file = self._api.create(
@@ -70,20 +70,20 @@ class FakeFileStream(object):
             file,
             self._file_name,
             util.guessMimeType(self._file_name),
-            item_content
+            item_content.read()
         )
 
         self._api.save(file, ActionDescription.CREATION)
 
         transaction.commit()
 
-    def update_file(self, item_content: bytes):
+    def update_file(self, item_content):
         with new_revision(self._content):
             self._api.update_file_data(
                 self._content,
                 self._file_name,
                 util.guessMimeType(self._content.file_name),
-                item_content
+                item_content.read()
             )
             self._api.save(self._content, ActionDescription.EDITION)
 

tracim/tracim/lib/webdav/sql_dav_provider.py

@@ -61,6 +61,7 @@ class Provider(DAVProvider):
     #########################################################
     # Everything override from DAVProvider
     def getResourceInst(self, path, environ):
+        print("ok : ", path)
         #if not self.exists(path, environ):
         #    return None
         if not self.exists(path, environ):
@@ -178,6 +179,7 @@ class Provider(DAVProvider):
             return None
 
     def exists(self, path, environ):
+        print("ok (exist) : ", path)
         uapi = UserApi(None)
         environ['user'] = uapi.get_one_by_email(environ['http_authenticator.username'])
 
@@ -193,6 +195,7 @@ class Provider(DAVProvider):
         )
 
         if path == root_path:
+            print("ok (pass ici) : ", path)
             return True
         elif parent_path == root_path:
             return self.get_workspace_from_path(

tracim/tracim/lib/webdav/sql_domain_controller.py

@@ -8,18 +8,18 @@ class SQLDomainController(object):
         self._api = UserApi(None)
 
     def getDomainRealm(self, inputURL, environ):
-        """
-        On va récupérer le workspace de travail pour travailler sur les droits
-        """
+
+        '''On va récupérer le workspace de travail pour travailler sur les droits'''
+
         return '/'
 
     def requireAuthentication(self, realmname, environ):
         return True
 
     def isRealmUser(self, realmname, username, environ):
-        """
-        travailler dans la bdd pour vérifier si utilisateur existe
-        """
+
+        '''travailler dans la bdd pour vérifier si utilisateur existe'''
+
         try:
             self._api.get_one_by_email(username)
             return True
@@ -27,14 +27,21 @@ class SQLDomainController(object):
             return False
 
     def getRealmUserPassword(self, realmname, username, environ):
-        """Retourne le mdp pour l'utilisateur pour ce real"""
+        '''Retourne le mdp pour l'utilisateur pour ce real'''
         try:
             user = self._api.get_one_by_email(username)
             return user.password
         except:
             return None
 
+    def get_left_digest_response_hash(self, realmname, username, environ):
+        try:
+            user = self._api.get_one_by_email(username)
+            return user.webdav_left_digest_response_hash
+        except:
+            return None
+
     def authDomainUser(self, realmname, username, password, environ):
-        """Vérifier que l'utilisateur est valide pour ce domaine"""
+        '''Vérifier que l'utilisateur est valide pour ce domaine'''
         return self.isRealmUser(realmname, username, environ) and \
-            self._api.get_one_by_email(username).validate_password(password)
+            self._api.get_one_by_email(username).validate_password(password)

tracim/tracim/lib/webdav/sql_resources.py

@@ -379,6 +379,11 @@ class Folder(Workspace):
             self.content_api,
             WorkspaceApi(self.environ['user']))
 
+        workspace = self.provider.get_workspace_from_path(
+            normpath(destpath),
+            WorkspaceApi(self.environ['user'])
+        )
+
         with new_revision(self.content):
             if basename(destpath) != self.content.label:
                 self.content_api.update_content(self.content, basename(destpath), self.content.description)
@@ -397,14 +402,7 @@ class Folder(Workspace):
                 try:
                     self.content_api.move_recursively(self.content, parent, parent.workspace)
                 except AttributeError:
-                    self.content_api.move_recursively(
-                        self.content,
-                        parent,
-                        self.provider.get_workspace_from_path(
-                            destpath,
-                            WorkspaceApi(self.environ['user'])
-                        )
-                    )
+                    self.content_api.move_recursively(self.content, parent, workspace)
 
         transaction.commit()
 
@@ -818,6 +816,11 @@ class File(DAVNonCollection):
             WorkspaceApi(self.environ['user'])
         )
 
