| author | Simo Sorce <simo@redhat.com> | 2015-03-23 15:41:35 -0400 |
|---|---|---|
| committer | Simo Sorce <simo@redhat.com> | 2015-03-23 15:41:35 -0400 |
| commit | f134e09fa91fd1e00f538ef3e403ff6a35d21e8e (patch) | |
| tree | d67a655a3eeb43cd362b5955494b70b048b59dfc | |
| parent | 26fbab88d505c8e9cd1aded7cdea85775ce635c8 (diff) | |
Add simple header auth module
This is useful when authentication is handled by a proxy sitting in
front of custodia.
Alternatively it can be used with shared secrets/bearer tokens sent
in plain text in the headers.
| -rw-r--r-- | custodia.conf | 13 | ||||
| -rw-r--r-- | custodia/http/authenticators.py | 31 |
2 files changed, 40 insertions, 4 deletions
diff --git a/custodia.conf b/custodia.conf
index 78a0d26..296ab6d 100644
--- a/custodia.conf
+++ b/custodia.conf
@@ -1,10 +1,15 @@
 [global]
 server_version = "Secret/0.0.7"
-[auth:simple]
-handler = custodia.http.authenticators.SimpleCredsAuth
-uid = 48
-gid = 48
+#[auth:simple]
+#handler = custodia.http.authenticators.SimpleCredsAuth
+#uid = 48
+#gid = 48
+
+[auth:header]
+handler = custodia.http.authenticators.SimpleHeaderAuth
+name = REMOTE_USER
+value = simo
 [/]
 handler = custodia.root.Root
diff --git a/custodia/http/authenticators.py b/custodia/http/authenticators.py
index ad912c6..0a4d9c7 100644
--- a/custodia/http/authenticators.py
+++ b/custodia/http/authenticators.py
@@ -30,3 +30,34 @@ class SimpleCredsAuth(HTTPAuthenticator):
 request['valid_user'] = True
 else:
 raise HTTPError(403)
+
+
+class SimpleHeaderAuth(HTTPAuthenticator):
+
+ def __init__(self, config=None):
+ super(SimpleHeaderAuth, self).__init__(config)
+ self.name = 'REMOTE_USER'
+ self.value = None
+ if 'header' in self.config:
+ self.name = self.config['header']
+ if 'value' in self.config:
+ self.value = self.config['value']
+
+ def handle(self, request):
+ if self.name not in request['headers']:
+ raise HTTPError(403)
+ value = request['headers'][self.name]
+ if self.value is None:
+ # Any value is accepted
+ pass
+ elif isinstance(self.value, str):
+ if value != self.value:
+ raise HTTPError(403)
+ elif isinstance(self.value, list):
+ if value not in self.value:
+ raise HTTPError(403)
+ else:
+ raise HTTPError(403)
+
+ request['valid_user'] = True
+ request['valid_header'] = value
|
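Review bot: The `name = REMOTE_USER` key in the new `[auth:header]` section is not the key the authenticator reads: `SimpleHeaderAuth.__init__` in the `custodia/http/authenticators.py` hunk looks up `self.config['header']`. Assuming the section's keys reach the constructor unchanged, `name` is silently ignored and the sample only works because the built-in default is also `REMOTE_USER`. The sample should use `header = REMOTE_USER`, or the constructor should read `name`. Because this sample also comments out `SimpleCredsAuth`, a comment above the section would help operators, for example `# Only safe behind a proxy that sets this header itself and strips any client-supplied copy`.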
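Review bot: In `handle`, the configured secret is checked with ordinary comparisons (`value != self.value` and `value not in self.value`), which is not timing-independent, and the commit message offers this module for shared secrets and bearer tokens. Prefer `if not hmac.compare_digest(value, self.value):` for the string case and `if not any(hmac.compare_digest(value, v) for v in self.value):` for the list case; this needs `import hmac` at the top of the file, which is outside the hunk. `request['valid_header'] = value` keeps the raw header on the request, so if it carries a token, later handlers and any logging should presumably treat it as a secret. The class has no docstring; it should say that with `value` unset any client able to send the header is accepted, so the listener must be reachable only through the authenticating proxy.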
