;ò
Pí¿?c        '   @   sá  d  Z  d Z d k Z d k Z d Z h  d d <d d <d d	 <d
 d <d d <d d <Z h  d d <d d <Z e d ƒ Z d „  Z	 y d k
 Z
 Wn? e j
 o3 e	 e d d
 d d g ƒ e	 e d d g ƒ nXy d k Z Wn< e j
 o0 e	 e d d
 d g ƒ e	 e d d g ƒ n Xe i ƒ  y d k Z Wn6 e j
 o* e	 e d d g ƒ e	 e d g ƒ n Xy d k Z Wn6 e j
 o* e	 e d d
 g ƒ e	 e d g ƒ n Xy d k Z Wn# e j
 o e	 e d g ƒ n Xd e d „ Z d f  d „  ƒ  YZ d e f d „  ƒ  YZ d e f d „  ƒ  YZ d e f d „  ƒ  YZ e od d  f d d! f d d" f d d# f d$ d% f d$ d& f d$ d' f d$ d( f d) d* f d) d+ f d) d, f d) d- f d. d/ f d. d0 f d. d1 f d. d2 f d3 d4 f d3 d5 f d3 d6 f d3 d7 f d8 d9 f d8 d: f d8 d; f d8 d< f d= d> f d= d? f d= d@ f d= dA f dB dC f dB dD f dB dE f dB dF f dG dH f dG dI f dG dJ f dG dK f dL dM f dN dO f g& Z dP „  Z e dQ j o e ƒ  qÝn d S(R   s›  
ldaputil.passwd - client-side password setting
(c) by Michael Stroeder <michael@stroeder.com>

This module is distributed under the terms of the
GPL (GNU GENERAL PUBLIC LICENSE) Version 2
(see http://www.gnu.org/copyleft/gpl.html)

Python compability note:
This module only works with Python 1.6+ since all string parameters
are assumed to be Unicode objects and string methods are used instead
string module.
s   0.1.0Ns@   ./0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZs   shas   userPassword SHA-1s   sshas   userPassword salted SHA-1s   md5s   userPassword MD5s   smd5s   userPassword salted MD5s   crypts   userPassword Unix crypts    s   userPassword plain texts   sha1s   authPassword SHA-1s   authPassword MD5u    c         C   s6   x/ | D]' } y |  | =Wq t j
 o q Xq Wd S(   sa   
  Not for public use:
  Remove a list item ignoring ValueError: list.remove(x): x not in list
  N(   s   rls   is   ls   KeyError(   s   ls   rls   i(    (    s   ./pylib/ldaputil/passwd.pys   _remove_dict_items*   s      i   c         C   sœ   g  } | oH t | ƒ d } xk t |  ƒ D]# } | i | t i	 d | ƒ ƒ q* Wn7 x3 t |  ƒ D]% } | i t
 t i	 d d ƒ ƒ ƒ qb Wd i | ƒ Sd S(   sÿ   
  Create a random salt.

  saltLen
      Requested length of salt string.
  saltAlphabet
      If non-zero string it is assumed to contain all valid chars
      for the salt. If zero-length or None the salt returned is an
      arbitrary octet string.
  i   i    iÿ   s    N(   s   salts   saltAlphabets   lens   saltAlphabetBounces   ranges   saltLens   is   appends   randoms	   randranges   chrs   join(   s   saltLens   saltAlphabets   saltAlphabetBounces   is   salt(    (    s   ./pylib/ldaputil/passwd.pys   _saltS   s    
  % #s   Passwordc           B   s_   t  Z d  Z e d d „ Z d „  Z d „  Z d „  Z e d „ Z e e e d „ Z	 d „  Z
 RS(	   s/   
  Base class for plain-text LDAP passwords.
  s   utf-8c         C   s¹   | |  _ | |  _ d |  _ | |  _ | t j oz |  i i	 |  i t
 i d |  i g ƒ } | o? | d d } | i |  i | i |  i i ƒ  g  ƒ ƒ |  _ qµ g  |  _ n
 g  |  _ d S(   s|  
    l
        LDAPObject instance to operate with. The application
        is responsible to bind with appropriate bind DN before(!)
        creating the Password instance.
    dn
        string object with DN of entry
    charset
        Character set for encoding passwords. Note that this might
        differ from the character set used for the normal directory strings.
    i    s   (objectClass=*)i   N(   s   ls   selfs   _ls   dns   _dns	   _multiples   charsets   _charsets   Nones   search_ss   ldaps
   SCOPE_BASEs   passwordAttributeTypes   results
   entry_datas   gets   lowers   _passwordAttributeValue(   s   selfs   ls   dns   charsets
   entry_datas   result(    (    s   ./pylib/ldaputil/passwd.pys   __init__n   s     				'1c         C   s   | | j Sd S(   sÅ   
    Compare testPassword with encoded password in singlePasswordValue.
    
