authorSimo Sorce <simo@redhat.com>2015-03-25 13:35:29 -0400
committerSimo Sorce <simo@redhat.com>2015-03-25 15:19:33 -0400
commit136e1ae76a79ada048a5eb5808b40b8969c7aaf2 (patch)
treee2cc86568cd67d239e156ebc04a1a6c7d5e6ee52
parentf134e09fa91fd1e00f538ef3e403ff6a35d21e8e (diff)
Require positive authentication in all cases
Provide a SimpleNULLAuth class for people that want to allow unauthenticated access to specific paths for whatever reason.
-rw-r--r--custodia.conf8
-rw-r--r--custodia/http/authenticators.py34
-rw-r--r--custodia/http/server.py2
3 files changed, 32 insertions, 12 deletions
diff --git a/custodia.conf b/custodia.conf
index 296ab6d..747c446 100644
--- a/custodia.conf
+++ b/custodia.conf
@@ -1,10 +1,10 @@
[global]
server_version = "Secret/0.0.7"
-#[auth:simple]
-#handler = custodia.http.authenticators.SimpleCredsAuth
-#uid = 48
-#gid = 48
+[auth:simple]
+handler = custodia.http.authenticators.SimpleCredsAuth
+uid = 48
+gid = 48
[auth:header]
handler = custodia.http.authenticators.SimpleHeaderAuth
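Review bot: The shipped config now activates SimpleCredsAuth with `uid = 48` / `gid = 48` instead of leaving it commented out, but nothing in the file says which account those numbers are meant to be, so an operator copying this config cannot tell whether it matches their system. A comment next to the values would help, e.g. `# 48 is the httpd/apache account on Fedora/RHEL; adjust for your distribution` (the account is an assumption, confirm before writing it). It is also worth stating that `[auth:simple]` and `[auth:header]` are both active and, as far as server.py on this page shows, either one granting access is sufficient.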
diff --git a/custodia/http/authenticators.py b/custodia/http/authenticators.py
index 0a4d9c7..8bd9284 100644
--- a/custodia/http/authenticators.py
+++ b/custodia/http/authenticators.py
@@ -1,6 +1,7 @@
# Copyright (C) 2015 Custodia Project Contributors - see LICENSE file
from custodia.http.server import HTTPError
+import os
class HTTPAuthenticator(object):
@@ -27,9 +28,7 @@ class SimpleCredsAuth(HTTPAuthenticator):
uid = int(request['creds']['gid'])
gid = int(request['creds']['uid'])
if self._gid == gid or self._uid == uid:
- request['valid_user'] = True
- else:
- raise HTTPError(403)
+ request['valid_auth'] = True
class SimpleHeaderAuth(HTTPAuthenticator):
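Review bot: The two context lines above the changed condition read the credentials crosswise, `uid = int(request['creds']['gid'])` and `gid = int(request['creds']['uid'])`, so the peer's gid is compared against the configured uid and vice versa; because the test is an `or`, a peer whose gid happens to equal the configured uid (or whose uid equals the configured gid) is granted `valid_auth`. The commit does not touch this, but it is the check that now decides access, so it should be fixed here: `uid = int(request['creds']['uid'])` and `gid = int(request['creds']['gid'])`. Consider also documenting that a gid match alone is enough, since any process in that group passes; whether that is intended is not visible from the hunk. handle() begins above this hunk.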
@@ -45,19 +44,38 @@ class SimpleHeaderAuth(HTTPAuthenticator):
def handle(self, request):
if self.name not in request['headers']:
- raise HTTPError(403)
+ return
value = request['headers'][self.name]
if self.value is None:
# Any value is accepted
pass
elif isinstance(self.value, str):
if value != self.value:
- raise HTTPError(403)
+ return
elif isinstance(self.value, list):
if value not in self.value:
- raise HTTPError(403)
+ return
else:
- raise HTTPError(403)
+ return
- request['valid_user'] = True
+ request['valid_auth'] = True
request['valid_header'] = value
+
+
+class SimpleNULLAuth(HTTPAuthenticator):
+
+ def __init__(self, config=None):
+ super(SimpleNULLAuth, self).__init__(config)
+ self.paths = []
+ if 'paths' in self.config:
+ self.paths = self.config['paths'].split()
+
+ def handle(self, request):
+ path = request.get('path', '')
+ while path != '':
+ if path in self.paths:
+ request['valid_auth'] = True
+ if path == '/':
+ path = ''
+ else:
+ path, _ = os.path.split(path)
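Review bot: SimpleNULLAuth.handle walks the raw request path upward with os.path.split without normalising it, so unless the server strips dot segments earlier (not visible on this page) a request for `/public/../secrets` passes through `/public/..` and `/public` and is marked `valid_auth` when `/public` is an allowed prefix, while the consumer later selected from `request['path']` may see a different resource. A cheap guard at the top of handle is `if '..' in path.split('/'): return` (or normalise with `os.path.normpath` and match on the result). The class also deserves a short docstring stating that matching is by path prefix, that a configured entry of `/` grants every path, and that entries with a trailing slash such as `/public/` never match because os.path.split never yields them; the loop could also `break` once a match is found. Since handle() can only set `valid_auth`, a SimpleNULLAuth entry in the config widens access for those prefixes regardless of what the other authenticators decide.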
diff --git a/custodia/http/server.py b/custodia/http/server.py
index 5b3ec30..423af9c 100644
--- a/custodia/http/server.py
+++ b/custodia/http/server.py
@@ -61,6 +61,8 @@ class ForkingLocalHTTPServer(ForkingMixIn, UnixStreamServer):
raise HTTPError(403)
for auth in authers:
authers[auth].handle(request)
+ if 'valid_auth' not in request or request['valid_auth'] is not True:
+ raise HTTPError(403)
# Select consumer
path = request.get('path', '')
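Review bot: The new `valid_auth` check is a sound default-deny, but the loop above it gives the authenticators OR semantics: every handler runs, any one of them setting `request['valid_auth'] = True` is enough, and none can veto a grant made by another. That is a policy decision a future maintainer adding an authenticator needs to know, so it should be stated at the check, e.g. `# Authenticators are OR-ed: access is granted if any handler set valid_auth; a handler cannot deny.` It would also help to record why the denial is raised that way; the 403 carries no indication of which handler declined, which makes failed-auth investigation harder if nothing else logs it. The enclosing method starts outside this hunk.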