git://git.onelab.eu / plcapi.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
Fix version output when missing.
[plcapi.git] / PLC / Auth.py
diff --git a/PLC/Auth.py b/PLC/Auth.py
index c21ec8c..dde0280 100644 (file)
--- a/PLC/Auth.py
+++ b/PLC/Auth.py
@@ -4,18 +4,24 @@
 # Mark Huang <mlhuang@cs.princeton.edu>
 # Copyright (C) 2006 The Trustees of Princeton University
 #
-# $Id: Auth.py,v 1.14 2007/01/31 22:41:00 mlhuang Exp $
+# $Id$
+# $URL$
 #
 
 import crypt
-import sha
+try:
+    from hashlib import sha1 as sha
+except ImportError:
+    import sha
 import hmac
 import time
+import os
 
 from PLC.Faults import *
 from PLC.Parameter import Parameter, Mixed
 from PLC.Persons import Persons
 from PLC.Nodes import Node, Nodes
+from PLC.Interfaces import Interface, Interfaces
 from PLC.Sessions import Session, Sessions
 from PLC.Peers import Peer, Peers
 from PLC.Boot import notify_owners
@@ -33,23 +39,17 @@ class Auth(Parameter):
         Parameter.__init__(self, auth, "API authentication structure")
 
     def check(self, method, auth, *args):
+        global auth_methods
+
         # Method.type_check() should have checked that all of the
         # mandatory fields were present.
         assert 'AuthMethod' in auth
 
-        if auth['AuthMethod'] == "session":
-            expected = SessionAuth()
-        elif auth['AuthMethod'] == "password" or \
-             auth['AuthMethod'] == "capability":
-            expected = PasswordAuth()
-        elif auth['AuthMethod'] == "gpg":
-            expected = GPGAuth()
-        elif auth['AuthMethod'] == "hmac":
-            expected = BootAuth()
-        elif auth['AuthMethod'] == "anonymous":
-            expected = AnonymousAuth()
+        if auth['AuthMethod'] in auth_methods:
+            expected = auth_methods[auth['AuthMethod']]()
         else:
-            raise PLCInvalidArgument("must be 'session', 'password', 'gpg', 'hmac', or 'anonymous'", "AuthMethod")
+            sm = "'" + "', '".join(auth_methods.keys()) + "'"
+            raise PLCInvalidArgument("must be " + sm, "AuthMethod")
 
         # Re-check using the specified authentication method
         method.type_check("auth", auth, expected, (auth,) + args)
@@ -146,7 +146,7 @@ class SessionAuth(Auth):
                 person = persons[0]
 
                 if not set(person['roles']).intersection(method.roles):
-                    raise PLCAuthenticationFailure, "Not allowed to call method"
+                    raise PLCPermissionDenied, "Not allowed to call method"
 
                 method.caller = persons[0]
 
@@ -223,22 +223,22 @@ class BootAuth(Auth):
                 # on record for the node.
                 key = node['boot_nonce']
 
-                nodenetwork = None
-                if node['nodenetwork_ids']:
-                    nodenetworks = NodeNetworks(method.api, node['nodenetwork_ids'])
-                    for nodenetwork in nodenetworks:
-                        if nodenetwork['is_primary']:
+                interface = None
+                if node['interface_ids']:
+                    interfaces = Interfaces(method.api, node['interface_ids'])
+                    for interface in interfaces:
+                        if interface['is_primary']:
                             break
-            
-                if not nodenetwork or not nodenetwork['is_primary']:
+
+                if not interface or not interface['is_primary']:
                     raise PLCAuthenticationFailure, "No primary network interface on record"
-            
+
                 if method.source is None:
                     raise PLCAuthenticationFailure, "Cannot determine IP address of requestor"
 
-                if nodenetwork['ip'] != method.source[0]:
+                if interface['ip'] != method.source[0]:
                     raise PLCAuthenticationFailure, "Requestor IP %s does not match node IP %s" % \
-                          (method.source[0], nodenetwork['ip'])
+                          (method.source[0], interface['ip'])
             else:
                 raise PLCAuthenticationFailure, "No node key or boot nonce"
 
@@ -249,7 +249,8 @@ class BootAuth(Auth):
 
             # We encode in UTF-8 before calculating the HMAC, which is
             # an 8-bit algorithm.
-            digest = hmac.new(key, msg.encode('utf-8'), sha).hexdigest()
+            # python 2.6 insists on receiving a 'str' as opposed to a 'unicode'
+            digest = hmac.new(str(key), msg.encode('utf-8'), sha).hexdigest()
 
             if digest != auth['value']:
                 raise PLCAuthenticationFailure, "Call could not be authenticated"
@@ -295,7 +296,7 @@ class PasswordAuth(Auth):
         assert auth.has_key('Username')
 
         # Get record (must be enabled)
-        persons = Persons(method.api, {'email': auth['Username'], 'enabled': True, 'peer_id': None})
+        persons = Persons(method.api, {'email': auth['Username'].lower(), 'enabled': True, 'peer_id': None})
         if len(persons) != 1:
             raise PLCAuthenticationFailure, "No such account"
 
@@ -329,3 +330,24 @@ class PasswordAuth(Auth):
             raise PLCAuthenticationFailure, "Not allowed to call method"
 
         method.caller = person
+
+auth_methods = {'session': SessionAuth,
+                'password': PasswordAuth,
+                'capability': PasswordAuth,
+                'gpg': GPGAuth,
+                'hmac': BootAuth,
+                'hmac_dummybox': BootAuth,
+                'anonymous': AnonymousAuth}
+
+path = os.path.dirname(__file__) + "/Auth.d"
+try:
+    extensions = os.listdir(path)
+except OSError, e:
+    extensions = []
+for extension in extensions:
+    if extension.startswith("."):
+        continue
+    if not extension.endswith(".py"):
+        continue
+    execfile("%s/%s" % (path, extension))
+del extensions
plcapi