    testPassword
        Plain text password for testing
    singlePasswordValue
        password to verify against
    N(   s   testPasswords   singlePasswordValue(   s   selfs   testPasswords   singlePasswordValue(    (    s   ./pylib/ldaputil/passwd.pys   _compareSinglePasswordŒ   s     c         C   s`   t  | ƒ t j o | i |  i ƒ } n x, |  i D]! } |  i | | ƒ o d Sq3 q3 Wd Sd S(   sE   
    Return 1 if testPassword is in self._passwordAttributeValue
    i   i    N(	   s   types   testPasswords   _UnicodeTypes   encodes   selfs   _charsets   _passwordAttributeValues   ps   _compareSinglePassword(   s   selfs   testPasswords   p(    (    s   ./pylib/ldaputil/passwd.pys   comparePassword—   s     
 c         C   sJ   g  i  } |  i D]. } |  i | | i ƒ  ƒ o | | ƒ q q ~ Sd S(   sG   
    Return list with all occurences of oldPassword being removed.
    N(   s   appends   _[1]s   selfs   _passwordAttributeValues   ps   _compareSinglePasswords   oldPasswords   strip(   s   selfs   oldPasswords   _[1]s   p(    (    s   ./pylib/ldaputil/passwd.pys   _delOldPassword¢   s     c         C   s1   t  | ƒ t j o | i |  i ƒ } n | Sd S(   s7   
    encode plainPassword into plain text password
    N(   s   types   plainPasswords   _UnicodeTypes   encodes   selfs   _charset(   s   selfs   plainPasswords   scheme(    (    s   ./pylib/ldaputil/passwd.pys   encodePassword¬   s     c         C   sœ   | t j o t | ƒ t j o | i t ƒ } n |  i o | t j o |  i | ƒ } n g  } |  i
 | | ƒ } | i | ƒ |  i | | ƒ | Sd S(   s%  
    oldPassword
      Old password associated with entry.
      If a Unicode object is supplied it will be encoded with
      self._charset.
    newPassword    
      New password for entry.
      If a Unicode object is supplied it will be encoded with
      charset before being transferred to the directory.
    scheme
        Hashing scheme to be used for encoding password.
        Default is plain text.
    charset
        This character set is used to encode passwords
        in case oldPassword and/or newPassword are Unicode objects.
    N(   s   oldPasswords   Nones   types   _UnicodeTypes   encodes   charsets   selfs	   _multiples   _delOldPasswords   newPasswordValueLists   encodePasswords   newPasswords   schemes   newPasswordValues   appends   _storePassword(   s   selfs   oldPasswords   newPasswords   schemes   newPasswordValueLists   newPasswordValue(    (    s   ./pylib/ldaputil/passwd.pys   changePassword´   s     !c         C   s,   |  i i |  i t i |  i | f g ƒ d S(   s%   Replace the password value completelyN(   s   selfs   _ls   modify_ss   _dns   ldaps   MOD_REPLACEs   passwordAttributeTypes   newPasswordValueList(   s   selfs   oldPasswords   newPasswordValueList(    (    s   ./pylib/ldaputil/passwd.pys   _storePasswordÒ   s     (   s   __name__s
   __module__s   __doc__s   Nones   __init__s   _compareSinglePasswords   comparePasswords   _delOldPasswords   encodePasswords   changePasswords   _storePassword(    (    (    s   ./pylib/ldaputil/passwd.pys   Passwordi   s    			
s   UserPasswordc           B   sb   t  Z d  Z d Z h  d d <d d <Z e e d d d „ Z e d	 „ Z d d
 „ Z d „  Z	 RS(   s  
  Class for LDAP password changing in userPassword attribute

