author | Simo Sorce <simo@redhat.com> | 2015-03-25 13:35:29 -0400 |
---|---|---|
committer | Simo Sorce <simo@redhat.com> | 2015-03-25 15:19:33 -0400 |
commit | 136e1ae76a79ada048a5eb5808b40b8969c7aaf2 (patch) | |
tree | e2cc86568cd67d239e156ebc04a1a6c7d5e6ee52 /custodia | |
parent | f134e09fa91fd1e00f538ef3e403ff6a35d21e8e (diff) | |
Require positive authentication in all cases
Provide a SimpleNULLAuth class for people that want to allow
unauthenticated access to specific paths for whatever reason.
Diffstat (limited to 'custodia')
-rw-r--r-- | custodia/http/authenticators.py | 34 | ||||
-rw-r--r-- | custodia/http/server.py | 2 |
2 files changed, 28 insertions, 8 deletions
diff --git a/custodia/http/authenticators.py b/custodia/http/authenticators.py
index 0a4d9c7..8bd9284 100644
--- a/custodia/http/authenticators.py
+++ b/custodia/http/authenticators.py
@@ -1,6 +1,7 @@
 # Copyright (C) 2015 Custodia Project Contributors - see LICENSE file
 from custodia.http.server import HTTPError
+import os
 class HTTPAuthenticator(object):
@@ -27,9 +28,7 @@ class SimpleCredsAuth(HTTPAuthenticator):
 uid = int(request['creds']['gid'])
 gid = int(request['creds']['uid'])
 if self._gid == gid or self._uid == uid:
- request['valid_user'] = True
- else:
- raise HTTPError(403)
+ request['valid_auth'] = True
 class SimpleHeaderAuth(HTTPAuthenticator):
@@ -45,19 +44,38 @@ class SimpleHeaderAuth(HTTPAuthenticator):
 def handle(self, request):
 if self.name not in request['headers']:
- raise HTTPError(403)
+ return
 value = request['headers'][self.name]
 if self.value is None:
 # Any value is accepted
 pass
 elif isinstance(self.value, str):
 if value != self.value:
- raise HTTPError(403)
+ return
 elif isinstance(self.value, list):
 if value not in self.value:
- raise HTTPError(403)
+ return
 else:
- raise HTTPError(403)
+ return
- request['valid_user'] = True
+ request['valid_auth'] = True
 request['valid_header'] = value
+
+
+class SimpleNULLAuth(HTTPAuthenticator):
+
+ def __init__(self, config=None):
+ super(SimpleNULLAuth, self).__init__(config)
+ self.paths = []
+ if 'paths' in self.config:
+ self.paths = self.config['paths'].split()
+
+ def handle(self, request):
+ path = request.get('path', '')
+ while path != '':
+ if path in self.paths:
+ request['valid_auth'] = True
+ if path == '/':
+ path = ''
+ else:
+ path, _ = os.path.split(path)
diff --git a/custodia/http/server.py b/custodia/http/server.py
index 5b3ec30..423af9c 100644
--- a/custodia/http/server.py
+++ b/custodia/http/server.py
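Review bot: In SimpleCredsAuth.handle the two context lines above the change read the peer credentials crosswise, `uid = int(request['creds']['gid'])` and `gid = int(request['creds']['uid'])`, so the comparison that now sets `request['valid_auth']` checks the configured gid against the peer's uid and the configured uid against the peer's gid. Because the condition is an `or`, a peer whose numeric uid happens to equal the configured gid (or the reverse) is accepted as authenticated. The assignments should read `uid = int(request['creds']['uid'])` and `gid = int(request['creds']['gid'])`. The start of handle() is outside the hunk.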
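Review bot: SimpleNULLAuth.handle matches the raw request path against the configured prefixes by walking up with `os.path.split`, without normalising it first, so a path containing `..` segments can match an allowed prefix while naming a resource outside it, unless something earlier in the server canonicalises `request['path']` (not visible in this hunk). The loop also depends on the path eventually becoming exactly `/`; `os.path.split` returns a head made only of slashes unchanged, so a path beginning with `//` never leaves the `while`. Refuse non-canonical paths before the walk and return as soon as a prefix matches, as in the sketch below.

```python
# … unchanged: SimpleNULLAuth.__init__ …

    def handle(self, request):
        path = request.get('path', '')
        # Only walk canonical absolute paths: one leading slash, no '..'.
        if not path.startswith('/') or path.startswith('//'):
            return
        if '..' in path.split('/'):
            return
        while True:
            if path in self.paths:
                request['valid_auth'] = True
                return
            if path == '/':
                return
            path = os.path.dirname(path)
```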
@@ -61,6 +61,8 @@ class ForkingLocalHTTPServer(ForkingMixIn, UnixStreamServer):
 raise HTTPError(403)
 for auth in authers:
 authers[auth].handle(request)
+ if 'valid_auth' not in request or request['valid_auth'] is not True:
+ raise HTTPError(403)
 # Select consumer
 path = request.get('path', '') |
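Review bot: Nothing in the visible lines initialises `request['valid_auth']` before the authenticator loop, so the new check relies on the key being absent unless an authenticator set it; adding `request['valid_auth'] = False` ahead of `for auth in authers:` makes that explicit and lets the test shrink to `if request['valid_auth'] is not True:`. The check also turns the configured authenticators into an any-of set, where one success is enough and the others can no longer veto by returning, which deserves a comment such as `# at least one authenticator must have positively accepted the request`. The enclosing method starts and ends outside the hunk.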