]> code.delx.au - gnu-emacs-elpa/blob - packages/url-http-ntlm/url-http-ntlm.el
delx.au / code / gnu-emacs-elpa / blob
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
url-http-ntlm.el (url-http-ntlm-last-args): Group defvar with others
[gnu-emacs-elpa] / packages / url-http-ntlm / url-http-ntlm.el
1 ;;; url-http-ntlm.el --- NTLM authentication for the url library
2
3 ;; Copyright (C) 2008, 2015 Free Software Foundation, Inc.
4
5 ;; Author: Tom Schutzer-Weissmann <tom.weissmann@gmail.com>
6 ;; Maintainer: Thomas Fitzsimmons <fitzsim@fitzsim.org>
7 ;; Keywords: comm, data, processes, hypermedia
8
9 ;; This program is free software; you can redistribute it and/or modify
10 ;; it under the terms of the GNU General Public License as published by
11 ;; the Free Software Foundation, either version 3 of the License, or
12 ;; (at your option) any later version.
13
14 ;; This program is distributed in the hope that it will be useful,
15 ;; but WITHOUT ANY WARRANTY; without even the implied warranty of
16 ;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 ;; GNU General Public License for more details.
18
19 ;; You should have received a copy of the GNU General Public License
20 ;; along with this program. If not, see <http://www.gnu.org/licenses/>.
21
22 ;;; Commentary:
23 ;;
24 ;; This package provides a NTLM handler for the URL package.
25 ;; It supports one username and password per server.
26 ;;
27 ;; Installation:
28 ;;
29 ;; M-x package-install RET url-http-ntlm RET
30 ;;
31 ;; Acknowledgements:
32 ;;
33 ;; Taro Kawagishi <tarok@transpulse.org> wrote ntlm.el and md4.el,
34 ;; which are parts of FLIM (Faithful Library about Internet Message).
35 ;;
36 ;; http://stuff.mit.edu/afs/sipb/contrib/emacs/packages/flim-1.14.7/ntlm.el
37 ;; http://stuff.mit.edu/afs/sipb/contrib/emacs/packages/flim-1.14.7/md4.el
38
39 ;;; Code:
40 (require 'url-auth)
41 (require 'url-http)
42 (require 'mail-parse)
43 (require 'cl)
44 (require 'ntlm)
45
46 (defvar url-http-ntlm-auth-storage nil
47 "Authentication storage.
48 An alist that maps a server name to a pair of \(<username> <ntlm
49 hashes>\).
50
51 The hashes are built using `ntlm-get-password-hashes'.
52 The username can contain the domain name, in the form \"user@domain\".
53
54 Note that for any server, only one user and password is ever stored.")
55
56 (defvar url-http-ntlm-last-args nil
57 "Stores the last `url-http-ntlm-get-stage' arguments and return value.
58 This is used to detect multiple calls.")
59 (make-variable-buffer-local 'url-http-ntlm-last-args)
60
61 (defun url-http-ntlm-ensure-keepalive ()
62 "Report an error if `url-http-attempt-keepalives' is not set."
63 (assert url-http-attempt-keepalives
64 nil
65 (concat "NTLM authentication won't work unless"
66 " `url-http-attempt-keepalives' is set!")))
67
68 (defun url-http-ntlm-clean-headers ()
69 "Remove Authorization element from `url-http-extra-headers' alist."
70 (setq url-http-extra-headers
71 (url-http-ntlm-rmssoc "Authorization" url-http-extra-headers)))
72
73 (defun url-http-ntlm-get-stage (args)
74 "Determine what stage of the NTLM handshake we are at.
75 PROMPT and ARGS come from `url-ntlm-auth''s caller,
76 `url-get-authentication'. Their meaning depends on the current
77 implementation - this function is well and truly coupled.
78
79 url-get-authentication' calls `url-ntlm-auth' once when checking
80 what authentication schemes are supported (PROMPT and ARGS are
81 nil), and then twice for every stage of the handshake: the first
82 time PROMPT is nil, the second, t; ARGS contains the server
83 response's \"WWW-Authenticate\" header, munged by
84 `url-parse-args'."
