author | Narayan Desai <desai@mcs.anl.gov> | 2009-05-06 01:27:27 +0000 |
---|---|---|
committer | Narayan Desai <desai@mcs.anl.gov> | 2009-05-06 01:27:27 +0000 |
commit | 902c5933e10843d67548bcd80b759abf4926275e (patch) | |
tree | 6a8ca0dc96987600dbd167134df42863f2175bff /src/lib | |
parent | 8a7bb7eeac0b154479835e7660ec05d631de5849 (diff) | |
SSL: Implement certificate verification
git-svn-id: https://svn.mcs.anl.gov/repos/bcfg/trunk/bcfg2@5193 ce84e21b-d406-0410-9b95-82705330c041
Diffstat (limited to 'src/lib')
-rw-r--r-- | src/lib/Server/Plugins/Metadata.py | 32 | ||||
-rw-r--r-- | src/lib/Server/XMLRPC.py | 1 |
2 files changed, 30 insertions, 3 deletions
diff --git a/src/lib/Server/Plugins/Metadata.py b/src/lib/Server/Plugins/Metadata.py
index f7cf196fc..e51135b7e 100644
--- a/src/lib/Server/Plugins/Metadata.py
+++ b/src/lib/Server/Plugins/Metadata.py
@@ -75,6 +75,7 @@ class Metadata(Bcfg2.Server.Plugin.Plugin,
         if watch_clients:
             self.states = {"groups.xml":False, "clients.xml":False}
         self.addresses = {}
+        self.auth = dict()
         self.clients = {}
         self.aliases = {}
         self.groups = {}
@@ -206,6 +207,8 @@ class Metadata(Bcfg2.Server.Plugin.Plugin,
                 self.addresses[caddr].append(clname)
             else:
                 self.addresses[caddr] = [clname]
+            if 'auth' in client.attrib:
+                self.auth[client.get('name')] = client.get('auth')
             if 'uuid' in client.attrib:
                 self.uuid[client.get('uuid')] = clname
             if client.get('secure', 'false') == 'true' :
@@ -420,12 +423,37 @@ class Metadata(Bcfg2.Server.Plugin.Plugin,
             if not hasattr(imd, source):
                 setattr(imd, source, data)
             imd.connectors.append(source)
+
+    def validate_client_address(self, client, address): '''Check address against client''' if client in self.floating: return True if address in self.addresses: if client == self.addresses[address]: return True else: self.logger.error("Got request for non-float client %s from %s" \ % (client, address)) return False resolved = self.resolve_client(address) if resolved == client: return True else: self.logger.error("Got request for %s from incorrect address %s" \ % (client, address)) return False
     def AuthenticateConnection(self, cert, user, password, address):
         '''This function checks auth creds'''
         if cert:
-            self.logger.error("Cert checking not yet implemented")
-            return False
+            certinfo = dict([x[0] for x in cert['subject']])
+            # look at cert.cN
+            client = certinfo['commonName']
+            auth_type = self.auth.get(client, 'cert+password')
+            addr_check = self.validate_client_address(client, address)
+            if auth_type == 'cert':
+                # we can't continue to password auth
+                return addr_check
         if user == 'root':
             # we aren't using per-client keys
             try:
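Review bot: The new `auth` attribute is stored unvalidated at `self.auth[client.get('name')] = client.get('auth')`, and the only consumer visible in this commit treats any value other than the literal 'cert' as 'cert+password', so a misspelt value such as `auth='certificate'` would silently downgrade that client to the password fallback instead of failing loudly. Consider rejecting unknown values while loading, e.g. `if client.get('auth') not in ('cert', 'cert+password'): self.logger.error("Unknown auth type %s for client %s" % (client.get('auth'), clname))`, adjusting the tuple if the accepted set is defined elsewhere. The surrounding loop keys `self.addresses` and `self.uuid` by `clname`, which appears to be this same client's name (its assignment is outside the hunk); keying `self.auth` by `clname` as well would keep the lookups consistent.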
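Review bot: In the new validate_client_address, `if client == self.addresses[address]:` compares the client name against a list — the earlier hunk shows `self.addresses` values are built with `[clname]` and `.append(clname)` — so the comparison is always false and every non-floating client whose address is registered is logged as a mismatch and rejected; it should read `if client in self.addresses[address]:`. Separately, in AuthenticateConnection the result of the address check is honoured only when auth_type is 'cert'; for the default 'cert+password' a certificate whose CN does not match the peer address still falls through to the password branch with `addr_check` discarded, so add `if not addr_check: return False` before the `auth_type == 'cert'` test unless the password path (which continues outside the hunk) is known to re-check the address. Also `client = certinfo['commonName']` raises KeyError for a certificate with no CN, which would escape authenticate() as an exception rather than a clean rejection — use `certinfo.get('commonName')` and return False when it is missing; note too that `x[0] for x in cert['subject']` keeps only the first attribute of each RDN, which is fine for single-valued RDNs but drops the rest of a multi-valued one.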
diff --git a/src/lib/Server/XMLRPC.py b/src/lib/Server/XMLRPC.py
index 5788901cc..acc28517d 100644
--- a/src/lib/Server/XMLRPC.py
+++ b/src/lib/Server/XMLRPC.py
@@ -149,7 +149,6 @@ class bcfg2_server(Component,
         return "<ok/>"
     def authenticate(self, cert, user, password, address):
-        print cert, user, password, address
         return self.metadata.AuthenticateConnection(cert, user, password, address)
     @exposed