  RFC 2307:
    http://www.ietf.org/rfc/rfc2307.txt
  OpenLDAP FAQ:
    http://www.openldap.org/faq/data/cache/419.html
  Netscape Developer Docs:
    http://developer.netscape.com/docs/technote/ldap/pass_sha.html
  s   userPasswords   md5i   s   shai   s   utf-8i    c         C   s#   | |  _ t i |  | | | ƒ d S(   s²   
    Like CharsetPassword.__init__() with one additional parameter:
    multiple
        Allow multi-valued password attribute.
        Default is single-valued (flag is 0).
    N(   s   multiples   selfs	   _multiples   Passwords   __init__s   ls   dns   charset(   s   selfs   ls   dns   charsets   multiple(    (    s   ./pylib/ldaputil/passwd.pys   __init__ë   s     	c         C   s^  | i ƒ  } | t i ƒ  j o* t d | |  i i f ‚ t d | ‚ n | t	 j o\ | d j o t
 d d d t ƒ } q³ | d d g j o t
 d d	 d t	 ƒ } q³ d
 } n | d j o t i | | ƒ Sn‡ | d d g j o. t i t i | | ƒ i ƒ  | ƒ i ƒ  SnF | d d g j o. t i t i | | ƒ i ƒ  | ƒ i ƒ  Sn | Sd S(   s2   
    Return hashed password (including salt).
    s-   Hashing scheme %s not supported for class %s.s    Hashing scheme %s not supported.s   crypts   saltLeni   s   saltAlphabets   smd5s   sshai   s    s   md5s   shaN(   s   schemes   lowers   AVAIL_USERPASSWORD_SCHEMESs   keyss
   ValueErrors   selfs	   __class__s   __name__s   salts   Nones   _salts   CRYPT_ALPHABETs   crypts   passwords   base64s   encodestrings   md5s   news   digests   strips   sha(   s   selfs   passwords   schemes   salt(    (    s   ./pylib/ldaputil/passwd.pys   _hashPasswordõ   s$     
..c         C   s  | i ƒ  } y- | | i d ƒ d i d d ƒ \ }	 } Wn% t j
 o d | f \ }	 } n X|	 i ƒ  }	 |	 d d d d g j og t i	 | ƒ } |	 d d g j o/ |  i |	 d } | |  | | f \ } }
 qí | d f \ } }
 n |  i | |	 |
 ƒ } | | j Sd	 S(
   sþ   
    Compare testPassword with encoded password in singlePasswordValue.
    
    testPassword
        Plain text password for testing. If Unicode object
        it is encoded using charset.
    singlePasswordValue
        {scheme} encrypted password
    s   {i   s   }s    s   md5s   shas   smd5s   sshaN(   s   singlePasswordValues   strips   finds   splits   schemes	   encoded_ps
   ValueErrors   lowers   base64s   decodestrings   hashed_ps   selfs   _hash_bytelens   poss   cmp_passwords   salts   _hashPasswords   testPasswords   hashed_password(   s   selfs   testPasswords   singlePasswordValues   charsets   hashed_ps   cmp_passwords   poss	   encoded_ps   hashed_passwords   schemes   salt(    (    s   ./pylib/ldaputil/passwd.pys   _compareSinglePassword  s    	 -c         C   sN   t  i |  | ƒ } | o- d | i ƒ  |  i | | ƒ f i d ƒ Sn | Sd S(   sM   
    encode plainPassword according to RFC2307 password attribute syntax
    s   {%s}%ss   asciiN(   s   Passwords   encodePasswords   selfs   plainPasswords   schemes   uppers   _hashPasswords   encode(   s   selfs   plainPasswords   scheme(    (    s   ./pylib/ldaputil/passwd.pys   encodePassword)  s
     -(
   s   __name__s
   __module__s   __doc__s   passwordAttributeTypes   _hash_bytelens   Nones   __init__s   _hashPasswords   _compareSinglePasswords   encodePassword(    (    (    s   ./pylib/ldaputil/passwd.pys   UserPasswordÜ   s   
 
s   AuthPasswordc           B   sG   t  Z d  Z d Z e e d d d „ Z e d „ Z d „  Z d „  Z RS(   sx   
  Class for LDAP password changing in authPassword attribute.
  
  RFC 3112:
    http://www.ietf.org/rfc/rfc3112.txt
  s   authPasswords   utf-8i    c         C   s#   | |  _ t i |  | | | ƒ d S(   s²   
    Like CharsetPassword.__init__() with one additional parameter:
    multiple
        Allow multi-valued password attribute.
        Default is single-valued (flag is 0).
    N(   s   multiples   selfs	   _multiples   CharsetPasswords   __init__s   ls   dns   charset(   s   selfs   ls   dns   charsets   multiple(    (    s   ./pylib/ldaputil/passwd.pys   __init__@  s     	c         C   sÜ   | i ƒ  } | t i ƒ  j o t d | |  i i f ‚ n | t	 j o t
 d d d t	 ƒ } n | d j o! t i | | ƒ i ƒ  | f SnH | d j o! t i | | ƒ i ƒ  | f Sn t d | |  i i f ‚ d S(	   sB   
    Returns tuple of hashed password (including salt), salt.
    s-   Hashing scheme %s not supported for class %s.s   saltLeni   s   saltAlphabets   md5s   sha1s/   Hashing scheme %s not implemented for class %s.N(   s   schemes   lowers   AVAIL_AUTHPASSWORD_SCHEMESs   keyss
   ValueErrors   selfs	   __class__s   __name__s   salts   Nones   _salts   md5s   news   passwords   digests   sha(   s   selfs   passwords   schemes   salt(    (    s   ./pylib/ldaputil/passwd.pys   _hashPasswordJ  s     !!c   
      C   s   t  g  i } | i d d ƒ D] } | | i ƒ  ƒ q ~ ƒ \ } } } t
 i | ƒ } t
 i | ƒ } |  i | | | ƒ \ } }	 | | j Sd S(   s¾   
    Compare password with encoded password in singlePasswordValue.
    
