Diffstat (limited to 'custodia/httpd')
-rw-r--r-- | custodia/httpd/authenticators.py | 17 | ||||
-rw-r--r-- | custodia/httpd/server.py | 18 |
2 files changed, 23 insertions, 12 deletions
diff --git a/custodia/httpd/authenticators.py b/custodia/httpd/authenticators.py
index 1b76287..cf8402f 100644
--- a/custodia/httpd/authenticators.py
+++ b/custodia/httpd/authenticators.py
@@ -28,7 +28,9 @@ class SimpleCredsAuth(HTTPAuthenticator):
 uid = int(request['creds']['gid'])
 gid = int(request['creds']['uid'])
 if self._gid == gid or self._uid == uid:
- request['valid_auth'] = True
+ return True
+ else:
+ return False
 class SimpleHeaderAuth(HTTPAuthenticator):
@@ -44,22 +46,22 @@ class SimpleHeaderAuth(HTTPAuthenticator):
 def handle(self, request):
 if self.name not in request['headers']:
- return
+ return False
 value = request['headers'][self.name]
 if self.value is None:
 # Any value is accepted
 pass
 elif isinstance(self.value, str):
 if value != self.value:
- return
+ return False
 elif isinstance(self.value, list):
 if value not in self.value:
- return
+ return False
 else:
- return
+ return False
- request['valid_auth'] = True
 request['remote_user'] = value
+ return True
 class SimpleNULLAuth(HTTPAuthenticator):
@@ -74,8 +76,9 @@ class SimpleNULLAuth(HTTPAuthenticator):
 path = request.get('path', '')
 while path != '':
 if path in self.paths:
- request['valid_auth'] = True
+ return True
 if path == '/':
 path = ''
 else:
 path, _ = os.path.split(path)
+ return None
diff --git a/custodia/httpd/server.py b/custodia/httpd/server.py
index 0e58f0d..a5e59a9 100644
--- a/custodia/httpd/server.py
+++ b/custodia/httpd/server.py
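Review bot: In the SimpleCredsAuth hunk the two context lines above the changed branch read the peer credentials crosswise: `uid` is taken from `request['creds']['gid']` and `gid` from `request['creds']['uid']`, so the comparison that now decides `return True` checks the configured uid against the peer's gid and the configured gid against the peer's uid. Because the server loop now acts directly on this return value, the lookups should be `uid = int(request['creds']['uid'])` and `gid = int(request['creds']['gid'])`. The new if/else can then collapse to `return self._gid == gid or self._uid == uid`, which still yields a real bool. The method's signature and the start of its body are outside the hunk.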
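Review bot: In the SimpleHeaderAuth hunk, `handle` now returns one of three values but carries no docstring saying so, and a request that merely lacks the header gets `return False`, which the loop in server.py treats as a veto for the whole pipeline rather than as "no opinion". Together with the `return False` in the SimpleCredsAuth hunk this means every configured authenticator of these two kinds must pass, while SimpleNULLAuth abstains with None; if that is the intent, state it in a docstring such as `"""Return True when the header matches, False to reject the request outright."""`. A comment at `request['remote_user'] = value` would also help: when `self.value is None` the identity is whatever the client sent, so this class presumably relies on a trusted front end setting the header.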
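Review bot: In the SimpleNULLAuth hunk the prefix walk compares the raw `request.get('path', '')` against `self.paths` without normalising it, so a path containing `..` segments or repeated slashes is matched on its literal prefix. If the consumer lookup later resolves the path differently (not visible here), the unauthenticated allow-list and the resource actually served can disagree; consider normalising once before the loop, for example with `os.path.normpath`, or rejecting paths that contain `..`. The trailing `return None` is right for the abstain case, and a comment such as `# None: no opinion, other authenticators decide` would make the contrast with the False returns in the other classes explicit. The method header is outside the hunk.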
@@ -55,9 +55,12 @@ class ForkingLocalHTTPServer(ForkingMixIn, UnixStreamServer): correct consumer based on the server configuration, that is provided at initialization time. - When authentication is performed the request dictionary will have - a 'valid_auth' boolean member set to True if authentication was - successful. Additional attributes may be set by authentication plugins. + When authentication is performed all the authenticators are executed. + If any returns False, authentication fails and a 403 error is raised. + If none of them positively succeeds and they all return None then also + authentication fails and a 403 error is raised. Authentication plugins + can add attributes to the request object for use of authorization or + other plugins. Once authentication is successful the pipeline will parse the path component and find the consumer plugin that handles the provided path @@ -92,9 +95,14 @@ class ForkingLocalHTTPServer(ForkingMixIn, UnixStreamServer): authers = self.config.get('authenticators') if authers is None: raise HTTPError(403) + valid_once = False for auth in authers: - authers[auth].handle(request) - if 'valid_auth' not in request or request['valid_auth'] is not True: + valid = authers[auth].handle(request) + if valid is False: + raise HTTPError(403) + elif valid is True: + valid_once = True + if valid_once is not True: raise HTTPError(403) # Select consumer |
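Review bot: The loop in the second hunk tests `valid is False` and `valid is True` by identity, so an authenticator that signals rejection with a falsy non-bool such as `0` or `''` is silently treated as abstaining, and another plugin's True can still admit the request. Treating anything other than True, False or None as a failure keeps the pipeline fail-closed: add `elif valid is not None: raise HTTPError(403)` after the `valid is True` branch, after which the last check can read `if not valid_once:`. It would also help incident response to log which authenticator rejected the request before raising, since every failure path here produces the same 403. The enclosing method starts outside the hunk.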