Changeset 243

Timestamp:

07/16/07 11:12:15 (5 years ago)

Author:

marc

Message:

Fixed #20 (ISA #1). Where /screenshot did not prompt auth.

Location:

trunk

Files:

• ChangeLog (modified) (1 diff)
• server.py (modified) (7 diffs)

trunk/ChangeLog

@@ -5 +5 @@
  * Simplified and improved Makefile
  * Cleaning of the code to try to be at least more compatible with PEP-8.
+
+0.2.1:
+ * Fixed a serious security bug in which /screenshot prompted no auth. Also
+ fixed sending the wrong Content-Lenght for the screenshot.
 
 0.2 (I've been watching you...):

trunk/server.py

@@ -194 +194 @@
         # Here we use our own static.Data special child resource because we need Authentication handling
         # Otherwise we would just use our own self.add_static_resource
-        self.root = RootResource(self.gui, self.itaka_globals.head_html + self.configuration['html']['html'] + self.itaka_globals.footer_html)
+
+        # Also we create our unique authentication handler this keeps track if the user authenticated or not
+        self.authresource = AuthenticatedResource(self.gui)
+        self.root = RootResource(self.gui, self.authresource, self.itaka_globals.head_html + self.configuration['html']['html'] + self.itaka_globals.footer_html)
         self.add_child_to_resource('root', '', self.root)
-        self.add_child_to_resource('root', 'screenshot', ScreenshotResource(self.gui))
+        self.add_child_to_resource('root', 'screenshot', ScreenshotResource(self.gui, self.authresource))
         self.create_site(self.root)
 
-class RootResource(static.Data):
-    """
-    Main resource with authentication support
-
-    Please read RFC 2617 to understand the HTTP Authentication process
-    """
-
-    def __init__(self, gui_instance, data, type='text/html; charset=UTF-8'):
-
+class AuthenticatedResource:
+    """
+    Helper object to handle authentication for resources.
+    """
+
+    def __init__(self, gui_instance):
         """ 
         Constructor that inherits code from resource.Resource->static.Data
@@ -213 +213 @@
         @type gui_instance: instance
         @param gui_instance: An instance of our L{Gui} class
-
-        @type html: string
-        @param html: The HTML to be displayed
+        """
+
+        self.gui = gui_instance
+        self.configuration = self.gui.configuration
+        self.itaka_globals = self.gui.itaka_globals
+        self.noauth = self.itaka_globals.head_html + self.configuration['html']['authfailure'] + self.itaka_globals.footer_html
+        self.request_data_set = False
+        self.authenticated = False
+
+    def set_request_data(self, data, size, type, session_end=False):
+        """
+        Set the information about the data we are handling
+
+
+        @type data: string
+        @param data: The data to be displayed
+
+        @type size: string
+        @param size: A string for Content-Lenght
 