+        workspace = self.provider.get_workspace_from_path(
+            normpath(destpath),
+            WorkspaceApi(self.environ['user'])
+        )
+
         with new_revision(self.content):
             if basename(destpath) != self.content.label:
                 self.content_api.update_content(self.content, basename(destpath), self.content.description)
@@ -827,7 +830,7 @@ class File(DAVNonCollection):
                 item=self.content,
                 new_parent=parent,
                 must_stay_in_same_workspace=False,
-                new_workspace=parent.workspace
+                new_workspace=workspace
             )
 
         transaction.commit()
@@ -893,6 +896,9 @@ class OtherFile(File):
     def getDisplayName(self) -> str:
         return self.content.get_label()
 
+    def getPreferredPath(self):
+        return self.path + '.html'
+
     def __repr__(self) -> str:
         return "<DAVNonCollection: OtherFile (%s)" % self.content.file_name
 

tracim/tracim/lib/webdav/tracim_http_authenticator.py

@@ -0,0 +1,144 @@
+from wsgidav.http_authenticator import HTTPAuthenticator
+from wsgidav import util
+import re
+
+_logger = util.getModuleLogger(__name__, True)
+HOTFIX_WINXP_AcceptRootShareLogin = True
+
+class TracimHTTPAuthenticator(HTTPAuthenticator):
+    def __init__(self, application, config):
+        super(TracimHTTPAuthenticator, self).__init__(application, config)
+        self._headerfixparser = re.compile(r'([\w]+)=("[^"]*,[^"]*"),')
+
+    def authDigestAuthRequest(self, environ, start_response):
+        realmname = self._domaincontroller.getDomainRealm(environ["PATH_INFO"], environ)
+
+        isinvalidreq = False
+
+        authheaderdict = dict([])
+        authheaders = environ["HTTP_AUTHORIZATION"] + ","
+        if not authheaders.lower().strip().startswith("digest"):
+            isinvalidreq = True
+            # Hotfix for Windows file manager and OSX Finder:
+        # Some clients don't urlencode paths in auth header, so uri value may
+        # contain commas, which break the usual regex headerparser. Example:
+        # Digest username="user",realm="/",uri="a,b.txt",nc=00000001, ...
+        # -> [..., ('uri', '"a'), ('nc', '00000001'), ...]
+        # Override any such values with carefully extracted ones.
+        authheaderlist = self._headerparser.findall(authheaders)
+        authheaderfixlist = self._headerfixparser.findall(authheaders)
+        if authheaderfixlist:
+            _logger.info("Fixing authheader comma-parsing: extend %s with %s" \
+                         % (authheaderlist, authheaderfixlist))
+            authheaderlist += authheaderfixlist
+        for authheader in authheaderlist:
+            authheaderkey = authheader[0]
+            authheadervalue = authheader[1].strip().strip("\"")
+            authheaderdict[authheaderkey] = authheadervalue
+
+        _logger.debug("authDigestAuthRequest: %s" % environ["HTTP_AUTHORIZATION"])
+        _logger.debug("  -> %s" % authheaderdict)
+
+        if "username" in authheaderdict:
+            req_username = authheaderdict["username"]
+            req_username_org = req_username
+            # Hotfix for Windows XP:
+            #   net use W: http://127.0.0.1/dav /USER:DOMAIN\tester tester
+            # will send the name with double backslashes ('DOMAIN\\tester')
+            # but send the digest for the simple name ('DOMAIN\tester').
+            if r"\\" in req_username:
+                req_username = req_username.replace("\\\\", "\\")
+                _logger.info("Fixing Windows name with double backslash: '%s' --> '%s'" % (req_username_org, req_username))
+
+            if not self._domaincontroller.isRealmUser(realmname, req_username, environ):
+                isinvalidreq = True
+        else:
+            isinvalidreq = True
+
+            # TODO: Chun added this comments, but code was commented out
+            # Do not do realm checking - a hotfix for WinXP using some other realm's
+            # auth details for this realm - if user/password match
+        print(authheaderdict.get("realm"), realmname)
+        if 'realm' in authheaderdict:
+            if authheaderdict["realm"].upper() != realmname.upper():
+                if HOTFIX_WINXP_AcceptRootShareLogin:
+                    # Hotfix: also accept '/'
+                    if authheaderdict["realm"].upper() != "/":
+                        isinvalidreq = True
+                else:
+                    isinvalidreq = True
+
+        if "algorithm" in authheaderdict:
+            if authheaderdict["algorithm"].upper() != "MD5":
+                isinvalidreq = True  # only MD5 supported
+
+        if "uri" in authheaderdict:
+            req_uri = authheaderdict["uri"]
+
+        if "nonce" in authheaderdict:
+            req_nonce = authheaderdict["nonce"]
+        else:
+            isinvalidreq = True
+
+        req_hasqop = False
+        if "qop" in authheaderdict:
+            req_hasqop = True
+            req_qop = authheaderdict["qop"]
+            if req_qop.lower() != "auth":
+                isinvalidreq = True  # only auth supported, auth-int not supported
+        else:
+            req_qop = None
+
+        if "cnonce" in authheaderdict:
+            req_cnonce = authheaderdict["cnonce"]
+        else:
+            req_cnonce = None
+            if req_hasqop:
+                isinvalidreq = True
+
+        if "nc" in authheaderdict:  # is read but nonce-count checking not implemented
+            req_nc = authheaderdict["nc"]
+        else:
+            req_nc = None
+            if req_hasqop:
+                isinvalidreq = True
+
+        if "response" in authheaderdict:
+            req_response = authheaderdict["response"]
+        else:
+            isinvalidreq = True
+
+        if not isinvalidreq:
+            left_digest_response_hash = self._domaincontroller.get_left_digest_response_hash(realmname, req_username, environ)
+
+            req_method = environ["REQUEST_METHOD"]
+
+            required_digest = self.tracim_compute_digest_response(left_digest_response_hash, req_method, req_uri, req_nonce,
+                                                         req_cnonce, req_qop, req_nc)
+
+            if required_digest != req_response:
+                _logger.warning("computeDigestResponse('%s', '%s', ...): %s != %s" % (
+                realmname, req_username, required_digest, req_response))
+                isinvalidreq = True
+            else:
+                _logger.debug("digest succeeded for realm '%s', user '%s'" % (realmname, req_username))
+            pass
+
+        if isinvalidreq:
+            _logger.warning("Authentication failed for user '%s', realm '%s'" % (req_username, realmname))
+            return self.sendDigestAuthResponse(environ, start_response)
+
+        environ["http_authenticator.realm"] = realmname
+        environ["http_authenticator.username"] = req_username
+        return self._application(environ, start_response)
+
+    def tracim_compute_digest_response(self, left_digest_response_hash, method, uri, nonce, cnonce, qop, nc):
+        # A1 : username:realm:password
+        A2 = method + ":" + uri
+        if qop:
+            digestresp = self.md5kd(left_digest_response_hash, nonce + ":" + nc + ":" + cnonce + ":" + qop + ":" + self.md5h(A2))
+        else:
+            digestresp = self.md5kd(left_digest_response_hash, nonce + ":" + self.md5h(A2))
+            # print(A1, A2)
+        # print(digestresp)
+        return digestresp

