author | Simo Sorce <simo@redhat.com> | 2015-04-07 22:23:47 -0400 |
committer | Simo Sorce <simo@redhat.com> | 2015-04-07 22:57:49 -0400 |
commit | 0c8c416289514889ec095c203880a8ce1e4c23d4 (patch) | |
tree | 204aa7dde9538b7bc4acda4808507270b28e93a3 | |
parent | 50abe3fd6ec1ed43a14fad94ad1fe2081f6e9cee (diff) | |
Change authenticators to return a result
Authenticators will not signal anymore validity by adding a request
attributes.
Instead they can return one of three values:
- True, indicates positive authentication
- False, indicates explicit failure
- None, indicates neither success nor failure (not applicable)
-rw-r--r-- | custodia.conf | 8 | ||||
-rw-r--r-- | custodia/httpd/authenticators.py | 17 | ||||
-rw-r--r-- | custodia/httpd/server.py | 18 |
3 files changed, 27 insertions, 16 deletions
diff --git a/custodia.conf b/custodia.conf
index cf24a93..15c86c4 100644
--- a/custodia.conf
+++ b/custodia.conf
@@ -1,10 +1,10 @@
 [global]
 server_version = "Secret/0.0.7"
-[auth:simple]
-handler = custodia.httpd.authenticators.SimpleCredsAuth
-uid = 48
-gid = 48
+#[auth:simple]
+#handler = custodia.httpd.authenticators.SimpleCredsAuth
+#uid = 48
+#gid = 48
 [auth:header]
 handler = custodia.httpd.authenticators.SimpleHeaderAuth
diff --git a/custodia/httpd/authenticators.py b/custodia/httpd/authenticators.py
index 1b76287..cf8402f 100644
--- a/custodia/httpd/authenticators.py
+++ b/custodia/httpd/authenticators.py
@@ -28,7 +28,9 @@ class SimpleCredsAuth(HTTPAuthenticator):
 uid = int(request['creds']['gid'])
 gid = int(request['creds']['uid'])
 if self._gid == gid or self._uid == uid:
- request['valid_auth'] = True
+ return True
+ else:
+ return False
 class SimpleHeaderAuth(HTTPAuthenticator):
@@ -44,22 +46,22 @@ class SimpleHeaderAuth(HTTPAuthenticator):
 def handle(self, request):
 if self.name not in request['headers']:
- return
+ return False
 value = request['headers'][self.name]
 if self.value is None:
 # Any value is accepted
 pass
 elif isinstance(self.value, str):
 if value != self.value:
- return
+ return False
 elif isinstance(self.value, list):
 if value not in self.value:
- return
+ return False
 else:
- return
+ return False
- request['valid_auth'] = True
 request['remote_user'] = value
+ return True
 class SimpleNULLAuth(HTTPAuthenticator):
@@ -74,8 +76,9 @@ class SimpleNULLAuth(HTTPAuthenticator):
 path = request.get('path', '')
 while path != '':
 if path in self.paths:
- request['valid_auth'] = True
+ return True
 if path == '/':
 path = ''
 else:
 path, _ = os.path.split(path)
+ return None
diff --git a/custodia/httpd/server.py b/custodia/httpd/server.py
index 0e58f0d..a5e59a9 100644
--- a/custodia/httpd/server.py
+++ b/custodia/httpd/server.py
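Review bot: The two context lines at the top of the SimpleCredsAuth hunk read the peer credentials crosswise — `uid` is taken from `request['creds']['gid']` and `gid` from `request['creds']['uid']` — so the new `return True` compares the configured gid with the peer's uid and vice versa; the sample config with uid = gid = 48 masks this, but any other pair makes the check accept the wrong identity. The fix is `uid = int(request['creds']['uid'])` and `gid = int(request['creds']['gid'])`. Note also that the `or` grants access on a gid match alone, so every member of the configured group authenticates as if it were the configured uid — if that is intended it deserves a comment, otherwise it should be `and`. Because any `False` now rejects the whole request in the server loop, a non-matching peer vetoes every other configured authenticator; returning `None` here would leave the decision to the other plugins, which may be why the commit has to comment the plugin out in custodia.conf. The `handle` method's signature lies outside the hunk.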
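Review bot: `return False` on a missing header (first changed line of the SimpleHeaderAuth hunk) turns this plugin into a veto: under the new server loop any `False` raises 403, so a request that carries no such header is rejected even when another configured authenticator would have accepted it. The commit message reserves `None` for "not applicable", and SimpleNULLAuth already returns `None` when it has nothing to say, so the absent-header branch should be `return None` while the present-but-wrong branches keep `return False`. Separately, with `self.value` set to `None` any header content becomes `request['remote_user']`; that is only safe if whatever presumably fronts this server strips client-supplied copies of the header, which is worth stating at the `# Any value is accepted` line, e.g. `# Any value is accepted: the header must be injected by a trusted front end, never passed through from the client`. The `handle` method is fully within the hunk but the class header is not.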
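Review bot: The prefix walk that the new `return True` in the SimpleNULLAuth hunk turns into a standalone grant operates on the raw request path: for a configured path `/foo`, a request for `/foo/../bar` is reduced by `os.path.split` to `/foo/..` and then `/foo`, which is in `self.paths`, so it is authenticated without any credentials. Whether that reaches anything sensitive depends on how the consumer dispatch (not shown) treats `..` segments, but an authenticator should not rely on a later component to reject it; canonicalise before walking, e.g. `path = request.get('path', '')` followed by `if path: path = os.path.normpath(path)`. The new `return None` after the loop is correct for "no configured path matched", and a comment saying so, `# no anonymous path matched: leave the decision to other authenticators`, would make the three-valued contract visible at the call site. The method's `def` line lies outside the hunk.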
@@ -55,9 +55,12 @@ class ForkingLocalHTTPServer(ForkingMixIn, UnixStreamServer):
 correct consumer based on the server configuration, that is provided
 at initialization time.
- When authentication is performed the request dictionary will have
- a 'valid_auth' boolean member set to True if authentication was
- successful. Additional attributes may be set by authentication plugins.
+ When authentication is performed all the authenticators are executed.
+ If any returns False, authentication fails and a 403 error is raised.
+ If none of them positively succeeds and they all return None then also
+ authentication fails and a 403 error is raised. Authentication plugins
+ can add attributes to the request object for use of authorization or
+ other plugins.
 Once authentication is successful the pipeline will parse the path
 component and find the consumer plugin that handles the provided path
@@ -92,9 +95,14 @@ class ForkingLocalHTTPServer(ForkingMixIn, UnixStreamServer):
 authers = self.config.get('authenticators')
 if authers is None:
 raise HTTPError(403)
+ valid_once = False
 for auth in authers:
- authers[auth].handle(request)
- if 'valid_auth' not in request or request['valid_auth'] is not True:
+ valid = authers[auth].handle(request)
+ if valid is False:
+ raise HTTPError(403)
+ elif valid is True:
+ valid_once = True
+ if valid_once is not True:
+ raise HTTPError(403)
 # Select consumer
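Review bot: The identity checks in the new loop are fail-closed — anything other than a literal `True` cannot authenticate — but a plugin that violates the contract by returning, say, a truthy non-bool is silently folded into the "not applicable" case and ends in a 403 with no signal that the plugin is broken. Adding `elif valid is not None: raise HTTPError(500)` after the `elif valid is True:` branch surfaces a misbehaving authenticator instead of masking it as an authorisation failure. Since `authers` is indexed by key and any `False` rejects, the iteration order does not affect the outcome, which is worth a one-line comment above the loop: `# any explicit False rejects; at least one explicit True is required`. The same 403 is raised for an explicit rejection and for no authenticator applying, which avoids leaking which plugin vetoed; a debug log naming the rejecting authenticator would help operators, if a logger is available in this module (not visible here). The enclosing method begins before the hunk.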