code.delx.au - gnu-emacs-elpa/blob - packages/url-http-ntlm/url-http-ntlm.el

   1 ;;; url-http-ntlm.el --- NTLM authentication for the url library
   2
   3 ;; Copyright (C) 2008, 2015 Free Software Foundation, Inc.
   4
   5 ;; Author: Tom Schutzer-Weissmann <tom.weissmann@gmail.com>
   6 ;; Maintainer: Thomas Fitzsimmons <fitzsim@fitzsim.org>
   7 ;; Keywords: comm, data, processes, hypermedia
   8 ;; Homepage: https://code.google.com/p/url-http-ntlm/
   9 ;; Package-Requires: ((cl-lib "0.5") (ntlm "2.0.0"))
  10
  11 ;; This program is free software; you can redistribute it and/or modify
  12 ;; it under the terms of the GNU General Public License as published by
  13 ;; the Free Software Foundation, either version 3 of the License, or
  14 ;; (at your option) any later version.
  15
  16 ;; This program is distributed in the hope that it will be useful,
  17 ;; but WITHOUT ANY WARRANTY; without even the implied warranty of
  18 ;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  19 ;; GNU General Public License for more details.
  20
  21 ;; You should have received a copy of the GNU General Public License
  22 ;; along with this program.  If not, see <http://www.gnu.org/licenses/>.
  23
  24 ;;; Commentary:
  25 ;;
  26 ;; This package provides a NTLM handler for the URL package.
  27 ;;
  28 ;; Installation:
  29 ;;
  30 ;; M-x package-install RET url-http-ntlm RET
  31 ;;
  32 ;; Acknowledgements:
  33 ;;
  34 ;; Taro Kawagishi <tarok@transpulse.org> wrote ntlm.el and md4.el,
  35 ;; which are parts of FLIM (Faithful Library about Internet Message).
  36 ;;
  37 ;; http://stuff.mit.edu/afs/sipb/contrib/emacs/packages/flim-1.14.7/ntlm.el
  38 ;; http://stuff.mit.edu/afs/sipb/contrib/emacs/packages/flim-1.14.7/md4.el
  39
  40 ;;; Code:
  41 (require 'url-auth)
  42 (require 'url-http)
  43 (require 'url-util)
  44 (require 'mail-parse)
  45 (require 'cl-lib)
  46 (require 'ntlm)
  47
  48 ;; Remove authorization after redirect.
  49 (when (and (boundp 'emacs-major-version)
  50            (< emacs-major-version 25))
  51   (require (intern (format "url-http-ntlm-parse-headers-%d.%d"
  52                            emacs-major-version
  53                            emacs-minor-version))))
  54
  55 \f
  56 ;;; Private variables.
  57 (defvar url-http-ntlm--auth-storage nil
  58   "Authentication storage.
  59 An alist that maps a server name to a pair of \(<username> <ntlm
  60 hashes>\).
  61
  62 The hashes are built using `ntlm-get-password-hashes'.")
  63
  64 (defvar url-http-ntlm--last-args nil
  65   "The last `url-http-ntlm--get-stage' arguments and result.
  66 This is used to detect multiple calls.")
  67 (make-variable-buffer-local 'url-http-ntlm--last-args)
  68
  69 (defvar url-http-ntlm--loop-timer-counter nil
  70   "A hash table used to detect NTLM negotiation errors.
  71 Keys are urls, entries are (START-TIME . COUNTER).")
  72
  73 (defvar url-http-ntlm--default-users nil
  74   "An alist that stores one default username per server.")
  75
  76 \f
  77 ;;; Private functions.
  78 (defun url-http-ntlm--detect-loop (url)
  79   "Detect potential infinite loop when NTLM fails on URL."
  80   (when (not url-http-ntlm--loop-timer-counter)
  81     (setq url-http-ntlm--loop-timer-counter (make-hash-table :test 'equal)))
  82   (let* ((url-string (url-recreate-url url))
  83          (last-entry (gethash url-string url-http-ntlm--loop-timer-counter))
  84          (start-time (car last-entry))
  85          (counter (cdr last-entry)))
  86     (if last-entry
  87         (progn
  88           (if (< (-  (float-time) start-time) 10.0)
  89               (if (< counter 20)
  90                   ;; Still within time window, so increment count.
  91                   (puthash url-string (cons start-time (1+ counter))
  92                            url-http-ntlm--loop-timer-counter)
  93                 ;; Error detected, so remove entry and clear.
  94                 (url-http-ntlm--authorization url-string :clear)
  95                 (remhash url-string url-http-ntlm--loop-timer-counter)
  96                 (error
  97                  (format (concat "Access rate to %s is too high,"
  98                                  " indicating an NTLM failure;"
  99                                  " to debug, re-run with url-debug set to 1")
 100                          url-string)))
 101             ;; Timeout expired, so reset counter.
