"""Handles username/password authentication and two-step authentication"""
import logging
import time
from functools import partial
from typing import Any, Callable, Dict, List, Mapping, Tuple
from icloudpd.mfa_provider import MFAProvider
from icloudpd.status import Status, StatusExchange
from pyicloud_ipd.base import PyiCloudService
from pyicloud_ipd.exceptions import (
PyiCloudConnectionException,
)
from pyicloud_ipd.response_types import (
AuthAPIError,
AuthConnectionError,
AuthDomainMismatchError,
AuthenticationFailed,
AuthenticationSuccessWithService,
AuthenticatorConnectionError,
AuthenticatorMFAError,
AuthenticatorResult,
AuthenticatorSuccess,
AuthenticatorTwoSAExit,
AuthInvalidCredentials,
AuthPasswordNotProvided,
AuthRequires2SAWithService,
AuthServiceNotActivated,
AuthServiceUnavailable,
TwoFactorAuthFailed,
TwoFactorAuthResult,
TwoFactorAuthSuccess,
)
def prompt_int_range(message: str, default: str, min_val: int, max_val: int) -> int:
    """Prompt user for integer input within a range, similar to click.IntRange

    Re-prompts until the (stripped) answer parses as an int inside
    ``[min_val, max_val]``; an empty answer falls back to ``default``.
    """
    prompt = f"{message} [{default}]: "
    while True:
        try:
            from foundation.string_utils import strip

            answer = strip(input(prompt)) or default
            number = int(answer)
        except ValueError:
            print(f"Invalid input: '{answer}' is not a valid integer")
            continue
        if min_val <= number <= max_val:
            return number
        print(f"Invalid input: {number} is not in the range {min_val}-{max_val}")
def prompt_string(message: str) -> str:
    """Prompt user for string input

    Shows ``message`` followed by ``": "`` and returns the raw line typed
    (no stripping or validation).
    """
    prompt = f"{message}: "
    return input(prompt)
# Pure validation functions for 2FA input
def is_empty_string(input: str) -> bool:
    """Check if input is empty string

    Whitespace-only strings are not empty; callers strip first if needed.
    """
    return len(input) == 0
def is_valid_device_index(input: str, device_count: int, alphabet: str) -> bool:
    """Check if input is a valid device index

    True only for a single character of ``alphabet`` whose position is below
    ``device_count`` (the first letter selects device 0, the second device 1,
    and so on).
    """
    if len(input) != 1 or input not in alphabet:
        return False
    # Position in the alphabet is the device index; it must exist.
    return alphabet.index(input) < device_count
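def is_valid_six_digit_code(input: str) -> bool:
    """Check if input is a valid six-digit code

    Only the ASCII digits 0-9 count. ``str.isdigit`` alone also accepts other
    Unicode digit characters (superscripts, digits from other scripts), which
    are not a valid verification code, so the check is tightened with
    ``str.isascii``.
    """
    return len(input) == 6 and input.isascii() and input.isdigit()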
def echo(message: str) -> None:
    """Print message to stdout, similar to click.echo

    One line is written; the trailing newline is print's default.
    """
    print(message, end="\n")
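def authenticator(
    logger: logging.Logger,
    domain: str,
    password_providers: Dict[str, Tuple[Callable[[str], str | None], Callable[[str, str], None]]],
    mfa_provider: MFAProvider,
    status_exchange: StatusExchange,
    username: str,
    notificator: Callable[[], None],
    response_observer: Callable[[Mapping[str, Any]], None] | None = None,
    cookie_directory: str | None = None,
    client_id: str | None = None,
) -> AuthenticatorResult:
    """Authenticate with iCloud username and password

    Password providers are tried in dictionary order until one returns a
    non-empty password; that password is written back to every provider once
    the service has been created. If the service reports that a second factor
    is required, ``notificator`` is called and the 2FA (console or web UI,
    per ``mfa_provider``) or 2SA flow is run before returning.

    Args:
        logger: Logger for progress messages.
        domain: Domain passed through to the service factory.
        password_providers: Mapping of provider name to a ``(reader, writer)``
            pair; ``reader(username)`` returns a password or ``None`` and
            ``writer(username, password)`` persists one.
        mfa_provider: Selects the web UI or console 2FA flow.
        status_exchange: Shared status object used by the web UI flow.
        username: Apple ID to authenticate.
        notificator: Called when a second factor is required.
        response_observer: Optional callback passed through to the service.
        cookie_directory: Optional directory passed through to the service.
        client_id: Optional client identifier passed through to the service.

    Returns:
        ``AuthenticatorSuccess`` wrapping the ready service, or one of the
        ``AuthenticatorResult`` failure variants.

    Raises:
        ValueError: if the service or a second-factor flow returns a result
            variant this function does not know (fail closed rather than
            silently treating it as success).
    """
    logger.debug("Authenticating...")

    # Out-parameter: the nested provider cannot rebind a str in this scope,
    # so the password that actually worked is collected in a list.
    valid_password: List[str] = []

    def password_provider(username: str, valid_password: List[str]) -> str | None:
        # First provider that yields a non-empty password wins.
        for reader, _ in password_providers.values():
            password = reader(username)
            if password:
                valid_password.append(password)
                return password
        return None

    auth_result = PyiCloudService.create_pyicloud_service_adt(
        domain=domain,
        apple_id=username,
        password_provider=partial(password_provider, username, valid_password),
        response_observer=response_observer,
        cookie_directory=cookie_directory,
        client_id=client_id,
    )

    # Handle authentication result and extract service
    match auth_result:
        case AuthenticationSuccessWithService(service):
            icloud = service
        case AuthenticationFailed(error):
            # Keep for backward compatibility
            return AuthenticatorConnectionError(error)
        case AuthPasswordNotProvided():
            return AuthPasswordNotProvided()
        case AuthInvalidCredentials():
            return AuthInvalidCredentials()
        case AuthServiceNotActivated(reason, code):
            return AuthServiceNotActivated(reason, code)
        case AuthServiceUnavailable(reason):
            return AuthServiceUnavailable(reason)
        case AuthAPIError(reason, code):
            return AuthAPIError(reason, code)
        case AuthConnectionError(error_message):
            return AuthConnectionError(error_message)
        case AuthRequires2SAWithService(service, _):
            # 2SA is handled below, service is available
            icloud = service
        case AuthDomainMismatchError(domain_to_use):
            msg = f"Apple insists on using {domain_to_use} for your request. Please use --domain parameter"
            return AuthenticatorConnectionError(PyiCloudConnectionException(msg))
        case _:
            # This should never happen - let it crash with a clear error
            raise ValueError(f"Unexpected auth result type: {type(auth_result)}")

    if valid_password:
        # save valid password to all providers
        for _, writer in password_providers.values():
            writer(username, valid_password[0])

    if icloud.requires_2fa:
        logger.info("Two-factor authentication is required (2fa)")
        notificator()
        if mfa_provider == MFAProvider.WEBUI:
            result = request_2fa_web(icloud, logger, status_exchange)
        else:
            result = request_2fa(icloud, logger)
        match result:
            case TwoFactorAuthSuccess():
                pass  # Success, continue
            case TwoFactorAuthFailed(error_msg):
                return AuthenticatorMFAError(error_msg)
            case _:
                # Fail closed: an unknown 2FA outcome must not fall through to success
                raise ValueError(f"Unexpected 2FA result type: {type(result)}")
    elif icloud.requires_2sa:
        logger.info("Two-step authentication is required (2sa)")
        notificator()
        result = request_2sa(icloud, logger)
        match result:
            case TwoFactorAuthSuccess():
                pass  # Success, continue
            case TwoFactorAuthFailed(_):
                # For 2SA, need to exit with code 1 for backward compatibility
                return AuthenticatorTwoSAExit()
            case _:
                # Fail closed: an unknown 2SA outcome must not fall through to success
                raise ValueError(f"Unexpected 2SA result type: {type(result)}")

    return AuthenticatorSuccess(icloud)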
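def request_2sa(icloud: PyiCloudService, logger: logging.Logger) -> TwoFactorAuthResult:
    """Request two-step authentication. Prompts for SMS or device

    Lists the account's trusted devices, lets the user pick one by number,
    asks the service to send a verification code to it and validates the
    code the user types in.

    Args:
        icloud: Service that reported ``requires_2sa``.
        logger: Logger for error and success messages.

    Returns:
        ``TwoFactorAuthSuccess`` once a code is validated, otherwise
        ``TwoFactorAuthFailed`` with a short reason.
    """
    from pyicloud_ipd.response_types import (
        Response2SARequired,
        ResponseAPIError,
        ResponseServiceNotActivated,
        ResponseServiceUnavailable,
        SendVerificationCodeSuccess,
        TrustedDevicesSuccess,
        ValidateVerificationCodeSuccess,
    )

    devices_result = icloud.get_trusted_devices()
    match devices_result:
        case TrustedDevicesSuccess(devices):
            pass  # Continue with devices
        case (
            Response2SARequired(_)
            | ResponseServiceNotActivated(_, _)
            | ResponseAPIError(_, _)
            | ResponseServiceUnavailable(_)
        ):
            return TwoFactorAuthFailed("Failed to get trusted devices")
        case _:
            # Fail closed instead of reaching the unbound `devices` below
            logger.error("Unexpected trusted devices result: %s", type(devices_result))
            return TwoFactorAuthFailed("Failed to get trusted devices")

    devices_count = len(devices)
    if devices_count == 0:
        # Nothing to send a code to; indexing devices[0] would raise IndexError.
        logger.error("No trusted devices available for two-step authentication")
        return TwoFactorAuthFailed("No trusted devices available for two-step authentication")

    for i, device in enumerate(devices):
        number = device["phoneNumber"]
        alt_name = f"SMS to {number}"
        name = device.get("deviceName", alt_name)
        echo(f" {i}: {name}")
    device_index = prompt_int_range("Please choose an option:", "0", 0, devices_count - 1)
    device = devices[device_index]

    send_result = icloud.send_verification_code(device)
    match send_result:
        case SendVerificationCodeSuccess(success):
            if not success:
                logger.error("Failed to send two-step authentication code")
                return TwoFactorAuthFailed("Failed to send two-step authentication code")
        case _:
            logger.error("Failed to send two-step authentication code")
            return TwoFactorAuthFailed("Failed to send two-step authentication code")

    code = prompt_string("Please enter two-step authentication code")
    validate_result = icloud.validate_verification_code(device, code)
    match validate_result:
        case ValidateVerificationCodeSuccess(success):
            if not success:
                logger.error("Failed to verify two-step authentication code")
                return TwoFactorAuthFailed("Failed to verify two-step authentication code")
        case _:
            logger.error("Failed to verify two-step authentication code")
            return TwoFactorAuthFailed("Failed to verify two-step authentication code")

    logger.info(
        "Great, you're all set up. The script can now be run without "
        "user interaction until 2SA expires.\n"
        "You can set up email notifications for when "
        "the two-step authentication expires.\n"
        "(Use --help to view information about SMTP options.)"
    )
    return TwoFactorAuthSuccess()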
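def _prompt_six_digit_code(message: str) -> str:
    """Prompt with ``message`` until the answer is a six-digit code.

    Whitespace is stripped before validation; anything that does not pass
    ``is_valid_six_digit_code`` is rejected with a hint and the prompt repeats.
    """
    while True:
        from foundation.string_utils import strip

        code = strip(prompt_string(message))
        if is_valid_six_digit_code(code):
            return code
        echo("Invalid code, should be six digits. Try again")


def request_2fa(icloud: PyiCloudService, logger: logging.Logger) -> TwoFactorAuthResult:
    """Request two-factor authentication.

    With trusted phone numbers on the account the user may either type a
    six-digit code directly or pick a phone number (by letter) to have a code
    sent by SMS, which is then validated via the SMS-specific call. With no
    trusted phone numbers only a directly entered code is accepted.

    Args:
        icloud: Service that reported ``requires_2fa``.
        logger: Logger for error and success messages.

    Returns:
        ``TwoFactorAuthSuccess`` once a code is validated, otherwise
        ``TwoFactorAuthFailed`` with a short reason.
    """
    from pyicloud_ipd.response_types import (
        Response2SARequired,
        ResponseAPIError,
        ResponseServiceNotActivated,
        ResponseServiceUnavailable,
        Send2FACodeSMSSuccess,
        TrustedPhoneNumbersSuccess,
        Validate2FACodeSMSSuccess,
        Validate2FACodeSuccess,
    )

    devices_result = icloud.get_trusted_phone_numbers()
    match devices_result:
        case TrustedPhoneNumbersSuccess(devices):
            pass  # Continue with devices
        case (
            Response2SARequired(_)
            | ResponseServiceNotActivated(_, _)
            | ResponseAPIError(_, _)
            | ResponseServiceUnavailable(_)
        ):
            return TwoFactorAuthFailed("Failed to get trusted phone numbers")
        case _:
            # Fail closed instead of reaching the unbound `devices` below
            logger.error("Unexpected trusted phone numbers result: %s", type(devices_result))
            return TwoFactorAuthFailed("Failed to get trusted phone numbers")

    devices_count = len(devices)
    device_index_alphabet = "abcdefghijklmnopqrstuvwxyz"
    if devices_count > 0:
        if devices_count > len(device_index_alphabet):
            return TwoFactorAuthFailed("Too many trusted devices for authentication")

        for i, device in enumerate(devices):
            echo(f" {device_index_alphabet[i]}: {device.obfuscated_number}")
        index_str = f"..{device_index_alphabet[devices_count - 1]}" if devices_count > 1 else ""

        index_or_code: str = ""
        while True:
            from foundation.string_utils import strip_and_lower

            index_or_code = strip_and_lower(
                prompt_string(
                    f"Please enter two-factor authentication code or device index ({device_index_alphabet[0]}{index_str}) to send SMS with a code"
                )
            )
            # Use pure validation functions
            if is_empty_string(index_or_code):
                echo("Empty string. Try again")
                continue
            if is_valid_device_index(index_or_code, devices_count, device_index_alphabet):
                break
            if is_valid_six_digit_code(index_or_code):
                break
            # Handle invalid input cases
            if len(index_or_code) == 1:
                echo(f"Invalid index, should be ({device_index_alphabet[0]}{index_str}). Try again")
            elif len(index_or_code) == 6:
                echo("Invalid code, should be six digits. Try again")
            else:
                echo(
                    f"Should be index ({device_index_alphabet[0]}{index_str}) or six-digit code. Try again"
                )

        if index_or_code in device_index_alphabet:
            # A device letter was chosen: have a code sent by SMS first
            device = devices[device_index_alphabet.index(index_or_code)]
            send_result = icloud.send_2fa_code_sms(device.id)
            match send_result:
                case Send2FACodeSMSSuccess(success):
                    if not success:
                        return TwoFactorAuthFailed("Failed to send two-factor authentication code")
                case _:
                    return TwoFactorAuthFailed("Failed to send two-factor authentication code")

            code = _prompt_six_digit_code(
                "Please enter two-factor authentication code that you received over SMS"
            )
            validate_result = icloud.validate_2fa_code_sms(device.id, code)
            match validate_result:
                case Validate2FACodeSMSSuccess(success):
                    if not success:
                        return TwoFactorAuthFailed("Failed to verify two-factor authentication code")
                case _:
                    return TwoFactorAuthFailed("Failed to verify two-factor authentication code")
        else:
            # A six-digit code was typed directly
            validate_2fa_result = icloud.validate_2fa_code(index_or_code)
            match validate_2fa_result:
                case Validate2FACodeSuccess(success):
                    if not success:
                        return TwoFactorAuthFailed("Failed to verify two-factor authentication code")
                case _:
                    return TwoFactorAuthFailed("Failed to verify two-factor authentication code")
    else:
        code = _prompt_six_digit_code("Please enter two-factor authentication code")
        validate_2fa_result = icloud.validate_2fa_code(code)
        match validate_2fa_result:
            case Validate2FACodeSuccess(success):
                if not success:
                    return TwoFactorAuthFailed("Failed to verify two-factor authentication code")
            case _:
                return TwoFactorAuthFailed("Failed to verify two-factor authentication code")

    logger.info(
        "Great, you're all set up. The script can now be run without "
        "user interaction until 2FA expires.\n"
        "You can set up email notifications for when "
        "the two-factor authentication expires.\n"
        "(Use --help to view information about SMTP options.)"
    )
    return TwoFactorAuthSuccess()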
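def request_2fa_web(
    icloud: PyiCloudService, logger: logging.Logger, status_exchange: StatusExchange
) -> TwoFactorAuthResult:
    """Request two-factor authentication through Webui.

    Moves the shared status to NEED_MFA, polls until the web UI supplies a
    code, and validates it with the service. A rejected code is reported back
    through ``status_exchange.set_error`` and the wait continues.

    Args:
        icloud: Service that reported ``requires_2fa``.
        logger: Logger for the success message.
        status_exchange: Shared status/payload handoff with the web UI.

    Returns:
        ``TwoFactorAuthSuccess`` once a code validates; ``TwoFactorAuthFailed``
        when the status handshake cannot be advanced or no code was supplied.
    """
    from pyicloud_ipd.response_types import Validate2FACodeSuccess

    if not status_exchange.replace_status(Status.NO_INPUT_NEEDED, Status.NEED_MFA):
        return TwoFactorAuthFailed(
            f"Expected NO_INPUT_NEEDED, but got {status_exchange.get_status()}"
        )

    # wait for input
    while True:
        if status_exchange.get_status() == Status.NEED_MFA:
            time.sleep(1)
            continue

        if not status_exchange.replace_status(Status.SUPPLIED_MFA, Status.CHECKING_MFA):
            return TwoFactorAuthFailed("Failed to change status")

        code = status_exchange.get_payload()
        if not code:
            return TwoFactorAuthFailed("Internal error: did not get code for SUPPLIED_MFA status")

        # Match the result explicitly, as request_2fa does, instead of relying
        # on its truthiness: a failure/error result object would otherwise be
        # truthy and count as a verified code.
        match icloud.validate_2fa_code(code):
            case Validate2FACodeSuccess(success) if success:
                verified = True
            case _:
                verified = False

        if not verified:
            if status_exchange.set_error("Failed to verify two-factor authentication code"):
                # that will loop forever
                # TODO give user an option to restart auth in case they missed code
                continue
            return TwoFactorAuthFailed("Failed to change status of invalid code")

        status_exchange.replace_status(Status.CHECKING_MFA, Status.NO_INPUT_NEEDED)  # done
        logger.info(
            "Great, you're all set up. The script can now be run without "
            "user interaction until 2FA expires.\n"
            "You can set up email notifications for when "
            "the two-factor authentication expires.\n"
            "(Use --help to view information about SMTP options.)"
        )
        return TwoFactorAuthSuccess()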