auth client email with machine password

clientsdb.py

@@ -11,8 +11,8 @@ import bcrypt
 import ioconfig
 import utils
 
-def addclient(vmid, vmname, clientid, clientname, clientemail, srvpass):
-    """ add new client to the clientsdb.json """
+def addclient(vmid, vmname, clientid, clientname, clientemail, vmpass):
+    """ add new client with the requested vm to the clientsdb.json """
     clientsdb = readclientsdb()
 
     if str(clientid) in clientsdb:
@@ -24,50 +24,12 @@ def addclient(vmid, vmname, clientid, clientname, clientemail, srvpass):
         clientsdb.update(newclient)
     ioconfig.logger.info('clients> vmid {} owner set to {} (id: {}, email: {})'.format(vmid, clientname, clientid, clientemail))
 
-    vmdata = { 'hostname':str(vmname), 'vmid':str(vmid), 'ownerid':str(clientid), 'username':str(srvuser), 'password': str(srvpass) }
+    #create initial vm template
+    vmdata = { 'hostname':str(vmname), 'vmid':str(vmid), 'ownerid':str(clientid) }
     clientsdb[str(clientid)][str(vmid)] = vmdata
-
     writeclientsdb(clientsdb)
-
-
-def validate(vmname, srvpass):
-    """ return vmid or false if credentials match something in clientdb. useful for authing extrnal admin panels """
-    try:
-        clientsdb = readclientsdb()
-        path = utils.get_path(clientsdb, vmname)
-        c_id = str(path[0])
-        v_id = str(path[1])
-        #check the returned path with forward query
-        query = clientsdb[c_id][v_id]['hostname']
-    except:
-        return False
-
-    #double check
-    if query != vmname:
-        return None
-    else:
-        #try to capture the encrypted password
-        try:
-            encpass = clientsdb[c_id][v_id]['encpasswd']
-        except:
-            #cant query password
-            return None
-
-        #compare it with the requested password
-        b_srvpass = srvpass.encode('utf-8')
-        b_encpass = encpass.encode('utf-8')
-        if (hmac.compare_digest(bcrypt.hashpw(b_srvpass, b_encpass), b_encpass)):
-            #login successful
-            ioconfig.logger.info('clients> {} (clientid: {}, vmid: {}) was validated successfully!'.format(query, c_id, v_id))
-            #TODO: generate ticket for double check
-            generated_ticket = 'TODO'
-            response = { 'vpsid':v_id, 'ticket':generated_ticket }
-            return response
-        else:
-            ioconfig.logger.warning('clients> {} (clientid: {}, vmid: {}) ACCESS DENIED!'.format(query, c_id, v_id))
-            #cant compare password
-            return None
-    return None
+    #set password for the first time...
+    setencpasswd(vmname, vmpass)
 
 
 def setencpasswd(vmname, newpass):
@@ -89,6 +51,7 @@ def setencpasswd(vmname, newpass):
         raise
 
     if query != vmname:
+        ioconfig.logger.critical('clients> test query returns different vmname! check clients.json consistency!')
         raise
     else:
         clientsdb[c_id][v_id]['encpasswd'] = encpasswd
@@ -97,6 +60,46 @@ def setencpasswd(vmname, newpass):
         #TODO: change lxc container password
 
 
+def validate(clientemail, srvpass):
+    """ return vmid or false if credentials match something in clientdb. useful for authing extrnal admin panels """
+    try:
+        clientsdb = readclientsdb()
+        path = utils.get_path(clientsdb, clientemail) 
+        c_id = str(path[0])
+        #check the returned path with forward query
+        ioconfig.logger.info('clients> {} was found with clientid: {}'.format(clientemail, c_id))
+    except:
+        raise
+        ioconfig.logger.warning('clients> {} was not found in the database!'.format(clientemail))
+        #log bad ips here...
+        return False
+
+    vmlist = clientsdb[c_id]
+    #clear unused objects. perhaps there is a better way to do this but im kinda anxious today...
+    vmlist.pop('name')
+    vmlist.pop('email')
+
+    #try each vmid owned by this user for a password match
+    for vmid,data in vmlist.items():
+        print(vmid)
+        
+        print(data)
+        #try to capture the encrypted password
+        encpass = data['encpasswd']
+        b_srvpass = srvpass.encode('utf-8')
+        b_encpass = encpass.encode('utf-8')
+        if (hmac.compare_digest(bcrypt.hashpw(b_srvpass, b_encpass), b_encpass)):
+            #login successful
+            ioconfig.logger.info('clients> {} was validated successfully by {}'.format(vmid, clientemail))
+            response = { 'vmid':vmid }
+        else:
+            ioconfig.logger.warning('clients> {} ACCESS DENIED!'.format(vmid))
+            #cant compare password
+            response = { }
+    #TODO: this will require major rewrite again.. or it will fail to auth 2 machines with same password. lame..
+    return response
+
+
 def vmowner(vmid, vmname, verbose):
     """ find the owner of the vm """
     clientsdb = readclientsdb()
@@ -133,5 +136,5 @@ def writeclientsdb(clientsdb):
 
 
 if __name__ == '__main__':
-    setencpasswd('srv.test1.com', 'todos')
-    validate('srv.test1.com', 'todos')
+    #setencpasswd('srv.test1.com', 'todos')
+    validate('daniel@deflax.net', 'todos')

proxmaster.py

@@ -46,12 +46,12 @@ def apicheck(params):
 #API methods
 class Validate(object):
     def on_post(self, req, resp):
-        """ get domain name and mgmt pass and compare it with the client db and returns an authed object ID """
-        domain = req.params['domain']
+        """ get clientemail and mgmt pass and compare it with the client db and returns an authed object ID """
+        clientemail = req.params['clientemail']
         passwd = req.params['password']
-        logger.info('grid> access requested for {} with {}'.format(domain, passwd))
+        logger.info('grid> access requested for {} with {}'.format(clientemail, passwd))
         #apicheck_stat, apicheck_resp = apicheck(req.params)
-        response = clientsdb.validate(domain, passwd)
+        response = clientsdb.validate(clientemail, passwd)
         if response is not None:
             resp.status = falcon.HTTP_200
             resp.body =  response