code.delx.au - gnu-emacs-elpa/blob - packages/url-http-ntlm/url-http-ntlm.el

   1 ;;; url-http-ntlm.el --- NTLM authentication for the url library
   2
   3 ;; Copyright (C) 2008  Tom Schutzer-Weissmann
   4
   5 ;; Author: Tom Schutzer-Weissmann <tom@schutzer-weissmann.net>
   6 ;; Keywords: comm, data, processes, hypermedia
   7
   8 ;; This program is free software; you can redistribute it and/or modify
   9 ;; it under the terms of the GNU General Public License as published by
  10 ;; the Free Software Foundation, either version 3 of the License, or
  11 ;; (at your option) any later version.
  12
  13 ;; This program is distributed in the hope that it will be useful,
  14 ;; but WITHOUT ANY WARRANTY; without even the implied warranty of
  15 ;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  16 ;; GNU General Public License for more details.
  17
  18 ;; You should have received a copy of the GNU General Public License
  19 ;; along with this program.  If not, see <http://www.gnu.org/licenses/>.
  20
  21 ;;; Commentary:
  22 ;;
  23 ;; This package provides a NTLM handler for the URL package.
  24 ;; It supports one username and password per server.
  25 ;;
  26 ;; Installation:
  27 ;;
  28 ;; Add the directory containing this file to the load path and then
  29 ;; load the url-http-ntlm package.  One way would be to add something
  30 ;; like the lines below to your .emacs file:
  31 ;;
  32 ;; (add-to-list 'load-path ".emacs.d/url-http-ntlm")
  33 ;; (require 'url-http-ntlm)
  34 ;;
  35 ;; Acknowledgements:
  36 ;;
  37 ;; Taro Kawagishi <tarok@transpulse.org> wrote ntlm.el and md4.el,
  38 ;; which are parts of FLIM (Faithful Library about Internet Message).
  39 ;;
  40 ;; http://stuff.mit.edu/afs/sipb/contrib/emacs/packages/flim-1.14.7/ntlm.el
  41 ;; http://stuff.mit.edu/afs/sipb/contrib/emacs/packages/flim-1.14.7/md4.el
  42
  43 ;;; Code:
  44 (require 'url-auth)
  45 (require 'url-http)
  46 (require 'mail-parse)
  47 (require 'cl)
  48 (require 'ntlm)
  49
  50 (defvar url-http-ntlm-auth-storage nil
  51   "Authentication storage.
  52 An alist that maps a server name to a pair of \(<username> <ntlm
  53 hashes>\).
  54
  55 The hashes are built using `ntlm-get-password-hashes'.
  56 The username can contain the domain name, in the form \"user@domain\".
  57
  58 Note that for any server, only one user and password is ever stored.")
  59
  60 (defun url-ntlm-auth (url &optional prompt overwrite realm args)
  61   "Return an NTLM HTTP authorization header.
  62 Get the contents of the Authorization header for a HTTP response
  63 using NTLM authentication, to access URL.  Because NTLM is a
  64 two-step process, this function expects to be called twice, first
  65 to generate the NTLM type 1 message (request), then to respond to
  66 the server's type 2 message (challenge) with a suitable response.
  67
  68 PROMPT, OVERWRITE, and REALM are ignored.
  69
  70 ARGS is expected to contain the WWW-Authentication header from
  71 the server's last response.  These are used by
  72 `url-http-get-stage' to determine what stage we are at."
  73   (url-ntlm-ensure-keepalive)
  74   (let ((stage (url-ntlm-get-stage args)))
  75     (case stage
  76       ;;
  77       ;; NTLM Type 1 message: the request
  78       (:request
  79        (destructuring-bind (&optional server user hash)
  80            (url-http-ntlm-authorisation url)
  81          (when server
  82            (url-http-ntlm-string (ntlm-build-auth-request user server)))))
  83       ;;
  84       ;; NTLM Type 3 message: the response
  85       (:response
  86        (let ((challenge (url-http-ntlm-get-challenge)))
  87          (destructuring-bind (server user hash)
  88              (url-http-ntlm-authorisation url)
  89            (url-http-ntlm-string (ntlm-build-auth-response challenge
  90                                                            user
  91                                                            hash)))))
  92       (:error
  93        (url-http-ntlm-authorisation url :clear)))))
  94
  95 (defun url-ntlm-ensure-keepalive ()
  96   "Report an error if `url-http-attempt-keepalives' is not set."
  97   (assert url-http-attempt-keepalives
  98           nil
  99           (concat "NTLM authentication won't work unless"
 100                   " `url-http-attempt-keepalives' is set!")))
 101
 102 (defun url-ntlm-clean-headers ()
 103   "Remove Authorization element from `url-http-extra-headers' alist."
