Added combined X509MixMatchAuthenticator, which allows for logging in both...

Added combined X509MixMatchAuthenticator, which allows for logging in both clients with hostname cert and with client name cert

Added combined X509MixMatchAuthenticator, which allows for logging in both...
bb76dd78 · Pavel Kácha · 2b1b1400 · bb76dd78
Commit bb76dd78 authored 8 years ago by Pavel Kácha
--- a/warden3/warden_server/warden_server.py
+++ b/warden3/warden_server/warden_server.py
@@ -384,26 +384,40 @@ class X509NameAuthenticator(PlainAuthenticator):

        return PlainAuthenticator.authenticate(self, env, args)

-        return commons[0]
+
+class X509MixMatchAuthenticator(PlainAuthenticator):
+
+    def __init__(self, req, db):
+        PlainAuthenticator.__init__(self, req, db)
+        self.hostname_auth = X509Authenticator(req, db)
+        self.name_auth = X509Authenticator(req, db)


    def authenticate(self, env, args):
        try:
-            name = self.get_cert_name(env["SSL_CLIENT_CERT"])
+            cert_name = env["SSL_CLIENT_S_DN_CN"]
        except:
            exception = self.req.error(message="authenticate: cannot get or parse certificate from env", error=403, exc=sys.exc_info(), env=env)
            exception.log(logging.getLogger(__name__))
            return None
+        name = args.get("client", [None])[0]
+        secret =  args.get("secret", [None])[0]

-        client = self.db.get_client_by_name(None, name, None)
+        # Client names are in reverse notation than DNS, client name should
+        # thus never be the same as machine hostname (if it is, client
+        # admin does something very amiss).

-        if not client:
-            logging.info("authenticate: client not found by name: \"%s\"" % (name))
-            return None
+        # So, if client sends the same name in query as in the certificate,
+        # or sends no name or secret (which is necessary for hostname auth),
+        # use X509NameAuthenticator. Otherwise (names are different and there
+        # is name and/or secret in query) use (hostname) X509Authenticator.

-        logging.info("authenticate: %s" % str(client))
+        if name == cert_name or (name is None and secret is None):
+            auth = self.name_auth
+        else:
+            auth = self.hostname_auth

-        return client
+        return auth.authenticate(self, env, args)


 class NoValidator(ObjectReq):
@@ -1208,7 +1222,7 @@ def build_server(conf):
    section_def = {
        "log": ["FileLogger", "SysLogger"],
        "db": ["MySQL"],
-        "auth": ["X509Authenticator", "PlainAuthenticator", "X509NameAuthenticator"],
+        "auth": ["X509Authenticator", "PlainAuthenticator", "X509NameAuthenticator", "X509MixMatchAuthenticator"],
        "validator": ["JSONSchemaValidator", "NoValidator"],
        "handler": ["WardenHandler"],
        "server": ["Server"]