Basic auth

Posted on
Sat Oct 22, 2016 6:10 pm
rhanson offline
Posts: 192
Joined: Apr 30, 2013

Basic auth

Sorry if this has been covered, I searched, but nothing came up.

I installed piBeacon today and was wondering why nothing was showing up in the UI. So I looked at the logfiles and it's using curl's digest authentication. For those of us who are not using digest, what should be the workaround?

I swapped --digest to --basic in various files, and it works. Also, wrapped my username+password in quotes, since it contains spaces. And escaped it since my username/password also contains single and double quotes, just to break command line apps. :-)

Posted on
Sat Oct 22, 2016 7:18 pm
kw123 offline
Posts: 8333
Joined: May 12, 2013
Location: Dallas, TX

Re: Basic auth

Could you send me the special characters you use? I will try to make that work.



Posted on
Sat Oct 22, 2016 7:45 pm
kw123 offline
Posts: 8333
Joined: May 12, 2013
Location: Dallas, TX

Re: Basic auth

currently I do:
"/usr/bin/curl -u "+userIdOfServer+":"+passwordOfServer+" ....

I could change that to
"/usr/bin/curl -u '"+userIdOfServer+"':'"+passwordOfServer+"' .... (added ' around uid and passwd)
= put single quotes around the userid and password. It goes through in my code and should enable " and spaces.. but not single quotes

if that helps, should be a quick fix ..

Karl

adding the single ' seems to work fine with my userid and password .. at least it does not harm.

Posted on
Sat Oct 22, 2016 8:31 pm
rhanson offline
Posts: 192
Joined: Apr 30, 2013

Re: Basic auth

From my brief look through the code, I would suggest a couple things:

1) add "authMethod" to your parameters file, and by default it contains "digest". I don't think there are enough people who use basic to make it part of your GUI. But people like me could just change it to "basic". Of course, you'll have to add "--" to the beginning when you make the curl call.

2) change your os.system("command_and_args_here") method to subprocess.call("command","arg1","arg2"...) instead. The subprocess class will take care of the escaping for you, and is supposedly more robust than os.system.

3) check the curl output that comes back from subprocess.call (or the existing os.system). Grep it for a portion of the standard text that Indigo replies with (it sends an HTML-formatted "Access Denied" message when it fails).

Can't wait to make good use of this thing with a slew of RPis! Thanks for supporting the GPIO pins!

Posted on
Sat Oct 22, 2016 9:58 pm
kw123 offline
Posts: 8333
Joined: May 12, 2013
Location: Dallas, TX

Re: Basic auth

Need to look into security methods.
So far I just copied what works. Normally I use subprocess but os.system is shorter to write.


But yes I can add that one.


Busy right now with adding a large LED-RGB display from adafruit to the RPI. Will be able to display text, histograms, bars, thermometers from the plugin and directly from the rpi. You could set up a distance sensor in your garage that shows you how far the car is away from the wall when you drive in. Or it shows temp, scrolls to humidity, then pressure ...







Posted on
Sat Oct 22, 2016 11:20 pm
kw123 offline
Posts: 8333
Joined: May 12, 2013
Location: Dallas, TX

Re: Basic auth

have added the option for digest vs basic authentication into config as an option... but i am maintaining only the i6+1 code right now and I don't want to go back ..

you might need to wait for it .

Karl

Posted on
Sat Oct 22, 2016 11:31 pm
kw123 offline
Posts: 8333
Joined: May 12, 2013
Location: Dallas, TX

Re: Basic auth

> 3) check the curl output that comes back from subprocess.call (or the existing os.system). Grep it for a portion of the standard text that Indigo replies with (it sends an HTML-formatted "Access Denied" message when it fails).


yes you are right, but i don't know what to do with an error. When it fails it can't tell anyone that it failed.

and so far the only error i got from any user was wrong userid or password, no other issue with it. As long as it is connected to the network.
but will think about it ..

> 2) change your os.system("command_and_args_here") method to subprocess.call("command","arg1","arg2"...) instead. The subprocess class will take care of the escaping for you, and is supposedly more robust than os.system.


the robustness is only about security injection into strings that will be executed by the system. as this should not be an issue here.

changing it to the "proper" method with putting the individual items into a list of strings is work, concatenating is so much simpler. But for this one will do it .


But I don't have a way to test it, don't want to change server password to include "' and spaces ..

Karl

Posted on
Wed Oct 26, 2016 11:01 am
kw123 offline
Posts: 8333
Joined: May 12, 2013
Location: Dallas, TX

Re: Basic auth

rhanson:

I have a version ready which should do "basic" auth and it puts something into the log file if not successful
in addition It has kinds of new features(*) but it should work under i6. Under i6+1 cpu usage is ~ 1/2

Do you want to test it? -- let me know.


Karl

(*) ultrasound distance, different displays attached to RPI (incl BIG rgb-led) and groups of beacons with triggers (one home, all home, one away, all away)
more tolerant to applescript time outs, and some bugs removed .. (and probably some added - hopefully less added than removed)


the URL section is now instead of 3 lines:
Code:
            # requires "import subprocess" at the top of the file
            # Build curl's argument list; each element reaches curl as-is, no shell quoting involved
            cmd=[]
            if userIdOfServer =="":
                # no userid configured: PUT without authentication
                cmd.append("/usr/bin/curl")
                cmd.append("-X")
                cmd.append("PUT")
                cmd.append("-d")
                cmd.append("value="+data0)
            else:
                if authentication == "basic":
                    # basic auth
                    cmd.append("/usr/bin/curl")
                    cmd.append("--user")
                    cmd.append(userIdOfServer+":"+passwordOfServer)
                    cmd.append("-X")
                    cmd.append("PUT")
                    cmd.append("-d")
                    cmd.append("value="+data0)
                else:
                    # digest auth (the previous default)
                    cmd.append("/usr/bin/curl")
                    cmd.append("-u")
                    cmd.append(userIdOfServer+":"+passwordOfServer)
                    cmd.append("--digest")
                    cmd.append("-X")
                    cmd.append("PUT")
                    cmd.append("-d")
                    cmd.append("value="+data0)
            cmd.append("http://"+ipOfServer+":"+portOfServer+"/variables/pi_IN_"+str(myPiNumber))
            # note: cmd contains userid:password, so this line writes the credentials to the log file
            toLog(0,"msg: " + unicode(cmd)+"\n" )
            # run curl directly (no shell); ret[0] is stdout, ret[1] is stderr
            ret = subprocess.Popen(cmd,stdout=subprocess.PIPE,stderr=subprocess.PIPE).communicate()
            if ret[0].find("This resource can be found at")==-1:  # std return from indigo, if not there : error
                toLog(-1,"curl err:"+ ret[0])
                toLog(-1,"curl err:"+ ret[1])
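
Added example, not part of the thread or of piBeacon's code: a Python 3 sketch (the posted code is Python 2) that compares the quote-wrapped command string from earlier in the thread with the argument-list form, checks the reply for the success text, and produces a log-safe copy of the command. The helper names, the server address and the passwords are constructed for illustration.

```python
import shlex
import subprocess

OK_MARKER = "This resource can be found at"  # success text quoted in the post above

def shell_string(user, password, url):
    # The concatenated os.system form from the thread, with single quotes added.
    return "/usr/bin/curl -u '" + user + "':'" + password + "' " + url

def shell_view(cmd):
    # Words a POSIX shell would pass to curl; None if the quoting is unbalanced.
    try:
        return shlex.split(cmd)
    except ValueError:
        return None

def build_argv(user, password, url, data, auth="digest"):
    # List form: every element reaches curl verbatim, no shell parsing.
    if auth not in ("basic", "digest"):
        raise ValueError("auth must be 'basic' or 'digest'")
    argv = ["/usr/bin/curl", "--silent", "--show-error"]
    if user:
        argv += ["--" + auth, "--user", user + ":" + password]
    return argv + ["-X", "PUT", "-d", "value=" + data, url]

def redact(argv):
    # Copy for the log file with the value after -u/--user masked.
    out, mask_next = [], False
    for arg in argv:
        out.append("<redacted>" if mask_next else arg)
        mask_next = arg in ("-u", "--user")
    return out

def request_ok(stdout_text):
    # True when the server's reply contains the expected success text.
    return OK_MARKER in stdout_text

def put_value(argv):
    # Runs curl without a shell; returns (ok, stderr) so failures can be logged.
    done = subprocess.run(argv, capture_output=True, text=True, timeout=15)
    return request_ok(done.stdout), done.stderr

if __name__ == "__main__":
    URL = "http://192.0.2.10:8176/variables/pi_IN_1"  # constructed address
    for pw in ('p w"d', "o'neil's", 'it\'s "x"'):      # constructed passwords
        print(repr(pw), "->", shell_view(shell_string("pi user", pw, URL)))
    print(redact(build_argv("pi user", "o'neil's", URL, "42", auth="basic")))
```

With the constructed password o'neil's the quoted string form parses cleanly but hands curl oneils, so the server answers "Access Denied" with no quoting error to point at; the list form passes the password unchanged.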

Posted on
Wed Oct 26, 2016 12:20 pm
RogueProeliator offline
Posts: 2501
Joined: Nov 13, 2012
Location: Baton Rouge, LA

Re: Basic auth

> the robustness is only about security injection into strings that will be executed by the system. as this should not be an issue here.

That's not true, subprocess provides a bunch of additional functionality to easily tie into things like standard input/output/error handles. It also allows better catching and tracing of errors and a few other benefits. Also, the escaping may be far more robust than a simple quotes escape which you are implementing on your own. Just an FYI for future use...

Posted on
Wed Oct 26, 2016 12:37 pm
kw123 offline
Posts: 8333
Joined: May 12, 2013
Location: Dallas, TX

Re: Basic auth

yes I know, was just lazy and everything works besides special characters in userid and password

Posted on
Thu Oct 27, 2016 3:22 am
rhanson offline
Posts: 192
Joined: Apr 30, 2013

Re: Basic auth

Thanks! Yes, I'll give it a spin over the weekend. Feel free to PM me a dropbox link if you don't want to make a full release.

Posted on
Thu Oct 27, 2016 1:48 pm
kw123 offline
Posts: 8333
Joined: May 12, 2013
Location: Dallas, TX

Re: Basic auth

have released the whole package in the download section.
it's version 7.28.2

karl
