auth client email with machine password

This commit is contained in:
deflax 2016-03-31 02:26:25 +03:00
parent d1cd131250
commit 20052a773d
2 changed files with 53 additions and 50 deletions


@ -11,8 +11,8 @@ import bcrypt
import ioconfig
import utils
def addclient(vmid, vmname, clientid, clientname, clientemail, srvpass):
""" add new client to the clientsdb.json """
def addclient(vmid, vmname, clientid, clientname, clientemail, vmpass):
""" add new client with the requested vm to the clientsdb.json """
clientsdb = readclientsdb()
if str(clientid) in clientsdb:
@ -24,50 +24,12 @@ def addclient(vmid, vmname, clientid, clientname, clientemail, srvpass):
clientsdb.update(newclient)
ioconfig.logger.info('clients> vmid {} owner set to {} (id: {}, email: {})'.format(vmid, clientname, clientid, clientemail))
vmdata = { 'hostname':str(vmname), 'vmid':str(vmid), 'ownerid':str(clientid), 'username':str(srvuser), 'password': str(srvpass) }
#create initial vm template
vmdata = { 'hostname':str(vmname), 'vmid':str(vmid), 'ownerid':str(clientid) }
clientsdb[str(clientid)][str(vmid)] = vmdata
writeclientsdb(clientsdb)
def validate(vmname, srvpass):
""" return vmid or false if credentials match something in clientdb. useful for authing extrnal admin panels """
try:
clientsdb = readclientsdb()
path = utils.get_path(clientsdb, vmname)
c_id = str(path[0])
v_id = str(path[1])
#check the returned path with forward query
query = clientsdb[c_id][v_id]['hostname']
except:
return False
#double check
if query != vmname:
return None
else:
#try to capture the encrypted password
try:
encpass = clientsdb[c_id][v_id]['encpasswd']
except:
#cant query password
return None
#compare it with the requested password
b_srvpass = srvpass.encode('utf-8')
b_encpass = encpass.encode('utf-8')
if (hmac.compare_digest(bcrypt.hashpw(b_srvpass, b_encpass), b_encpass)):
#login successful
ioconfig.logger.info('clients> {} (clientid: {}, vmid: {}) was validated successfully!'.format(query, c_id, v_id))
#TODO: generate ticket for double check
generated_ticket = 'TODO'
response = { 'vpsid':v_id, 'ticket':generated_ticket }
return response
else:
ioconfig.logger.warning('clients> {} (clientid: {}, vmid: {}) ACCESS DENIED!'.format(query, c_id, v_id))
#cant compare password
return None
return None
#set password for the first time...
setencpasswd(vmname, vmpass)
def setencpasswd(vmname, newpass):
@ -89,6 +51,7 @@ def setencpasswd(vmname, newpass):
raise
if query != vmname:
ioconfig.logger.critical('clients> test query returns different vmname! check clients.json consistency!')
raise
else:
clientsdb[c_id][v_id]['encpasswd'] = encpasswd
@ -97,6 +60,46 @@ def setencpasswd(vmname, newpass):
#TODO: change lxc container password
def validate(clientemail, srvpass):
""" return vmid or false if credentials match something in clientdb. useful for authing extrnal admin panels """
try:
clientsdb = readclientsdb()
path = utils.get_path(clientsdb, clientemail)
c_id = str(path[0])
#check the returned path with forward query
ioconfig.logger.info('clients> {} was found with clientid: {}'.format(clientemail, c_id))
except:
raise
ioconfig.logger.warning('clients> {} was not found in the database!'.format(clientemail))
#log bad ips here...
return False
vmlist = clientsdb[c_id]
#clear unused objects. perhaps there is a better way to do this but im kinda anxious today...
vmlist.pop('name')
vmlist.pop('email')
#try each vmid owned by this user for a password match
for vmid,data in vmlist.items():
print(vmid)
print(data)
#try to capture the encrypted password
encpass = data['encpasswd']
b_srvpass = srvpass.encode('utf-8')
b_encpass = encpass.encode('utf-8')
if (hmac.compare_digest(bcrypt.hashpw(b_srvpass, b_encpass), b_encpass)):
#login successful
ioconfig.logger.info('clients> {} was validated successfully by {}'.format(vmid, clientemail))
response = { 'vmid':vmid }
else:
ioconfig.logger.warning('clients> {} ACCESS DENIED!'.format(vmid))
#cant compare password
response = { }
#TODO: this will require major rewrite again.. or it will fail to auth 2 machines with same password. lame..
return response
def vmowner(vmid, vmname, verbose):
""" find the owner of the vm """
clientsdb = readclientsdb()
@ -133,5 +136,5 @@ def writeclientsdb(clientsdb):
if __name__ == '__main__':
setencpasswd('srv.test1.com', 'todos')
validate('srv.test1.com', 'todos')
#setencpasswd('srv.test1.com', 'todos')
validate('daniel@deflax.net', 'todos')


@ -46,12 +46,12 @@ def apicheck(params):
#API methods
class Validate(object):
def on_post(self, req, resp):
""" get domain name and mgmt pass and compare it with the client db and returns an authed object ID """
domain = req.params['domain']
""" get clientemail and mgmt pass and compare it with the client db and returns an authed object ID """
clientemail = req.params['clientemail']
passwd = req.params['password']
logger.info('grid> access requested for {} with {}'.format(domain, passwd))
logger.info('grid> access requested for {} with {}'.format(clientemail, passwd))
#apicheck_stat, apicheck_resp = apicheck(req.params)
response = clientsdb.validate(domain, passwd)
response = clientsdb.validate(clientemail, passwd)
if response is not None:
resp.status = falcon.HTTP_200
resp.body = response
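Review bot: The info log in `on_post` still writes the submitted password in clear text, so every login attempt lands the credential in the log file; drop it from the message, `logger.info('grid> access requested for {}'.format(clientemail))`. The `if response is not None` check also no longer matches what the new `clientsdb.validate` returns, which is `False` for an unknown email and `{}` for a failed password, so a denied login still takes the `HTTP_200` branch; a truthiness test such as `if response:` would route both failures to the other branch. The rest of `on_post`, including the failure branch, is outside this hunk.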