stub-ntlm-helper 0.0.1

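--- a/data/.gitignore
+++ b/data/.gitignore
@@ -0,0 +1,2 @@
+Gemfile.lock
+.*.swp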
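--- a/data/Gemfile
+++ b/data/Gemfile
@@ -0,0 +1,3 @@
+source :rubygems
+
+gemspec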
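Review bot: `source :rubygems` on new line 1 is the symbol shorthand that Bundler deprecated because it resolves to the plain-HTTP rubygems.org endpoint, so gems and their metadata can be fetched without transport protection. Spell the source out instead: `source 'https://rubygems.org'`.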
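--- a/data/LICENSE
+++ b/data/LICENSE
@@ -0,0 +1,13 @@
+Copyright 2011 ThoughtWorks, Inc.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.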
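--- a/data/README.md
+++ b/data/README.md
@@ -0,0 +1,13 @@
+# stub-ntlm-helper
+
+## Storytime
+
+Using Apache or Squid or whatever with NTLM? Ever had Active Directory arbitrarily hate winbind?
+
+I feel for you.
+
+Sometimes, passwords and security and Kerberos just don't matter.
+
+## What is this?
+
+This is a stub `ntlm_helper`. It **always** authenticates.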
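--- a/data/Rakefile
+++ b/data/Rakefile
@@ -0,0 +1,5 @@
+require 'rspec/core/rake_task'
+
+RSpec::Core::RakeTask.new(:spec)
+
+task :default => :spec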
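--- a/data/bin/stub-ntlm-helper
+++ b/data/bin/stub-ntlm-helper
@@ -0,0 +1,40 @@
+#!/usr/bin/env ruby
+
+$LOAD_PATH.unshift File.expand_path('../../lib', __FILE__)
+
+require 'stub-ntlm-helper'
+
+YR = /YR/
+KK = /KK ([0-9A-Za-z=+\/]+)$/
+
+$<.each do |line|
+if line =~ YR
+challenge = NTLM::Challenge.new
+
+[
+:negotiate_ntlm,
+:negotiate_extended_security,
+
+# I wish so much I could say :negotiate_unicode here.
+#
+# But, Windows uses UCS-8LE and third-party clients (curl, Firefox,
+# etc.) use UTF-8. And there's no reliable way to determine which
+# encoding was used. So, instead, we default to OEM, which is close
+# enough to ASCII, which is close enough to UTF-8, and just pass
+# through the value directly to Apache/Squid/whoever.
+#
+# Let them deal with codepage compatibility. They brought it on
+# themselves.
+:negotiate_oem,
+].each { |f| challenge.flags[f] = 1 }
+
+puts "TT " + challenge.encode
+elsif line =~ KK
+authenticate = NTLM::Authenticate.decode $1
+puts "AF #{authenticate.username}"
+else
+puts "BH #{line}"
+end
+
+$stdout.flush
+end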
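Review bot: The `AF` reply on new line 34 prints `authenticate.username` exactly as it was sliced out of the client's message, so control characters in the name land in the line-oriented reply the proxy parses, and a blob that fails `decode` raises out of the `$<.each` loop and ends the helper; the fence below covers the `KK` branch. `YR = /YR/` is unanchored and tested first, so a `KK` line whose base64 happens to contain "YR" is answered with a fresh challenge instead of being decoded; anchor both patterns, `YR = /\AYR/` and `KK = /\AKK ([0-9A-Za-z=+\/]+)$/`. The `challenge` field is never assigned before `encode`, so as far as the visible code shows every Type 2 message carries the same eight padding bytes; `challenge.challenge = SecureRandom.random_bytes(8)` (with `require 'securerandom'`) would avoid a constant server challenge.

```ruby
# … unchanged: YR branch that builds and prints the Type 2 challenge …
  elsif line =~ KK
    begin
      name = NTLM::Authenticate.decode($1).username
      # The name is peer-controlled; keep control characters out of the reply line.
      if name =~ /[[:cntrl:]]/
        puts "BH invalid user name"
      else
        puts "AF #{name}"
      end
    rescue StandardError => e
      puts "BH #{e.class}"
    end
# … unchanged: else branch and $stdout.flush …
```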
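--- a/data/lib/stub-ntlm-helper.rb
+++ b/data/lib/stub-ntlm-helper.rb
@@ -0,0 +1,114 @@
+require 'base64'
+require 'bindata'
+
+# With help from:
+#
+# ruby-ntlm: https://github.com/macks/ruby-ntlm/blob/master/lib/ntlm/message.rb
+# davenport: http://davenport.sourceforge.net/ntlm.html
+# squid: http://devel.squid-cache.org/ntlm/squid_helper_protocol.html
+
+module NTLM
+SSP_SIGNATURE = 'NTLMSSP'
+
+module Serializer
+module ClassMethods
+def decode b64
+self.new.tap { |r| r.read Base64.decode64(b64) }
+end
+end
+
+def self.included klass
+klass.extend ClassMethods
+end
+
+def encode
+Base64.encode64(to_binary_s).tr "\n", ""
+end
+end
+
+class SecurityBuffer < BinData::Record
+endian :little
+
+int16 :uzunluk # Length
+int16 :reserved
+int32 :siktir # "Offset"
+
+def value
+parent.to_binary_s[siktir ... (siktir + uzunluk)]
+end
+end
+
+class Flags < BinData::Record
+# D
+bit1 :negotiate_lm_key # LAN Manager session key computation
+bit1 :negotiate_datagram # Connectionless authentication
+bit1 :negotiate_seal # Session key negotiation for message confidentiality
+bit1 :negotiate_sign # Session key negotiation for message signatures
+bit1 :unused10
+bit1 :request_target # TargetName is supplied in challenge message
+bit1 :negotiate_oem # OEM character set encoding
+bit1 :negotiate_unicode # Unicode character set encoding
+
+# C
+bit1 :negotiate_always_sign
+bit1 :unused7
+bit1 :oem_workstation_supplied # Workstations field is present
+bit1 :oem_domain_supplied # Domain field is present
+bit1 :anonymous # Anonymous connection
+bit1 :unused8
+bit1 :negotiate_ntlm # NTLM v1 protocol
+bit1 :unused9
+
+# B
+bit1 :negotiate_target_info # Requests TargetInfo
+bit1 :request_non_nt_session_key # LM session key is used
+bit1 :unused5
+bit1 :negotiate_identify # Requests identify level token
+bit1 :negotiate_extended_security # NTLM v2 session security
+bit1 :unused6
+bit1 :target_type_server # TargetName is server name
+bit1 :target_type_domain # TargetName is domain name
+
+# A
+bit1 :negotiate_56 # 56bit encryption
+bit1 :negotiate_key_exch # Explicit key exchange
+bit1 :negotiate_128 # 128bit encryption
+bit1 :unused1
+bit1 :unused2
+bit1 :unused3
+bit1 :negotiate_version # Version field is present
+bit1 :unused4
+end
+
+class Challenge < BinData::Record
+include Serializer
+
+endian :little
+
+stringz :signature, :value => SSP_SIGNATURE, :check_value => SSP_SIGNATURE
+int32 :message_type, :value => 2, :check_value => 2
+security_buffer :target_name
+flags :flags
+string :challenge, :length => 8
+array :data, :type => :int8, :read_until => :eof
+end
+
+class Authenticate < BinData::Record
+include Serializer
+
+endian :little
+
+stringz :signature, :check_value => SSP_SIGNATURE
+int32 :message_type, :check_value => 3
+security_buffer :lm_response
+security_buffer :ntlm_response
+security_buffer :target_name
+security_buffer :user_name
+security_buffer :workstation_name
+array :data, :type => :int8, :read_until => :eof
+
+def username
+"#{target_name.value}+#{user_name.value}"
+end
+end
+end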
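Review bot: `SecurityBuffer#value` (new lines 36–38) slices the message with an offset and length taken straight from the client's Type 3 message and declared as signed `int16`/`int32`, so a negative offset indexes from the end of the string and an out-of-range one returns nil, which `Authenticate#username` then interpolates as an empty name. Declaring the fields as `uint16`/`uint32` and rejecting any buffer whose offset plus length exceeds the message size makes malformed input fail explicitly; the fence shows the check. The helper script does not rescue around `decode`/`username`, so it would have to handle the raised error. The field names `uzunluk` and `siktir` also tell a reader nothing about their role; descriptive English names would make the parser easier to audit.

```ruby
# … unchanged: SecurityBuffer endian and field declarations …
def value
  raw = parent.to_binary_s
  start = siktir
  len = uzunluk
  # Offset and length come from the peer: refuse anything outside the message.
  if start < 0 || len < 0 || start + len > raw.bytesize
    raise ArgumentError, 'security buffer outside message bounds'
  end
  raw[start, len]
end
```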
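--- a/data/spec/challenge_spec.rb
+++ b/data/spec/challenge_spec.rb
@@ -0,0 +1,31 @@
+require 'stub-ntlm-helper'
+
+describe NTLM::Challenge do
+context "a minimal type 2 message" do
+let(:minimal_type_2_message) { 'TlRMTVNTUAACAAAAAAAAAAAAAAACAgAAASNFZ4mrze8=' }
+
+subject { NTLM::Challenge.decode minimal_type_2_message }
+
+[:negotiate_ntlm, :negotiate_oem].each do |f|
+it "#{f} flag should be true" do
+subject.flags[f].should == 1
+end
+end
+
+[
+:negotiate_lm_key, :negotiate_datagram, :negotiate_seal,
+:negotiate_sign, :unused10, :request_target, :negotiate_unicode,
+:negotiate_always_sign, :unused7, :oem_workstation_supplied,
+:oem_domain_supplied, :anonymous, :unused8, :unused9,
+:negotiate_target_info, :request_non_nt_session_key, :unused5,
+:negotiate_identify, :negotiate_extended_security, :unused6,
+:target_type_server, :target_type_domain, :negotiate_56,
+:negotiate_key_exch, :negotiate_128, :unused1, :unused2, :unused3,
+:negotiate_version, :unused4
+].each do |f|
+it "#{f} flag should be false" do
+subject.flags[f].should == 0
+end
+end
+end
+end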
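Review bot: Only `NTLM::Challenge.decode` is exercised here; `NTLM::Authenticate.decode`, `SecurityBuffer#value` and `Authenticate#username`, which parse the client-supplied Type 3 message, have no examples at all. A second `describe NTLM::Authenticate` with a known-good Type 3 blob, plus cases for a wrong signature, a truncated message and a security buffer whose offset plus length runs past the end of the message, would pin down what the helper does with malformed input.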
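--- a/data/stub-ntlm-helper.gemspec
+++ b/data/stub-ntlm-helper.gemspec
@@ -0,0 +1,29 @@
+# -*- encoding: utf-8 -*-
+Gem::Specification.new do |s|
+s.name = 'stub-ntlm-helper'
+s.version = '0.0.1'
+s.platform = Gem::Platform::RUBY
+s.authors = ['Scott Robinson', 'Mustafa Sezgin']
+s.email = ['sr@thoughtworks.com', 'msezgin@thoughtworks.com']
+s.summary = 'This is a stub ntlm_helper. It always authenticates.'
+s.description = <<-EOF
+Using Apache or Squid or whatever with NTLM? Ever had Active Directory arbitrarily hate winbind?
+
+I feel for you.
+
+Sometimes, passwords and security and Kerberos just don't matter.
+
+This is a stub ntlm_helper. It always authenticates.
+EOF
+s.homepage = 'https://github.com/offshore-safety/stub-ntlm-helper'
+
+s.files = `git ls-files`.split "\n"
+s.test_files = `git ls-files -- {test,spec,features}/*`.split "\n"
+s.executables = `git ls-files -- bin/*`.split("\n").map { |f| File.basename(f) }
+s.require_paths = ['lib']
+
+s.add_development_dependency 'rspec'
+s.add_development_dependency 'rake'
+
+s.add_dependency 'bindata'
+end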
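Review bot: `s.add_dependency 'bindata'` on new line 28 carries no version constraint, so the parser library installed alongside this gem is whatever the resolver picks (the built metadata records `>= 0`). The record classes rely on BinData options such as `:check_value`, whose availability depends on the BinData release, so pin a pessimistic constraint for the version the specs were run against, e.g. `s.add_dependency 'bindata', '~> <TESTED_VERSION>'`. The spec also declares no license although an Apache 2.0 LICENSE file ships in the package; `s.licenses = ['Apache-2.0']` would expose that to registry tooling.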
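--- a/metadata
+++ b/metadata
@@ -0,0 +1,127 @@
+--- !ruby/object:Gem::Specification
+name: stub-ntlm-helper
+version: !ruby/object:Gem::Version
+hash: 29
+prerelease:
+segments:
+- 0
+- 0
+- 1
+version: 0.0.1
+platform: ruby
+authors:
+- Scott Robinson
+- Mustafa Sezgin
+autorequire:
+bindir: bin
+cert_chain: []
+
+date: 2011-11-22 00:00:00 +11:00
+default_executable:
+dependencies:
+- !ruby/object:Gem::Dependency
+name: rspec
+prerelease: false
+requirement: &id001 !ruby/object:Gem::Requirement
+none: false
+requirements:
+- - ">="
+- !ruby/object:Gem::Version
+hash: 3
+segments:
+- 0
+version: "0"
+type: :development
+version_requirements: *id001
+- !ruby/object:Gem::Dependency
+name: rake
+prerelease: false
+requirement: &id002 !ruby/object:Gem::Requirement
+none: false
+requirements:
+- - ">="
+- !ruby/object:Gem::Version
+hash: 3
+segments:
+- 0
+version: "0"
+type: :development
+version_requirements: *id002
+- !ruby/object:Gem::Dependency
+name: bindata
+prerelease: false
+requirement: &id003 !ruby/object:Gem::Requirement
+none: false
+requirements:
+- - ">="
+- !ruby/object:Gem::Version
+hash: 3
+segments:
+- 0
+version: "0"
+type: :runtime
+version_requirements: *id003
+description: |
+Using Apache or Squid or whatever with NTLM? Ever had Active Directory arbitrarily hate winbind?
+
+I feel for you.
+
+Sometimes, passwords and security and Kerberos just don't matter.
+
+This is a stub ntlm_helper. It always authenticates.
+
+email:
+- sr@thoughtworks.com
+- msezgin@thoughtworks.com
+executables:
+- stub-ntlm-helper
+extensions: []
+
+extra_rdoc_files: []
+
+files:
+- .gitignore
+- Gemfile
+- LICENSE
+- README.md
+- Rakefile
+- bin/stub-ntlm-helper
+- lib/stub-ntlm-helper.rb
+- spec/challenge_spec.rb
+- stub-ntlm-helper.gemspec
+has_rdoc: true
+homepage: https://github.com/offshore-safety/stub-ntlm-helper
+licenses: []
+
+post_install_message:
+rdoc_options: []
+
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+none: false
+requirements:
+- - ">="
+- !ruby/object:Gem::Version
+hash: 3
+segments:
+- 0
+version: "0"
+required_rubygems_version: !ruby/object:Gem::Requirement
+none: false
+requirements:
+- - ">="
+- !ruby/object:Gem::Version
+hash: 3
+segments:
+- 0
+version: "0"
+requirements: []
+
+rubyforge_project:
+rubygems_version: 1.6.2
+signing_key:
+specification_version: 3
+summary: This is a stub ntlm_helper. It always authenticates.
+test_files:
+- spec/challenge_spec.rb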