Metadata: implement full debugging for client metadata authentication

git-svn-id: https://svn.mcs.anl.gov/repos/bcfg/trunk/bcfg2@5586 ce84e21b-d406-0410-9b95-82705330c041
author: Narayan Desai <desai@mcs.anl.gov> 2009-11-21 01:11:06 +0000
committer: Narayan Desai <desai@mcs.anl.gov> 2009-11-21 01:11:06 +0000
commit: a9c608cbc181011cdbb0467a8f1fe0a4097f4c92 (patch)
tree: e4ead72b8bf6ce24a70b6b59e1380a94562d4c26 /src
parent: 4c72dd74ad64c52fb1424416fe35f6235514e66d (diff)
download: bcfg2-a9c608cbc181011cdbb0467a8f1fe0a4097f4c92.tar.gz
bcfg2-a9c608cbc181011cdbb0467a8f1fe0a4097f4c92.tar.bz2
bcfg2-a9c608cbc181011cdbb0467a8f1fe0a4097f4c92.zip
1 files changed, 29 insertions, 21 deletions
diff --git a/src/lib/Server/Plugins/Metadata.py b/src/lib/Server/Plugins/Metadata.py
index 105d73125..e5b21e3fd 100644
--- a/src/lib/Server/Plugins/Metadata.py
+++ b/src/lib/Server/Plugins/Metadata.py
@@ -304,7 +304,7 @@ class Metadata(Bcfg2.Server.Plugin.Plugin,
         filename = event.filename.split('/')[-1]
         if filename in ['groups.xml', 'clients.xml']:
             dest = filename
-        elif filename in reduce(lambda x,y:x+y, self.extra.values()):
+        elif filename in reduce(lambda x, y:x+y, self.extra.values()):
             if event.code2str() == 'exists':
                 return
             dest = [key for key, value in self.extra.iteritems() if filename in value][0]
@@ -600,44 +600,47 @@ class Metadata(Bcfg2.Server.Plugin.Plugin,
             setattr(imd, source, data)
             imd.connectors.append(source)
 
-    def validate_client_address(self, client, address):
+    def validate_client_address(self, client, addresspair):
         '''Check address against client'''
+        address = addresspair[0]
         if client in self.floating:
+            self.debug_log("Client %s is floating" % client)
             return True
         if address in self.addresses:
             if client == self.addresses[address]:
+                self.debug_log("Client %s matches address %s" % (client, address))
                 return True
             else:
                 self.logger.error("Got request for non-float client %s from %s" \
                                   % (client, address))
                 return False
-        resolved = self.resolve_client(address)
+        resolved = self.resolve_client(addresspair)
         if resolved == client:
             return True
         else:
             self.logger.error("Got request for %s from incorrect address %s" \
                               % (client, address))
+            self.logger.error("Resolved to %s" % resolved)
             return False
 
     def AuthenticateConnection(self, cert, user, password, address):
         '''This function checks auth creds'''
         if cert:
+            id_method = 'cert'
             certinfo = dict([x[0] for x in cert['subject']])
             # look at cert.cN
             client = certinfo['commonName']
+            self.debug_log("Got cN %s; using as client name" % client)
             auth_type = self.auth.get(client, 'cert+password')
-            addr_check = self.validate_client_address(client, address)
-            if auth_type == 'cert':
-                # we can't continue to password auth
-                return addr_check
-        if user == 'root':
-            # we aren't using per-client keys
+        elif user == 'root':
+            id_method = 'address'
             try:
                 client = self.resolve_client(address)
             except MetadataConsistencyError:
-                self.logger.error("Client %s failed to authenticate due to metadata problem" % (address[0]))
+                self.logger.error("Client %s failed to resolve; metadata problem" % (address[0]))
                 return False
         else:
+            id_method = 'uuid'
             # user maps to client
             if user not in self.uuid:
                 client = user
@@ -645,17 +648,22 @@ class Metadata(Bcfg2.Server.Plugin.Plugin,
             else:
                 client = self.uuid[user]
 
-        # we have the client
-        if client not in self.floating and user != 'root':
-            if address[0] in self.addresses:
-                # we are using manual resolution
-                if client not in self.addresses[address[0]]:
-                    self.logger.error("Got request for non-floating UUID %s from %s" % (user, address[0]))
-                    return False
-            elif client != self.resolve_client(address):
-                self.logger.error("Got request for non-floating UUID %s from %s" \
-                                  % (user, address[0]))
-                return False
+        # we have the client name
+        self.debug_log("Authenticating client %s" % client)
+
+        # next we validate the address
+        if id_method == 'uuid':
+            addr_is_valid = True
+        else:
+            addr_is_valid = self.validate_client_address(client, address)
+
+        if not addr_is_valid:
+            return False
+
+        if id_method == 'cert' and auth_type != 'cert+password':
+            # we are done if cert+password not required
+            return True
+
         if client not in self.passwords:
             if client in self.secure:
                 self.logger.error("Client %s in secure mode but has no password" % (address[0]))
author	Narayan Desai <desai@mcs.anl.gov>	2009-11-21 01:11:06 +0000
committer	Narayan Desai <desai@mcs.anl.gov>	2009-11-21 01:11:06 +0000
commit	a9c608cbc181011cdbb0467a8f1fe0a4097f4c92 (patch)
tree	e4ead72b8bf6ce24a70b6b59e1380a94562d4c26 /src
parent	4c72dd74ad64c52fb1424416fe35f6235514e66d (diff)
download	bcfg2-a9c608cbc181011cdbb0467a8f1fe0a4097f4c92.tar.gz bcfg2-a9c608cbc181011cdbb0467a8f1fe0a4097f4c92.tar.bz2 bcfg2-a9c608cbc181011cdbb0467a8f1fe0a4097f4c92.zip