Module exchangelib.transport

Expand source code
import logging
import time

import requests.auth
import requests_ntlm
import requests_oauthlib

from .errors import TransportError, UnauthorizedError
from .util import (
    CONNECTION_ERRORS,
    RETRY_WAIT,
    DummyResponse,
    _back_off_if_needed,
    _retry_after,
    add_xml_child,
    create_element,
    ns_translation,
    xml_to_str,
)

log = logging.getLogger(__name__)

# Authentication method enums
NOAUTH = "no authentication"
NTLM = "NTLM"
BASIC = "basic"
DIGEST = "digest"
GSSAPI = "gssapi"
SSPI = "sspi"
OAUTH2 = "OAuth 2.0"
CBA = "CBA"  # Certificate Based Authentication

# The auth types that must be accompanied by a credentials object
CREDENTIALS_REQUIRED = (NTLM, BASIC, DIGEST, OAUTH2)

AUTH_TYPE_MAP = {
    NTLM: requests_ntlm.HttpNtlmAuth,
    BASIC: requests.auth.HTTPBasicAuth,
    DIGEST: requests.auth.HTTPDigestAuth,
    OAUTH2: requests_oauthlib.OAuth2,
    CBA: None,
    NOAUTH: None,
}
try:
    import requests_gssapi

    AUTH_TYPE_MAP[GSSAPI] = requests_gssapi.HTTPSPNEGOAuth
except ImportError:
    # Kerberos auth is optional
    pass
try:
    import requests_negotiate_sspi

    AUTH_TYPE_MAP[SSPI] = requests_negotiate_sspi.HttpNegotiateAuth
except ImportError:
    # SSPI auth is optional
    pass

DEFAULT_ENCODING = "utf-8"
DEFAULT_HEADERS = {"Content-Type": f"text/xml; charset={DEFAULT_ENCODING}", "Accept-Encoding": "gzip, deflate"}


def wrap(content, api_version=None, account_to_impersonate=None, timezone=None):
    """Generate the necessary boilerplate XML for a raw SOAP request. The XML is specific to the server version.
    ExchangeImpersonation allows to act as the user we want to impersonate.

    RequestServerVersion element on MSDN:
    https://docs.microsoft.com/en-us/exchange/client-developer/web-service-reference/requestserverversion

    ExchangeImpersonation element on MSDN:
    https://docs.microsoft.com/en-us/exchange/client-developer/web-service-reference/exchangeimpersonation

    TimeZoneContent element on MSDN:
    https://docs.microsoft.com/en-us/exchange/client-developer/web-service-reference/timezonecontext

    :param content:
    :param api_version:
    :param account_to_impersonate:  (Default value = None)
    :param timezone:  (Default value = None)
    """
    envelope = create_element("s:Envelope", nsmap=ns_translation)
    header = create_element("s:Header")
    if api_version:
        request_server_version = create_element("t:RequestServerVersion", attrs=dict(Version=api_version))
        header.append(request_server_version)
    if account_to_impersonate:
        exchange_impersonation = create_element("t:ExchangeImpersonation")
        connecting_sid = create_element("t:ConnectingSID")
        # We have multiple options for uniquely identifying the user. Here's a prioritized list in accordance with
        # https://docs.microsoft.com/en-us/exchange/client-developer/web-service-reference/connectingsid
        for attr, tag in (
            ("sid", "SID"),
            ("upn", "PrincipalName"),
            ("smtp_address", "SmtpAddress"),
            ("primary_smtp_address", "PrimarySmtpAddress"),
        ):
            val = getattr(account_to_impersonate, attr)
            if val:
                add_xml_child(connecting_sid, f"t:{tag}", val)
                break
        exchange_impersonation.append(connecting_sid)
        header.append(exchange_impersonation)
    if timezone:
        timezone_context = create_element("t:TimeZoneContext")
        timezone_definition = create_element("t:TimeZoneDefinition", attrs=dict(Id=timezone.ms_id))
        timezone_context.append(timezone_definition)
        header.append(timezone_context)
    if len(header):
        envelope.append(header)
    body = create_element("s:Body")
    body.append(content)
    envelope.append(body)
    return xml_to_str(envelope, encoding=DEFAULT_ENCODING, xml_declaration=True)


def get_auth_instance(auth_type, **kwargs):
    """Return an *Auth instance suitable for the requests package.

