From 20052a773d7002499802c8d6fc3bc440aa65df59 Mon Sep 17 00:00:00 2001
From: deflax
Date: Thu, 31 Mar 2016 02:26:25 +0300
Subject: [PATCH] auth client email with machine password
---
 clientsdb.py | 95 ++++++++++++++++++++++++++-------------------------
 proxmaster.py | 8 ++---
 2 files changed, 53 insertions(+), 50 deletions(-)
diff --git a/clientsdb.py b/clientsdb.py
index 7be0ea2..62b3059 100644
--- a/clientsdb.py
+++ b/clientsdb.py
@@ -11,8 +11,8 @@ import bcrypt
 import ioconfig
 import utils
-def addclient(vmid, vmname, clientid, clientname, clientemail, srvpass):
- """ add new client to the clientsdb.json """
+def addclient(vmid, vmname, clientid, clientname, clientemail, vmpass):
+ """ add new client with the requested vm to the clientsdb.json """
 clientsdb = readclientsdb()
 if str(clientid) in clientsdb:
@@ -24,50 +24,12 @@ def addclient(vmid, vmname, clientid, clientname, clientemail, srvpass):
 clientsdb.update(newclient)
 ioconfig.logger.info('clients> vmid {} owner set to {} (id: {}, email: {})'.format(vmid, clientname, clientid, clientemail))
- vmdata = { 'hostname':str(vmname), 'vmid':str(vmid), 'ownerid':str(clientid), 'username':str(srvuser), 'password': str(srvpass) }
+ #create initial vm template
+ vmdata = { 'hostname':str(vmname), 'vmid':str(vmid), 'ownerid':str(clientid) }
 clientsdb[str(clientid)][str(vmid)] = vmdata
- writeclientsdb(clientsdb)
-
-
-def validate(vmname, srvpass):
- """ return vmid or false if credentials match something in clientdb. useful for authing extrnal admin panels """
- try:
- clientsdb = readclientsdb()
- path = utils.get_path(clientsdb, vmname)
- c_id = str(path[0])
- v_id = str(path[1])
- #check the returned path with forward query
- query = clientsdb[c_id][v_id]['hostname']
- except:
- return False
-
- #double check
- if query != vmname:
- return None
- else:
- #try to capture the encrypted password
- try:
- encpass = clientsdb[c_id][v_id]['encpasswd']
- except:
- #cant query password
- return None
-
- #compare it with the requested password
- b_srvpass = srvpass.encode('utf-8')
- b_encpass = encpass.encode('utf-8')
- if (hmac.compare_digest(bcrypt.hashpw(b_srvpass, b_encpass), b_encpass)):
- #login successful
- ioconfig.logger.info('clients> {} (clientid: {}, vmid: {}) was validated successfully!'.format(query, c_id, v_id))
- #TODO: generate ticket for double check
- generated_ticket = 'TODO'
- response = { 'vpsid':v_id, 'ticket':generated_ticket }
- return response
- else:
- ioconfig.logger.warning('clients> {} (clientid: {}, vmid: {}) ACCESS DENIED!'.format(query, c_id, v_id))
- #cant compare password
- return None
- return None
+ #set password for the first time...
+ setencpasswd(vmname, vmpass)
 def setencpasswd(vmname, newpass):
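Review bot: `writeclientsdb(clientsdb)` is removed from addclient but nothing else persists the new `vmdata` entry, and the `setencpasswd(vmname, vmpass)` call added in its place will, if it reloads the db from disk with `readclientsdb()` the way the new `validate` does, not find `vmname` at all, so the vm is neither saved nor given a password. Keep `writeclientsdb(clientsdb)` on the line before `setencpasswd(vmname, vmpass)`, or pass the in-memory dict through to setencpasswd. addclient's body starts outside the hunk, so the earlier part of the function was not checked.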
@@ -89,6 +51,7 @@ def setencpasswd(vmname, newpass):
 raise
 if query != vmname:
+ ioconfig.logger.critical('clients> test query returns different vmname! check clients.json consistency!')
 raise
 else:
 clientsdb[c_id][v_id]['encpasswd'] = encpasswd
@@ -97,6 +60,46 @@ def setencpasswd(vmname, newpass):
 #TODO: change lxc container password
+def validate(clientemail, srvpass):
+ """ return vmid or false if credentials match something in clientdb. useful for authing extrnal admin panels """
+ try:
+ clientsdb = readclientsdb()
+ path = utils.get_path(clientsdb, clientemail)
+ c_id = str(path[0])
+ #check the returned path with forward query
+ ioconfig.logger.info('clients> {} was found with clientid: {}'.format(clientemail, c_id))
+ except:
+ raise
+ ioconfig.logger.warning('clients> {} was not found in the database!'.format(clientemail))
+ #log bad ips here...
+ return False
+
+ vmlist = clientsdb[c_id]
+ #clear unused objects. perhaps there is a better way to do this but im kinda anxious today...
+ vmlist.pop('name')
+ vmlist.pop('email')
+
+ #try each vmid owned by this user for a password match
+ for vmid,data in vmlist.items():
+ print(vmid)
+
+ print(data)
+ #try to capture the encrypted password
+ encpass = data['encpasswd']
+ b_srvpass = srvpass.encode('utf-8')
+ b_encpass = encpass.encode('utf-8')
+ if (hmac.compare_digest(bcrypt.hashpw(b_srvpass, b_encpass), b_encpass)):
+ #login successful
+ ioconfig.logger.info('clients> {} was validated successfully by {}'.format(vmid, clientemail))
+ response = { 'vmid':vmid }
+ else:
+ ioconfig.logger.warning('clients> {} ACCESS DENIED!'.format(vmid))
+ #cant compare password
+ response = { }
+ #TODO: this will require major rewrite again.. or it will fail to auth 2 machines with same password. lame..
+ return response
+
+
 def vmowner(vmid, vmname, verbose):
 """ find the owner of the vm """
 clientsdb = readclientsdb()
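Review bot: The `raise` that follows the new `ioconfig.logger.critical(...)` line is, as far as the hunk shows, not inside an except handler (the ` raise` two lines above is what closes the try/except), so it fails with `RuntimeError: No active exception to reraise` rather than reporting the mismatch the log line describes. Raise a descriptive exception instead: `raise ValueError('clients> test query returned {} for vmname {}'.format(query, vmname))`. setencpasswd's body starts and ends outside the hunk.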
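Review bot: In the new `validate`, `response` is overwritten on every pass of the `for vmid,data in vmlist.items():` loop, so a successful match on one vm is replaced by `{ }` when a later vm is denied, and `response` is unbound if the client owns no vm; return as soon as a hash matches and return `None` after the loop, as below. The `raise` inside the bare `except:` also makes the following `ioconfig.logger.warning(...)` and `return False` unreachable, so a lookup miss surfaces as an exception rather than the false the docstring promises. The `print(vmid)` / `print(data)` calls dump the stored record, bcrypt hash included, to stdout and should be removed. `vmlist.pop('name')` / `vmlist.pop('email')` mutate the dict loaded from the db and raise KeyError if either field is absent; skipping those keys while iterating avoids both.
```python
    # … unchanged: client lookup via readclientsdb() / utils.get_path …
    vmlist = clientsdb[c_id]
    b_srvpass = srvpass.encode('utf-8')
    #try each vmid owned by this user; 'name'/'email' are client fields, not vms
    for vmid, data in vmlist.items():
        if vmid in ('name', 'email') or 'encpasswd' not in data:
            continue
        b_encpass = data['encpasswd'].encode('utf-8')
        if hmac.compare_digest(bcrypt.hashpw(b_srvpass, b_encpass), b_encpass):
            #login successful: stop at the first owned vm whose password matches
            ioconfig.logger.info('clients> {} was validated successfully by {}'.format(vmid, clientemail))
            return { 'vmid':vmid }
    #no owned vm matched the supplied password
    ioconfig.logger.warning('clients> ACCESS DENIED for {}'.format(clientemail))
    return None
```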
@@ -133,5 +136,5 @@ def writeclientsdb(clientsdb):
 if __name__ == '__main__':
- setencpasswd('srv.test1.com', 'todos')
- validate('srv.test1.com', 'todos')
+ #setencpasswd('srv.test1.com', 'todos')
+ validate('daniel@deflax.net', 'todos')
diff --git a/proxmaster.py b/proxmaster.py
index 5f88ca1..5d12c2e 100644
--- a/proxmaster.py
+++ b/proxmaster.py
@@ -46,12 +46,12 @@ def apicheck(params):
 #API methods
 class Validate(object):
 def on_post(self, req, resp):
- """ get domain name and mgmt pass and compare it with the client db and returns an authed object ID """
- domain = req.params['domain']
+ """ get clientemail and mgmt pass and compare it with the client db and returns an authed object ID """
+ clientemail = req.params['clientemail']
 passwd = req.params['password']
- logger.info('grid> access requested for {} with {}'.format(domain, passwd))
+ logger.info('grid> access requested for {} with {}'.format(clientemail, passwd))
 #apicheck_stat, apicheck_resp = apicheck(req.params)
- response = clientsdb.validate(domain, passwd)
+ response = clientsdb.validate(clientemail, passwd)
 if response is not None:
 resp.status = falcon.HTTP_200
 resp.body = response
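Review bot: The `__main__` block now runs `validate('daniel@deflax.net', 'todos')` with a literal account and password kept in the module; if this is meant as a smoke test, take the values from `sys.argv` and `getpass.getpass()` so no credential is committed, and drop the commented-out `#setencpasswd('srv.test1.com', 'todos')` line rather than leaving dead code.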
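Review bot: The new `logger.info('grid> access requested for {} with {}'.format(clientemail, passwd))` writes the submitted plaintext password to the log on every request; log only the identifier, `logger.info('grid> access requested for {}'.format(clientemail))`. The unchanged `if response is not None:` check also treats the `{ }` that `clientsdb.validate` returns on a failed match (see the clientsdb.py hunk) as success and answers `falcon.HTTP_200` with an empty body; `if response:` sends an empty result down the failure branch instead. The rest of on_post, including that failure branch, lies outside the hunk.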