85 (let* ((response-rxp "^NTLM TlRMTVNTUAADAAA")
86 (challenge-rxp "^TLRMTVNTUAACAAA")
87 (auth-header (assoc "Authorization" url-http-extra-headers))
88 (case-fold-search t)
89 stage)
90 (if (eq args (car url-http-ntlm-last-args))
91 ;; multiple calls, return the same argument we returned last time
92 (cdr url-http-ntlm-last-args)
93 (let ((stage
94 (cond ((and auth-header (string-match response-rxp
95 (cdr auth-header)))
96 :error)
97 ((and (= (length args) 2)
98 (destructuring-bind (challenge ntlm) args
99 (and (string-equal "ntlm" (car ntlm))
100 (string-match challenge-rxp
101 (car challenge)))))
102 :response)
103 (t
104 :request))))
105 (url-http-ntlm-clean-headers)
106 (setq url-http-ntlm-last-args (cons args stage))
107 stage))))
108
109 (defun url-http-ntlm-authorisation (url &optional clear)
110 "Get or clear NTLM authentication details for URL.
111 If CLEAR is non-nil, clear any saved credentials for server.
112 Otherwise, return the credentials, prompting the user if
113 necessary.
114
115 If URL contains a username and a password, they are used and
116 stored credentials are not affected.
117
118 Note that for any server, only one user and password is ever
119 stored."
120 (let* ((href (if (stringp url)
121 (url-generic-parse-url url)
122 url))
123 (server (url-host href))
124 (user (url-user href))
125 (pass (url-password href))
126 (stored (assoc server url-http-ntlm-auth-storage))
127 (both (and user pass)))
128 (if clear
129 ;; clear
130 (unless both
131 (setq url-http-ntlm-auth-storage
132 (url-http-ntlm-rmssoc server url-http-ntlm-auth-storage))
133 nil)
134 ;; get
135 (if (or both
136 (and stored user (not (equal user (second stored))))
137 (not stored))
138 (let* ((user* (if both
139 user
140 (read-string (url-auth-user-prompt url realm)
141 (or user (user-real-login-name)))))
142 (pass* (if both
143 pass
144 (read-passwd "Password: ")))
145 (entry `(,server . (,user*
146 ,(ntlm-get-password-hashes pass*)))))
147 (unless both
148 (setq url-http-ntlm-auth-storage
149 (cons entry
150 (url-http-ntlm-rmssoc server
151 url-http-ntlm-auth-storage))))
152 entry)
153 stored))))
154
155 (defun url-http-ntlm-get-challenge ()
156 "Return the NTLM Type-2 message in the WWW-Authenticate header, if present."
157 (save-restriction
158 (mail-narrow-to-head)
159 (let ((www-authenticate (mail-fetch-field "www-authenticate")))
160 (when (string-match "NTLM\\s-+\\(\\S-+\\)"
161 www-authenticate)
162 (base64-decode-string (match-string 1 www-authenticate))))))
163
164 (defun url-http-ntlm-rmssoc (key alist)
165 "Remove all elements whose `car' match KEY from ALIST."
166 (remove* key alist :key 'car :test 'equal))
167
168 (defun url-http-ntlm-string (data)
169 "Return DATA encoded as an NTLM string."
170 (concat "NTLM " (base64-encode-string data :nobreak)))
171
172 (defun url-ntlm-auth (url &optional prompt overwrite realm args)
173 "Return an NTLM HTTP authorization header.
174 Get the contents of the Authorization header for a HTTP response
175 using NTLM authentication, to access URL. Because NTLM is a
176 two-step process, this function expects to be called twice, first
177 to generate the NTLM type 1 message (request), then to respond to
178 the server's type 2 message (challenge) with a suitable response.
179
180 PROMPT, OVERWRITE, and REALM are ignored.
181
182 ARGS is expected to contain the WWW-Authentication header from
183 the server's last response. These are used by
184 `url-http-get-stage' to determine what stage we are at."
185 (url-http-ntlm-ensure-keepalive)
186 (let ((stage (url-http-ntlm-get-stage args)))
187 (case stage
188 ;; NTLM Type 1 message: the request
189 (:request
190 (destructuring-bind (&optional server user hash)
191 (url-http-ntlm-authorisation url)
192 (when server
193 (url-http-ntlm-string
194 (ntlm-build-auth-request user server)))))
195 ;; NTLM Type 3 message: the response
196 (:response
197 (let ((challenge (url-http-ntlm-get-challenge)))
198 (destructuring-bind (server user hash)
199 (url-http-ntlm-authorisation url)
200 (url-http-ntlm-string
201 (ntlm-build-auth-response challenge
202 user
203 hash)))))
204 (:error
205 (url-http-ntlm-authorisation url :clear)))))
206
207 (url-register-auth-scheme "ntlm" nil 8)
208
209 (provide 'url-http-ntlm)
210
211 ;;; url-http-ntlm.el ends here