author | Simo Sorce <simo@redhat.com> | 2015-10-05 13:46:24 -0400 |
---|---|---|
committer | Simo Sorce <simo@redhat.com> | 2015-10-19 12:18:16 -0400 |
commit | 9f9e8ab04f7478688d41c9bcb6ec3e3a7913fd8d (patch) | |
tree | e3617ab8385306d652b3448b4219266e8c566f35 /custodia/httpd/authenticators.py | |
parent | a94ac9cec35e12765bba61409cf4db88f564af4c (diff) | |
Add auditing to auth/authz modules
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Christian Heimes <cheimes@redhat.com>
Diffstat (limited to 'custodia/httpd/authenticators.py')
-rw-r--r-- | custodia/httpd/authenticators.py | 34 |
1 files changed, 29 insertions, 5 deletions
diff --git a/custodia/httpd/authenticators.py b/custodia/httpd/authenticators.py
index dbb34bd..bed2bc4 100644
--- a/custodia/httpd/authenticators.py
+++ b/custodia/httpd/authenticators.py
@@ -12,6 +12,7 @@ class HTTPAuthenticator(object):
 def __init__(self, config=None):
 self.config = config
+ self._auditlog = log.AuditLog(self.config)
 def handle(self, request):
 raise HTTPError(403)
@@ -32,8 +33,14 @@ class SimpleCredsAuth(HTTPAuthenticator):
 uid = int(request['creds']['gid'])
 gid = int(request['creds']['uid'])
 if self._gid == gid or self._uid == uid:
+ self._auditlog.svc_access(log.AUDIT_SVC_AUTH_PASS,
+ request['creds']['pid'],
+ "SCA", "%d, %d" % (uid, gid))
 return True
 else:
+ self._auditlog.svc_access(log.AUDIT_SVC_AUTH_FAIL,
+ request['creds']['pid'],
+ "SCA", "%d, %d" % (uid, gid))
 return False
@@ -57,13 +64,25 @@ class SimpleHeaderAuth(HTTPAuthenticator):
 pass
 elif isinstance(self.value, str):
 if value != self.value:
+ self._auditlog.svc_access(log.AUDIT_SVC_AUTH_FAIL,
+ request['creds']['pid'],
+ "SHA", value)
 return False
 elif isinstance(self.value, list):
 if value not in self.value:
+ self._auditlog.svc_access(log.AUDIT_SVC_AUTH_FAIL,
+ request['creds']['pid'],
+ "SHA", value)
 return False
 else:
+ self._auditlog.svc_access(log.AUDIT_SVC_AUTH_FAIL,
+ request['creds']['pid'],
+ "SHA", value)
 return False
+ self._auditlog.svc_access(log.AUDIT_SVC_AUTH_PASS,
+ request['creds']['pid'],
+ "SHA", value)
 request['remote_user'] = value
 return True
@@ -77,7 +96,6 @@ class SimpleAuthKeys(HTTPAuthenticator):
 self.store_name = self.config['store']
 self.store = None
 self.namespace = self.config.get('store_namespace', 'custodiaSAK')
- self._auditlog = log.AuditLog(self.config)
 def _db_key(self, name):
 return os.path.join(self.namespace, name)
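Review bot: In the SimpleCredsAuth hunk the context lines assign `uid = int(request['creds']['gid'])` and `gid = int(request['creds']['uid'])`, so the two peer credentials are swapped, and the new audit calls record `"%d, %d" % (uid, gid)` with those swapped values. The check `self._gid == gid or self._uid == uid` therefore compares the configured gid with the peer's uid and the configured uid with the peer's gid, which can admit or reject the wrong caller, and the audit line will report misleading ids. The assignments should read `uid = int(request['creds']['uid'])` and `gid = int(request['creds']['gid'])`. handle() begins above the hunk, so confirm nothing earlier compensates for the swap.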
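Review bot: In the SimpleHeaderAuth hunk the three failure branches pass the client-supplied header `value` straight into the audit record, and whether `svc_access` escapes it is not visible here. A caller that fails authentication can therefore choose what appears in the audit line; unless the formatter already neutralises control characters, log `repr(value)` on the failure paths. The same `svc_access(log.AUDIT_SVC_AUTH_FAIL, ...)` call is also repeated three times and could be issued once ahead of a single `return False`. handle() begins above the hunk.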
@@ -96,14 +114,20 @@ class SimpleAuthKeys(HTTPAuthenticator):
 if constant_time.bytes_eq(val.encode('utf-8'),
 key.encode('utf-8')):
 validated = True
- except Exception as err:
- self._auditlog._log("AUTH ERROR: (%s) %s" % (name, err))
+ except Exception:
+ self._auditlog.svc_access(log.AUDIT_SVC_AUTH_FAIL,
+ request['creds']['pid'],
+ "SAK", name)
 return False
 if validated:
- self._auditlog._log("AUTH SUCCESS: %s" % name)
+ self._auditlog.svc_access(log.AUDIT_SVC_AUTH_PASS,
+ request['creds']['pid'],
+ "SAK", name)
 request['remote_user'] = name
 return True
- self._auditlog._log("AUTH FAIL: %s" % name)
+ self._auditlog.svc_access(log.AUDIT_SVC_AUTH_FAIL,
+ request['creds']['pid'],
+ "SAK", name)
 return False |
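Review bot: The rewritten `except Exception:` handler in SimpleAuthKeys discards the exception, so a key-store or decoding failure is now audited exactly like a wrong key and the cause that the old `"AUTH ERROR: (%s) %s"` line carried is lost. Keep `except Exception as err:` and send `err` to the module's ordinary (non-audit) logger before returning; no such logger is visible in this hunk, so that part is left to the author. The handler also evaluates `request['creds']['pid']`, which would raise a KeyError out of the handler if a request ever arrives without peer credentials. The `try:` and the start of handle() are above the hunk.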