 102             (puthash url-string (cons (float-time) 0)
 103                      url-http-ntlm--loop-timer-counter)))
 104       ;; New access, so initialize counter to 0.
 105       (puthash url-string (cons (float-time) 0)
 106                url-http-ntlm--loop-timer-counter))))
 107
 108 (defun url-http-ntlm--ensure-user (url)
 109   "Return URL with its user slot set.
 110 If URL's user slot is nil, set it to the last user that made a
 111 request to the host in URL's server slot."
 112   (let ((new-url url))
 113     (if (url-user new-url)
 114         new-url
 115       (setf (url-user new-url)
 116             (cdr (assoc (url-host new-url) url-http-ntlm--default-users)))
 117       new-url)))
 118
 119 (defun url-http-ntlm--ensure-keepalive ()
 120   "Report an error if `url-http-attempt-keepalives' is not set."
 121   (cl-assert url-http-attempt-keepalives
 122              nil
 123              (concat "NTLM authentication won't work unless"
 124                      " `url-http-attempt-keepalives' is set!")))
 125
 126 (defun url-http-ntlm--clean-headers ()
 127   "Remove Authorization element from `url-http-extra-headers' alist."
 128   (cl-declare (special url-http-extra-headers))
 129   (setq url-http-extra-headers
 130         (url-http-ntlm--rmssoc "Authorization" url-http-extra-headers)))
 131
 132 (defun url-http-ntlm--get-stage (args)
 133   "Determine what stage of the NTLM handshake we are at.
 134 PROMPT and ARGS come from `url-ntlm-auth''s caller,
 135 `url-get-authentication'.  Their meaning depends on the current
 136 implementation - this function is well and truly coupled.
 137
 138 url-get-authentication' calls `url-ntlm-auth' once when checking
 139 what authentication schemes are supported (PROMPT and ARGS are
 140 nil), and then twice for every stage of the handshake: the first
 141 time PROMPT is nil, the second, t; ARGS contains the server
 142 response's \"WWW-Authenticate\" header, munged by
 143 `url-parse-args'."
 144   (cl-declare (special url-http-extra-headers))
 145   (let* ((response-rxp     "^NTLM TlRMTVNTUAADAAA")
 146          (challenge-rxp    "^TLRMTVNTUAACAAA")
 147          (auth-header      (assoc "Authorization" url-http-extra-headers))
 148          (case-fold-search t)
 149          stage)
 150     (url-debug 'url-http-ntlm "Buffer: %s" (current-buffer))
 151     (url-debug 'url-http-ntlm "Arguments: %s" args)
 152     (url-debug 'url-http-ntlm "Previous arguments: %s" url-http-ntlm--last-args)
 153     (if (eq args (car url-http-ntlm--last-args))
 154         ;; multiple calls, return the same argument we returned last time
 155         (progn
 156           (url-debug 'url-http-ntlm "Returning previous result: %s"
 157                      (cdr url-http-ntlm--last-args))
 158           (cdr url-http-ntlm--last-args))
 159       (let ((stage
 160              (cond ((and auth-header (string-match response-rxp
 161                                                    (cdr auth-header)))
 162                     :error)
 163                    ((and (= (length args) 2)
 164                          (cl-destructuring-bind (challenge ntlm) args
 165                            (and (string-equal "ntlm" (car ntlm))
 166                                 (string-match challenge-rxp
 167                                               (car challenge)))))
 168                     :response)
 169                    (t
 170                     :request))))
 171         (url-http-ntlm--clean-headers)
 172         (setq url-http-ntlm--last-args (cons args stage))
 173         stage))))
 174
 175 (defun url-http-ntlm--authorization (url &optional clear realm)
 176   "Get or clear NTLM authentication details for URL.
 177 If CLEAR is non-nil, clear any saved credentials for server.
 178 Otherwise, return the credentials, prompting the user if
 179 necessary.  REALM appears in the prompt.
 180
 181 If URL contains a username and a password, they are used and
 182 stored credentials are not affected."
