Workaround for Python & Selenium: authenticate against Active Directory

Problem description

I am using Python (2.7) and Selenium (3.4.3) to drive Firefox (52.2.0 ESR) via geckodriver (0.19.0) to automate a process on a CentOS 7 machine.
I need totally unattended operation of this automation with user credentials passed through; no storage allowed and no breaking in.
One piece of drama is being caused by the fact that the internal website required for the process is within an Active Directory domain while the machine running my automation is not. I have no need to validate the user, only pass the credentials to the website in such a way as to not require human interaction or for the person to be a local user on the machine.

I have tried various permutations of:

  • [protocol]://[user,pass]@[url]
  • driver.switch_to_alert() + send_keys

It seems some of those only work on IE, something I have no access to.
I have checked for libraries to handle this and all to no avail.

I can add libraries to python and I have sudo access to the machine - can't touch authentication, so AD integration is not possible.

How can I give this AD website the credentials of an arbitrary user such that no local storage of their credentials happens and no user interaction is required?

Thanks

Edit

I think something like a proxy which could authenticate the user then retain that authentication for selenium to do its thing ... Is there a simple LDAP/AD proxy available?

Edit 2

Perhaps a very simple way of stating this is that I want to pass user credentials and prevent the authentication popup from happening.

Recommended answer

Solution found:

I needed to use a browser extension. My solution is built for Chrome, but it should port almost unchanged to Firefox and maybe Edge.

First up, you need 2 APIs to be available for your browser:

  • webRequest.onAuthRequired - Chrome & Firefox
  • runtime.nativeMessaging - Chrome & Firefox

While both browser APIs are very similar, they do have some significant differences - such as Chrome's implementation lacking Promises.

If you set up your Native Messaging Host to send a properly-formed JSON string, you need only poll it once. This means you can use a single call to runtime.sendNativeMessage() and be assured that your credentials are paresable. Pun intended.

Next, we need to look at how we're supposed to handle the webRequest.onAuthRequired event.

Since I'm working in Chromium, I need to use the promise-less Chrome API.

chrome.webRequest.onAuthRequired.addListener(
  callbackFunctionHere,
  {urls:[targetUrls]},
  ['asyncBlocking'] // --> this line is important, too. Very.
);

The Change:

I'll be calling my function provideCredentials because I'm a big stealy-stealer and used an example from this source. Look for the asynchronous version.

The example code fetches the credentials from storage.local ...

chrome.storage.local.get(null, gotCredentials);

We don't want that. No.

We want to get the credentials from a single call to sendNativeMessage so we'll change that one line.

chrome.runtime.sendNativeMessage(hostName, { text: "Ready" }, gotCredentials);

That's all it takes. Seriously. As long as your Host plays nice, this is the big secret. I won't even tell you how long it took me to find it!

My questions with helpful links:

  • Here - Workaround for Authenticating against Active Directory
  • Here - Also has some working code for a functional NM Host
  • Here - Some enlightening material on promises

So this turns out to be a non-trivial problem.

I haven't implemented the solution, yet, but I know how to get there...

Passing values to an extension is the first step - this can be done in both Chrome and Firefox. Watch the version to make sure the API required, nativeMessaging, actually exists in your version. I have had to switch to chromium for this reason.

Alternatively, one can use the storage API to put values in browser storage first. [edit: I did not go this way for security concerns]

Next is to use the onAuthRequired event from the webRequest API. Set up a listener on the event and pass in the values you need.

Caveats: I have built everything right up to the extension itself for the nativeMessaging API solution and there's still a problem with getting the script to recognise the data. This is almost certainly my JavaScript skills clashing with the arcane knowledge required to make these APIs make much sense ... I have yet to attempt the storage method as it's less secure (in my mind) but it does seem to be simpler.
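
The listener the answer describes, filled out as an added example (not the answerer's code): it asks the native messaging host once per challenge and cancels when the same request is challenged again, since that means the credentials were rejected. The host name, the target URL pattern and the `username`/`password` fields of the host's reply are assumptions.

```javascript
// Added example. HOST_NAME, TARGET_URLS and the reply fields are assumptions.
const HOST_NAME = "com.example.credential_host";          // hypothetical host
const TARGET_URLS = ["https://intranet.example.test/*"];  // hypothetical site

// sendNativeMessage is injected so the logic can be run outside a browser.
function makeAuthHandlers(sendNativeMessage, hostName) {
  const answered = new Set(); // requestIds already given credentials once

  function provideCredentials(details, asyncCallback) {
    // A second challenge for the same request means the credentials were
    // rejected: cancel instead of retrying, so a bad password cannot loop
    // and lock the AD account. Proxy challenges are never answered.
    if (details.isProxy || answered.has(details.requestId)) {
      answered.delete(details.requestId);
      asyncCallback({ cancel: true });
      return;
    }
    answered.add(details.requestId);
    // Single call to the host; credentials stay in memory only.
    sendNativeMessage(hostName, { text: "Ready" }, (reply) => {
      const ok = reply && typeof reply.username === "string" &&
                 typeof reply.password === "string";
      asyncCallback(ok
        ? { authCredentials: { username: reply.username,
                               password: reply.password } }
        : { cancel: true }); // host missing or malformed reply
    });
  }

  // Drop finished requests so the set does not grow.
  function forget(details) { answered.delete(details.requestId); }
  return { provideCredentials, forget };
}

// Registration in the extension's background script.
if (typeof chrome !== "undefined" && chrome.webRequest) {
  const h = makeAuthHandlers(
    (host, msg, cb) => chrome.runtime.sendNativeMessage(host, msg, cb),
    HOST_NAME);
  const filter = { urls: TARGET_URLS };
  chrome.webRequest.onAuthRequired.addListener(
    h.provideCredentials, filter, ["asyncBlocking"]);
  chrome.webRequest.onCompleted.addListener(h.forget, filter);
  chrome.webRequest.onErrorOccurred.addListener(h.forget, filter);
}
```

Keeping the URL filter as narrow as the one target site matters here: any origin matched by the filter that issues an HTTP auth challenge would receive the user's credentials.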
