author | Alexander Sulfrian <alexander@sulfrian.net> | 2015-02-24 18:05:13 +0100 |
committer | Alexander Sulfrian <alexander@sulfrian.net> | 2015-02-24 22:50:40 +0100 |
commit | deb8729a09d74d2efe5bdf86e3a2d3c1274590ab (patch) | |
tree | 14038e7683e289b6376a33a79caf7f6f0e390be9 | |
parent | 78cac1d0a6923ebc73ff221f8501885c36c112c1 (diff) | |
download | bcfg2-deb8729a09d74d2efe5bdf86e3a2d3c1274590ab.tar.gz bcfg2-deb8729a09d74d2efe5bdf86e3a2d3c1274590ab.tar.bz2 bcfg2-deb8729a09d74d2efe5bdf86e3a2d3c1274590ab.zip |
Server/Plugins/Metadata: Reject passwd clients, if auth_type is cert
If the auth type (either globally or specifically for the client) is set to cert auth,
we have to reject clients that do not provide a cert.
-rw-r--r-- | doc/releases/1.3.6.txt | 2 | ||||
-rw-r--r-- | src/lib/Bcfg2/Server/Plugins/Metadata.py | 9 |
2 files changed, 9 insertions, 2 deletions
diff --git a/doc/releases/1.3.6.txt b/doc/releases/1.3.6.txt
index 757fbf6f5..f41320f1a 100644
--- a/doc/releases/1.3.6.txt
+++ b/doc/releases/1.3.6.txt
@@ -30,5 +30,7 @@ This is primarily a bugfix release.
 https://docs.djangoproject.com/en/1.7/ref/settings/#std:setting-OPTIONS
+* Authentication: Reject passwd auth, if authentication is set to "cert"
+
 Special thanks to the following contributors for this release: Michael Fenn, Matt Kemp, Alexander Sulfrian, Jonathan Billings.
diff --git a/src/lib/Bcfg2/Server/Plugins/Metadata.py b/src/lib/Bcfg2/Server/Plugins/Metadata.py
index 1e5544c6b..f805772a7 100644
--- a/src/lib/Bcfg2/Server/Plugins/Metadata.py
+++ b/src/lib/Bcfg2/Server/Plugins/Metadata.py
@@ -1391,8 +1391,6 @@ class Metadata(Bcfg2.Server.Plugin.Metadata,
 # look at cert.cN
 client = certinfo['commonName']
 self.debug_log("Got cN %s; using as client name" % client)
- auth_type = self.auth.get(client, self.core.setup['authentication'])
 elif user == 'root':
 id_method = 'address'
 try:
@@ -1414,6 +1412,13 @@ class Metadata(Bcfg2.Server.Plugin.Metadata,
 # we have the client name
 self.debug_log("Authenticating client %s" % client)
+ # validate id_method
+ auth_type = self.auth.get(client, self.core.setup['authentication'])
+ if auth_type == 'cert' and id_method != 'cert':
+ self.logger.error("Client %s does not provide a cert, but only " "cert auth is allowed" % client)
+ return False
+
 # next we validate the address
 if (id_method != 'uuid' and not self.validate_client_address(client, address)): |
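Review bot: The new cert-only guard in the second Metadata.py hunk looks up `self.auth.get(client, self.core.setup['authentication'])` under a client name that, whenever `id_method` is not 'cert', was derived from the request rather than from a certificate (the `user == 'root'` branch in the first hunk sets `id_method = 'address'`; the uuid path lies outside these hunks), so a per-client `self.auth` entry weaker than 'cert' is selected by whichever name the caller presents, not by a verified identity. The global default is unaffected, but it is worth confirming that the password validation following this block still enforces that per-client policy against the same claimed name, and stating that assumption in the code. The comment `# validate id_method` understates what the block does; I would replace it with `# enforce cert-only policy: a client whose auth_type is 'cert' must have identified itself by certificate (id_method == 'cert'); note auth_type is keyed by a client name that is not yet verified on the non-cert paths`. The enclosing method starts before the first hunk and ends after the second.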