Python&的解决方法硒:针对Active Directory进行身份验证 [英] Workaround for Python & Selenium: authenticate against Active Directory
问题描述
我正在使用Python(2.7)和Selenium(3.4.3)通过geckodriver(0.19.0)驱动Firefox(52.2.0 ESR)在CentOS 7机器上自动化进程。
我需要通过传递用户凭据来完全自动化的自动化操作。
一个事实是,该过程所需的内部网站位于Active Directory域内,而运行我的自动化设备的计算机不在这一事实中,这引起了戏剧性的变化。我不需要验证用户,只需将凭据传递到网站即可,无需人工干预,也不必让用户成为计算机上的本地用户。
I am using Python (2.7) and Selenium (3.4.3) to drive Firefox (52.2.0 ESR) via geckodriver (0.19.0) to automate a process on a CentOS 7 machine.
I need totally unattended operation of this automation with user credentials passed through; no storage allowed and no breaking in.
One piece of drama is being caused by the fact that the internal website required for the process is within an Active Directory domain while the machine running my automation is not. I have no need to validate the user, only pass the credentials to the website in such a way as to not require human interaction or for the person to be a local user on the machine.
我尝试了以下各种排列:
I have tried various permutations of:
- [协议]:// [user,pass] @ [url]
- driver.switch_to_alert()+ send_keys
似乎其中一些只能在IE上使用,而我却无权访问。
我已经检查了库来处理此问题,但都无济于事。
It seems some of those only work on IE, something I have no access to.
I have checked for libraries to handle this and all to no avail.
我可以在python中添加库,并且可以对机器进行sudo访问-无法进行身份验证,因此无法进行AD集成。
I can add libraries to python and I have sudo access to the machine - can't touch authentication, so AD integration is not possible.
我该如何给该AD网站上任意用户的凭据,这样就无需本地存储凭据,也不需要用户交互?
How can I give this AD website the credentials of an arbitrary user such that no local storage of their credentials happens an no user interaction is required?
谢谢
编辑
我认为像代理这样的东西可以对用户进行身份验证,然后保留对硒的身份验证以进行硒事情...
是否有可用的简单LDAP / AD代理?
I think something like a proxy which could authenticate the user then retain that authentication for selenium to do its thing ... Is there a simple LDAP/AD proxy available?
编辑2
每小时APS表示这一点的一种非常简单的方法是,我想传递用户凭据并防止身份验证弹出窗口发生。
Perhaps a very simple way of stating this is that I want to pass user credentials and prevent the authentication popup from happening.
推荐答案
解决方案找到:
我需要使用浏览器扩展程序。
我的解决方案是针对铬制成的,但对于Firefox和也许 edge,它的端口应该几乎保持不变。
Solution Found:
I needed to use a browser extension. My solution has been built for chromium but it should port almost-unchanged for Firefox and maybe edge.
首先,您需要2个可用于您的浏览器的API:
First up, you need 2 APIs to be available for your browser:
webRequest.onAuthRequired- Chrome & Firefoxruntime.nativeMessaging- Chrome & Firefox
虽然两个浏览器API都非常相似,但它们确实有一些显着差异-例如Chrome的实现缺少承诺。
While both browser APIs are very similar, they do have some significant differences - such as Chrome's implementation lacking Promises.
如果您将本机消息传递主机设置为发送格式正确的JSON字符串,则您只需要轮询一次。这意味着您可以使用一次对 runtime.sendNativeMessage()的调用,并确保您的凭据是可解析的。
If you setup your Native Messaging Host to send a properly-formed JSON string, you need only poll it once. This means you can use a single call to runtime.sendNativeMessage() and be assured that your credentials are paresable. Pun intended.
下一步,我们需要研究如何处理 webRequest.onAuthRequired 事件。
Next, we need to look at how we're supposed to handle the webRequest.onAuthRequired event.
由于我在Chromium中工作,因此我需要使用无承诺的Chrome API。
Since I'm working in Chromium, I need to use the promise-less Chrome API.
chrome.webRequest.onAuthRequired.addListener(
callbackFunctionHere,
{urls:[targetUrls]},
['asyncBlocking'] // --> this line is important, too. Very.
更改:
我将调用我的函数 provideCredentials ,因为我是一个大偷窃者,并使用了此源。查找异步版本。
The Change:
I'll be calling my function provideCredentials because I'm a big stealy-stealer and used an example from this source. Look for the asynchronous version.
示例代码从存储中获取凭据.local ...
chrome.storage.local.get(null, gotCredentials);
我们不想要那样。
我们希望通过一次调用 sendNativeMessage 来获取凭据,因此我们将其更改为一行
We want to get the credentials from a single call to sendNativeMessage so we'll change that one line.
chrome.runtime.sendNativeMessage(hostName, { text: "Ready" }, gotCredentials);
这就是全部。说真的只要主持人表现出色,这就是大秘密。我什至不告诉你我花了多长时间找到它!
That's all it takes. Seriously. As long as your Host plays nice, this is the big secret. I won't even tell you how long it took me to find it!
我的问题带有有用的链接:
My questions with helpful links:
- 此处-针对Active Directory进行身份验证的解决方法
- -还有功能正常的NM主机的一些工作代码
- 此处-关于承诺的一些启发性材料
- Here - Workaround for Authenticating against Active Directory
- Here - Also has some working code for a functional NM Host
- Here - Some enlightening material on promises
所以事实证明这不是一个小问题。
So this turns out to be a non-trivial problem.
我没有尚未实现该解决方案,但我知道如何实现该目标...
I haven't implemented the solution, yet, but I know how to get there...
将值传递给扩展程序是第一步-可以在两个Chrome浏览器中完成一个和Firefox。观察版本,以确保所需的API nativeMessaging实际上存在于您的版本中。由于这个原因,我不得不改用铬。
Passing values to an extension is the first step - this can be done in both Chrome and Firefox. Watch the version to make sure the API required, nativeMessaging, actually exists in your version. I have had to switch to chromium for this reason.
或者,可以使用存储API首先将值放入浏览器存储。
Alternatively, one can use the storage API to put values in browser storage first. [edit: I did not go this way for security concerns]
接下来是使用webRequest API中的onAuthRequired事件。在事件上设置侦听器并传递所需的值。
Next is to use the onAuthRequired event from the webRequest API . Setup a listener on the event and pass in the values you need.
注意事项:已经为nativeMessaging API解决方案构建了直到扩展本身的所有内容,但是让脚本识别数据仍然存在问题。几乎可以肯定,这是我的JavaScript技能与使这些API变得不可思议的奥秘知识发生冲突……
我尚未尝试使用存储方法,因为它的安全性较差(在我看来),但确实如此更简单。
Caveats: I have built everything right up to the extension itself for the nativeMessaging API solution and there's still a problem with getting the script to recognise the data. This is almost certainly my JavaScript skills clashing with the arcane knowledge required to make these APIs make much sense ... I have yet to attempt the storage method as it's less secure (in my mind) but it does seem to be simpler.
这篇关于Python&的解决方法硒:针对Active Directory进行身份验证的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
