authorAleksey Lim <alsroot@sugarlabs.org>2012-01-16 20:33:33 (GMT)
committer Aleksey Lim <alsroot@sugarlabs.org>2012-01-16 20:33:33 (GMT)
commit38eb3255e9f7ad163e44be1597d67e9621f6b949 (patch)
treea4fac57895212185c503919fd40f219369a9892c
parentbacb29aee9124ea9cc7557e976d1c103d37da84b (diff)
To avoid failing in environments with OpenSSH 5.5 or earlier, add --trust-users to disable auth
-rw-r--r--restful_document/env.py14
-rw-r--r--restful_document/user.py21
2 files changed, 28 insertions, 7 deletions
diff --git a/restful_document/env.py b/restful_document/env.py
index f6d4fce..8b9bec0 100644
--- a/restful_document/env.py
+++ b/restful_document/env.py
@@ -14,6 +14,7 @@
# along with this program. If not, see <http://www.gnu.org/licenses/>.
import json
+import urllib
import threading
from urlparse import parse_qsl
from gettext import gettext as _
@@ -51,6 +52,11 @@ rundir = util.Option(
_('path to the directory to place pid files'),
default='/var/run')
+trust_users = util.Option(
+ _('switch off user credentials check; disabling this option will ' \
+ 'require OpenSSH-5.6 or later.'),
+ default=False, type_cast=util.Option.bool_cast, action='store_true')
+
def pop_str(name, kwargs, default=_default):
if name in kwargs:
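Review bot: The help text for `trust_users` does not state the consequence an operator has to weigh: with the flag set, `User.verify` in user.py returns before the signature is checked, so requests are accepted on the guid alone. The clause "disabling this option will require OpenSSH-5.6 or later" is also easy to misread as a requirement of the flag itself. Suggested wording: `_('accept requests without verifying user signatures (no authentication); leave off unless OpenSSH is older than 5.6')`.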
@@ -117,10 +123,12 @@ class Request(threading.local):
def set(self, environ):
self.environ = environ
+ path = environ['PATH_INFO'] or '/'
+ __, path = urllib.splittype(path)
+ __, path = urllib.splithost(path)
+ self.url = path
+ self.path = [i for i in path.strip('/').split('/') if i]
self.method = environ['REQUEST_METHOD']
- self.url = environ['PATH_INFO'] or '/'
- self.path = \
- [i for i in environ['PATH_INFO'].strip('/').split('/') if i]
self.query = {}
self.content = None
self.content_stream = environ.get('wsgi.input')
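Review bot: The `or '/'` default on the new `path = environ['PATH_INFO'] or '/'` line is applied before the scheme and host are stripped, so a PATH_INFO that carries a scheme and host but no path component leaves `path` empty and `self.url` becomes `''` instead of `'/'`. Applying the default after the two `urllib.split*` calls keeps the previous guarantee: `self.url = path or '/'`. A one-line comment above the split calls saying which client or server sends an absolute URL in PATH_INFO would help, since the reason is not visible here. The body of `set` continues past the end of the hunk.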
diff --git a/restful_document/user.py b/restful_document/user.py
index 604bb72..6202171 100644
--- a/restful_document/user.py
+++ b/restful_document/user.py
@@ -14,6 +14,7 @@
# along with this program. If not, see <http://www.gnu.org/licenses/>.
import hashlib
+import logging
from os.path import exists
from gettext import gettext as _
@@ -28,6 +29,9 @@ from restful_document.metadata import restful_method
from restful_document.document import Document
+_logger = logging.getLogger('sugar_stats')
+
+
class User(Document):
def __init__(self, guid=None, manual_guid=None, *args, **kwargs):
@@ -70,8 +74,10 @@ class User(Document):
def verify(cls, guid, signature):
# TODO Avoid direct access to pubkey property
pubkey_path = cls.metadata.path(guid[:2], guid, 'pubkey')
- enforce(exists(pubkey_path), env.Forbidden,
+ enforce(exists(pubkey_path), env.Unauthorized,
_('Principal user does not exist'))
+ if env.trust_users.value:
+ return
pubkey = DSA.load_pub_key(pubkey_path)
data = hashlib.sha1(guid).digest()
enforce(pubkey.verify_asn1(data, signature.decode('hex')),
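Review bot: The early `return` under `env.trust_users.value` leaves no record that a request was accepted without a signature check, so it cannot be established afterwards which actions were authenticated. On this path `signature` is never read and the only remaining condition is that a pubkey file exists for `guid`. Consider logging the bypass with the module's new logger, e.g. `_logger.warning('Signature check skipped for %s: trust_users is set', guid)`, or emitting a single warning at startup when the option is on. The `enforce(pubkey.verify_asn1(...` call is cut off by the end of the hunk.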
@@ -88,10 +94,17 @@ def _load_pubkey(pubkey):
try:
src_path = util.TempFilePath(text=pubkey)
# SSH key needs to be converted to PKCS8 to ket M2Crypto read it
- dst_pubkey = util.assert_call(
+ pubkey_pkcs8 = util.assert_call(
['ssh-keygen', '-f', src_path, '-e', '-m', 'PKCS8'])
except Exception:
message = _('Cannot read DSS public key gotten for registeration')
util.exception(message)
- raise env.Forbidden(message)
- return str(hashlib.sha1(pubkey.split()[1]).hexdigest()), dst_pubkey
+ if env.trust_users.value:
+ _logger.warning(_('Failed to read registration pubkey, ' \
+ 'but we trust users'))
+ # Keep SSH key for further converting to PKCS8
+ pubkey_pkcs8 = pubkey
+ else:
+ raise env.Forbidden(message)
+
+ return str(hashlib.sha1(pubkey.split()[1]).hexdigest()), pubkey_pkcs8
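Review bot: `pubkey.split()[1]` on the final `return` line sits outside the `try`, so in the new `trust_users` branch a key that failed conversion because it is malformed (a single token, for example) raises an unhandled IndexError instead of `env.Forbidden`. The same branch stores the submitted text unchanged as the user's key, so nothing checks that it is a key at all, and the comment about converting it to PKCS8 later has no counterpart in the visible code. A minimal guard before the return would be `enforce(len(pubkey.split()) > 1, env.Forbidden, _('Malformed public key'))`. `_load_pubkey` starts before this hunk.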