Modified authentication to accept only secret, without client.

63ad23ac · Pavel Kácha · a84f6d4c · 63ad23ac · 63ad23ac · 63ad23ac
Commit 63ad23ac authored 10 years ago by Pavel Kácha
--- a/warden3/warden_client/warden_client.py
+++ b/warden3/warden_client/warden_client.py
@@ -254,8 +254,9 @@ class Client(object):

    def sendRequest(self, func="", payload=None, **kwargs):

-        kwargs["client"] = self.name
-        if self.secret is not None:
+        if self.secret is None:
+            kwargs["client"] = self.name
+        else:
            kwargs["secret"] = self.secret

        if kwargs:

--- a/warden3/warden_client/warden_curl_test.sh
+++ b/warden3/warden_client/warden_curl_test.sh
@@ -44,7 +44,7 @@ curl \
    "$url/getEvents?client=$client"
 echo

-echo "Test  403 - no client"
+echo "Test  403 - no client, no secret"
 curl \
    --key $keyfile \
    --cert $certfile \
@@ -64,6 +64,36 @@ curl \
    "$url/getEvents?client=asdf.blefub"
 echo

+echo "Test  403 - wrong client, right secret"
+curl \
+    --key $keyfile \
+    --cert $certfile \
+    --cacert $cafile \
+    --connect-timeout 3 \
+    --request POST \
+    "$url/getEvents?client=asdf.blefub&secret=$secret"
+echo
+
+echo "Test  403 - right client, wrong secret"
+curl \
+    --key $keyfile \
+    --cert $certfile \
+    --cacert $cafile \
+    --connect-timeout 3 \
+    --request POST \
+    "$url/getEvents?client=$client&secret=ASDFblefub"
+echo
+
+echo "Test - no client, but secret, should be ok"
+curl \
+    --key $keyfile \
+    --cert $certfile \
+    --cacert $cafile \
+    --connect-timeout 3 \
+    --request POST \
+    "$url/getEvents?secret=$secret"
+echo
+
 echo "Test  Deserialization"
 curl \
    --key $keyfile \

--- a/warden3/warden_server/warden_server.py
+++ b/warden3/warden_server/warden_server.py
@@ -286,37 +286,28 @@ class X509Authenticator(NoAuthenticator):


    def authenticate (self, env, args):
-        try:
-            identity = args["client"][0]
-        except KeyError:
-            logging.info("authenticate: bad or missing client argument")
-            return None
-
        try:
            cert_names = self.get_cert_dns_names(env["SSL_CLIENT_CERT"])
        except:
            logging.info("authenticate: cannot get or parse certificate from env")
            return None
-            
-        client = self.db.get_client_by_name(identity, cert_names)
+
+        identity = args.get("client", [None])[0]
+        secret =  args.get("secret", [None])[0]
+        args["secret"] = ["..."]    # Prevent to spill it over logs
+
+        client = self.db.get_client_by_name(cert_names, identity, secret)

        if not client:
-            logging.info("authenticate: client not found")
+            logging.info("authenticate: client not found by identity: \"%s\", secret: %s, cert_names: %s" % (
+                identity, "..." if secret else "None", str(cert_names)))
            return None
        
        # Clients with 'secret' set muset get authorized by it.
        # No secret turns auth off for this particular client.
-        if client.secret is not None:
-            try:
-                secret = args["secret"][0]
-            except KeyError:
-                logging.info("authenticate: missing secret argument")
-                return None
-            if secret != client.secret:
-                logging.info("authenticate: wrong credentials")
-                return None
-            # Already checked, prevent to spill it over logs
-            args["secret"] = ["..."]
+        if client.secret is not None and secret is None:
+            logging.info("authenticate: missing secret argument")
+            return None

        logging.info("authenticate: %s" % str(client))

@@ -421,19 +412,26 @@ class MySQL(ObjectReq):
            type(self).__name__, type(self.req).__name__, self.host, self.user, self.dbname, self.port, self.catmap_filename, self.tagmap_filename)


-    def get_client_by_name(self, identity, cert_names):
-        format_strings = ','.join(['%s'] * len(cert_names))
-        query = "SELECT id, registered, requestor, hostname, service, note, identity, secret, `read`, debug, `write`, test FROM clients WHERE valid = 1 AND identity = %%s AND hostname IN (%s)" % format_strings
-        self.crs.execute(query, [identity] + cert_names)
+    def get_client_by_name(self, cert_names, identity=None, secret=None):
+        query = ["SELECT id, registered, requestor, hostname, service, note, identity, secret, `read`, debug, `write`, test FROM clients WHERE valid = 1"]
+        params = []
+        if identity:
+            query.append(" AND identity = %s")
+            params.append(identity)
+        if secret:
+            query.append(" AND secret = %s")
+            params.append(secret)
+        query.append(" AND hostname IN (%s)" % ','.join(['%s'] * len(cert_names)))
+        params.extend(cert_names)
+        self.crs.execute("".join(query), params)
        rows = self.crs.fetchall()

        if len(rows)>1:
-            logging.warn("get_client_by_name: query returned more than one result: %s" % str(rows))
+            logging.warn("get_client_by_name: query returned more than one result: %s" % ", ".join(
+                [str(Client(**row)) for row in rows]))
            return None

-        client = Client(**rows[0]) if rows else None
-
-        return client
+        return Client(**rows[0]) if rows else None


    def get_debug(self):