requests_ntlm-1.1.0/0000755000076500000240000000000013171516212015160 5ustar jboreanstaff00000000000000requests_ntlm-1.1.0/PKG-INFO0000644000076500000240000000151313171516212016255 0ustar jboreanstaff00000000000000Metadata-Version: 1.1 Name: requests_ntlm Version: 1.1.0 Summary: This package allows for HTTP NTLM authentication using the requests library. Home-page: https://github.com/requests/requests-ntlm Author: Ben Toews Author-email: mastahyeti@gmail.com License: ISC Description-Content-Type: UNKNOWN Description: UNKNOWN Platform: UNKNOWN Classifier: Development Status :: 4 - Beta Classifier: Intended Audience :: Developers Classifier: Programming Language :: Python Classifier: Programming Language :: Python :: 2 Classifier: Programming Language :: Python :: 2.6 Classifier: Programming Language :: Python :: 2.7 Classifier: Programming Language :: Python :: 3 Classifier: Programming Language :: Python :: 3.3 Classifier: Programming Language :: Python :: 3.4 Classifier: License :: OSI Approved :: ISC License (ISCL) Provides: requests_ntlm requests_ntlm-1.1.0/requests_ntlm/0000755000076500000240000000000013171516212020065 5ustar jboreanstaff00000000000000requests_ntlm-1.1.0/requests_ntlm/requests_ntlm.py0000644000076500000240000002274613170762401023361 0ustar jboreanstaff00000000000000import binascii import sys import warnings from cryptography import x509 from cryptography.hazmat.backends import default_backend from cryptography.hazmat.primitives import hashes from cryptography.exceptions import UnsupportedAlgorithm from ntlm_auth import ntlm from requests.auth import AuthBase from requests.packages.urllib3.response import HTTPResponse class HttpNtlmAuth(AuthBase): """ HTTP NTLM Authentication Handler for Requests. Supports pass-the-hash. """ def __init__(self, username, password, session=None, send_cbt=True): """Create an authentication handler for NTLM over HTTP. :param str username: Username in 'domain\\username' format :param str password: Password :param str session: Unused. Kept for backwards-compatibility. :param bool send_cbt: Will send the channel bindings over a HTTPS channel (Default: True) """ if ntlm is None: raise Exception("NTLM libraries unavailable") # parse the username try: self.domain, self.username = username.split('\\', 1) except ValueError: self.username = username self.domain = '' if self.domain: self.domain = self.domain.upper() self.password = password self.send_cbt = send_cbt # This exposes the encrypt/decrypt methods used to encrypt and decrypt messages # sent after ntlm authentication. These methods are utilised by libraries that # call requests_ntlm to encrypt and decrypt the messages sent after authentication self.session_security = None def retry_using_http_NTLM_auth(self, auth_header_field, auth_header, response, auth_type, args): # Get the certificate of the server if using HTTPS for CBT server_certificate_hash = self._get_server_cert(response) """Attempt to authenticate using HTTP NTLM challenge/response.""" if auth_header in response.request.headers: return response content_length = int( response.request.headers.get('Content-Length', '0'), base=10) if hasattr(response.request.body, 'seek'): if content_length > 0: response.request.body.seek(-content_length, 1) else: response.request.body.seek(0, 0) # Consume content and release the original connection # to allow our new request to reuse the same one. response.content response.raw.release_conn() request = response.request.copy() # ntlm returns the headers as a base64 encoded bytestring. Convert to # a string. context = ntlm.Ntlm() negotiate_message = context.create_negotiate_message(self.domain).decode('ascii') auth = u'%s %s' % (auth_type, negotiate_message) request.headers[auth_header] = auth # A streaming response breaks authentication. # This can be fixed by not streaming this request, which is safe # because the returned response3 will still have stream=True set if # specified in args. In addition, we expect this request to give us a # challenge and not the real content, so the content will be short # anyway. args_nostream = dict(args, stream=False) response2 = response.connection.send(request, **args_nostream) # needed to make NTLM auth compatible with requests-2.3.0 # Consume content and release the original connection # to allow our new request to reuse the same one. response2.content response2.raw.release_conn() request = response2.request.copy() # this is important for some web applications that store # authentication-related info in cookies (it took a long time to # figure out) if response2.headers.get('set-cookie'): request.headers['Cookie'] = response2.headers.get('set-cookie') # get the challenge auth_header_value = response2.headers[auth_header_field] auth_strip = auth_type + ' ' ntlm_header_value = next( s for s in (val.lstrip() for val in auth_header_value.split(',')) if