]> code.delx.au - gnu-emacs-elpa/blob - packages/url-http-ntlm/url-http-ntlm.el
delx.au / code / gnu-emacs-elpa / blob
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
url-http-ntlm: Prevent infinite loops
[gnu-emacs-elpa] / packages / url-http-ntlm / url-http-ntlm.el
1 ;;; url-http-ntlm.el --- NTLM authentication for the url library
2
3 ;; Copyright (C) 2008, 2015 Free Software Foundation, Inc.
4
5 ;; Author: Tom Schutzer-Weissmann <tom.weissmann@gmail.com>
6 ;; Maintainer: Thomas Fitzsimmons <fitzsim@fitzsim.org>
7 ;; Keywords: comm, data, processes, hypermedia
8
9 ;; This program is free software; you can redistribute it and/or modify
10 ;; it under the terms of the GNU General Public License as published by
11 ;; the Free Software Foundation, either version 3 of the License, or
12 ;; (at your option) any later version.
13
14 ;; This program is distributed in the hope that it will be useful,
15 ;; but WITHOUT ANY WARRANTY; without even the implied warranty of
16 ;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 ;; GNU General Public License for more details.
18
19 ;; You should have received a copy of the GNU General Public License
20 ;; along with this program. If not, see <http://www.gnu.org/licenses/>.
21
22 ;;; Commentary:
23 ;;
24 ;; This package provides a NTLM handler for the URL package.
25 ;; It supports one username and password per server.
26 ;;
27 ;; Installation:
28 ;;
29 ;; M-x package-install RET url-http-ntlm RET
30 ;;
31 ;; Acknowledgements:
32 ;;
33 ;; Taro Kawagishi <tarok@transpulse.org> wrote ntlm.el and md4.el,
34 ;; which are parts of FLIM (Faithful Library about Internet Message).
35 ;;
36 ;; http://stuff.mit.edu/afs/sipb/contrib/emacs/packages/flim-1.14.7/ntlm.el
37 ;; http://stuff.mit.edu/afs/sipb/contrib/emacs/packages/flim-1.14.7/md4.el
38
39 ;;; Code:
40 (require 'url-auth)
41 (require 'url-http)
42 (require 'mail-parse)
43 (require 'cl-lib)
44 (require 'ntlm)
45
46 ;; Remove authorization after redirect.
47 (when (and (boundp 'emacs-major-version)
48 (< emacs-major-version 25))
49 (require (intern (format "url-http-ntlm-parse-headers-%d.%d"
50 emacs-major-version
51 emacs-minor-version))))
52
53 \f
54 ;;; Private variables.
55 (defvar url-http-ntlm--auth-storage nil
56 "Authentication storage.
57 An alist that maps a server name to a pair of \(<username> <ntlm
58 hashes>\).
59
60 The hashes are built using `ntlm-get-password-hashes'.
61 The username can contain the domain name, in the form \"user@domain\".
62
63 Note that for any server, only one user and password is ever stored.")
64
65 (defvar url-http-ntlm--last-args nil
66 "Stores the last `url-http-ntlm--get-stage' arguments and return value.
67 This is used to detect multiple calls.")
68 (make-variable-buffer-local 'url-http-ntlm--last-args)
69
70 (defvar url-http-ntlm--loop-timer-counter nil
71 "A hash table used to detect NTLM negotiation errors.
72 Keys are urls, entries are (START-TIME . COUNTER).")
73
74 \f
75 ;;; Private functions.
76 (defun url-http-ntlm--detect-loop (url)
77 "Detect potential infinite loop when NTLM fails on URL."
78 (when (not url-http-ntlm--loop-timer-counter)
79 (setq url-http-ntlm--loop-timer-counter (make-hash-table :test 'equal)))
80 (let* ((url-string (url-recreate-url url))
81 (last-entry (gethash url-string url-http-ntlm--loop-timer-counter))
82 (start-time (car last-entry))
83 (counter (cdr last-entry)))
84 (if last-entry
85 (progn
86 (if (< (- (float-time) start-time) 10.0)
87 (if (< counter 20)
88 ;; Still within time window, so increment count.
89 (puthash url-string (cons start-time (1+ counter))
90 url-http-ntlm--loop-timer-counter)
91 ;; Error detected, so remove entry and clear.
92 (url-http-ntlm--authorisation url-string :clear)
93 (remhash url-string url-http-ntlm--loop-timer-counter)
94 (error
95 (format (concat "Access rate to %s is too high,"
96 " indicating an NTLM failure;"
97 " to debug, re-run with url-debug set to 1")
98 url-string)))
99 ;; Timeout expired, so reset counter.
100 (puthash url-string (cons (float-time) 0)
101 url-http-ntlm--loop-timer-counter)))
102 ;; New access, so initialize counter to 0.
103 (puthash url-string (cons (float-time) 0)
104 url-http-ntlm--loop-timer-counter))))
105
106 (defun url-http-ntlm--ensure-keepalive ()
107 "Report an error if `url-http-attempt-keepalives' is not set."
108 (cl-assert url-http-attempt-keepalives
109 nil
110 (concat "NTLM authentication won't work unless"
111 " `url-http-attempt-keepalives' is set!")))
112
113 (defun url-http-ntlm--clean-headers ()
114 "Remove Authorization element from `url-http-extra-headers' alist."
115 (setq url-http-extra-headers
116 (url-http-ntlm--rmssoc "Authorization" url-http-extra-headers)))
117
118 (defun url-http-ntlm--get-stage (args)
119 "Determine what stage of the NTLM handshake we are at.
