python-yubico-client's People

Contributors

dainnilsson, fredrikt, kami, nrw505, soult, tgulacsi, treinhard, yosmudge

python-yubico-client's Issues

'URLThread' object has no attribute 'is_alive'

When running the example, I get 'URLThread' object has no attribute 'is_alive' after entering the otp.

```
Traceback (most recent call last):
  File "./example.py", line 21, in <module>
    status = client.verify(token)
  File "/Users/psy/repos/git/python-yubico-client/yubico/yubico.py", line 67, in verify
    if not thread.is_alive() and thread.response:
AttributeError: 'URLThread' object has no attribute 'is_alive'
```

Bye
Jochen

1.6.2: pytest fails in tests/test_yubico.py

I'm packaging your module as an rpm package so I'm using the typical PEP517 based build, install and test cycle used on building packages from non-root account.

  • python3 -sBm build -w --no-isolation
  • because I'm calling build with --no-isolation I'm using during all processes only locally installed modules
  • install .whl file in </install/prefix> using installer module
  • run pytest with $PYTHONPATH pointing to sitearch and sitelib inside </install/prefix>
  • build is performed in env which is cut off from access to the public network (pytest is executed with -m "not network")

Here is pytest output:

```console
+ PYTHONPATH=/home/tkloczko/rpmbuild/BUILDROOT/python-yubico-1.6.2-2.fc37.x86_64/usr/lib64/python3.10/site-packages:/home/tkloczko/rpmbuild/BUILDROOT/python-yubico-1.6.2-2.fc37.x86_64/usr/lib/python3.10/site-packages
+ /usr/bin/pytest -ra -m 'not network'
==================================================================================== test session starts ====================================================================================
platform linux -- Python 3.10.14, pytest-8.1.1, pluggy-1.4.0
rootdir: /home/tkloczko/rpmbuild/BUILD/python-yubico-client-1.6.2
collected 0 items / 1 error

========================================================================================== ERRORS ===========================================================================================
___________________________________________________________________________ ERROR collecting tests/test_yubico.py ___________________________________________________________________________
/usr/lib/python3.10/site-packages/_pytest/python.py:525: in importtestmodule
    mod = import_path(
/usr/lib/python3.10/site-packages/_pytest/pathlib.py:584: in import_path
    importlib.import_module(module_name)
/usr/lib64/python3.10/importlib/__init__.py:126: in import_module
    return _bootstrap._gcd_import(name[level:], package, level)
<frozen importlib._bootstrap>:1050: in _gcd_import
    ???
<frozen importlib._bootstrap>:1027: in _find_and_load
    ???
<frozen importlib._bootstrap>:1006: in _find_and_load_unlocked
    ???
<frozen importlib._bootstrap>:688: in _load_unlocked
    ???
/usr/lib/python3.10/site-packages/_pytest/assertion/rewrite.py:169: in exec_module
    source_stat, co = _rewrite_test(fn, self.config)
/usr/lib/python3.10/site-packages/_pytest/assertion/rewrite.py:351: in _rewrite_test
    tree = ast.parse(source, filename=strfn)
/usr/lib64/python3.10/ast.py:50: in parse
    return compile(source, filename, mode, flags,
E     File "/home/tkloczko/rpmbuild/BUILD/python-yubico-client-1.6.2/tests/test_yubico.py", line 68
E       except StatusCodeError, e:
E              ^^^^^^^^^^^^^^^^^^
E   SyntaxError: multiple exception types must be parenthesized
================================================================================== short test summary info ==================================================================================
ERROR tests/test_yubico.py
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! Interrupted: 1 error during collection !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
===================================================================================== 1 error in 0.22s ======================================================================================
```

List of installed modules in build env:

```console
Package            Version
------------------ -----------
build              1.2.1
exceptiongroup     1.1.3
importlib_metadata 7.1.0
iniconfig          2.0.0
installer          0.7.0
packaging          24.0
pluggy             1.4.0
pyproject_hooks    1.0.0
pytest             8.1.1
python-dateutil    2.9.0.post0
setuptools         69.4.0
tokenize_rt        5.2.0
tomli              2.0.1
wheel              0.43.0
zipp               3.18.1
```

Please let me know if you need more details or want me to perform some diagnostics.

verify_cert not triggering the HTTPS CA check correctly (or skipping it)

In the Notes section on the project page (https://github.com/Kami/python-yubico-client), it says you have to specify "verify_cert = True" if you want to verify the HTTPS connection, and change CA_CERTS to point to the path of a CA file. I left all the default values (including CA_CERTS=''), and I got an exception: "Exception: If you want to validate server certificate, you need to set CA_CERTS variable in the httplib_ssl.py file pointing to a file which contains a list of trusted CA certificates". I looked at yubico.py, and that exception is raised even if verify_cert=False. I THINK the if line should be changed to "if use_https and httplib_ssl and httplib_ssl.CA_CERTS == '' and verify_cert:"

Python3 incompatibility (nonce type)

Version:

239468b (Latest from git.)

Problem:

example.py works with python2.7 but not with python3.3

How to reproduce:

```console
$ python2.7 example.py
Enter your client id:
Enter your secret key (optional):
Enter OTP token:
Success, the provided OTP is valid

$ python3.3 example.py
Enter your client id:
Enter your secret key (optional):
Enter OTP token:
Traceback (most recent call last):
  File "example.py", line 20, in <module>
    status = client.verify(token)
  File "/python-yubico-client/yubico_client/yubico.py", line 143, in verify
    return_response)
  File "/python-yubico-client/yubico_client/yubico.py", line 261, in verify_response
    raise InvalidValidationResponse(message, response, param_dict)
yubico_client.yubico_exceptions.InvalidValidationResponse: Unexpected nonce in response. Possible attack!
```

Patch:

This patch is only meant to illustrate the cause of the problem; nonce should probably have the correct type to begin with.

diff --git a/yubico_client/yubico.py b/yubico_client/yubico.py
index d81a8a6..d9d8620 100644
--- a/yubico_client/yubico.py
+++ b/yubico_client/yubico.py
@@ -253,7 +253,7 @@ class Yubico(object):
message = 'Unexpected OTP in response. Possible attack!'
raise InvalidValidationResponse(message, response, param_dict)

  •    if 'nonce' in param_dict and param_dict['nonce'] != nonce:
    
  •    if 'nonce' in param_dict and param_dict['nonce'] != nonce.decode("ascii"):
         message = 'Unexpected nonce in response. Possible attack!'
         raise InvalidValidationResponse(message, response, param_dict)
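
Review bot: In the added line, nonce.decode("ascii") assumes nonce is always a bytes object; if it ever reaches this comparison as text on Python 3, the call raises AttributeError before the 'Unexpected nonce in response' check can run. Convert nonce to text once, where it is created, and keep this comparison a plain !=. The 'Unexpected OTP in response' check in the context lines just above deserves the same type review.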
    

NO_VALID_ANSWERS error

API URL api.yubico.com is used.

python-yubico-client version: v1.12.0
python version: python-2.7.5-90.el7.x86_64
OS: CentOS 7

The NO_VALID_ANSWERS error is raised all the time, while curling the same URL from bash gives an OK state. This service had been running for more than 1 year.

```
  File "/usr/lib/pritunl/lib/python2.7/site-packages/pritunl/sso/yubico.py", line 30, in auth_yubico
    if client.verify(yubikey) is not True:
  File "/usr/lib/pritunl/lib/python2.7/site-packages/yubico_client/yubico.py", line 188, in verify
    raise Exception('NO_VALID_ANSWERS')
Exception: NO_VALID_ANSWERS
```

The workaround is to override the IP address of api.yubico.com in the hosts file with one of the four short-lived A records.

Most exceptions raise "NO_VALID_ANSWERS"

Most exceptions are raising "NO_VALID_ANSWERS". For example, when I made a bad OTP, I got that exception. I expected "BAD_OTP". I patched this by using the "BAD_STATUS_CODES" list that was already defined:

@@ -195,7 +195,7 @@
                 return True
         elif status == 'NO_SUCH_CLIENT':
             raise InvalidClientIdError(self.client_id)
-        elif status in BAD_STATUS_CODES:
+        elif status == 'REPLAYED_OTP':
             raise StatusCodeError(status)

         return False
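
Review bot: The removed and added lines look inverted relative to the description: the "-" line is elif status in BAD_STATUS_CODES: and the "+" line is elif status == 'REPLAYED_OTP':, so applying the hunk as written narrows the check to a single status instead of using the BAD_STATUS_CODES list. Regenerate the diff with the old and new files swapped. Also note that a status matching none of the branches still falls through to return False, which gives the caller no indication of what the server actually answered.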

Support newer requests version

Currently requests is limited to versions between 2.2.0 and 2.3 (exclusive). For me this is causing problems as e.g. devpi requires newer versions of requests.

Requests itself recommends that the latest version should be used. Is there a reason why the maximum version is limited?

Response parsing faulty

Hi,

I'm not exactly sure about this. A server might return something like this:

```
status=OK
h=k7X/nNf3G7fsfbTMJiDv2LxU+sE=
t=1278507824
```

In line 125 of yubico.py you split the response like this: response.split('status=')
http://github.com/Kami/python-yubico-client/blob/master/yubico/yubico.py#L125

Then you check for status == 'OK', which will fail if the response has more than one line and the status value isn't in the last line. I couldn't find a convention in the documentation (http://code.google.com/p/yubikey-val-server-php/wiki/ValidationProtocolV11) for this, so I'm not sure if it is best practice to assume that status will be the last parameter.

Ciao Jochen
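
An order-independent way to read such a response, as an added example that is not the project's code. It also covers the bytes/text nonce mismatch from the Python 3 issue above. The h check uses the signing scheme of Yubico's validation protocol (base64 HMAC-SHA1 over the sorted parameters); the function names, the sample key, OTP and nonce are constructed, and the response is assumed to echo otp and nonce.

```python
import base64
import hashlib
import hmac


def parse_response(body):
    """Parse 'key=value' lines into a dict, independent of line order."""
    params = {}
    for line in body.splitlines():
        # Split on the first '=' only: base64 values such as h= end in '='.
        key, sep, value = line.strip().partition('=')
        if sep:
            params[key] = value
    return params


def sign(params, api_key_b64):
    """Base64 HMAC-SHA1 over the sorted 'k=v' pairs joined by '&', without h."""
    message = '&'.join('%s=%s' % (k, params[k]) for k in sorted(params) if k != 'h')
    key = base64.b64decode(api_key_b64)
    digest = hmac.new(key, message.encode('utf-8'), hashlib.sha1).digest()
    return base64.b64encode(digest).decode('ascii')


def check_response(body, otp, nonce, api_key_b64):
    """Return the server status, or a local error string if a check fails."""
    params = parse_response(body)
    if isinstance(nonce, bytes):  # normalise once, then compare text to text
        nonce = nonce.decode('ascii')
    expected = sign(params, api_key_b64).encode('ascii')
    if not hmac.compare_digest(params.get('h', '').encode('utf-8'), expected):
        return 'BAD_SIGNATURE'
    if params.get('otp') != otp or params.get('nonce') != nonce:
        return 'UNEXPECTED_OTP_OR_NONCE'
    return params.get('status', 'MISSING_STATUS')


# Constructed sample (key, OTP, nonce are made up); status is the FIRST line.
SAMPLE_KEY = base64.b64encode(b'constructed-demo-key').decode('ascii')
SAMPLE_OTP = 'cccccccccccc' + 'cbdefghijklnrtuv' * 2
SAMPLE_NONCE = 'aef3a7835277a28da831005c2ae3b919'
_fields = {'status': 'OK', 't': '1278507824', 'otp': SAMPLE_OTP, 'nonce': SAMPLE_NONCE}
SAMPLE_BODY = 'status=OK\r\nh=%s\r\nt=1278507824\r\notp=%s\r\nnonce=%s\r\n' % (
    sign(_fields, SAMPLE_KEY), SAMPLE_OTP, SAMPLE_NONCE)

if __name__ == '__main__':
    print(check_response(SAMPLE_BODY, SAMPLE_OTP, SAMPLE_NONCE.encode('ascii'), SAMPLE_KEY))
```

Splitting the same body on 'status=' leaves 'OK' followed by the remaining lines, which is why the equality test described in the issue fails when status is not last.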

Dividing by 0.125 ?

Hi,

I see this:

```python
DEFAULT_MAX_TIME_WINDOW = 40    # How many seconds can pass between the first
                                # and last OTP generations so the OTP is
                                # still considered valid (only used in the
                                # multi mode) default is 5 seconds
                                # (40 / 0.125 = 5)
```

40 / 0.125 is not 5, 40 / 8 is 5.

Why don't you keep everything in seconds and just divide the delta by 8.0 in verify_multi? (And add a little remark that the OTPs have an 8Hz timestamp counter there.)

That should clarify things.

Cheers,
Walter Doekes
OSSO B.V.

Setting custom CA_CERTS_BUNDLE_PATH doesn't work

We want to define a custom CA_CERTS_BUNDLE_PATH location.
We have this code:

```python
yubico = Yubico('123', '1234567890', use_https=True)
yubico.CA_CERTS_BUNDLE_PATH = '/tmp/cert/api.yubico.com.pem'
print(yubico._get_ca_bundle_path())
print(yubico.CA_CERTS_BUNDLE_PATH)
```

Note that yubico._get_ca_bundle_path() doesn't return the path that we set.

It does work if we change _get_ca_bundle_path:

```python
if self.CA_CERTS_BUNDLE_PATH:
    # User provided a custom path
    return self.CA_CERTS_BUNDLE_PATH
```

We would like it better if we can set the custom path when initializing the object.

OTP Translation error

Hello,

Sometimes the translation algorithm makes errors, for example: vvbtbtndhtlfguefgluvbdcetnitidgkvfkbicevgcin can be decoded into both vvbfbfjghfuetiketuivbgckfjlflgtnvenblckvtclj and vvbtbtndhtlfguefgluvbdcetnitidgkvfkbicevgcin.

Maybe it would be better to prefer the one that matches the original instead of just taking the first?

/klas
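
The ambiguity reported above, with the suggested preference for the original string, as an added example that is not the project's code. The COLEMAK table is an assumption (the page does not name the layout); it is used because it reproduces the pair of strings quoted in the issue, and the function names are hypothetical.

```python
MODHEX = 'cbdefghijklnrtuv'
# Assumption: what the 16 modhex keys print under a Colemak layout.
COLEMAK = 'cbsftdhuneikpglv'

# OTP string quoted in the issue above.
ISSUE_OTP = 'vvbtbtndhtlfguefgluvbdcetnitidgkvfkbicevgcin'


def candidates(typed):
    """All modhex readings of the typed string, the identity reading first."""
    found = []
    for alphabet in (MODHEX, COLEMAK):
        # A layout only applies if every typed character belongs to it.
        if typed and set(typed) <= set(alphabet):
            decoded = typed.translate(str.maketrans(alphabet, MODHEX))
            if decoded not in found:
                found.append(decoded)
    return found


def is_ambiguous(typed):
    """True when more than one layout yields a distinct valid reading."""
    return len(candidates(typed)) > 1


def translate(typed):
    """Return the input itself if it is already modhex, else the first reading."""
    options = candidates(typed)
    if not options:
        raise ValueError('not a modhex OTP under any known layout')
    return typed if typed in options else options[0]


if __name__ == '__main__':
    print(candidates(ISSUE_OTP))
    print(translate(ISSUE_OTP))
```

A string containing "s" or "p" can only come from the alternative layout, so it is still translated; only inputs that are already valid modhex are returned unchanged.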