    :param auth_type:
    :param kwargs:
    """
    model = AUTH_TYPE_MAP[auth_type]
    if model is None:
        return None
    if auth_type == GSSAPI:
        # Kerberos auth relies on credentials supplied via a ticket available externally to this library
        return model()
    if auth_type == SSPI:
        # SSPI auth does not require credentials, but can have it
        return model(**kwargs)
    return model(**kwargs)


def get_service_authtype(service_endpoint, retry_policy, api_versions, name):
    # Get auth type by tasting headers from the server. Only do POST requests. HEAD is too error prone, and some servers
    # are set up to redirect to OWA on all requests except POST to /EWS/Exchange.asmx
    #
    # We don't know the API version yet, but we need it to create a valid request because some Exchange servers only
    # respond when given a valid request. Try all known versions. Gross.
    from .protocol import BaseProtocol

    retry = 0
    t_start = time.monotonic()
    headers = DEFAULT_HEADERS.copy()
    for api_version in api_versions:
        data = dummy_xml(api_version=api_version, name=name)
        log.debug("Requesting %s from %s", data, service_endpoint)
        while True:
            _back_off_if_needed(retry_policy.back_off_until)
            log.debug("Trying to get service auth type for %s", service_endpoint)
            with BaseProtocol.raw_session(service_endpoint) as s:
                try:
                    r = s.post(
                        url=service_endpoint,
                        headers=headers,
                        data=data,
                        allow_redirects=False,
                        timeout=BaseProtocol.TIMEOUT,
                    )
                    r.close()  # Release memory
                    break
                except CONNECTION_ERRORS as e:
                    # Don't retry on TLS errors. They will most likely be persistent.
                    total_wait = time.monotonic() - t_start
                    r = DummyResponse(url=service_endpoint, request_headers=headers)
                    if retry_policy.may_retry_on_error(response=r, wait=total_wait):
                        wait = _retry_after(r, RETRY_WAIT)
                        log.info(
                            "Connection error on URL %s (retry %s, error: %s). Cool down %s secs",
                            service_endpoint,
                            retry,
                            e,
                            wait,
                        )
                        retry_policy.back_off(wait)
                        retry += 1
                        continue
                    raise TransportError(str(e)) from e
        if r.status_code not in (200, 401):
            log.debug("Unexpected response: %s %s", r.status_code, r.reason)
            continue
        try:
            auth_type = get_auth_method_from_response(response=r)
            log.debug("Auth type is %s", auth_type)
            return auth_type, api_version
        except UnauthorizedError:
            continue
    raise TransportError("Failed to get auth type from service")


def get_auth_method_from_response(response):
    # First, get the auth method from headers. Then, test credentials. Don't handle redirects - burden is on caller.
    log.debug("Request headers: %s", response.request.headers)
    log.debug("Response headers: %s", response.headers)
    if response.status_code == 200:
        return NOAUTH
    # Get auth type from headers
    for key, val in response.headers.items():
        if key.lower() == "www-authenticate":
            # Requests will combine multiple HTTP headers into one in 'request.headers'
            vals = _tokenize(val.lower())
            for v in vals:
                if v.startswith("realm"):
                    realm = v.split("=")[1].strip('"')
                    log.debug("realm: %s", realm)
            # Prefer most secure auth method if more than one is offered. See discussion at
            # http://docs.oracle.com/javase/7/docs/technotes/guides/net/http-auth.html
            if "digest" in vals:
                return DIGEST
            if "ntlm" in vals:
                return NTLM
            if "basic" in vals:
                return BASIC
    raise UnauthorizedError("No compatible auth type was reported by server")


def _tokenize(val):
    # Splits cookie auth values
    auth_methods = []
    auth_method = ""
    quote = False
    for c in val:
        if c in (" ", ",") and not quote:
            if auth_method not in ("", ","):
                auth_methods.append(auth_method)
            auth_method = ""
            continue
        if c == '"':
            auth_method += c
            if quote:
                auth_methods.append(auth_method)
                auth_method = ""
            quote = not quote
            continue
        auth_method += c
    if auth_method:
        auth_methods.append(auth_method)
    return auth_methods