s.startswith(auth_strip) ).strip() # Parse the challenge in the ntlm context context.parse_challenge_message(ntlm_header_value[len(auth_strip):]) # build response # Get the response based on the challenge message authenticate_message = context.create_authenticate_message( self.username, self.password, self.domain, server_certificate_hash=server_certificate_hash ) authenticate_message = authenticate_message.decode('ascii') auth = u'%s %s' % (auth_type, authenticate_message) request.headers[auth_header] = auth response3 = response2.connection.send(request, **args) # Update the history. response3.history.append(response) response3.history.append(response2) # Get the session_security object created by ntlm-auth for signing and sealing of messages self.session_security = context.session_security return response3 def response_hook(self, r, **kwargs): """The actual hook handler.""" if r.status_code == 401: # Handle server auth. www_authenticate = r.headers.get('www-authenticate', '').lower() auth_type = _auth_type_from_header(www_authenticate) if auth_type is not None: return self.retry_using_http_NTLM_auth( 'www-authenticate', 'Authorization', r, auth_type, kwargs ) elif r.status_code == 407: # If we didn't have server auth, do proxy auth. proxy_authenticate = r.headers.get( 'proxy-authenticate', '' ).lower() auth_type = _auth_type_from_header(proxy_authenticate) if auth_type is not None: return self.retry_using_http_NTLM_auth( 'proxy-authenticate', 'Proxy-authorization', r, auth_type, kwargs ) return r def _get_server_cert(self, response): """ Get the certificate at the request_url and return it as a hash. Will get the raw socket from the original response from the server. This socket is then checked if it is an SSL socket and then used to get the hash of the certificate. The certificate hash is then used with NTLMv2 authentication for Channel Binding Tokens support. If the raw object is not a urllib3 HTTPReponse (default with requests) then no certificate will be returned. :param response: The original 401 response from the server :return: The hash of the DER encoded certificate at the request_url or None if not a HTTPS endpoint """ if self.send_cbt: certificate_hash = None raw_response = response.raw if isinstance(raw_response, HTTPResponse): if sys.version_info > (3, 0): socket = raw_response._fp.fp.raw._sock else: socket = raw_response._fp.fp._sock try: server_certificate = socket.getpeercert(True) except AttributeError: pass else: certificate_hash = _get_certificate_hash(server_certificate) else: warnings.warn( "Requests is running with a non urllib3 backend, cannot retrieve server certificate for CBT", NoCertificateRetrievedWarning) return certificate_hash else: return None def __call__(self, r): # we must keep the connection because NTLM authenticates the # connection, not single requests r.headers["Connection"] = "Keep-Alive" r.register_hook('response', self.response_hook) return r def _auth_type_from_header(header): """ Given a WWW-Authenticate or Proxy-Authenticate header, returns the authentication type to use. We prefer NTLM over Negotiate if the server suppports it. """ if 'ntlm' in header: return 'NTLM' elif 'negotiate' in header: return 'Negotiate' return None def _get_certificate_hash(certificate_der): # https://tools.ietf.org/html/rfc5929#section-4.1 cert = x509.load_der_x509_certificate(certificate_der, default_backend()) try: hash_algorithm = cert.signature_hash_algorithm except UnsupportedAlgorithm as ex: warnings.warn("Failed to get signature algorithm from certificate, " "unable to pass channel bindings: %s" % str(ex), UnknownSignatureAlgorithmOID) return None # if the cert signature algorithm is either md5 or sha1 then use sha256 # otherwise use the signature algorithm if hash_algorithm.name in ['md5', 'sha1']: digest = hashes.Hash(hashes.SHA256(), default_backend()) else: digest = hashes.Hash(hash_algorithm, default_backend()) digest.update(certificate_der) certificate_hash_bytes = digest.finalize() certificate_hash = binascii.hexlify(certificate_hash_bytes).decode().upper() return certificate_hash class NoCertificateRetrievedWarning(Warning): pass class UnknownSignatureAlgorithmOID(Warning): pass requests_ntlm-1.1.0/requests_ntlm/__init__.py0000644000076500000240000000010513170762401022174 0ustar jboreanstaff00000000000000from .requests_ntlm import HttpNtlmAuth __all__ = ('HttpNtlmAuth',) requests_ntlm-1.1.0/LICENSE0000644000076500000240000000134313170762401016170 0ustar jboreanstaff00000000000000ISC License Copyright (c) 2013 Ben Toews Permission to use, copy, modify and/or distribute this software for any purpose with or without fee is hereby granted, provided that the above copyright notice and this permission notice appear in all copies. THE SOFTWARE IS PROVIDED "AS-IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. requests_ntlm-1.1.0/MANIFEST.in0000644000076500000240000000002013170762401016710 0ustar jboreanstaff00000000000000include LICENSE requests_ntlm-1.1.0/setup.py0000644000076500000240000000176213170762401016702 0ustar jboreanstaff00000000000000#!