 104   (setq url-http-extra-headers
 105         (url-http-ntlm-rmssoc "Authorization" url-http-extra-headers)))
 106
 107 (defvar url-ntlm-last-args nil
 108   "Stores the last ARGS argument to `url-ntlm-get-stage' and the return value.
 109 This is used to detect multiple calls.")
 110 (make-variable-buffer-local 'url-ntlm-last-args)
 111
 112 (defun url-ntlm-get-stage (args)
 113   "Determine what stage of the NTLM handshake we are at.
 114 PROMPT and ARGS come from `url-ntlm-auth''s caller,
 115 `url-get-authentication'.  Their meaning depends on the current
 116 implementation - this function is well and truly coupled.
 117
 118 url-get-authentication' calls `url-ntlm-auth' once when checking
 119 what authentication schemes are supported (PROMPT and ARGS are
 120 nil), and then twice for every stage of the handshake: the first
 121 time PROMPT is nil, the second, t; ARGS contains the server
 122 response's \"WWW-Authenticate\" header, munged by
 123 `url-parse-args'."
 124   (let* ((response-rxp     "^NTLM TlRMTVNTUAADAAA")
 125          (challenge-rxp    "^TLRMTVNTUAACAAA")
 126          (auth-header      (assoc "Authorization" url-http-extra-headers))
 127          (case-fold-search t)
 128          stage)
 129     (if (eq args (car url-ntlm-last-args))
 130         ;; multiple calls, return the same argument we returned last time
 131         (cdr url-ntlm-last-args)
 132         ;;
 133         (let ((stage
 134                (cond ((and auth-header (string-match response-rxp
 135                                                      (cdr auth-header)))
 136                       :error)
 137                      ((and (= (length args) 2)
 138                            (destructuring-bind (challenge ntlm) args
 139                              (and (string-equal "ntlm" (car ntlm))
 140                                   (string-match challenge-rxp
 141                                                 (car challenge)))))
 142                       :response)
 143                      (t
 144                       :request))))
 145           (url-ntlm-clean-headers)
 146           (setq url-ntlm-last-args (cons args stage))
 147           stage))))
 148
 149 (defun url-http-ntlm-authorisation (url &optional clear)
 150   "Get or clear NTLM authentication details for URL.
 151 If CLEAR is non-nil, clear any saved credentials for server.
 152 Otherwise, return the credentials, prompting the user if
 153 necessary.
 154
 155 If URL contains a username and a password, they are used and
 156 stored credentials are not affected.
 157
 158 Note that for any server, only one user and password is ever
 159 stored."
 160   (let* ((href   (if (stringp url)
 161                      (url-generic-parse-url url)
 162                      url))
 163          (server (url-host href))
 164          (user   (url-user href))
 165          (pass   (url-password href))
 166          (stored (assoc server url-http-ntlm-auth-storage))
 167          (both   (and user pass)))
 168     (if clear
 169         ;; clear
 170         (unless both
 171           (setq url-http-ntlm-auth-storage
 172                 (url-http-ntlm-rmssoc server url-http-ntlm-auth-storage))
 173           nil)
 174         ;; get
 175         (if (or both
 176                 (and stored user (not (equal user (second stored))))
 177                 (not stored))
 178             (let* ((user*  (if both
 179                                user
 180                                (read-string (url-auth-user-prompt url realm)
 181                                             (or user (user-real-login-name)))))
 182                    (pass*  (if both
 183                                pass
 184                                (read-passwd "Password: ")))
 185                    (entry `(,server . (,user*
 186                                        ,(ntlm-get-password-hashes pass*)))))
 187               (unless both
 188                 (setq url-http-ntlm-auth-storage
 189                       (cons entry
 190                             (url-http-ntlm-rmssoc server
 191                                                   url-http-ntlm-auth-storage))))
 192               entry)
 193             ;;
 194             stored))))
 195
 196 (defun url-http-ntlm-get-challenge ()
 197   "Return the NTLM Type-2 message in the WWW-Authenticate header, if present."
 198   (save-restriction
 199     (mail-narrow-to-head)
 200     (let ((www-authenticate (mail-fetch-field "www-authenticate")))
 201       (when (string-match "NTLM\\s-+\\(\\S-+\\)"
 202                           www-authenticate)
 203         (base64-decode-string (match-string 1 www-authenticate))))))
 204
 205 (defun url-http-ntlm-rmssoc (key alist)
 206   "Remove all elements whose `car' match KEY from ALIST."
 207   (remove* key alist :key 'car :test 'equal))
 208
 209 (defun url-http-ntlm-string (data)
 210   "Return DATA encoded as an NTLM string."
 211   (concat "NTLM " (base64-encode-string data :nobreak)))
 212
 213 (url-register-auth-scheme "ntlm" nil 8)
 214
 215 (provide 'url-http-ntlm)
 216
 217 ;;; url-http-ntlm.el ends here