diff options
Diffstat (limited to 'custodia/httpd/authenticators.py')
-rw-r--r-- | custodia/httpd/authenticators.py | 34 |
1 files changed, 29 insertions, 5 deletions
diff --git a/custodia/httpd/authenticators.py b/custodia/httpd/authenticators.py index dbb34bd..bed2bc4 100644 --- a/custodia/httpd/authenticators.py +++ b/custodia/httpd/authenticators.py @@ -12,6 +12,7 @@ class HTTPAuthenticator(object): def __init__(self, config=None): self.config = config + self._auditlog = log.AuditLog(self.config) def handle(self, request): raise HTTPError(403) @@ -32,8 +33,14 @@ class SimpleCredsAuth(HTTPAuthenticator): uid = int(request['creds']['gid']) gid = int(request['creds']['uid']) if self._gid == gid or self._uid == uid: + self._auditlog.svc_access(log.AUDIT_SVC_AUTH_PASS, + request['creds']['pid'], + "SCA", "%d, %d" % (uid, gid)) return True else: + self._auditlog.svc_access(log.AUDIT_SVC_AUTH_FAIL, + request['creds']['pid'], + "SCA", "%d, %d" % (uid, gid)) return False @@ -57,13 +64,25 @@ class SimpleHeaderAuth(HTTPAuthenticator): pass elif isinstance(self.value, str): if value != self.value: + self._auditlog.svc_access(log.AUDIT_SVC_AUTH_FAIL, + request['creds']['pid'], + "SHA", value) return False elif isinstance(self.value, list): if value not in self.value: + self._auditlog.svc_access(log.AUDIT_SVC_AUTH_FAIL, + request['creds']['pid'], + "SHA", value) return False else: + self._auditlog.svc_access(log.AUDIT_SVC_AUTH_FAIL, + request['creds']['pid'], + "SHA", value) return False + self._auditlog.svc_access(log.AUDIT_SVC_AUTH_PASS, + request['creds']['pid'], + "SHA", value) request['remote_user'] = value return True @@ -77,7 +96,6 @@ class SimpleAuthKeys(HTTPAuthenticator): self.store_name = self.config['store'] self.store = None self.namespace = self.config.get('store_namespace', 'custodiaSAK') - self._auditlog = log.AuditLog(self.config) def _db_key(self, name): return os.path.join(self.namespace, name) @@ -96,14 +114,20 @@ class SimpleAuthKeys(HTTPAuthenticator): if constant_time.bytes_eq(val.encode('utf-8'), key.encode('utf-8')): validated = True - except Exception as err: - self._auditlog._log("AUTH ERROR: (%s) %s" % (name, err)) + except Exception: + self._auditlog.svc_access(log.AUDIT_SVC_AUTH_FAIL, + request['creds']['pid'], + "SAK", name) return False if validated: - self._auditlog._log("AUTH SUCCESS: %s" % name) + self._auditlog.svc_access(log.AUDIT_SVC_AUTH_PASS, + request['creds']['pid'], + "SAK", name) request['remote_user'] = name return True - self._auditlog._log("AUTH FAIL: %s" % name) + self._auditlog.svc_access(log.AUDIT_SVC_AUTH_FAIL, + request['creds']['pid'], + "SAK", name) return False |