More auth functionality where it belongs, simplified for reuse

warden3/warden_server/warden_server.py

@@ -304,6 +304,11 @@ class PlainAuthenticator(ObjectReq):
 
         logging.getLogger(__name__).info("authenticate: %s" % str(client))
 
+        # These args are not for handler
+        args.pop("client", None)
+        args.pop("secret", None)
+        args.pop("hostnames", None)
+
         return client
 
 
@@ -364,12 +369,20 @@ class X509Authenticator(PlainAuthenticator):
 
 class X509NameAuthenticator(PlainAuthenticator):
 
-    def get_cert_name(self, pem):
+    def authenticate(self, env, args):
+        try:
+            cert_name = env["SSL_CLIENT_S_DN_CN"]
+        except:
+            exception = self.req.error(message="authenticate: cannot get or parse certificate from env", error=403, exc=sys.exc_info(), env=env)
+            exception.log(logging.getLogger(__name__))
+            return None
 
-        cert = M2Crypto.X509.load_cert_string(pem)
+        if cert_name != args.setdefault("client", [cert_name])[0]:
+            exception = self.req.error(message="authenticate: client name does not correspond with certificate", error=403, cn = cert_name, args = args)
+            exception.log(logging.getLogger(__name__))
+            return None
 
-        subj = cert.get_subject()
-        commons = [n.get_data().as_text() for n in subj.get_entries_by_nid(subj.nid["CN"])]
+        return PlainAuthenticator.authenticate(self, env, args)
 
         return commons[0]
 
@@ -860,11 +873,6 @@ class Server(ObjectReq):
             if not auth:
                 raise self.req.error(message="I'm watching. Not authorized.", error=403, client=client.name)
 
-            # These args are not for handler
-            args.pop("client", None)
-            args.pop("secret", None)
-            args.pop("hostnames", None)
-
             args = self.sanitize_args(path, method, args)
 
             try: