auth client email with machine password

This commit is contained in:
deflax 2016-03-31 02:26:25 +03:00
parent d1cd131250
commit 20052a773d
2 changed files with 53 additions and 50 deletions


@ -11,8 +11,8 @@ import bcrypt
import ioconfig import ioconfig
import utils import utils
def addclient(vmid, vmname, clientid, clientname, clientemail, srvpass): def addclient(vmid, vmname, clientid, clientname, clientemail, vmpass):
""" add new client to the clientsdb.json """ """ add new client with the requested vm to the clientsdb.json """
clientsdb = readclientsdb() clientsdb = readclientsdb()
if str(clientid) in clientsdb: if str(clientid) in clientsdb:
@ -24,50 +24,12 @@ def addclient(vmid, vmname, clientid, clientname, clientemail, srvpass):
clientsdb.update(newclient) clientsdb.update(newclient)
ioconfig.logger.info('clients> vmid {} owner set to {} (id: {}, email: {})'.format(vmid, clientname, clientid, clientemail)) ioconfig.logger.info('clients> vmid {} owner set to {} (id: {}, email: {})'.format(vmid, clientname, clientid, clientemail))
vmdata = { 'hostname':str(vmname), 'vmid':str(vmid), 'ownerid':str(clientid), 'username':str(srvuser), 'password': str(srvpass) } #create initial vm template
vmdata = { 'hostname':str(vmname), 'vmid':str(vmid), 'ownerid':str(clientid) }
clientsdb[str(clientid)][str(vmid)] = vmdata clientsdb[str(clientid)][str(vmid)] = vmdata
writeclientsdb(clientsdb) writeclientsdb(clientsdb)
#set password for the first time...
setencpasswd(vmname, vmpass)
def validate(vmname, srvpass):
""" return vmid or false if credentials match something in clientdb. useful for authing extrnal admin panels """
try:
clientsdb = readclientsdb()
path = utils.get_path(clientsdb, vmname)
c_id = str(path[0])
v_id = str(path[1])
#check the returned path with forward query
query = clientsdb[c_id][v_id]['hostname']
except:
return False
#double check
if query != vmname:
return None
else:
#try to capture the encrypted password
try:
encpass = clientsdb[c_id][v_id]['encpasswd']
except:
#cant query password
return None
#compare it with the requested password
b_srvpass = srvpass.encode('utf-8')
b_encpass = encpass.encode('utf-8')
if (hmac.compare_digest(bcrypt.hashpw(b_srvpass, b_encpass), b_encpass)):
#login successful
ioconfig.logger.info('clients> {} (clientid: {}, vmid: {}) was validated successfully!'.format(query, c_id, v_id))
#TODO: generate ticket for double check
generated_ticket = 'TODO'
response = { 'vpsid':v_id, 'ticket':generated_ticket }
return response
else:
ioconfig.logger.warning('clients> {} (clientid: {}, vmid: {}) ACCESS DENIED!'.format(query, c_id, v_id))
#cant compare password
return None
return None
def setencpasswd(vmname, newpass): def setencpasswd(vmname, newpass):
@ -89,6 +51,7 @@ def setencpasswd(vmname, newpass):
raise raise
if query != vmname: if query != vmname:
ioconfig.logger.critical('clients> test query returns different vmname! check clients.json consistency!')
raise raise
else: else:
clientsdb[c_id][v_id]['encpasswd'] = encpasswd clientsdb[c_id][v_id]['encpasswd'] = encpasswd
@ -97,6 +60,46 @@ def setencpasswd(vmname, newpass):
#TODO: change lxc container password #TODO: change lxc container password
def validate(clientemail, srvpass):
""" return vmid or false if credentials match something in clientdb. useful for authing extrnal admin panels """
try:
clientsdb = readclientsdb()
path = utils.get_path(clientsdb, clientemail)
c_id = str(path[0])
#check the returned path with forward query
ioconfig.logger.info('clients> {} was found with clientid: {}'.format(clientemail, c_id))
except:
raise
ioconfig.logger.warning('clients> {} was not found in the database!'.format(clientemail))
#log bad ips here...
return False
vmlist = clientsdb[c_id]
#clear unused objects. perhaps there is a better way to do this but im kinda anxious today...
vmlist.pop('name')
vmlist.pop('email')
#try each vmid owned by this user for a password match
for vmid,data in vmlist.items():
print(vmid)
print(data)
#try to capture the encrypted password
encpass = data['encpasswd']
b_srvpass = srvpass.encode('utf-8')
b_encpass = encpass.encode('utf-8')
if (hmac.compare_digest(bcrypt.hashpw(b_srvpass, b_encpass), b_encpass)):
#login successful
ioconfig.logger.info('clients> {} was validated successfully by {}'.format(vmid, clientemail))
response = { 'vmid':vmid }
else:
ioconfig.logger.warning('clients> {} ACCESS DENIED!'.format(vmid))
#cant compare password
response = { }
#TODO: this will require major rewrite again.. or it will fail to auth 2 machines with same password. lame..
return response
def vmowner(vmid, vmname, verbose): def vmowner(vmid, vmname, verbose):
""" find the owner of the vm """ """ find the owner of the vm """
clientsdb = readclientsdb() clientsdb = readclientsdb()
@ -133,5 +136,5 @@ def writeclientsdb(clientsdb):
if __name__ == '__main__': if __name__ == '__main__':
setencpasswd('srv.test1.com', 'todos') #setencpasswd('srv.test1.com', 'todos')
validate('srv.test1.com', 'todos') validate('daniel@deflax.net', 'todos')
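Review bot: In the new `validate` (hunk `@ -97,6 +60,46 @@`) `response` is overwritten on every pass of the vm loop, so a password that matches an earlier vm is thrown away when a later vm fails, and a denied login ends as `{}` (or `False` on the not-found path) rather than `None`, which the API handler's `if response is not None:` check then treats as success. The `raise` placed first inside the bare `except:` also makes the "was not found" warning and `return False` below it unreachable, so a bad email propagates as an unhandled exception, and the two `print()` calls dump each vm record, including its `encpasswd` hash, to stdout. The rewrite below returns on the first matching vm and `None` otherwise, skips the `name`/`email` entries instead of popping them out of the loaded db, and drops the prints; the except clause still needs narrowing to whatever `utils.get_path` raises on a miss, which is not visible here. Two vms sharing a password remain indistinguishable by (email, password), as the TODO says; that is a design limit the first-match rule does not remove.
```python
def validate(clientemail, srvpass):
    """ return {'vmid': ...} for the first vm owned by clientemail whose password matches, None otherwise """
    try:
        clientsdb = readclientsdb()
        path = utils.get_path(clientsdb, clientemail)
        c_id = str(path[0])
    except Exception:  # TODO: narrow to what utils.get_path raises when the email is absent
        ioconfig.logger.warning('clients> {} was not found in the database!'.format(clientemail))
        return None
    ioconfig.logger.info('clients> {} was found with clientid: {}'.format(clientemail, c_id))
    b_srvpass = srvpass.encode('utf-8')
    for vmid, data in clientsdb[c_id].items():
        if vmid in ('name', 'email'):
            continue  # client metadata, not a vm record
        encpass = data.get('encpasswd')
        if encpass is None:
            continue  # vm has no password set yet; never matches
        b_encpass = encpass.encode('utf-8')
        if hmac.compare_digest(bcrypt.hashpw(b_srvpass, b_encpass), b_encpass):
            ioconfig.logger.info('clients> {} was validated successfully by {}'.format(vmid, clientemail))
            return { 'vmid':vmid }
    ioconfig.logger.warning('clients> ACCESS DENIED for {}'.format(clientemail))
    return None
```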


@ -46,12 +46,12 @@ def apicheck(params):
#API methods #API methods
class Validate(object): class Validate(object):
def on_post(self, req, resp): def on_post(self, req, resp):
""" get domain name and mgmt pass and compare it with the client db and returns an authed object ID """ """ get clientemail and mgmt pass and compare it with the client db and returns an authed object ID """
domain = req.params['domain'] clientemail = req.params['clientemail']
passwd = req.params['password'] passwd = req.params['password']
logger.info('grid> access requested for {} with {}'.format(domain, passwd)) logger.info('grid> access requested for {} with {}'.format(clientemail, passwd))
#apicheck_stat, apicheck_resp = apicheck(req.params) #apicheck_stat, apicheck_resp = apicheck(req.params)
response = clientsdb.validate(domain, passwd) response = clientsdb.validate(clientemail, passwd)
if response is not None: if response is not None:
resp.status = falcon.HTTP_200 resp.status = falcon.HTTP_200
resp.body = response resp.body = response
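Review bot: The info log on the `logger.info('grid> access requested ...')` line still writes the plaintext management password for every request, so every login attempt, valid or not, lands in the log; it should become `logger.info('grid> access requested for {}'.format(clientemail))`. The `if response is not None:` test below it also never fails with the new `clientsdb.validate`, which returns `False` when the email is unknown and `{}` when the password is rejected, so a denied login is answered with HTTP 200; testing `if response:` (or having `validate` return `None` on denial, as the previous version did) restores the intended branch. The `else` branch of `on_post` lies outside this hunk.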