         @type type: str
         @param type: The type of data we are serving
+
+        @type session_end: bool
+        @param session_end: Whether this request is the last of a session. This deauthenticates the session.
+        """
+
+        self.request_data_set = True
+        self.data = data
+        self.size = size
+        self.type = type
+        self.session_end = session_end
+
+    def _prompt_auth(self):
+        """
+        Prompt the authorization dialog on the browser
+        """
+
+        self.authenticated = False
+        self.request.setHeader('WWW-Authenticate', 'Basic realm="Itaka Screenshot Server"')
+        self.request.setResponseCode(http.UNAUTHORIZED)
+        self.request.setHeader('Content-Type', 'text/html; charset=UTF-8')
+        self.request.setHeader('Content-Length', str(len(self.noauth)))
+        self.request.setHeader('Connection', 'close')
+
+    def authenticate(self, request):
+        """
+        Main handler for authenticated objects.
+
+        @type request: instance
+        @param request: twisted.web.server.Request instance
+
+        @rtype: bool
+        @return: Whether the user authenticated sucessfully. 
+        """
+
+        # Get up to date configuration values everytime there is a request
+        self.configuration = self.gui.configuration
+
+        self.request = request
+        self._prompt_auth()
+        self.username = self.request.getUser()
+        self.password = self.request.getPassword()
+        self.ip = self.request.getClientIP()
+        self.time = datetime.datetime.now()
+       
+        if not self.username and not self.password:
+            self.gui.log.failure(('RootResource', 'render'), (_('Client provided empty username and password'), _('Client %s provided empty username and password') % (self.ip)), 'WARNING')
+            self._prompt_auth()
+        else:
+            if self.username != self.configuration['server']['username'] or self.password != self.configuration['server']['password']:
+                self.gui.log.failure(('RootResource', 'render'), (_('Client provided incorrect username and password'), _('Client %s provided incorrect username and password: %s:%s') % (self.ip, self.username, self.password)), 'WARNING')
+                self._prompt_auth()
+            elif self.username == self.configuration['server']['username'] and self.password == self.configuration['server']['password']:
+                self.authenticated = True
+        return self.authenticated
+
+
+    def return_object_data(self):
+        """
+        Returns the data passed by set_request_data() or the default forbidden string if authentication failed.
+
+        @rtype: str
+        @return: self.data or self.noauth
+        """
+
+        if self.request_data_set and self.authenticated:
+            self.request.setResponseCode(http.OK)
+            self.request.setHeader('Content-Type', self.type)
+            self.request.setHeader('Content-Length', self.size)
+            self.request.setHeader('Connection', 'close')
+            # Deauthenticate if it's the screenshot
+            if self.session_end:
+                self.authenticated = False
+            self.request_data_set = True
+            return self.data
+        else:
+            # No authentication given
+            return self.noauth
+    
+class RootResource(static.Data):
+    """
+    Main resource with authentication support
+
+    Please read RFC 2617 to understand the HTTP Authentication process
+    """
+
+    def __init__(self, gui_instance, auth_instance, data, type='text/html; charset=UTF-8'):
+
+        """ 
+        Constructor that inherits code from resource.Resource->static.Data
+
+        @type gui_instance: Gui
+        @param gui_instance: An instance of our L{Gui} class
+
+        @type auth_instance: AuthenticatedResource
+        @param auth_instance: An instance of our L{AuthenticatedResource} class
+
+        @type data: string
+        @param data: The HTML to be displayed
+
+        @type type: str
+        @param type: The type of data we are serving
         """
 
         self.gui = gui_instance
-        self.console = self.gui.console
-        self.itaka_globals = self.gui.itaka_globals
+        self.auth = auth_instance
         self.configuration = self.gui.configuration
 
@@ -229 +345 @@
         self.children = {}
         self.data = data
+        self.size = str(len(self.data))
         self.type = type
-
-        self.noauth = self.itaka_globals.head_html + self.configuration['html']['authfailure'] + self.itaka_globals.footer_html
-
-    def _promptAuth(self):
-        """
-        Prompt the authorization dialog on the browser
-        """
-
-        self.request.setHeader('WWW-Authenticate', 'Basic realm="Itaka Screenshot Server"')
-        self.request.setResponseCode(http.UNAUTHORIZED)
-        self.request.setHeader('Content-Type', self.type)
-        self.request.setHeader('Connection', 'close')
-        self.request.setHeader('Content-Length', str(len(self.noauth)))
 
     def render(self, request):
@@ -254 +358 @@
         # Get up to date configuration values everytime there is a request
         self.configuration = self.gui.configuration
-
         self.request = request
-        self.ip = self.request.getClientIP()
-        self.time = datetime.datetime.now()
 
         if self.configuration['server']['authentication']:
-            self._promptAuth()
-            self.username = self.request.getUser()
-            self.password = self.request.getPassword()
-           
-            if not self.username and not self.password:
-                self.gui.log.failure(('RootResource', 'render'), (_('Client provided empty username and password'), _('Client %s provided empty username and password') % (self.ip)), 'WARNING')
-                self._promptAuth()
-            else:
-                if self.username != self.configuration['server']['username'] or self.password != self.configuration['server']['password']:
-                    self.gui.log.failure(('RootResource', 'render'), (_('Client provided incorrect username and password'), _('Client %s provided incorrect username and password: %s:%s') % (self.ip, self.username, self.password)), 'WARNING')
-                    self._promptAuth()
-                elif self.username == self.configuration['server']['username'] and self.password == self.configuration['server']['password']:
-                    self.request.setResponseCode(http.OK)
-                    self.request.setHeader('Content-Type', self.type)
-                    self.request.setHeader('Connection', 'close')
-                    self.request.setHeader('Content-Length', str(len(self.data)))
-                    return self.data
+            if self.auth.authenticate(self.request):
+                self.auth.set_request_data(self.data, self.size, self.type)
+            return self.auth.return_object_data()
         else:
             self.request.setHeader('Content-Type', self.type)
+            self.request.setHeader('Content-Length', self.size)
             self.request.setHeader('Connection', 'close')
-            self.request.setHeader('Content-Length', str(len(self.data)))
             return self.data
 