    password
        Plain text password for testing
    singlePasswordValue
        {scheme} encrypted password
    s   $i   N(   s   tuples   appends   _[1]s   authPasswordValues   splits   ps   strips   schemes   authInfos	   authValues   base64s   decodestrings   selfs   _hashPasswords   passwords   hashed_passwords   dummy(
   s   selfs   passwords   authPasswordValues   hashed_passwords   schemes	   authValues   _[1]s   ps   authInfos   dummy(    (    s   ./pylib/ldaputil/passwd.pys   _compareSinglePassword^  s     Hc         C   s`   |  i t i |  | ƒ | ƒ \ } } d | t i	 | ƒ i
 ƒ  t i	 | ƒ i
 ƒ  f i d ƒ Sd S(   sD   
    encode plainPassword according to RFC3112 attribute syntax
    s   %s $ %s $ %ss   asciiN(   s   selfs   _hashPasswords   Passwords   encodePasswords   plainPasswords   schemes   authInfos	   authValues   base64s   encodestrings   strips   encode(   s   selfs   plainPasswords   schemes	   authValues   authInfo(    (    s   ./pylib/ldaputil/passwd.pys   encodePasswordp  s     $(	   s   __name__s
   __module__s   __doc__s   passwordAttributeTypes   Nones   __init__s   _hashPasswords   _compareSinglePasswords   encodePassword(    (    (    s   ./pylib/ldaputil/passwd.pys   AuthPassword7  s    
	s
   UnicodePwdc           B   s>   t  Z d  Z d Z d Z e e d „ Z e d „ Z d „  Z RS(   så   
  Class for LDAP password changing in unicodePwd attribute
  on Active Directory servers.
  (see "HOWTO: Change a Windows 2000 User's Password Through
  LDAP" on http://support.microsoft.com/support/kb/articles/q269/1/90.ASP)
  s
   unicodePwdi    c         C   s    t  i |  | | ƒ d |  _ d S(   sH   
    Like CharsetPassword.__init__() with one additional parameter.
    s	   utf-16-leN(   s   Passwords   __init__s   selfs   ls   dns   _charset(   s   selfs   ls   dn(    (    s   ./pylib/ldaputil/passwd.pys   __init__‡  s     c         C   s   d t  i |  | ƒ Sd S(   s;   
    Enclose Unicode password string in double-quotes.
    s   "%s"N(   s   Passwords   encodePasswords   selfs   plainPassword(   s   selfs   plainPasswords   scheme(    (    s   ./pylib/ldaputil/passwd.pys   encodePasswordŽ  s     c         C   s   | t j o, |  i i |  i t i |  i | f g ƒ nE |  i i |  i |  i t i
 |  i | f t i |  i | d f g ƒ d S(   sx  
    Two different use-cases:
    If the application sets oldPassword to None it is assumed
    that an admin resets a user's password
    => A single replace operation is used to reset the unicodePwd attribute.
    If oldPassword is not None it is assumed it is assumed that
    the user changes his/her own password
    => a delete followed by an add operation is used.
    i    N(   s   oldPasswords   Nones   selfs   _ls   modify_ss   _dns   ldaps   MOD_REPLACEs   passwordAttributeTypes   newPasswordValueLists
   MOD_DELETEs   MOD_ADD(   s   selfs   oldPasswords   newPasswordValueList(    (    s   ./pylib/ldaputil/passwd.pys   _storePassword”  s    	 (	   s   __name__s