tracim/tracim/model/auth.py

@@ -14,6 +14,7 @@ from hashlib import sha256
 from slugify import slugify
 from sqlalchemy.ext.hybrid import hybrid_property
 from tg.i18n import lazy_ugettext as l_
+from hashlib import md5
 
 __all__ = ['User', 'Group', 'Permission']
 
@@ -121,6 +122,7 @@ class User(DeclarativeBase):
     created = Column(DateTime, default=datetime.now)
     is_active = Column(Boolean, default=True, nullable=False)
     imported_from = Column(Unicode(32), nullable=True)
+    _webdav_left_digest_response_hash = Column('webdav_left_digest_response_hash', Unicode(128))
 
     @hybrid_property
     def email_address(self):
@@ -197,6 +199,20 @@ class User(DeclarativeBase):
     password = synonym('_password', descriptor=property(_get_password,
                                                         _set_password))
 
+    @classmethod
+    def _hash_digest(cls, digest):
+        return md5(bytes(digest, 'utf-8')).hexdigest()
+
+    def _set_hash_digest(self, digest):
+        self._webdav_left_digest_response_hash = self._hash_digest(digest)
+
+    def _get_hash_digest(self):
+        return self._webdav_left_digest_response_hash
+
+    webdav_left_digest_response_hash = synonym('_webdav_left_digest_response_hash',
+                                               descriptor=property(_get_hash_digest,
+                                                                    _set_hash_digest))
+
     def validate_password(self, password):
         """
         Check the password against existing credentials.