X-Git-Url: https://code.grnet.gr/git/ganeti-local/blobdiff_plain/4e9dac14b3b010c8543ccc56e7b8157cde626595..6e7f0cd9e9ead56c60527647423422e384c20cbb:/lib/serializer.py diff --git a/lib/serializer.py b/lib/serializer.py index 34c5a3b..9a5f1ce 100644 --- a/lib/serializer.py +++ b/lib/serializer.py @@ -24,28 +24,46 @@ This module introduces a simple abstraction over the serialization backend (currently json). """ +# pylint: disable-msg=C0103 + +# C0103: Invalid name, since pylint doesn't see that Dump points to a +# function and not a constant import simplejson import re -import hmac from ganeti import errors +from ganeti import utils -try: - from hashlib import sha1 -except ImportError: - import sha as sha1 -# Check whether the simplejson module supports indentation _JSON_INDENT = 2 -try: - simplejson.dumps(1, indent=_JSON_INDENT) -except TypeError: - _JSON_INDENT = None _RE_EOLSP = re.compile('[ \t]+$', re.MULTILINE) +def _GetJsonDumpers(_encoder_class=simplejson.JSONEncoder): + """Returns two JSON functions to serialize data. + + @rtype: (callable, callable) + @return: The function to generate a compact form of JSON and another one to + generate a more readable, indented form of JSON (if supported) + + """ + plain_encoder = _encoder_class(sort_keys=True) + + # Check whether the simplejson module supports indentation + try: + indent_encoder = _encoder_class(indent=_JSON_INDENT, sort_keys=True) + except TypeError: + # Indentation not supported + indent_encoder = plain_encoder + + return (plain_encoder.encode, indent_encoder.encode) + + +(_DumpJson, _DumpJsonIndent) = _GetJsonDumpers() + + def DumpJson(data, indent=True): """Serialize a given object. @@ -55,14 +73,15 @@ def DumpJson(data, indent=True): @return: the string representation of data """ - if not indent or _JSON_INDENT is None: - txt = simplejson.dumps(data) + if indent: + fn = _DumpJsonIndent else: - txt = simplejson.dumps(data, indent=_JSON_INDENT) + fn = _DumpJson - txt = _RE_EOLSP.sub("", txt) + txt = _RE_EOLSP.sub("", fn(data)) if not txt.endswith('\n'): txt += '\n' + return txt @@ -77,11 +96,13 @@ def LoadJson(txt): return simplejson.loads(txt) -def DumpSignedJson(data, key, salt=None): +def DumpSignedJson(data, key, salt=None, key_selector=None): """Serialize a given object and authenticate it. @param data: the data to serialize @param key: shared hmac key + @param key_selector: name/id that identifies the key (in case there are + multiple keys in use, e.g. in a multi-cluster environment) @return: the string representation of data signed by the hmac key """ @@ -91,16 +112,25 @@ def DumpSignedJson(data, key, salt=None): signed_dict = { 'msg': txt, 'salt': salt, - 'hmac': hmac.new(key, salt + txt, sha1).hexdigest(), - } - return DumpJson(signed_dict) + } + + if key_selector: + signed_dict["key_selector"] = key_selector + else: + key_selector = "" + + signed_dict["hmac"] = utils.Sha1Hmac(key, txt, salt=salt + key_selector) + + return DumpJson(signed_dict, indent=False) def LoadSignedJson(txt, key): """Verify that a given message was signed with the given key, and load it. @param txt: json-encoded hmac-signed message - @param key: shared hmac key + @param key: the shared hmac key or a callable taking one argument (the key + selector), which returns the hmac key belonging to the key selector. + Typical usage is to pass a reference to the get method of a dict. @rtype: tuple of original data, string @return: original data, salt @raises errors.SignatureError: if the message signature doesn't verify @@ -116,7 +146,19 @@ def LoadSignedJson(txt, key): except KeyError: raise errors.SignatureError('Invalid external message') - if hmac.new(key, salt + msg, sha1).hexdigest() != hmac_sign: + if callable(key): + # pylint: disable-msg=E1103 + key_selector = signed_dict.get("key_selector", None) + hmac_key = key(key_selector) + if not hmac_key: + raise errors.SignatureError("No key with key selector '%s' found" % + key_selector) + else: + key_selector = "" + hmac_key = key + + if not utils.VerifySha1Hmac(hmac_key, msg, hmac_sign, + salt=salt + key_selector): raise errors.SignatureError('Invalid Signature') return LoadJson(msg), salt