From b8ebd636ac3a5e2919b3e62041019f26acb1e2c0 Mon Sep 17 00:00:00 2001
From: "Chris St. Pierre"
Date: Thu, 7 Feb 2013 10:01:16 -0500
Subject: Metadata: allowed setting global default authentication type
---
 doc/appendix/guides/authentication.txt | 33 ++++++++++++++++++++++----------
 doc/server/plugins/grouping/metadata.txt | 4 ++--
 src/lib/Bcfg2/Options.py | 8 +++++++-
 src/lib/Bcfg2/Server/Plugins/Metadata.py | 32 ++++++++++++------------------
 4 files changed, 44 insertions(+), 33 deletions(-)
diff --git a/doc/appendix/guides/authentication.txt b/doc/appendix/guides/authentication.txt
index 3fd0e1e2d..b8ec82590 100644
--- a/doc/appendix/guides/authentication.txt
+++ b/doc/appendix/guides/authentication.txt
@@ -132,13 +132,26 @@ controlled through the use of the auth attribute in
 Allowed values are:
 
- +---------------+------------------------------------------+
- | **Auth Type** | **Meaning** |
- +===============+==========================================+
- | cert | Certificates must be used |
- +---------------+------------------------------------------+
- | cert+password | Certificate or password may be used |
- +---------------+------------------------------------------+
- | bootstrap | Password can be used for one client run, |
- | | after that certificate is required |
- +---------------+------------------------------------------+
++-------------------+------------------------------------------+
+| Auth Type | Meaning |
++===================+==========================================+
+| ``cert`` | Certificates must be used |
++-------------------+------------------------------------------+
+| ``cert+password`` | Certificate or password may be used. If |
+| | a certificate is used, the password must |
+| | also be used. |
++-------------------+------------------------------------------+
+| ``bootstrap`` | Password can be used for one client run, |
+| | after that only certificate is allowed |
++-------------------+------------------------------------------+
+
+``cert+password`` is the default. This can be changed by setting the
+``authentication`` parameter in the ``[communcation]`` section of
+``bcfg2.conf``. For instance, to set ``bootstrap`` mode as the global
+default, you would add the following to ``bcfg2.conf``::
+
+ [communication]
+ authentication = bootstrap
+
+``bootstrap`` mode is currently incompatible with the
+:ref:`server-plugins-grouping-metadata-clients-database`.
 
diff --git a/doc/server/plugins/grouping/metadata.txt b/doc/server/plugins/grouping/metadata.txt
index 11b3d5496..f4c5cbcb3 100644
--- a/doc/server/plugins/grouping/metadata.txt
+++ b/doc/server/plugins/grouping/metadata.txt
@@ -32,7 +32,7 @@ clients.xml
 ===========
 
 The ``clients.xml`` file contains the mappings of Profile Groups
-to clients. The file is just a series of ** tags, each of which
+to clients. The file is just a series of ```` tags, each of which
 describe one host. A sample file is below:
 
 .. code-block:: xml
@@ -43,7 +43,7 @@ describe one host. A sample file is below:
- +
diff --git a/src/lib/Bcfg2/Options.py b/src/lib/Bcfg2/Options.py
index 07d089f05..be3a4c7b3 100644
--- a/src/lib/Bcfg2/Options.py
+++ b/src/lib/Bcfg2/Options.py
@@ -582,6 +582,11 @@ SERVER_UMASK = \
 default='0077',
 odesc='',
 cf=('server', 'umask'))
+SERVER_AUTHENTICATION = \
+ Option('Default client authentication method',
+ default='cert+password',
+ odesc='{cert|bootstrap|cert+password}',
+ cf=('communication', 'authentication'))
 
 # database options
 DB_ENGINE = \
@@ -1115,7 +1120,8 @@ SERVER_COMMON_OPTIONS = dict(repo=SERVER_REPOSITORY,
 protocol=SERVER_PROTOCOL,
 web_configfile=WEB_CFILE,
 backend=SERVER_BACKEND,
- vcs_root=SERVER_VCS_ROOT)
+ vcs_root=SERVER_VCS_ROOT,
+ authentication=SERVER_AUTHENTICATION)
 
 CRYPT_OPTIONS = dict(encrypt=ENCRYPT,
 decrypt=DECRYPT,
diff --git a/src/lib/Bcfg2/Server/Plugins/Metadata.py b/src/lib/Bcfg2/Server/Plugins/Metadata.py
index df98e6ea8..bd02739d5 100644
--- a/src/lib/Bcfg2/Server/Plugins/Metadata.py
+++ b/src/lib/Bcfg2/Server/Plugins/Metadata.py
@@ -677,8 +677,7 @@ class Metadata(Bcfg2.Server.Plugin.Metadata,
 self.raddresses[clname] = set()
 self.raddresses[clname].add(caddr)
 if 'auth' in client.attrib:
- self.auth[client.get('name')] = client.get('auth',
- 'cert+password')
+ self.auth[client.get('name')] = client.get('auth')
 if 'uuid' in client.attrib:
 self.uuid[client.get('uuid')] = clname
 if client.get('secure', 'false').lower() == 'true':
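Review bot: `SERVER_AUTHENTICATION` accepts whatever string is in `[communication] authentication`; as far as this hunk shows, nothing restricts it to the three values named in `odesc`, and the only test on the value visible in this patch is `auth_type != 'cert+password'` in the Metadata.py hunk at `@@ -1215`, so a misspelled setting would most likely be treated as "password not required" rather than rejected. Fail closed by validating the value once at startup where Metadata reads `self.core.setup['authentication']`, e.g. `if auth not in ('cert', 'bootstrap', 'cert+password'): raise Bcfg2.Server.Plugin.PluginInitError("Unknown authentication type: %s" % auth)`. The same applies to the per-client `auth` attribute stored in the `@@ -677` hunk, unless the clients.xml schema already constrains it. The prose added to doc/appendix/guides/authentication.txt in this commit spells the section `[communcation]`, which does not match the `cf=('communication', 'authentication')` key defined here.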
@@ -1192,7 +1191,8 @@ class Metadata(Bcfg2.Server.Plugin.Metadata,
 # look at cert.cN
 client = certinfo['commonName']
 self.debug_log("Got cN %s; using as client name" % client)
- auth_type = self.auth.get(client, 'cert+password')
+ auth_type = self.auth.get(client,
+ self.core.setup['authentication'])
 elif user == 'root':
 id_method = 'address'
 try:
@@ -1215,12 +1215,8 @@ class Metadata(Bcfg2.Server.Plugin.Metadata,
 self.debug_log("Authenticating client %s" % client)
 
 # next we validate the address
- if id_method == 'uuid':
- addr_is_valid = True
- else:
- addr_is_valid = self.validate_client_address(client, address)
-
- if not addr_is_valid:
+ if (id_method != 'uuid' and
+ not self.validate_client_address(client, address)):
 return False
 
 if id_method == 'cert' and auth_type != 'cert+password':
@@ -1230,23 +1226,19 @@ class Metadata(Bcfg2.Server.Plugin.Metadata,
 # we are done if cert+password not required
 return True
 
- if client not in self.passwords:
- if client in self.secure:
- self.logger.error("Client %s in secure mode but has no "
- "password" % address[0])
- return False
- if password != self.password:
- self.logger.error("Client %s used incorrect global password" %
- address[0])
- return False
+ if client not in self.passwords and client in self.secure:
+ self.logger.error("Client %s in secure mode but has no password" %
+ address[0])
+ return False
+
 if client not in self.secure:
 if client in self.passwords:
 plist = [self.password, self.passwords[client]]
 else:
 plist = [self.password]
 if password not in plist:
- self.logger.error("Client %s failed to use either allowed "
- "password" % address[0])
+ self.logger.error("Client %s failed to use an allowed password"
+ % address[0])
 return False
 else:
 # client in secure mode and has a client password
-- 
cgit v1.2.3-1-g7c22
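Review bot: `if password not in plist:` in the `@@ -1230` hunk compares the submitted password against the global and per-client secrets with plain string equality, and after this restructure it is the single check for every client outside `self.secure`; the comparison is not constant-time, so where the supported interpreters provide it (Python 2.7.7+/3.3+) prefer `hmac.compare_digest`, e.g. `if password is None or not any(hmac.compare_digest(password, p) for p in plist):` with `import hmac` at module level and both operands of the same string type. The enclosing authentication method starts before the hunk and the `else:` branch for secure clients continues after it, so whatever comparison that branch performs would need the same treatment. The rewritten message `"Client %s failed to use an allowed password"` still reports `address[0]` although `client` is the resolved name at this point; logging both would make triage of failed authentications easier.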