X-Git-Url: http://git.onelab.eu/?a=blobdiff_plain;f=PLC%2FAuth.py;h=08c9d2cfbba144b7c7745b638e5ec083d24f5a30;hb=f8bce9cd90ecc06764de75af5bb0b456924d7cee;hp=a062b3ad803522b859cf1aaf9b214f45be4636f8;hpb=53c0a911837538bd54044440d11354183cd93726;p=plcapi.git
diff --git a/PLC/Auth.py b/PLC/Auth.py
index a062b3a..08c9d2c 100644
--- a/PLC/Auth.py
+++ b/PLC/Auth.py
@@ -4,11 +4,15 @@
 # Mark Huang
 # Copyright (C) 2006 The Trustees of Princeton University
 #
-# $Id: Auth.py,v 1.15 2007/02/01 22:28:48 mlhuang Exp $
+# $Id$
+# $URL$
 #
 
 import crypt
-import sha
+try:
+    from hashlib import sha1 as sha
+except ImportError:
+    import sha
 import hmac
 import time
 
@@ -16,10 +20,28 @@ from PLC.Faults import *
 from PLC.Parameter import Parameter, Mixed
 from PLC.Persons import Persons
 from PLC.Nodes import Node, Nodes
+from PLC.Interfaces import Interface, Interfaces
 from PLC.Sessions import Session, Sessions
 from PLC.Peers import Peer, Peers
 from PLC.Boot import notify_owners
 
+def map_auth(auth):
+    if auth['AuthMethod'] == "session":
+        expected = SessionAuth()
+    elif auth['AuthMethod'] == "password" or \
+        auth['AuthMethod'] == "capability":
+        expected = PasswordAuth()
+    elif auth['AuthMethod'] == "gpg":
+        expected = GPGAuth()
+    elif auth['AuthMethod'] == "hmac" or \
+        auth['AuthMethod'] == "hmac_dummybox":
+        expected = BootAuth()
+    elif auth['AuthMethod'] == "anonymous":
+        expected = AnonymousAuth()
+    else:
+        raise PLCInvalidArgument("must be 'session', 'password', 'gpg', 'hmac', 'hmac_dummybox', or 'anonymous'", "AuthMethod")
+    return expected
+
 class Auth(Parameter):
     """
     Base class for all API authentication methods, as well as a class
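Review bot: map_auth indexes `auth['AuthMethod']` directly on every branch, so an auth dict without that key raises a bare KeyError instead of the PLCInvalidArgument fault the else branch is there for; the only guard is the `assert 'AuthMethod' in auth` left in Auth.check (the hunk at @@ -37,19), and asserts vanish under `python -O`. Read the key once with `auth_method = auth.get('AuthMethod')` at the top of map_auth and compare `auth_method` in each branch, so a missing key falls through to the existing PLCInvalidArgument. The function also has no docstring; I would add `"""Return a fresh Auth subclass instance for auth['AuthMethod']; raises PLCInvalidArgument for an unknown or missing method."""`. Note that 'hmac_dummybox' is new here and maps to BootAuth exactly like 'hmac', which presumably subjects it to the same node-key/nonce and source-IP checks visible in the later BootAuth hunks; if the dummybox case is meant to differ, say so in that docstring.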
@@ -37,19 +59,7 @@ class Auth(Parameter):
         # mandatory fields were present.
         assert 'AuthMethod' in auth
 
-        if auth['AuthMethod'] == "session":
-            expected = SessionAuth()
-        elif auth['AuthMethod'] == "password" or \
-            auth['AuthMethod'] == "capability":
-            expected = PasswordAuth()
-        elif auth['AuthMethod'] == "gpg":
-            expected = GPGAuth()
-        elif auth['AuthMethod'] == "hmac":
-            expected = BootAuth()
-        elif auth['AuthMethod'] == "anonymous":
-            expected = AnonymousAuth()
-        else:
-            raise PLCInvalidArgument("must be 'session', 'password', 'gpg', 'hmac', or 'anonymous'", "AuthMethod")
+        expected = map_auth(auth)
 
         # Re-check using the specified authentication method
         method.type_check("auth", auth, expected, (auth,) + args)
@@ -146,7 +156,7 @@ class SessionAuth(Auth):
         person = persons[0]
 
         if not set(person['roles']).intersection(method.roles):
-            raise PLCAuthenticationFailure, "Not allowed to call method"
+            raise PLCPermissionDenied, "Not allowed to call method"
 
         method.caller = persons[0]
 
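Review bot: The PLCPermissionDenied raised in the SessionAuth hunk (@@ -146,7) does not say which roles the method requires, so neither the authenticated caller nor someone reading the server-side fault can tell why a valid session was rejected, even though `method.roles` is already in hand on the line above. Assuming `method.roles` is a sequence of role names (it is intersected with `person['roles']`), I would raise `PLCPermissionDenied, "Not allowed to call method (requires one of: %s)" % ", ".join(method.roles)`. Two lines below, `method.caller = persons[0]` can simply be `method.caller = person`, which is bound at the top of the hunk. SessionAuth.check starts before and continues after this hunk.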
@@ -223,22 +233,22 @@ class BootAuth(Auth):
             # on record for the node.
             key = node['boot_nonce']
 
-            nodenetwork = None
-            if node['nodenetwork_ids']:
-                nodenetworks = NodeNetworks(method.api, node['nodenetwork_ids'])
-                for nodenetwork in nodenetworks:
-                    if nodenetwork['is_primary']:
+            interface = None
+            if node['interface_ids']:
+                interfaces = Interfaces(method.api, node['interface_ids'])
+                for interface in interfaces:
+                    if interface['is_primary']:
                         break
 
-            if not nodenetwork or not nodenetwork['is_primary']:
+            if not interface or not interface['is_primary']:
                 raise PLCAuthenticationFailure, "No primary network interface on record"
 
             if method.source is None:
                 raise PLCAuthenticationFailure, "Cannot determine IP address of requestor"
 
-            if nodenetwork['ip'] != method.source[0]:
+            if interface['ip'] != method.source[0]:
                 raise PLCAuthenticationFailure, "Requestor IP %s does not match node IP %s" % \
-                    (method.source[0], nodenetwork['ip'])
+                    (method.source[0], interface['ip'])
         else:
             raise PLCAuthenticationFailure, "No node key or boot nonce"
 
@@ -249,7 +259,8 @@ class BootAuth(Auth):
 
         # We encode in UTF-8 before calculating the HMAC, which is
         # an 8-bit algorithm.
-        digest = hmac.new(key, msg.encode('utf-8'), sha).hexdigest()
+        # python 2.6 insists on receiving a 'str' as opposed to a 'unicode'
+        digest = hmac.new(str(key), msg.encode('utf-8'), sha).hexdigest()
 
         if digest != auth['value']:
             raise PLCAuthenticationFailure, "Call could not be authenticated"
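Review bot: In the second hunk (@@ -249,7) the verification `if digest != auth['value']:` still compares the computed HMAC with the caller-supplied value using ordinary string inequality, which stops at the first differing character, so the time taken to reject a value depends on how long a prefix of the real digest it shares; the new `str(key)` line sits right above it and would be the natural place to fix both at once. Python 2.6, which the added comment targets, has no `hmac.compare_digest` (that arrived in 2.7.7 and 3.3), so a small module-level helper that always walks the full length is the portable option, and where `hmac.compare_digest` exists it should be preferred. Separately, `str(key)` will raise UnicodeEncodeError rather than an authentication fault if `key` is a unicode value holding non-ASCII characters; node keys and nonces are presumably ASCII, but `key.encode('utf-8')` would mirror the treatment of `msg` on the same line and remove the assumption. BootAuth.check begins before this hunk and the helper below belongs outside the class, next to map_auth.
```python
def _digests_equal(expected, supplied):
    """Compare two hex digests in time that does not depend on where they first differ."""
    if len(expected) != len(supplied):
        return False
    mismatch = 0
    for a, b in zip(expected, supplied):
        mismatch |= ord(a) ^ ord(b)
    return mismatch == 0

# … unchanged: BootAuth.check up to the message assembly …
        # python 2.6 insists on receiving a 'str' as opposed to a 'unicode'
        digest = hmac.new(str(key), msg.encode('utf-8'), sha).hexdigest()

        if not _digests_equal(digest, auth['value']):
            raise PLCAuthenticationFailure, "Call could not be authenticated"
```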