authorSimo Sorce <simo@redhat.com>2015-04-07 22:23:47 -0400
committerSimo Sorce <simo@redhat.com>2015-04-07 22:57:49 -0400
commit0c8c416289514889ec095c203880a8ce1e4c23d4 (patch)
tree204aa7dde9538b7bc4acda4808507270b28e93a3
parent50abe3fd6ec1ed43a14fad94ad1fe2081f6e9cee (diff)
Change authenticators to return a result
Authenticators no longer signal validity by adding a request attribute. Instead they return one of three values: - True, indicates positive authentication - False, indicates explicit failure - None, indicates neither success nor failure (not applicable)
-rw-r--r--custodia.conf8
-rw-r--r--custodia/httpd/authenticators.py17
-rw-r--r--custodia/httpd/server.py18
3 files changed, 27 insertions, 16 deletions
diff --git a/custodia.conf b/custodia.conf
index cf24a93..15c86c4 100644
--- a/custodia.conf
+++ b/custodia.conf
@@ -1,10 +1,10 @@
[global]
server_version = "Secret/0.0.7"
-[auth:simple]
-handler = custodia.httpd.authenticators.SimpleCredsAuth
-uid = 48
-gid = 48
+#[auth:simple]
+#handler = custodia.httpd.authenticators.SimpleCredsAuth
+#uid = 48
+#gid = 48
[auth:header]
handler = custodia.httpd.authenticators.SimpleHeaderAuth
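Review bot: The `[auth:simple]` section is commented out without a reason recorded next to it; with the new return semantics a uid/gid mismatch in SimpleCredsAuth is an explicit False, which makes the server reject the request even when `[auth:header]` would have accepted it, so the two can no longer be enabled together as alternatives. A one-line comment above the section would stop the next reader from simply re-enabling it, e.g. `# Disabled: a uid/gid mismatch now fails the whole request, so this cannot be combined with auth:header as an alternative.` If the intent is that both must pass, the comment should say that instead.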
diff --git a/custodia/httpd/authenticators.py b/custodia/httpd/authenticators.py
index 1b76287..cf8402f 100644
--- a/custodia/httpd/authenticators.py
+++ b/custodia/httpd/authenticators.py
@@ -28,7 +28,9 @@ class SimpleCredsAuth(HTTPAuthenticator):
uid = int(request['creds']['gid'])
gid = int(request['creds']['uid'])
if self._gid == gid or self._uid == uid:
- request['valid_auth'] = True
+ return True
+ else:
+ return False
class SimpleHeaderAuth(HTTPAuthenticator):
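Review bot: The two context lines at the top of the hunk read the peer credentials crosswise — `uid = int(request['creds']['gid'])` and `gid = int(request['creds']['uid'])` — so `self._uid` is compared against the caller's gid and `self._gid` against its uid, and the commit leaves this as is. They should read `uid = int(request['creds']['uid'])` and `gid = int(request['creds']['gid'])`; as written, a caller whose uid happens to equal the configured gid (or vice versa) is accepted while the intended principal may be rejected. Note also that a mismatch is now an explicit False, which in server.py fails the whole chain with a 403, so this authenticator can no longer serve as one alternative among several; if that is not intended, the mismatch branch should `return None`. handle's signature is outside the hunk.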
@@ -44,22 +46,22 @@ class SimpleHeaderAuth(HTTPAuthenticator):
def handle(self, request):
if self.name not in request['headers']:
- return
+ return False
value = request['headers'][self.name]
if self.value is None:
# Any value is accepted
pass
elif isinstance(self.value, str):
if value != self.value:
- return
+ return False
elif isinstance(self.value, list):
if value not in self.value:
- return
+ return False
else:
- return
+ return False
- request['valid_auth'] = True
request['remote_user'] = value
+ return True
class SimpleNULLAuth(HTTPAuthenticator):
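Review bot: In the `self.value is None` branch ("Any value is accepted") the client-supplied header content is copied verbatim into `request['remote_user']` and the request counts as authenticated, so identity is asserted from data the caller controls; that is only safe when the socket is reachable solely through a front-end that sets or strips this header, and the assumption deserves a comment on that branch, e.g. `# Trusts the header outright: only safe when a front-end proxy is the sole client of this socket.` Separately, a missing header returns False, which per the commit message is an explicit failure and will 403 the request even if another configured authenticator would accept it; if this plugin is meant to be one option among several, the absent-header case should `return None`, matching the "not applicable" value the commit introduces.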
@@ -74,8 +76,9 @@ class SimpleNULLAuth(HTTPAuthenticator):
path = request.get('path', '')
while path != '':
if path in self.paths:
- request['valid_auth'] = True
+ return True
if path == '/':
path = ''
else:
path, _ = os.path.split(path)
+ return None
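Review bot: The loop that walks up the path can spin forever: `os.path.split('//')` returns `('//', '')`, so a request path beginning with two slashes never hits the `path == '/'` exit and never becomes empty, pinning the forked worker on a single request; nothing in the hunk normalizes the path first, so unless the server layer does so (not visible here) this is a denial-of-service input. For the same reason a `..` segment is matched textually, so `/allowed/../other` would satisfy an allowed prefix of `/allowed` if the path arrives un-normalized. I would normalize once and stop as soon as `os.path.split` makes no progress, as below; `normpath` also drops a trailing slash, so entries in `self.paths` must then be written without one. handle's signature is outside the hunk.
```python
path = os.path.normpath(request.get('path', ''))
while path != '':
    if path in self.paths:
        return True
    parent, _ = os.path.split(path)
    if parent == path:
        # '/' (or a '//' root): no further ancestors to try
        break
    path = parent
return None
```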
diff --git a/custodia/httpd/server.py b/custodia/httpd/server.py
index 0e58f0d..a5e59a9 100644
--- a/custodia/httpd/server.py
+++ b/custodia/httpd/server.py
@@ -55,9 +55,12 @@ class ForkingLocalHTTPServer(ForkingMixIn, UnixStreamServer):
correct consumer based on the server configuration, that is provided
at initialization time.
- When authentication is performed the request dictionary will have
- a 'valid_auth' boolean member set to True if authentication was
- successful. Additional attributes may be set by authentication plugins.
+ When authentication is performed all the authenticators are executed.
+ If any returns False, authentication fails and a 403 error is raised.
+ If none of them positively succeeds and they all return None then also
+ authentication fails and a 403 error is raised. Authentication plugins
+ can add attributes to the request object for use of authorization or
+ other plugins.
Once authentication is successful the pipeline will parse the path
component and find the consumer plugin that handles the provided path
@@ -92,9 +95,14 @@ class ForkingLocalHTTPServer(ForkingMixIn, UnixStreamServer):
authers = self.config.get('authenticators')
if authers is None:
raise HTTPError(403)
+ valid_once = False
for auth in authers:
- authers[auth].handle(request)
- if 'valid_auth' not in request or request['valid_auth'] is not True:
+ valid = authers[auth].handle(request)
+ if valid is False:
+ raise HTTPError(403)
+ elif valid is True:
+ valid_once = True
+ if valid_once is not True:
raise HTTPError(403)
# Select consumer
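Review bot: `valid` is only ever compared with `is True` and `is False`, so a plugin that returns any other value — a truthy `1`, a string, or nothing because it still sets the now-unread `request['valid_auth']` — is silently treated like None; the request still fails closed when nothing else returned True, but the misbehaving plugin goes unnoticed and a chain that relied on it stops working without a trace. I would add a strict branch after `elif valid is True:`, e.g. `elif valid is not None: raise HTTPError(403)`, ideally with a log line naming `auth`, so a broken or out-of-date authenticator is visible rather than inert. The enclosing method starts before and continues past the hunk.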