def dummy_xml(api_version, name):
    # Generate a minimal, valid EWS request
    from .services import ResolveNames  # Avoid circular import

    return wrap(
        content=ResolveNames(protocol=None).get_payload(
            unresolved_entries=[name],
            parent_folders=None,
            return_full_contact_data=False,
            search_scope=None,
            contact_data_shape=None,
        ),
        api_version=api_version,
    )

Functions

def dummy_xml(api_version, name)
Expand source code
def dummy_xml(api_version, name):
    # Generate a minimal, valid EWS request
    from .services import ResolveNames  # Avoid circular import

    return wrap(
        content=ResolveNames(protocol=None).get_payload(
            unresolved_entries=[name],
            parent_folders=None,
            return_full_contact_data=False,
            search_scope=None,
            contact_data_shape=None,
        ),
        api_version=api_version,
    )
def get_auth_instance(auth_type, **kwargs)

Return an *Auth instance suitable for the requests package.

:param auth_type: :param kwargs:

Expand source code
def get_auth_instance(auth_type, **kwargs):
    """Return an *Auth instance suitable for the requests package.

    :param auth_type:
    :param kwargs:
    """
    model = AUTH_TYPE_MAP[auth_type]
    if model is None:
        return None
    if auth_type == GSSAPI:
        # Kerberos auth relies on credentials supplied via a ticket available externally to this library
        return model()
    if auth_type == SSPI:
        # SSPI auth does not require credentials, but can have it
        return model(**kwargs)
    return model(**kwargs)
def get_auth_method_from_response(response)
Expand source code
def get_auth_method_from_response(response):
    # First, get the auth method from headers. Then, test credentials. Don't handle redirects - burden is on caller.
    log.debug("Request headers: %s", response.request.headers)
    log.debug("Response headers: %s", response.headers)
    if response.status_code == 200:
        return NOAUTH
    # Get auth type from headers
    for key, val in response.headers.items():
        if key.lower() == "www-authenticate":
            # Requests will combine multiple HTTP headers into one in 'request.headers'
            vals = _tokenize(val.lower())
            for v in vals:
                if v.startswith("realm"):
                    realm = v.split("=")[1].strip('"')
                    log.debug("realm: %s", realm)
            # Prefer most secure auth method if more than one is offered. See discussion at
            # http://docs.oracle.com/javase/7/docs/technotes/guides/net/http-auth.html
            if "digest" in vals:
                return DIGEST
            if "ntlm" in vals:
                return NTLM
            if "basic" in vals:
                return BASIC
    raise UnauthorizedError("No compatible auth type was reported by server")
def get_service_authtype(service_endpoint, retry_policy, api_versions, name)
Expand source code
def get_service_authtype(service_endpoint, retry_policy, api_versions, name):
    # Get auth type by tasting headers from the server. Only do POST requests. HEAD is too error prone, and some servers
    # are set up to redirect to OWA on all requests except POST to /EWS/Exchange.asmx
    #
    # We don't know the API version yet, but we need it to create a valid request because some Exchange servers only
    # respond when given a valid request. Try all known versions. Gross.
    from .protocol import BaseProtocol