 183   (let* ((href   (if (stringp url)
 184                      (url-generic-parse-url url)
 185                    url))
 186          (type   (url-type href))
 187          (user   (url-user href))
 188          (server (url-host href))
 189          (port   (url-portspec href))
 190          (pass   (url-password href))
 191          (stored (assoc (list type user server port)
 192                         url-http-ntlm--auth-storage))
 193          (both   (and user pass)))
 194     (if clear
 195         ;; clear
 196         (unless both
 197           (setq url-http-ntlm--default-users
 198                 (url-http-ntlm--rmssoc server url-http-ntlm--default-users))
 199           (setq url-http-ntlm--auth-storage
 200                 (url-http-ntlm--rmssoc '(type user* server port)
 201                                        url-http-ntlm--auth-storage))
 202           nil)
 203       ;; get
 204       (if (or both
 205               (and stored user (not (equal user (cl-second (car stored)))))
 206               (not stored))
 207           (let* ((user* (or user
 208                             (url-do-auth-source-search server type :user)
 209                             (read-string (url-auth-user-prompt url realm)
 210                                          (or user (user-real-login-name)))))
 211                  (pass* (if both
 212                             pass
 213                           (or (url-do-auth-source-search server type :secret)
 214                               (read-passwd (format "Password [for %s]: "
 215                                                    (url-recreate-url url))))))
 216                  (key   (list type user* server port))
 217                  (entry `(,key . (,(ntlm-get-password-hashes pass*)))))
 218             (unless both
 219               (setq url-http-ntlm--default-users
 220                     (cons
 221                      `(,server . ,user*)
 222                      (url-http-ntlm--rmssoc server
 223                                             url-http-ntlm--default-users)))
 224               (setq url-http-ntlm--auth-storage
 225                     (cons entry
 226                           (url-http-ntlm--rmssoc
 227                            key
 228                            url-http-ntlm--auth-storage))))
 229             entry)
 230         stored))))
 231
 232 (defun url-http-ntlm--get-challenge ()
 233   "Return the NTLM Type-2 message in the WWW-Authenticate header.
 234 Return nil if the NTLM Type-2 message is not present."
 235   (save-restriction
 236     (mail-narrow-to-head)
 237     (let ((www-authenticate (mail-fetch-field "www-authenticate")))
 238       (when (string-match "NTLM\\s-+\\(\\S-+\\)"
 239                           www-authenticate)
 240         (base64-decode-string (match-string 1 www-authenticate))))))
 241
 242 (defun url-http-ntlm--rmssoc (key alist)
 243   "Remove all elements whose `car' match KEY from ALIST."
 244   (cl-remove key alist :key 'car :test 'equal))
 245
 246 (defun url-http-ntlm--string (data)
 247   "Return DATA encoded as an NTLM string."
 248   (concat "NTLM " (base64-encode-string data :nobreak)))
 249
 250 \f
 251 ;;; Public function called by `url-get-authentication'.
 252 ;;;###autoload
 253 (defun url-ntlm-auth (url &optional prompt overwrite realm args)
 254   "Return an NTLM HTTP authorization header.
 255 Get the contents of the Authorization header for a HTTP response
 256 using NTLM authentication, to access URL.  Because NTLM is a
 257 two-step process, this function expects to be called twice, first
 258 to generate the NTLM type 1 message (request), then to respond to
 259 the server's type 2 message (challenge) with a suitable response.
 260
 261 PROMPT, OVERWRITE, and REALM are ignored.
 262
 263 ARGS is expected to contain the WWW-Authentication header from
 264 the server's last response.  These are used by
 265 `url-http-get-stage' to determine what stage we are at."
 266   (url-http-ntlm--ensure-keepalive)
 267   (let* ((user-url (url-http-ntlm--ensure-user url))
 268          (stage (url-http-ntlm--get-stage args)))
 269     (url-debug 'url-http-ntlm "Stage: %s" stage)
 270     (cl-case stage
 271       ;; NTLM Type 1 message: the request
 272       (:request
 273        (url-http-ntlm--detect-loop user-url)
 274        (cl-destructuring-bind (&optional key hash)
 275            (url-http-ntlm--authorization user-url nil realm)
 276          (when (cl-third key)
 277            (url-http-ntlm--string
 278             (ntlm-build-auth-request (cl-second key) (cl-third key))))))
 279       ;; NTLM Type 3 message: the response
 280       (:response
 281        (url-http-ntlm--detect-loop user-url)
 282        (let ((challenge (url-http-ntlm--get-challenge)))
 283          (cl-destructuring-bind (key hash)
 284              (url-http-ntlm--authorization user-url nil realm)
 285            (url-http-ntlm--string
 286             (ntlm-build-auth-response challenge
 287                                       (cl-second key)
 288                                       hash)))))
 289       (:error
 290        (url-http-ntlm--authorization user-url :clear)))))
 291
 292 \f
 293 ;;; Register `url-ntlm-auth' HTTP authentication method.
 294 ;;;###autoload
 295 (url-register-auth-scheme "ntlm" nil 8)
 296
 297 (provide 'url-http-ntlm)
 298
 299 ;;; url-http-ntlm.el ends here