undersys/proxmaster
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

simplifying user management

Browse source
This commit is contained in:
deflax 2016-10-17 12:10:41 +03:00
parent 60401254cd
commit b9b2eb0781
2 changed files with 80 additions and 105 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

151
clientsdb.py
View file

@ -4,8 +4,6 @@
#import site packages #import site packages
import json import json
import hmac
import bcrypt
#import local packages #import local packages
import ioconfig import ioconfig
@ -20,12 +18,13 @@ def addclient(vmid, vmname, clientid, clientname, clientemail, vmpass):
else: else:
ioconfig.logger.info('client[{}]> does not exist. creating...'.format(clientid)) ioconfig.logger.info('client[{}]> does not exist. creating...'.format(clientid))
#generate password and send it to the client #generate password and send it to the client
newpass = utils.genpassword(30) #newpass = utils.genpassword(30)
ioconfig.logger.info('client[{}]> initial password is: {}'.format(clientid, newpass)) #ioconfig.logger.info('client[{}]> initial password is: {}'.format(clientid, newpass))
salt = bcrypt.gensalt() #salt = bcrypt.gensalt()
b_newpass = newpass.encode('ascii') #b_newpass = newpass.encode('ascii')
encpasswd = bcrypt.hashpw(b_newpass, salt).decode('ascii') #encpasswd = bcrypt.hashpw(b_newpass, salt).decode('ascii')
vcard = { 'name':str(clientname), 'email':str(clientemail), 'encpasswd':str(encpasswd), 'id':str(clientid) } #vcard = { 'name':str(clientname), 'email':str(clientemail), 'encpasswd':str(encpasswd), 'id':str(clientid) }
vcard = { 'name':str(clientname), 'email':str(clientemail), 'id':str(clientid) }
newclient = { str(clientid):vcard } newclient = { str(clientid):vcard }
clientsdb.update(newclient) clientsdb.update(newclient)
#Send initial email to the user as we will use the internal auth from now on. #Send initial email to the user as we will use the internal auth from now on.
@ -38,84 +37,25 @@ def addclient(vmid, vmname, clientid, clientname, clientemail, vmpass):
writeclientsdb(clientsdb) writeclientsdb(clientsdb)
def setencpasswd(clientemail, newpass): def inventory(clientid):
""" setup a new management password """
salt = bcrypt.gensalt()
b_newpass = newpass.encode('ascii')
encpasswd = bcrypt.hashpw(b_newpass, salt).decode('ascii')
try:
clientsdb = readclientsdb()
path = utils.get_path(clientsdb, clientemail)
c_id = str(path[0])
#check the returned path with forward query
query = clientsdb[c_id]['email']
#ioconfig.logger.info('client[{}]> path={}'.format(c_id, str(path)))
except:
ioconfig.logger.critical('clients> client {} not found'.format(clientemail))
raise
if query != clientemail:
ioconfig.logger.critical('clients> test query returns different vmname! check clients db for consistency!')
raise
else:
clientsdb[c_id]['encpasswd'] = encpasswd
ioconfig.logger.info('client[{}]> {} password changed!'.format(c_id, clientemail))
writeclientsdb(clientsdb)
#TODO: Send new email to the client to notify the password change. This time sending the password in plain text is not needed.
def checkin(clientid):
""" returns a list of owned vmids if client id matches the client database. (logged-in users)""" """ returns a list of owned vmids if client id matches the client database. (logged-in users)"""
#1. search for the client
try: try:
clientsdb = readclientsdb() clientsdb = readclientsdb()
c_id = clientsdb[str(clientid)] user = clientsdb[str(clientid)]
#c_id.pop('encpasswd') email = user['email']
email = c_id['email']
ioconfig.logger.info('client[{}]> {} active'.format(clientid, email))
return c_id
except:
ioconfig.logger.error('clients> user id: {} could not be checked.'.format(clientid))
return None
def validate(clientemail, password):
""" returns a list of owned vmids if credentials match an user from the database. (fresh logins)"""
#1. search for the client
try:
clientsdb = readclientsdb()
path = utils.get_path(clientsdb, clientemail)
c_id = str(path[0])
except:
ioconfig.logger.error('clients> {} was not found in the database!'.format(clientemail))
#log bad ips here...
return None
#2. check the password
encpass = clientsdb[c_id]['encpasswd']
b_srvpass = password.encode('ascii', 'ignore')
b_encpass = encpass.encode('ascii', 'ignore')
if (hmac.compare_digest(bcrypt.hashpw(b_srvpass, b_encpass), b_encpass)):
#login successful
ioconfig.logger.info('client[{}]> {} logged in successfully'.format(c_id, clientemail))
#TODO: Notify admin
#3. generate vmlist to return the owned ids to the client.
return clientvms(clientsdb[c_id])
else:
ioconfig.logger.warning('client[{}]> {} access denied!'.format(c_id, clientemail))
#cant compare password
#TODO: Log attempts and block.
return None
def clientvms(vmlist):
""" generate vmlist """
response = {} response = {}
for vmid,data in vmlist.items(): for vmid,data in user.items()
response[vmid] = data response[vmid] = data
response.pop('id')
response.pop('email')
response.pop('name')
ioconfig.logger.info('client[{}]> {} inventory sent.'.format(clientid, email))
return response return response
except:
ioconfig.logger.error('clients> user id: {} could not be listed.'.format(clientid))
return None
def vmowner(vmid, vmname, verbose): def vmowner(vmid, vmname, verbose):
@ -153,6 +93,57 @@ def writeclientsdb(clientsdb):
dbw.close() dbw.close()
if __name__ == '__main__': if __name__ == '__main__'
setencpasswd('fqdn', '123456') setencpasswd('fqdn', '123456')
#def validate(clientemail, password):
# """ returns a list of owned vmids if credentials match an user from the database. (fresh logins)"""
# #1. search for the client
# try:
# clientsdb = readclientsdb()
# path = utils.get_path(clientsdb, clientemail)
# c_id = str(path[0])
# except:
# ioconfig.logger.error('clients> {} was not found in the database!'.format(clientemail))
# #log bad ips here...
# return None
# #2. check the password
# encpass = clientsdb[c_id]['encpasswd']
# b_srvpass = password.encode('ascii', 'ignore')
# b_encpass = encpass.encode('ascii', 'ignore')
# if (hmac.compare_digest(bcrypt.hashpw(b_srvpass, b_encpass), b_encpass)):
# #login successful
# ioconfig.logger.info('client[{}]> {} logged in successfully'.format(c_id, clientemail))
# #3. generate vmlist to return the owned ids to the client.
# return clientvms(clientsdb[c_id])
# else:
# ioconfig.logger.warning('client[{}]> {} access denied!'.format(c_id, clientemail))
# #cant compare password
# return None
#
#
#def setencpasswd(clientemail, newpass):
# """ setup a new management password """
# salt = bcrypt.gensalt()
# b_newpass = newpass.encode('ascii')
# encpasswd = bcrypt.hashpw(b_newpass, salt).decode('ascii')
# try:
# clientsdb = readclientsdb()
# path = utils.get_path(clientsdb, clientemail)
# c_id = str(path[0])
# #check the returned path with forward query
# query = clientsdb[c_id]['email']
# #ioconfig.logger.info('client[{}]> path={}'.format(c_id, str(path)))
# except:
# ioconfig.logger.critical('clients> client {} not found'.format(clientemail))
# raise
#
# if query != clientemail:
# ioconfig.logger.critical('clients> test query returns different vmname! check clients db for consistency!')
# raise
# else:
# clientsdb[c_id]['encpasswd'] = encpasswd
# ioconfig.logger.info('client[{}]> {} password changed!'.format(c_id, clientemail))
# writeclientsdb(clientsdb)