   __module__s   __doc__s   passwordAttributeTypes	   _multiples   Nones   __init__s   encodePasswords   _storePassword(    (    (    s   ./pylib/ldaputil/passwd.pys
   UnicodePwd}  s    s   test1s   {MD5}WhBei51A4TKXgNYuoiZdig==s"   {SMD5}i1GhUWtlHIva18fyzSVoSi6pLqk=s!   {SHA}tESsBmE/yNY3lb6a0L6vVQEZNqw=s&   {SSHA}uWg1PmLHZsZUqGOncZBiRTNXE3uHSyGCs   test2s   {MD5}rQI0gpIFuQMxlrqBj3qHKw==s"   {SMD5}cavgPXL7OAX6Nkz4oxPCw0ff8/8=s!   {SHA}EJ9LPFDXsN9ynSmbxvjp75Bmlx8=s&   {SSHA}STa8xdUq+G6StaVHCjAKzy0rB9DZBIrys   test3s   {MD5}ith1e6qFZNwTbB4HUH9KmA==s"   {SMD5}MSQjqRuAZYtVmF1te6hO2Yn7gFQ=s!   {SHA}Pr+jAdxZGW8YWTxF5RkoeiMpdYk=s&   {SSHA}BUTK//6laPB9HN4cjK31RzTnmwMYmHnGs   test4s   {MD5}hpheEF95uV1ryRj7Rex3Jw==s"   {SMD5}5TWxU4fGloruSpD0u1IdxKd5ZZA=s!   {SHA}H/KzcErt4E7stR5QymmO/VChN5s=s&   {SSHA}4ckBH1ib1IgiISp3tvZf4bDXtk5xlUBys   test5s   {MD5}49cE81QrRKYh6+1w3A7+Ew==s"   {SMD5}4NJzKqIX2sr8q3a4u0i92/4KPOY=s!   {SHA}kR3cO4+aE7VJm2vEY4orTz9ovyM=s&   {SSHA}kNTfeXHKb32yT4wUkN3AcpMCTHEx3Q2Qs   test6s   {MD5}TPrXB2Epli7nDDaDmh4+FQ==s"   {SMD5}TesgPJdimK4miVwRcRQk/FZr7Uk=s!   {SHA}pm3yYRILbCMRxu8LG6tOWDr8vMA=s&   {SSHA}dIXzm4t40GfUXdHyBs//O3f09i/Ft3iks   test7s   {MD5}sECD5T4kJiZZXiuOoyflJQ==s"   {SMD5}TX6YHy6c0p1U9n6etx/irMv3cyE=s!   {SHA}6jJDEy1lOzkCWpROcPPs33DuOZQ=s&   {SSHA}zQ1xCPfNJgeDahwzzCLjM05cMJjaCULJs   test8s   {MD5}XkDQn6BSl4Gv0SVKQpE4Rw==s"   {SMD5}6wNcr1crfhnTOmJj0oi4Ukc9/+o=s!   {SHA}0D+dNBlDkwGebRLXyUKCfr1pREM=s&   {SSHA}BnNwRej74F2NicyGggpTgWUajPenNvZas   test9s   {MD5}c5lptTJGsscnhQ27NJDt5g==s"   {SMD5}mJUntKUUqtO+FgO7pIreIAHW4tA=s!   {SHA}U9Ulg2zJbQiaWkIYtGT9pTL33r4=s&   {SSHA}LdF62OhXywwvY6DMOCVkO25hHGG5fIAAs   abcs!   {SHA}qZk+NkcGgWq6PiVxeFDCbJzQ2J0=s8   abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopqs!   {SHA}hJg+RBw70m66rkqh+VEp5eVGcPE=c          C   sR   t  ƒ  } xB t D]: \ }  } |  G| GH| i |  | ƒ o d G|  G| GHq q Wd  S(   Ns   Test failed:(   s   UserPasswords   us   rfc2307_testss   passwords   encoded_passwords   _compareSinglePassword(   s   passwords   us   encoded_password(    (    s   ./pylib/ldaputil/passwd.pys   testÝ  s    	 	s   __main__(   s   __doc__s   __version__s   randoms   ldaps   CRYPT_ALPHABETs   AVAIL_USERPASSWORD_SCHEMESs   AVAIL_AUTHPASSWORD_SCHEMESs   types   _UnicodeTypes   _remove_dict_itemss   base64s   ImportErrors   seeds   shas   md5s   crypts   Nones   _salts   Passwords   UserPasswords   AuthPasswords
   UnicodePwds	   __debug__s   rfc2307_testss   tests   __name__(   s   randoms
   UnicodePwds   UserPasswords   _remove_dict_itemss   crypts   base64s   _UnicodeTypes   AVAIL_USERPASSWORD_SCHEMESs   ldaps   tests   Passwords   AuthPasswords   AVAIL_AUTHPASSWORD_SCHEMESs   md5s   __version__s   CRYPT_ALPHABETs   shas   _salts   rfc2307_tests(    (    s   ./pylib/ldaputil/passwd.pys   ?   sV   <		
s[F1ÿ ].	