From deb8729a09d74d2efe5bdf86e3a2d3c1274590ab Mon Sep 17 00:00:00 2001 From: Alexander Sulfrian Date: Tue, 24 Feb 2015 18:05:13 +0100 Subject: Server/Plugins/Metadata: Reject passwd clients, if auth_type is cert If the auth type (either globally or specific for the client) is set to cert auth, we have to reject clients that does not provide a cert. --- doc/releases/1.3.6.txt | 2 ++ src/lib/Bcfg2/Server/Plugins/Metadata.py | 9 +++++++-- 2 files changed, 9 insertions(+), 2 deletions(-) diff --git a/doc/releases/1.3.6.txt b/doc/releases/1.3.6.txt index 757fbf6f5..f41320f1a 100644 --- a/doc/releases/1.3.6.txt +++ b/doc/releases/1.3.6.txt @@ -30,5 +30,7 @@ This is primarily a bugfix release. https://docs.djangoproject.com/en/1.7/ref/settings/#std:setting-OPTIONS +* Authentication: Reject passwd auth, if authentication is set to "cert" + Special thanks to the following contributors for this release: Michael Fenn, Matt Kemp, Alexander Sulfrian, Jonathan Billings. diff --git a/src/lib/Bcfg2/Server/Plugins/Metadata.py b/src/lib/Bcfg2/Server/Plugins/Metadata.py index 1e5544c6b..f805772a7 100644 --- a/src/lib/Bcfg2/Server/Plugins/Metadata.py +++ b/src/lib/Bcfg2/Server/Plugins/Metadata.py @@ -1391,8 +1391,6 @@ class Metadata(Bcfg2.Server.Plugin.Metadata, # look at cert.cN client = certinfo['commonName'] self.debug_log("Got cN %s; using as client name" % client) - auth_type = self.auth.get(client, - self.core.setup['authentication']) elif user == 'root': id_method = 'address' try: @@ -1414,6 +1412,13 @@ class Metadata(Bcfg2.Server.Plugin.Metadata, # we have the client name self.debug_log("Authenticating client %s" % client) + # validate id_method + auth_type = self.auth.get(client, self.core.setup['authentication']) + if auth_type == 'cert' and id_method != 'cert': + self.logger.error("Client %s does not provide a cert, but only " + "cert auth is allowed" % client) + return False + # next we validate the address if (id_method != 'uuid' and not self.validate_client_address(client, address)): -- cgit v1.2.3-1-g7c22