30
proxmaster.py
View file

@ -27,7 +27,7 @@ def welcome():
def selector(fn, req, vmid=0): def selector(fn, req, vmid=0):
""" try to exec commands """ """ try to exec commands """
json = req.context['doc'] json = req.context['doc']
#print(json) #TODO: remove debug print #print(json)
apipass = json['apikey'] apipass = json['apikey']
if apipass != config.get('general', 'apipass'): if apipass != config.get('general', 'apipass'):
status = falcon.HTTP_403 status = falcon.HTTP_403
@ -36,15 +36,9 @@ def selector(fn, req, vmid=0):
return status, body return status, body
try: try:
if fn == 'validate': if fn == 'inventory':
clientemail = json['clientemail']
passwd = json['password']
#logger.info('grid> access requested for {} with {}'.format(clientemail, passwd))
body = clientsdb.validate(clientemail, passwd)
elif fn == 'checkin':
clientid = json['clientid'] clientid = json['clientid']
body = clientsdb.checkin(clientid) body = clientsdb.inventory(clientid)
elif fn == 'vmcreate': elif fn == 'vmcreate':
body = plugin.vmcreate(json) body = plugin.vmcreate(json)
@ -147,18 +141,11 @@ def max_body(limit):
return hook return hook
class ValidateResource(object): class InventoryResource(object):
@falcon.before(max_body(64 * 1024))
def on_post(self, req, resp):
""" get clientemail and password, compare it with the client db and returns a list of managed objects """
resp.status, response = selector('validate', req)
req.context['result'] = response
class CheckInResource(object):
@falcon.before(max_body(64 * 1024)) @falcon.before(max_body(64 * 1024))
def on_post(self, req, resp): def on_post(self, req, resp):
""" get client id, compare it with the client db and returns a list of managed objects """ """ get client id, compare it with the client db and returns a list of managed objects """
resp.status, response = selector('checkin', req) resp.status, response = selector('inventory', req)
req.context['result'] = response req.context['result'] = response
class CreateResource(object): class CreateResource(object):
@ -250,11 +237,8 @@ wsgi_app = api = application = falcon.API(middleware=[
]) ])
# setup routes # setup routes
res_validate = ValidateResource() res_inventory = InventoryResource()
api.add_route('/validate', res_validate) api.add_route('/inventory', res_inventory)
res_checkin = CheckInResource()
api.add_route('/checkin', res_checkin)
res_create = CreateResource() res_create = CreateResource()
api.add_route('/vmcreate', res_create) api.add_route('/vmcreate', res_create)