Secret checking not needed anymore if authenticated by cert name (and its better for transition)

7af9a781 · Pavel Kácha · 974de254 · 7af9a781
Commit 7af9a781 authored Sep 16, 2016 by Pavel Kácha
--- a/warden3/warden_server/warden_server.py
+++ b/warden3/warden_server/warden_server.py
@@ -288,10 +288,9 @@ class PlainAuthenticator(ObjectBase):
        return "%s(req=%s, db=%s)" % (type(self).__name__, type(self.req).__name__, type(self.db).__name__)


-    def authenticate(self, env, args):
+    def authenticate(self, env, args, hostnames = None, check_secret = True):
        name = args.get("client", [None])[0]
-        secret =  args.get("secret", [None])[0]
-        hostnames = args.get("hostnames", [None])[0]
+        secret = args.get("secret", [None])[0] if check_secret else None

        client = self.db.get_client_by_name(hostnames, name, secret)

@@ -302,7 +301,7 @@ class PlainAuthenticator(ObjectBase):

        # Clients with 'secret' set must get authenticated by it.
        # No secret turns secret auth off for this particular client.
-        if client.secret is not None and secret is None:
+        if client.secret is not None and secret is None and check_secret:
            self.log.info("authenticate: missing secret argument")
            return None

@@ -311,7 +310,6 @@ class PlainAuthenticator(ObjectBase):
        # These args are not for handler
        args.pop("client", None)
        args.pop("secret", None)
-        args.pop("hostnames", None)

        return client

@@ -366,9 +364,7 @@ class X509Authenticator(PlainAuthenticator):
            exception.log(self.log)
            return None

-        args["hostnames"] = [cert_names]
-
-        return PlainAuthenticator.authenticate(self, env, args)
+        return PlainAuthenticator.authenticate(self, env, args, hostnames = cert_names)
        

 class X509NameAuthenticator(PlainAuthenticator):
@@ -386,7 +382,7 @@ class X509NameAuthenticator(PlainAuthenticator):
            exception.log(self.log)
            return None

-        return PlainAuthenticator.authenticate(self, env, args)
+        return PlainAuthenticator.authenticate(self, env, args, check_secret = False)


 class X509MixMatchAuthenticator(PlainAuthenticator):
@@ -421,7 +417,7 @@ class X509MixMatchAuthenticator(PlainAuthenticator):
        else:
            auth = self.hostname_auth

-        self.log.info("MixMatch is choosing %s" % type(auth).__name__)
+        self.log.info("MixMatch is choosing %s (name: %s, cert_name: %s)" % (type(auth).__name__, name, cert_name))
        return auth.authenticate(env, args)