From deb8729a09d74d2efe5bdf86e3a2d3c1274590ab Mon Sep 17 00:00:00 2001
From: Alexander Sulfrian <alexander@sulfrian.net>
Date: Tue, 24 Feb 2015 18:05:13 +0100
Subject: Server/Plugins/Metadata: Reject passwd clients, if auth_type is cert

If the auth type (either globally or specific for the client) is set to cert auth,
we have to reject clients that does not provide a cert.
---
 src/lib/Bcfg2/Server/Plugins/Metadata.py | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

(limited to 'src')

diff --git a/src/lib/Bcfg2/Server/Plugins/Metadata.py b/src/lib/Bcfg2/Server/Plugins/Metadata.py
index 1e5544c6b..f805772a7 100644
--- a/src/lib/Bcfg2/Server/Plugins/Metadata.py
+++ b/src/lib/Bcfg2/Server/Plugins/Metadata.py
@@ -1391,8 +1391,6 @@ class Metadata(Bcfg2.Server.Plugin.Metadata,
             # look at cert.cN
             client = certinfo['commonName']
             self.debug_log("Got cN %s; using as client name" % client)
-            auth_type = self.auth.get(client,
-                                      self.core.setup['authentication'])
         elif user == 'root':
             id_method = 'address'
             try:
@@ -1414,6 +1412,13 @@ class Metadata(Bcfg2.Server.Plugin.Metadata,
         # we have the client name
         self.debug_log("Authenticating client %s" % client)
 
+        # validate id_method
+        auth_type = self.auth.get(client, self.core.setup['authentication'])
+        if auth_type == 'cert' and id_method != 'cert':
+            self.logger.error("Client %s does not provide a cert, but only "
+                              "cert auth is allowed" % client)
+            return False
+
         # next we validate the address
         if (id_method != 'uuid' and
             not self.validate_client_address(client, address)):
-- 
cgit v1.2.3-1-g7c22