diff --git a/warden3/warden_server/warden_server.py b/warden3/warden_server/warden_server.py
index 625eebb1d2df5dbf5b3ca5fbcbaaf54f73f1e892..92e1cef185ea00af85ee61aa50c87c19c7090604 100755
--- a/warden3/warden_server/warden_server.py
+++ b/warden3/warden_server/warden_server.py
@@ -304,6 +304,11 @@ class PlainAuthenticator(ObjectReq):
 logging.getLogger(__name__).info("authenticate: %s" % str(client))
+ # These args are not for handler
+ args.pop("client", None)
+ args.pop("secret", None)
+ args.pop("hostnames", None)
+
 return client
@@ -364,12 +369,20 @@ class X509Authenticator(PlainAuthenticator):
 class X509NameAuthenticator(PlainAuthenticator):
- def get_cert_name(self, pem):
+ def authenticate(self, env, args):
+ try:
+ cert_name = env["SSL_CLIENT_S_DN_CN"]
+ except:
+ exception = self.req.error(message="authenticate: cannot get or parse certificate from env", error=403, exc=sys.exc_info(), env=env)
+ exception.log(logging.getLogger(__name__))
+ return None
- cert = M2Crypto.X509.load_cert_string(pem)
+ if cert_name != args.setdefault("client", [cert_name])[0]:
+ exception = self.req.error(message="authenticate: client name does not correspond with certificate", error=403, cn = cert_name, args = args)
+ exception.log(logging.getLogger(__name__))
+ return None
- subj = cert.get_subject()
- commons = [n.get_data().as_text() for n in subj.get_entries_by_nid(subj.nid["CN"])]
+ return PlainAuthenticator.authenticate(self, env, args)
 return commons[0]
@@ -860,11 +873,6 @@ class Server(ObjectReq):
 if not auth:
 raise self.req.error(message="I'm watching. Not authorized.", error=403, client=client.name)
- # These args are not for handler
- args.pop("client", None)
- args.pop("secret", None)
- args.pop("hostnames", None)
-
 args = self.sanitize_args(path, method, args)
 try:
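Review bot: Moving the `client`/`secret`/`hostnames` stripping into PlainAuthenticator.authenticate makes it conditional on the authenticator delegating to this method, while the third hunk removes the unconditional pops from Server, so an authenticate override that returns a client without calling PlainAuthenticator.authenticate would now pass the caller's `secret` through to the handler. X509Authenticator and X509NameAuthenticator inherit from PlainAuthenticator, but whether every override delegates cannot be confirmed from these hunks. The contract deserves a comment next to the pops, e.g. `# Handlers must never see credentials: every authenticate() override must end by delegating here (or strip these keys itself).` The enclosing authenticate method starts outside this hunk.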
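Review bot: `return commons[0]` at the end of X509NameAuthenticator.authenticate is now unreachable and names `commons`, which this hunk removes along with get_cert_name; it should be deleted as well. The bare `except:` around the env lookup catches far more than the missing-key case (including SystemExit and KeyboardInterrupt); `except KeyError:` is what `env["SSL_CLIENT_S_DN_CN"]` can actually raise, and the message "cannot get or parse certificate from env" could be narrowed since nothing is parsed anymore. `args.setdefault("client", [cert_name])[0]` raises IndexError when a caller supplies `client` as an empty list, which surfaces as an unhandled exception instead of the 403 path; guard it with `client_arg = args.setdefault("client", [cert_name])` and `if not client_arg or cert_name != client_arg[0]:`. A docstring should also state that this authenticator trusts the front-end server to have verified the client certificate before exporting `SSL_CLIENT_S_DN_CN`, since the method itself only compares names.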