auth client email with machine password
This commit is contained in:
parent
d1cd131250
commit
20052a773d
2 changed files with 53 additions and 50 deletions
95
clientsdb.py
95
clientsdb.py
|
@ -11,8 +11,8 @@ import bcrypt
|
||||||
import ioconfig
|
import ioconfig
|
||||||
import utils
|
import utils
|
||||||
|
|
||||||
def addclient(vmid, vmname, clientid, clientname, clientemail, srvpass):
|
def addclient(vmid, vmname, clientid, clientname, clientemail, vmpass):
|
||||||
""" add new client to the clientsdb.json """
|
""" add new client with the requested vm to the clientsdb.json """
|
||||||
clientsdb = readclientsdb()
|
clientsdb = readclientsdb()
|
||||||
|
|
||||||
if str(clientid) in clientsdb:
|
if str(clientid) in clientsdb:
|
||||||
|
@ -24,50 +24,12 @@ def addclient(vmid, vmname, clientid, clientname, clientemail, srvpass):
|
||||||
clientsdb.update(newclient)
|
clientsdb.update(newclient)
|
||||||
ioconfig.logger.info('clients> vmid {} owner set to {} (id: {}, email: {})'.format(vmid, clientname, clientid, clientemail))
|
ioconfig.logger.info('clients> vmid {} owner set to {} (id: {}, email: {})'.format(vmid, clientname, clientid, clientemail))
|
||||||
|
|
||||||
vmdata = { 'hostname':str(vmname), 'vmid':str(vmid), 'ownerid':str(clientid), 'username':str(srvuser), 'password': str(srvpass) }
|
#create initial vm template
|
||||||
|
vmdata = { 'hostname':str(vmname), 'vmid':str(vmid), 'ownerid':str(clientid) }
|
||||||
clientsdb[str(clientid)][str(vmid)] = vmdata
|
clientsdb[str(clientid)][str(vmid)] = vmdata
|
||||||
|
|
||||||
writeclientsdb(clientsdb)
|
writeclientsdb(clientsdb)
|
||||||
|
#set password for the first time...
|
||||||
|
setencpasswd(vmname, vmpass)
|
||||||
def validate(vmname, srvpass):
|
|
||||||
""" return vmid or false if credentials match something in clientdb. useful for authing extrnal admin panels """
|
|
||||||
try:
|
|
||||||
clientsdb = readclientsdb()
|
|
||||||
path = utils.get_path(clientsdb, vmname)
|
|
||||||
c_id = str(path[0])
|
|
||||||
v_id = str(path[1])
|
|
||||||
#check the returned path with forward query
|
|
||||||
query = clientsdb[c_id][v_id]['hostname']
|
|
||||||
except:
|
|
||||||
return False
|
|
||||||
|
|
||||||
#double check
|
|
||||||
if query != vmname:
|
|
||||||
return None
|
|
||||||
else:
|
|
||||||
#try to capture the encrypted password
|
|
||||||
try:
|
|
||||||
encpass = clientsdb[c_id][v_id]['encpasswd']
|
|
||||||
except:
|
|
||||||
#cant query password
|
|
||||||
return None
|
|
||||||
|
|
||||||
#compare it with the requested password
|
|
||||||
b_srvpass = srvpass.encode('utf-8')
|
|
||||||
b_encpass = encpass.encode('utf-8')
|
|
||||||
if (hmac.compare_digest(bcrypt.hashpw(b_srvpass, b_encpass), b_encpass)):
|
|
||||||
#login successful
|
|
||||||
ioconfig.logger.info('clients> {} (clientid: {}, vmid: {}) was validated successfully!'.format(query, c_id, v_id))
|
|
||||||
#TODO: generate ticket for double check
|
|
||||||
generated_ticket = 'TODO'
|
|
||||||
response = { 'vpsid':v_id, 'ticket':generated_ticket }
|
|
||||||
return response
|
|
||||||
else:
|
|
||||||
ioconfig.logger.warning('clients> {} (clientid: {}, vmid: {}) ACCESS DENIED!'.format(query, c_id, v_id))
|
|
||||||
#cant compare password
|
|
||||||
return None
|
|
||||||
return None
|
|
||||||
|
|
||||||
|
|
||||||
def setencpasswd(vmname, newpass):
|
def setencpasswd(vmname, newpass):
|
||||||
|
@ -89,6 +51,7 @@ def setencpasswd(vmname, newpass):
|
||||||
raise
|
raise
|
||||||
|
|
||||||
if query != vmname:
|
if query != vmname:
|
||||||
|
ioconfig.logger.critical('clients> test query returns different vmname! check clients.json consistency!')
|
||||||
raise
|
raise
|
||||||
else:
|
else:
|
||||||
clientsdb[c_id][v_id]['encpasswd'] = encpasswd
|
clientsdb[c_id][v_id]['encpasswd'] = encpasswd
|
||||||
|
@ -97,6 +60,46 @@ def setencpasswd(vmname, newpass):
|
||||||
#TODO: change lxc container password
|
#TODO: change lxc container password
|
||||||
|
|
||||||
|
|
||||||
|
def validate(clientemail, srvpass):
|
||||||
|
""" return vmid or false if credentials match something in clientdb. useful for authing extrnal admin panels """
|
||||||
|
try:
|
||||||
|
clientsdb = readclientsdb()
|
||||||
|
path = utils.get_path(clientsdb, clientemail)
|
||||||
|
c_id = str(path[0])
|
||||||
|
#check the returned path with forward query
|
||||||
|
ioconfig.logger.info('clients> {} was found with clientid: {}'.format(clientemail, c_id))
|
||||||
|
except:
|
||||||
|
raise
|
||||||
|
ioconfig.logger.warning('clients> {} was not found in the database!'.format(clientemail))
|
||||||
|
#log bad ips here...
|
||||||
|
return False
|
||||||
|
|
||||||
|
vmlist = clientsdb[c_id]
|
||||||
|
#clear unused objects. perhaps there is a better way to do this but im kinda anxious today...
|
||||||
|
vmlist.pop('name')
|
||||||
|
vmlist.pop('email')
|
||||||
|
|
||||||
|
#try each vmid owned by this user for a password match
|
||||||
|
for vmid,data in vmlist.items():
|
||||||
|
print(vmid)
|
||||||
|
|
||||||
|
print(data)
|
||||||
|
#try to capture the encrypted password
|
||||||
|
encpass = data['encpasswd']
|
||||||
|
b_srvpass = srvpass.encode('utf-8')
|
||||||
|
b_encpass = encpass.encode('utf-8')
|
||||||
|
if (hmac.compare_digest(bcrypt.hashpw(b_srvpass, b_encpass), b_encpass)):
|
||||||
|
#login successful
|
||||||
|
ioconfig.logger.info('clients> {} was validated successfully by {}'.format(vmid, clientemail))
|
||||||
|
response = { 'vmid':vmid }
|
||||||
|
else:
|
||||||
|
ioconfig.logger.warning('clients> {} ACCESS DENIED!'.format(vmid))
|
||||||
|
#cant compare password
|
||||||
|
response = { }
|
||||||
|
#TODO: this will require major rewrite again.. or it will fail to auth 2 machines with same password. lame..
|
||||||
|
return response
|
||||||
|
|
||||||
|
|
||||||
def vmowner(vmid, vmname, verbose):
|
def vmowner(vmid, vmname, verbose):
|
||||||
""" find the owner of the vm """
|
""" find the owner of the vm """
|
||||||
clientsdb = readclientsdb()
|
clientsdb = readclientsdb()
|
||||||
|
@ -133,5 +136,5 @@ def writeclientsdb(clientsdb):
|
||||||
|
|
||||||
|
|
||||||
if __name__ == '__main__':
|
if __name__ == '__main__':
|
||||||
setencpasswd('srv.test1.com', 'todos')
|
#setencpasswd('srv.test1.com', 'todos')
|
||||||
validate('srv.test1.com', 'todos')
|
validate('daniel@deflax.net', 'todos')
|
||||||
|
|
|
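Review bot: In the rewritten `validate` (hunk `@ -97,6 +60,46 @@`), the `except:` block executes `raise` before the warning and `return False`, so those two lines are unreachable and an unknown email surfaces to the caller as an exception rather than the documented "false"; drop the `raise` (or move it after the warning only if re-raising is intended) and narrow the bare `except:` to the exceptions `utils.get_path` can actually raise. The `print(vmid)` / `print(data)` calls dump each VM record, including its `encpasswd` bcrypt hash, to stdout and should be removed before this ships. `vmlist.pop('name')` and `vmlist.pop('email')` raise `KeyError` if a client record lacks either key — whether every record has both is not visible here — so `vmlist.pop('name', None)` is the safer form. The loop never `break`s on a successful match, so a later VM with a non-matching hash overwrites `response` with `{ }` and the outcome depends on dict order; add `break` after `response = { 'vmid':vmid }`, and update the docstring, which still promises "vmid or false" while the code returns a dict.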
@ -46,12 +46,12 @@ def apicheck(params):
|
||||||
#API methods
|
#API methods
|
||||||
class Validate(object):
|
class Validate(object):
|
||||||
def on_post(self, req, resp):
|
def on_post(self, req, resp):
|
||||||
""" get domain name and mgmt pass and compare it with the client db and returns an authed object ID """
|
""" get clientemail and mgmt pass and compare it with the client db and returns an authed object ID """
|
||||||
domain = req.params['domain']
|
clientemail = req.params['clientemail']
|
||||||
passwd = req.params['password']
|
passwd = req.params['password']
|
||||||
logger.info('grid> access requested for {} with {}'.format(domain, passwd))
|
logger.info('grid> access requested for {} with {}'.format(clientemail, passwd))
|
||||||
#apicheck_stat, apicheck_resp = apicheck(req.params)
|
#apicheck_stat, apicheck_resp = apicheck(req.params)
|
||||||
response = clientsdb.validate(domain, passwd)
|
response = clientsdb.validate(clientemail, passwd)
|
||||||
if response is not None:
|
if response is not None:
|
||||||
resp.status = falcon.HTTP_200
|
resp.status = falcon.HTTP_200
|
||||||
resp.body = response
|
resp.body = response
|
||||||
|
|
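Review bot: The changed line `logger.info('grid> access requested for {} with {}'.format(clientemail, passwd))` writes the submitted password to the log in plaintext; log only the identifier, `logger.info('grid> access requested for {}'.format(clientemail))`. The `if response is not None:` check no longer distinguishes outcomes, because the rewritten `clientsdb.validate` in this commit returns `{ }` on a hash mismatch and raises (rather than returning `None`) when the email is not found, so the denied path also produces `falcon.HTTP_200`; test `if response:` and decide explicitly what status an empty result and a lookup exception should map to. `resp.body = response` assigns a dict, which falcon's body attribute presumably does not accept as-is — consider `resp.body = json.dumps(response)` if that is the intended wire format. The `on_post` body continues outside the hunk.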