From 7af9a78107fbda8d757629aecddc46be3416097b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20K=C3=A1cha?= <ph@cesnet.cz>
Date: Fri, 16 Sep 2016 14:28:47 +0200
Subject: [PATCH] Secret checking not needed anymore if authenticated by cert
 name (and its better for transition)

---
 warden3/warden_server/warden_server.py | 16 ++++++----------
 1 file changed, 6 insertions(+), 10 deletions(-)

diff --git a/warden3/warden_server/warden_server.py b/warden3/warden_server/warden_server.py
index 204790e..8f0b0b6 100755
--- a/warden3/warden_server/warden_server.py
+++ b/warden3/warden_server/warden_server.py
@@ -288,10 +288,9 @@ class PlainAuthenticator(ObjectBase):
         return "%s(req=%s, db=%s)" % (type(self).__name__, type(self.req).__name__, type(self.db).__name__)
 
 
-    def authenticate(self, env, args):
+    def authenticate(self, env, args, hostnames = None, check_secret = True):
         name = args.get("client", [None])[0]
-        secret =  args.get("secret", [None])[0]
-        hostnames = args.get("hostnames", [None])[0]
+        secret = args.get("secret", [None])[0] if check_secret else None
 
         client = self.db.get_client_by_name(hostnames, name, secret)
 
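Review bot: The new `hostnames` and `check_secret` keyword parameters change what this method trusts — `hostnames` now comes from the calling authenticator instead of the request's query arguments — yet the method still has no docstring stating that contract, and a `secret` sent alongside `check_secret=False` is silently discarded. Add a docstring saying that `hostnames` is the caller-verified certificate name data (None for plain authentication), that `check_secret=False` skips the shared-secret comparison and must only be used after the caller has authenticated the client by other means, and that `name` is still taken from the request. Because `hostnames` is no longer read here and the third hunk drops `args.pop("hostnames", None)`, a client-supplied `hostnames` query argument now reaches the handler; whether that matters depends on how handlers treat unexpected arguments, which is outside this diff.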
@@ -302,7 +301,7 @@ class PlainAuthenticator(ObjectBase):
 
         # Clients with 'secret' set must get authenticated by it.
         # No secret turns secret auth off for this particular client.
-        if client.secret is not None and secret is None:
+        if client.secret is not None and secret is None and check_secret:
             self.log.info("authenticate: missing secret argument")
             return None
 
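Review bot: The two-line comment above the condition no longer describes it: with `check_secret` added to the conjunction, a client whose record has a secret is admitted without one whenever the caller passes `check_secret=False`, and the comment does not say so. Extend it along the lines of `# ... unless the caller already authenticated the client by certificate name (check_secret=False).` Since the first hunk already forces `secret` to None when `check_secret` is false, the added `and check_secret` is what actually disables the check, so the comment should point at the flag rather than at the secret value.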
@@ -311,7 +310,6 @@ class PlainAuthenticator(ObjectBase):
         # These args are not for handler
         args.pop("client", None)
         args.pop("secret", None)
-        args.pop("hostnames", None)
 
         return client
 
@@ -366,9 +364,7 @@ class X509Authenticator(PlainAuthenticator):
             exception.log(self.log)
             return None
 
-        args["hostnames"] = [cert_names]
-
-        return PlainAuthenticator.authenticate(self, env, args)
+        return PlainAuthenticator.authenticate(self, env, args, hostnames = cert_names)
         
 
 class X509NameAuthenticator(PlainAuthenticator):
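Review bot: Style only: the rewritten call writes `hostnames = cert_names` with spaces around `=`, which PEP 8 reserves for assignments rather than keyword arguments, and the context line after it carries a run of trailing whitespace; `return PlainAuthenticator.authenticate(self, env, args, hostnames=cert_names)` followed by a stripped blank line would be cleaner. The enclosing `authenticate` of X509Authenticator begins above the hunk.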
@@ -386,7 +382,7 @@ class X509NameAuthenticator(PlainAuthenticator):
             exception.log(self.log)
             return None
 
-        return PlainAuthenticator.authenticate(self, env, args)
+        return PlainAuthenticator.authenticate(self, env, args, check_secret = False)
 
 
 class X509MixMatchAuthenticator(PlainAuthenticator):
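Review bot: Passing `check_secret=False` makes the certificate-name check performed above this hunk the only thing tying the request to the client record, since no `hostnames` value is passed either and the shared secret is no longer consulted. That is what the commit intends, but the call site should say so, e.g. `# Client already authenticated by certificate name above; the shared-secret check is skipped.` The enclosing `authenticate` of X509NameAuthenticator starts above the hunk, so the exact check it performs is not visible here.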
@@ -421,7 +417,7 @@ class X509MixMatchAuthenticator(PlainAuthenticator):
         else:
             auth = self.hostname_auth
 
-        self.log.info("MixMatch is choosing %s" % type(auth).__name__)
+        self.log.info("MixMatch is choosing %s (name: %s, cert_name: %s)" % (type(auth).__name__, name, cert_name))
         return auth.authenticate(env, args)
 
 
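Review bot: The enriched log line interpolates `name` with `%s`, and from the sibling authenticators `name` appears to be the client-supplied `client` argument, so a value containing newlines or control characters lands in the log verbatim; `%r` keeps such input escaped and also distinguishes None from the string "None": `self.log.info("MixMatch is choosing %s (name: %r, cert_name: %r)" % (type(auth).__name__, name, cert_name))`. Where `name` and `cert_name` are assigned is above the hunk.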
-- 
GitLab