pysasl.creds Package

pysasl.creds Module

class pysasl.creds.Credentials(*args, **kwargs)[source]

SASL authentication credentials consist of an authentication identity and an authorization identity (the identity to be assumed).

Consider a UNIX system where root is the superuser and only it may assume the identity of other users. With an authentication identity of root and an authorization identity of terry, the authorization would succeed because the authentication identity has sufficient privileges to assume the authorization identity. If the authentication identity were greg, authorization would fail because greg does not have superuser privileges to assume the identity of terry.

See:

Identity, RFC 4422 section 2.

abstract property authcid: str

The authentication identity, e.g. a login username.

abstract property authzid: str

The authorization identity. The authcid identity must have sufficient privileges to assume this identity for the authentication attempt to succeed.

pysasl.creds.server Module

class pysasl.creds.server.ServerCredentials(*args, **kwargs)[source]

Bases: Credentials, Protocol

Credentials that are received from a client and should be authenticated against a known secret value.

abstract verify(identity)[source]

Authenticates the credentials against the given identity.

Parameters:

identity (Identity | None) – The identity being authenticated.

Raises:

MechanismUnusable – The mechanism is not capable of verifying identity.

Return type:

bool

pysasl.creds.client Module

class pysasl.creds.client.ClientCredentials(authcid, secret, authzid=None)[source]

Bases: Credentials

Credentials that are provided by the user and transmitted to the server for authentication.

Parameters:
  • authcid (str) – The authentication identity, e.g. a login username.

  • secret (str) – The secret string, e.g. password.

  • authzid (str | None) – The authorization identity, or an empty string.

property authcid: str

The authentication identity, e.g. a login username.

property secret: str

The secret string, e.g. password.

property authzid: str

The authorization identity. The authcid identity must have sufficient privileges to assume this identity for the authentication attempt to succeed.

pysasl.creds.plain Module

class pysasl.creds.plain.PlainCredentials(authcid, secret, authzid='')[source]

Bases: ServerCredentials

Implementation of ServerCredentials for typical SASL mechanisms like PlainMechanism where the mechanism operates on the secret string in cleartext.

Parameters:
  • authcid (str) – Authentication ID string (the username).

  • secret (str) – Secret string (the password).

  • authzid (str) – Authorization ID string, if provided.

property authcid: str

The authentication identity, e.g. a login username.

property authzid: str

The authorization identity. The authcid identity must have sufficient privileges to assume this identity for the authentication attempt to succeed.

verify(identity)[source]

Authenticates the credentials against the given identity.

Parameters:

identity (Identity | None) – The identity being authenticated.

Raises:

MechanismUnusable – The mechanism is not capable of verifying identity.

Return type:

bool

pysasl.creds.external Module

exception pysasl.creds.external.ExternalVerificationRequired(identity, token=None)[source]

Bases: AuthenticationError

The credentials are structurally valid but require external verification.

If token is None, the credentials provided no additional information for verification. Otherwise, token should be verified and authorized for identity.

Parameters:
  • identity (Identity | None) – The identity resolved from the credentials.

  • token (str | None) – A bearer token, if required for verification.

Return type:

None

class pysasl.creds.external.ExternalCredentials(authzid, token=None)[source]

Bases: ServerCredentials

Credentials that require external verification, rather than verification by a traditional hashing algorithm.

Parameters:
  • authzid (str) – Authorization ID string.

  • token (str | None) – A bearer token, if required for verification.

property authcid: str

The authentication identity, e.g. a login username.

property authzid: str

The authorization identity. The authcid identity must have sufficient privileges to assume this identity for the authentication attempt to succeed.

verify(identity)[source]

This method always throws ExternalVerificationRequired. For applications to support these types of credentials, they must catch this exception and use it to authenticate and authorize the request.

Parameters:

identity (Identity | None) – The identity being authenticated.

Raises:

ExternalVerificationRequired – Always thrown.

Return type:

NoReturn
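Added example (not part of pysasl or its documentation): one way an application can handle ExternalVerificationRequired so that authentication fails closed, reusing the root/terry/greg scenario from the Credentials description. The two classes are stand-ins that mirror the documented signatures so the block runs without pysasl installed; token_subject, authenticate, the token table, the privilege table and the use of plain strings for identity are assumptions.

```python
import hmac
from typing import Optional

# Stand-ins mirroring the documented shapes; not the library's implementation.
class ExternalVerificationRequired(Exception):
    def __init__(self, identity: Optional[str], token: Optional[str] = None) -> None:
        super().__init__("external verification required")
        self.identity = identity
        self.token = token

class ExternalCredentials:
    def __init__(self, authzid: str, token: Optional[str] = None) -> None:
        self.authzid = authzid
        self.token = token

    def verify(self, identity: Optional[str]) -> bool:
        # Documented behaviour: verification is always deferred to the caller.
        raise ExternalVerificationRequired(identity, self.token)

# Constructed sample data: bearer token -> subject it was issued to, and the
# authorization identities each subject may assume (root is the superuser).
ISSUED_TOKENS = {"tok-root-example": "root", "tok-greg-example": "greg"}
MAY_ASSUME = {"root": {"root", "terry"}, "greg": {"greg"}}

def token_subject(token: str) -> Optional[str]:
    """Hypothetical verifier: return the subject a token was issued to."""
    for known, subject in ISSUED_TOKENS.items():
        # Constant-time comparison avoids leaking how much of a token matched.
        if hmac.compare_digest(known.encode(), token.encode()):
            return subject
    return None

def authenticate(creds: ExternalCredentials, identity: Optional[str]) -> bool:
    """Accept only a token that is both verified and authorized for identity."""
    try:
        return bool(creds.verify(identity))
    except ExternalVerificationRequired as exc:
        # No resolved identity or no token: this example has no out-of-band
        # channel to fall back on, so it rejects rather than assuming success.
        if exc.identity is None or exc.token is None:
            return False
        subject = token_subject(exc.token)
        return subject is not None and exc.identity in MAY_ASSUME.get(subject, set())
```

An application that does have an out-of-band channel for the token=None case would verify through that channel in the except branch instead of rejecting.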