/usr/bin/env python # coding: utf-8 from setuptools import setup setup( name='requests_ntlm', version='1.1.0', packages=[ 'requests_ntlm' ], install_requires=[ 'requests>=2.0.0', 'ntlm-auth>=1.0.2', 'cryptography>=1.3' ], provides=[ 'requests_ntlm' ], author='Ben Toews', author_email='mastahyeti@gmail.com', url='https://github.com/requests/requests-ntlm', description='This package allows for HTTP NTLM authentication using the requests library.', license='ISC', classifiers=[ 'Development Status :: 4 - Beta', 'Intended Audience :: Developers', 'Programming Language :: Python', 'Programming Language :: Python :: 2', 'Programming Language :: Python :: 2.6', 'Programming Language :: Python :: 2.7', 'Programming Language :: Python :: 3', 'Programming Language :: Python :: 3.3', 'Programming Language :: Python :: 3.4', 'License :: OSI Approved :: ISC License (ISCL)', ], ) requests_ntlm-1.1.0/requests_ntlm.egg-info/0000755000076500000240000000000013171516212021557 5ustar jboreanstaff00000000000000requests_ntlm-1.1.0/requests_ntlm.egg-info/PKG-INFO0000644000076500000240000000151313171516212022654 0ustar jboreanstaff00000000000000Metadata-Version: 1.1 Name: requests-ntlm Version: 1.1.0 Summary: This package allows for HTTP NTLM authentication using the requests library. Home-page: https://github.com/requests/requests-ntlm Author: Ben Toews Author-email: mastahyeti@gmail.com License: ISC Description-Content-Type: UNKNOWN Description: UNKNOWN Platform: UNKNOWN Classifier: Development Status :: 4 - Beta Classifier: Intended Audience :: Developers Classifier: Programming Language :: Python Classifier: Programming Language :: Python :: 2 Classifier: Programming Language :: Python :: 2.6 Classifier: Programming Language :: Python :: 2.7 Classifier: Programming Language :: Python :: 3 Classifier: Programming Language :: Python :: 3.3 Classifier: Programming Language :: Python :: 3.4 Classifier: License :: OSI Approved :: ISC License (ISCL) Provides: requests_ntlm requests_ntlm-1.1.0/requests_ntlm.egg-info/SOURCES.txt0000644000076500000240000000043013171516212023440 0ustar jboreanstaff00000000000000LICENSE MANIFEST.in README.rst setup.py requests_ntlm/__init__.py requests_ntlm/requests_ntlm.py requests_ntlm.egg-info/PKG-INFO requests_ntlm.egg-info/SOURCES.txt requests_ntlm.egg-info/dependency_links.txt requests_ntlm.egg-info/requires.txt requests_ntlm.egg-info/top_level.txtrequests_ntlm-1.1.0/requests_ntlm.egg-info/requires.txt0000644000076500000240000000006313171516212024156 0ustar jboreanstaff00000000000000requests>=2.0.0 ntlm-auth>=1.0.2 cryptography>=1.3 requests_ntlm-1.1.0/requests_ntlm.egg-info/top_level.txt0000644000076500000240000000001613171516212024306 0ustar jboreanstaff00000000000000requests_ntlm requests_ntlm-1.1.0/requests_ntlm.egg-info/dependency_links.txt0000644000076500000240000000000113171516212025625 0ustar jboreanstaff00000000000000 requests_ntlm-1.1.0/setup.cfg0000644000076500000240000000004613171516212017001 0ustar jboreanstaff00000000000000[egg_info] tag_build = tag_date = 0 requests_ntlm-1.1.0/README.rst0000644000076500000240000000306213170762401016652 0ustar jboreanstaff00000000000000requests-ntlm ============= .. image:: https://travis-ci.org/requests/requests-ntlm.svg?branch=master :target: https://travis-ci.org/requests/requests-ntlm .. image:: https://coveralls.io/repos/github/requests/requests-ntlm/badge.svg?branch=master :target: https://coveralls.io/github/requests/requests-ntlm?branch=master This package allows for HTTP NTLM authentication using the requests library. Usage ----- ``HttpNtlmAuth`` extends requests ``AuthBase``, so usage is simple: .. code:: python import requests from requests_ntlm import HttpNtlmAuth requests.get("http://ntlm_protected_site.com",auth=HttpNtlmAuth('domain\\username','password')) ``HttpNtlmAuth`` can be used in conjunction with a ``Session`` in order to make use of connection pooling. Since NTLM authenticates connections, this is more efficient. Otherwise, each request will go through a new NTLM challenge-response. .. code:: python import requests from requests_ntlm import HttpNtlmAuth session = requests.Session() session.auth = HttpNtlmAuth('domain\\username','password') session.get('http://ntlm_protected_site.com') Installation ------------ pip install requests_ntlm Requirements ------------ - requests_ - ntlm-auth_ .. _requests: https://github.com/kennethreitz/requests/ .. _ntlm-auth: https://github.com/jborean93/ntlm-auth Authors ------- - `Ben Toews`_ .. _Ben Toews: https://github.com/mastahyeti - `Ian Cordasco`_ .. _Ian Cordasco: https://github.com/sigmavirus24 - `Cory Benfield`_ .. _Cory Benfield: https://github.com/Lukasa