authorNarayan Desai <desai@mcs.anl.gov>2009-05-06 01:27:27 +0000
committerNarayan Desai <desai@mcs.anl.gov>2009-05-06 01:27:27 +0000
commit902c5933e10843d67548bcd80b759abf4926275e (patch)
tree6a8ca0dc96987600dbd167134df42863f2175bff /src/lib
parent8a7bb7eeac0b154479835e7660ec05d631de5849 (diff)
downloadbcfg2-902c5933e10843d67548bcd80b759abf4926275e.tar.gz
bcfg2-902c5933e10843d67548bcd80b759abf4926275e.tar.bz2
bcfg2-902c5933e10843d67548bcd80b759abf4926275e.zip
SSL: Implement certificate verification
git-svn-id: https://svn.mcs.anl.gov/repos/bcfg/trunk/bcfg2@5193 ce84e21b-d406-0410-9b95-82705330c041
Diffstat (limited to 'src/lib')
-rw-r--r--src/lib/Server/Plugins/Metadata.py32
-rw-r--r--src/lib/Server/XMLRPC.py1
2 files changed, 30 insertions, 3 deletions
diff --git a/src/lib/Server/Plugins/Metadata.py b/src/lib/Server/Plugins/Metadata.py
index f7cf196fc..e51135b7e 100644
--- a/src/lib/Server/Plugins/Metadata.py
+++ b/src/lib/Server/Plugins/Metadata.py
@@ -75,6 +75,7 @@ class Metadata(Bcfg2.Server.Plugin.Plugin,
if watch_clients:
self.states = {"groups.xml":False, "clients.xml":False}
self.addresses = {}
+ self.auth = dict()
self.clients = {}
self.aliases = {}
self.groups = {}
@@ -206,6 +207,8 @@ class Metadata(Bcfg2.Server.Plugin.Plugin,
self.addresses[caddr].append(clname)
else:
self.addresses[caddr] = [clname]
+ if 'auth' in client.attrib:
+ self.auth[client.get('name')] = client.get('auth')
if 'uuid' in client.attrib:
self.uuid[client.get('uuid')] = clname
if client.get('secure', 'false') == 'true' :
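Review bot: The `auth` attribute is stored verbatim at this line without being checked against the values the authenticator understands; from the later hunk only `'cert'` is ever compared, so a misspelled value such as `auth="certificate"` silently falls through to password authentication instead of failing closed. A check when clients.xml is loaded would catch that, e.g. `if client.get('auth') not in ('cert', 'cert+password'): self.logger.error("Unknown auth type for client %s" % client.get('name'))` before the assignment, or reject the entry outright. The enclosing loop and method start outside the hunk.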
@@ -420,12 +423,37 @@ class Metadata(Bcfg2.Server.Plugin.Plugin,
if not hasattr(imd, source):
setattr(imd, source, data)
imd.connectors.append(source)
+
+ def validate_client_address(self, client, address):
+ '''Check address against client'''
+ if client in self.floating:
+ return True
+ if address in self.addresses:
+ if client == self.addresses[address]:
+ return True
+ else:
+ self.logger.error("Got request for non-float client %s from %s" \
+ % (client, address))
+ return False
+ resolved = self.resolve_client(address)
+ if resolved == client:
+ return True
+ else:
+ self.logger.error("Got request for %s from incorrect address %s" \
+ % (client, address))
+ return False
def AuthenticateConnection(self, cert, user, password, address):
'''This function checks auth creds'''
if cert:
- self.logger.error("Cert checking not yet implemented")
- return False
+ certinfo = dict([x[0] for x in cert['subject']])
+ # look at cert.cN
+ client = certinfo['commonName']
+ auth_type = self.auth.get(client, 'cert+password')
+ addr_check = self.validate_client_address(client, address)
+ if auth_type == 'cert':
+ # we can't continue to password auth
+ return addr_check
if user == 'root':
# we aren't using per-client keys
try:
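Review bot: validate_client_address compares the client name with `self.addresses[address]`, but that value is a list (the earlier hunk builds it with `.append(clname)` and `[clname]`), so the `==` on the `if client == self.addresses[address]:` line can never be true and every client whose address is in the map is rejected as a "non-float client"; it should read `if client in self.addresses[address]:`. The result of that check is also discarded for the default `cert+password` type: `addr_check` is only returned when auth_type is `'cert'`, so a certificate-bearing client connecting from the wrong address still proceeds to password authentication unless the part of AuthenticateConnection below the hunk consults it; adding `if not addr_check: return False` before the auth_type test closes that gap. `certinfo['commonName']` raises KeyError on a certificate with no CN, which on the authentication path should become a logged `return False` rather than an unhandled exception. Whether the presented certificate was validated against a trusted CA is not visible here; the CN can only identify the client if the SSL layer has already verified the chain, so that assumption deserves a comment at the top of the cert branch.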
diff --git a/src/lib/Server/XMLRPC.py b/src/lib/Server/XMLRPC.py
index 5788901cc..acc28517d 100644
--- a/src/lib/Server/XMLRPC.py
+++ b/src/lib/Server/XMLRPC.py
@@ -149,7 +149,6 @@ class bcfg2_server(Component,
return "<ok/>"
def authenticate(self, cert, user, password, address):
- print cert, user, password, address
return self.metadata.AuthenticateConnection(cert, user, password, address)
@exposed