120 PROMPT and ARGS come from `url-ntlm-auth''s caller,
121 `url-get-authentication'. Their meaning depends on the current
122 implementation - this function is well and truly coupled.
123
124 url-get-authentication' calls `url-ntlm-auth' once when checking
125 what authentication schemes are supported (PROMPT and ARGS are
126 nil), and then twice for every stage of the handshake: the first
127 time PROMPT is nil, the second, t; ARGS contains the server
128 response's \"WWW-Authenticate\" header, munged by
129 `url-parse-args'."
130 (let* ((response-rxp "^NTLM TlRMTVNTUAADAAA")
131 (challenge-rxp "^TLRMTVNTUAACAAA")
132 (auth-header (assoc "Authorization" url-http-extra-headers))
133 (case-fold-search t)
134 stage)
135 (if (eq args (car url-http-ntlm--last-args))
136 ;; multiple calls, return the same argument we returned last time
137 (cdr url-http-ntlm--last-args)
138 (let ((stage
139 (cond ((and auth-header (string-match response-rxp
140 (cdr auth-header)))
141 :error)
142 ((and (= (length args) 2)
143 (cl-destructuring-bind (challenge ntlm) args
144 (and (string-equal "ntlm" (car ntlm))
145 (string-match challenge-rxp
146 (car challenge)))))
147 :response)
148 (t
149 :request))))
150 (url-http-ntlm--clean-headers)
151 (setq url-http-ntlm--last-args (cons args stage))
152 stage))))
153
154 (defun url-http-ntlm--authorisation (url &optional clear)
155 "Get or clear NTLM authentication details for URL.
156 If CLEAR is non-nil, clear any saved credentials for server.
157 Otherwise, return the credentials, prompting the user if
158 necessary.
159
160 If URL contains a username and a password, they are used and
161 stored credentials are not affected.
162
163 Note that for any server, only one user and password is ever
164 stored."
165 (let* ((href (if (stringp url)
166 (url-generic-parse-url url)
167 url))
168 (server (url-host href))
169 (user (url-user href))
170 (pass (url-password href))
171 (stored (assoc server url-http-ntlm--auth-storage))
172 (both (and user pass)))
173 (if clear
174 ;; clear
175 (unless both
176 (setq url-http-ntlm--auth-storage
177 (url-http-ntlm--rmssoc server url-http-ntlm--auth-storage))
178 nil)
179 ;; get
180 (if (or both
181 (and stored user (not (equal user (cl-second stored))))
182 (not stored))
183 (let* ((user* (if both
184 user
185 (read-string (url-auth-user-prompt url realm)
186 (or user (user-real-login-name)))))
187 (pass* (if both
188 pass
189 (read-passwd "Password: ")))
190 (entry `(,server . (,user*
191 ,(ntlm-get-password-hashes pass*)))))
192 (unless both
193 (setq url-http-ntlm--auth-storage
194 (cons entry
195 (url-http-ntlm--rmssoc server
196 url-http-ntlm--auth-storage))))
197 entry)
198 stored))))
199
200 (defun url-http-ntlm--get-challenge ()
201 "Return the NTLM Type-2 message in the WWW-Authenticate header, if present."
202 (save-restriction
203 (mail-narrow-to-head)
204 (let ((www-authenticate (mail-fetch-field "www-authenticate")))
205 (when (string-match "NTLM\\s-+\\(\\S-+\\)"
206 www-authenticate)
207 (base64-decode-string (match-string 1 www-authenticate))))))
208
209 (defun url-http-ntlm--rmssoc (key alist)
210 "Remove all elements whose `car' match KEY from ALIST."
211 (cl-remove key alist :key 'car :test 'equal))
212
213 (defun url-http-ntlm--string (data)
214 "Return DATA encoded as an NTLM string."
215 (concat "NTLM " (base64-encode-string data :nobreak)))
216
217 \f
218 ;;; Public function called by `url-get-authentication'.
219 (defun url-ntlm-auth (url &optional prompt overwrite realm args)
220 "Return an NTLM HTTP authorization header.
221 Get the contents of the Authorization header for a HTTP response
222 using NTLM authentication, to access URL. Because NTLM is a
223 two-step process, this function expects to be called twice, first
224 to generate the NTLM type 1 message (request), then to respond to
225 the server's type 2 message (challenge) with a suitable response.
226
227 PROMPT, OVERWRITE, and REALM are ignored.
228
229 ARGS is expected to contain the WWW-Authentication header from
230 the server's last response. These are used by
231 `url-http-get-stage' to determine what stage we are at."
232 (url-http-ntlm--ensure-keepalive)
233 (let ((stage (url-http-ntlm--get-stage args)))
234 (cl-case stage
235 ;; NTLM Type 1 message: the request
236 (:request
237 (url-http-ntlm--detect-loop user-url)
238 (cl-destructuring-bind (&optional server user hash)
239 (url-http-ntlm--authorisation url)
240 (when server
241 (url-http-ntlm--string
242 (ntlm-build-auth-request user server)))))
243 ;; NTLM Type 3 message: the response
244 (:response
245 (url-http-ntlm--detect-loop user-url)
246 (let ((challenge (url-http-ntlm--get-challenge)))
247 (cl-destructuring-bind (server user hash)
248 (url-http-ntlm--authorisation url)
249 (url-http-ntlm--string
250 (ntlm-build-auth-response challenge
251 user
252 hash)))))
253 (:error
254 (url-http-ntlm--authorisation url :clear)))))
255
256 \f
257 ;;; Register `url-ntlm-auth' HTTP authentication method.
258 (url-register-auth-scheme "ntlm" nil 8)
259
260 (provide 'url-http-ntlm)
261
262 ;;; url-http-ntlm.el ends here