authorAlexander Sulfrian <alexander@sulfrian.net>2015-02-24 18:05:13 +0100
committerAlexander Sulfrian <alexander@sulfrian.net>2015-02-24 22:50:40 +0100
commitdeb8729a09d74d2efe5bdf86e3a2d3c1274590ab (patch)
tree14038e7683e289b6376a33a79caf7f6f0e390be9 /src
parent78cac1d0a6923ebc73ff221f8501885c36c112c1 (diff)
Server/Plugins/Metadata: Reject passwd clients, if auth_type is cert
If the auth type (either globally or specific for the client) is set to cert auth, we have to reject clients that do not provide a cert.
Diffstat (limited to 'src')
-rw-r--r--src/lib/Bcfg2/Server/Plugins/Metadata.py9
1 files changed, 7 insertions, 2 deletions
diff --git a/src/lib/Bcfg2/Server/Plugins/Metadata.py b/src/lib/Bcfg2/Server/Plugins/Metadata.py
index 1e5544c6b..f805772a7 100644
--- a/src/lib/Bcfg2/Server/Plugins/Metadata.py
+++ b/src/lib/Bcfg2/Server/Plugins/Metadata.py
@@ -1391,8 +1391,6 @@ class Metadata(Bcfg2.Server.Plugin.Metadata,
# look at cert.cN
client = certinfo['commonName']
self.debug_log("Got cN %s; using as client name" % client)
- auth_type = self.auth.get(client,
- self.core.setup['authentication'])
elif user == 'root':
id_method = 'address'
try:
@@ -1414,6 +1412,13 @@ class Metadata(Bcfg2.Server.Plugin.Metadata,
# we have the client name
self.debug_log("Authenticating client %s" % client)
+ # validate id_method
+ auth_type = self.auth.get(client, self.core.setup['authentication'])
+ if auth_type == 'cert' and id_method != 'cert':
+ self.logger.error("Client %s does not provide a cert, but only "
+ "cert auth is allowed" % client)
+ return False
+
# next we validate the address
if (id_method != 'uuid' and
not self.validate_client_address(client, address)):
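Review bot: The new guard rejects a certificate-less client only when `auth_type == 'cert'`, so a client configured for Bcfg2's `cert+password` mode that presents no certificate is not stopped here. Unless a later part of the function (outside this hunk) enforces the certificate for that mode, such a client could authenticate with the password alone; consider `if auth_type in ('cert', 'cert+password') and id_method != 'cert':`. On the non-cert paths `client` comes from address resolution or from the supplied user name, so the per-client `self.auth` lookup depends on that identification, and a comment stating this next to `# validate id_method` would help the next reader. The error log would also be more useful for detection if it included the peer address alongside the client name.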