-        # No auth given
-        return self.noauth
 
 class ScreenshotResource(resource.Resource):
@@ -291 +376 @@
     """
 
-    def __init__(self, gui_instance):
+    def __init__(self, gui_instance, auth_instance):
         """ 
         Constructor
 
-        @type gui_instance: instance
+        @type gui_instance: Gui
         @param gui_instance: An instance of our L{Gui} class
+
+        @type gui_instance: AuthenticatedResource
+        @param gui_instance: An instance of our L{AuthenticatedResource} class
         """
 
         self.gui = gui_instance
+        self.auth = auth_instance
         self.console = self.gui.console
         self.itaka_globals = self.gui.itaka_globals
@@ -307 +396 @@
         self.counter = 0
 
+
+    def take_shot(self):
+        """
+        Takes a screenshot and notify the GUI.
+        """
+
+        try:
+            self.shot_file = self.screenshot.take_screenshot()
+        except error.ItakaScreenshotError, e:
+            raise error.ItakaScreenshotError, e
+
+        self.data = open(self.shot_file, 'rb').read()
+        self.size = str(os.stat(self.shot_file).st_size)
+        self.counter += 1
+
+        if self.configuration['server']['notify'] and self.itaka_globals.notify_available:
+            import pynotify
+            uri = "file://" + (os.path.join(self.itaka_globals.image_dir, "itaka-take.png")) 
+
+            n = pynotify.Notification(_('Screenshot taken'), _('%s requested screenshot' % (self.ip)), uri)
+
+            n.set_timeout(1500)
+            n.attach_to_status_icon(self.gui.statusIcon)
+            n.show()
+        self.gui.update_gui(self.counter, self.ip, self.time)
+
     def render_GET(self, request):
         """
@@ -318 +433 @@
         """
 
-        # Get up to date configuration values everytime there is a request
-        self.configuration = self.gui.configuration
-
         self.request = request
-        self.ip = self.request.getClientIP()
-        self.time = datetime.datetime.now()
-
         if (self.request.uri == "/screenshot"):
-            try:
-                self.shot_file = self.screenshot.take_screenshot()
-            except error.ItakaScreenshotError:
-                return
-            
-            self.request.setHeader('Content-Type', "image/" + self.configuration['screenshot']['format'])
-            self.request.setHeader('Content-Length', str(len(self.shot_file)))
-            self.request.setHeader('Connection', 'close')
-
-            self.counter += 1
-
-            if self.configuration['server']['notify'] and self.itaka_globals.notify_available:
-                import pynotify
-                uri = "file://" + (os.path.join(self.itaka_globals.image_dir, "itaka-take.png")) 
-
-                n = pynotify.Notification(_('Screenshot taken'), _('%s requested screenshot' % (self.ip)), uri)
-
-                n.set_timeout(1500)
-                n.attach_to_status_icon(self.gui.statusIcon)
-                n.show()
-            self.gui.update_gui(self.counter, self.ip, self.time)
-
-            return open(self.shot_file, 'rb').read()
+
+            # Get up to date configuration values everytime there is a request
+            self.configuration = self.gui.configuration
+
+            self.ip = self.request.getClientIP()
+            self.time = datetime.datetime.now()
+            self.type = "image/" + self.configuration['screenshot']['format']
+
+            if self.configuration['server']['authentication']:
+                if self.auth.authenticated:
+                    try:
+                        self.take_shot()
+                    except error.ItakaScreenshotError:
+                        return
+                    self.auth.set_request_data(self.data, self.size, self.type, True)
+                else:
+                    if self.auth.authenticate(self.request):
+                        try:
+                            self.take_shot()
+                        except error.ItakaScreenshotError:
+                            return
+                        self.auth.set_request_data(self.data, self.size, self.type, True)
+                return self.auth.return_object_data()
+            else:
+                try:
+                    self.take_shot()
+                except error.ItakaScreenshotError:
+                    return
+                self.request.setHeader('Content-Type', self.type)
+                self.request.setHeader('Content-Length', self.size)
+                self.request.setHeader('Connection', 'close')
+                return self.data