    retry = 0
    t_start = time.monotonic()
    headers = DEFAULT_HEADERS.copy()
    for api_version in api_versions:
        data = dummy_xml(api_version=api_version, name=name)
        log.debug("Requesting %s from %s", data, service_endpoint)
        while True:
            _back_off_if_needed(retry_policy.back_off_until)
            log.debug("Trying to get service auth type for %s", service_endpoint)
            with BaseProtocol.raw_session(service_endpoint) as s:
                try:
                    r = s.post(
                        url=service_endpoint,
                        headers=headers,
                        data=data,
                        allow_redirects=False,
                        timeout=BaseProtocol.TIMEOUT,
                    )
                    r.close()  # Release memory
                    break
                except CONNECTION_ERRORS as e:
                    # Don't retry on TLS errors. They will most likely be persistent.
                    total_wait = time.monotonic() - t_start
                    r = DummyResponse(url=service_endpoint, request_headers=headers)
                    if retry_policy.may_retry_on_error(response=r, wait=total_wait):
                        wait = _retry_after(r, RETRY_WAIT)
                        log.info(
                            "Connection error on URL %s (retry %s, error: %s). Cool down %s secs",
                            service_endpoint,
                            retry,
                            e,
                            wait,
                        )
                        retry_policy.back_off(wait)
                        retry += 1
                        continue
                    raise TransportError(str(e)) from e
        if r.status_code not in (200, 401):
            log.debug("Unexpected response: %s %s", r.status_code, r.reason)
            continue
        try:
            auth_type = get_auth_method_from_response(response=r)
            log.debug("Auth type is %s", auth_type)
            return auth_type, api_version
        except UnauthorizedError:
            continue
    raise TransportError("Failed to get auth type from service")
def wrap(content, api_version=None, account_to_impersonate=None, timezone=None)

Generate the necessary boilerplate XML for a raw SOAP request. The XML is specific to the server version. ExchangeImpersonation allows to act as the user we want to impersonate.

RequestServerVersion element on MSDN: https://docs.microsoft.com/en-us/exchange/client-developer/web-service-reference/requestserverversion

ExchangeImpersonation element on MSDN: https://docs.microsoft.com/en-us/exchange/client-developer/web-service-reference/exchangeimpersonation

TimeZoneContent element on MSDN: https://docs.microsoft.com/en-us/exchange/client-developer/web-service-reference/timezonecontext

:param content: :param api_version: :param account_to_impersonate: (Default value = None) :param timezone: (Default value = None)

Expand source code
def wrap(content, api_version=None, account_to_impersonate=None, timezone=None):
    """Generate the necessary boilerplate XML for a raw SOAP request. The XML is specific to the server version.
    ExchangeImpersonation allows to act as the user we want to impersonate.

    RequestServerVersion element on MSDN:
    https://docs.microsoft.com/en-us/exchange/client-developer/web-service-reference/requestserverversion

    ExchangeImpersonation element on MSDN:
    https://docs.microsoft.com/en-us/exchange/client-developer/web-service-reference/exchangeimpersonation

    TimeZoneContent element on MSDN:
    https://docs.microsoft.com/en-us/exchange/client-developer/web-service-reference/timezonecontext

    :param content:
    :param api_version:
    :param account_to_impersonate:  (Default value = None)
    :param timezone:  (Default value = None)
    """
    envelope = create_element("s:Envelope", nsmap=ns_translation)
    header = create_element("s:Header")
    if api_version:
        request_server_version = create_element("t:RequestServerVersion", attrs=dict(Version=api_version))
        header.append(request_server_version)
    if account_to_impersonate:
        exchange_impersonation = create_element("t:ExchangeImpersonation")
        connecting_sid = create_element("t:ConnectingSID")
        # We have multiple options for uniquely identifying the user. Here's a prioritized list in accordance with
        # https://docs.microsoft.com/en-us/exchange/client-developer/web-service-reference/connectingsid
        for attr, tag in (
            ("sid", "SID"),
            ("upn", "PrincipalName"),
            ("smtp_address", "SmtpAddress"),
            ("primary_smtp_address", "PrimarySmtpAddress"),
        ):
            val = getattr(account_to_impersonate, attr)
            if val:
                add_xml_child(connecting_sid, f"t:{tag}", val)
                break
        exchange_impersonation.append(connecting_sid)
        header.append(exchange_impersonation)
    if timezone:
        timezone_context = create_element("t:TimeZoneContext")
        timezone_definition = create_element("t:TimeZoneDefinition", attrs=dict(Id=timezone.ms_id))
        timezone_context.append(timezone_definition)
        header.append(timezone_context)
    if len(header):
        envelope.append(header)
    body = create_element("s:Body")
    body.append(content)
    envelope.append(body)
    return xml_to_str(envelope, encoding=DEFAULT_ENCODING, xml_declaration=True)