X-Git-Url: https://code.grnet.gr/git/ganeti-local/blobdiff_plain/d984846ddf447c4eab67bd112cb5a52456f3fd3b..3016bc1ff2eae42318a8b53457b4bf889ae5e201:/lib/serializer.py

diff --git a/lib/serializer.py b/lib/serializer.py
index b568497..cbc11fa 100644
--- a/lib/serializer.py
+++ b/lib/serializer.py
@@ -24,68 +24,39 @@ This module introduces a simple abstraction over the serialization
 backend (currently json).
 
 """
-# pylint: disable-msg=C0103
+# pylint: disable=C0103
 
 # C0103: Invalid name, since pylint doesn't see that Dump points to a
 # function and not a constant
 
-import simplejson
 import re
-import hmac
-
-from ganeti import errors
-
-try:
-  from hashlib import sha1
-except ImportError:
-  import sha as sha1
-
-
-_JSON_INDENT = 2
-
-_RE_EOLSP = re.compile('[ \t]+$', re.MULTILINE)
-
-
-def _GetJsonDumpers(_encoder_class=simplejson.JSONEncoder):
-  """Returns two JSON functions to serialize data.
-
-  @rtype: (callable, callable)
-  @return: The function to generate a compact form of JSON and another one to
-           generate a more readable, indented form of JSON (if supported)
-
-  """
-  plain_encoder = _encoder_class(sort_keys=True)
 
-  # Check whether the simplejson module supports indentation
-  try:
-    indent_encoder = _encoder_class(indent=_JSON_INDENT, sort_keys=True)
-  except TypeError:
-    # Indentation not supported
-    indent_encoder = plain_encoder
+# Python 2.6 and above contain a JSON module based on simplejson. Unfortunately
+# the standard library version is significantly slower than the external
+# module. While it should be better from at least Python 3.2 on (see Python
+# issue 7451), for now Ganeti needs to work well with older Python versions
+# too.
+import simplejson
 
-  return (plain_encoder.encode, indent_encoder.encode)
+from ganeti import errors
+from ganeti import utils
 
 
-(_DumpJson, _DumpJsonIndent) = _GetJsonDumpers()
+_RE_EOLSP = re.compile("[ \t]+$", re.MULTILINE)
 
 
-def DumpJson(data, indent=True):
+def DumpJson(data):
   """Serialize a given object.
 
   @param data: the data to serialize
-  @param indent: whether to indent output (depends on simplejson version)
-
   @return: the string representation of data
 
   """
-  if indent:
-    fn = _DumpJsonIndent
-  else:
-    fn = _DumpJson
+  encoded = simplejson.dumps(data)
 
-  txt = _RE_EOLSP.sub("", fn(data))
-  if not txt.endswith('\n'):
-    txt += '\n'
+  txt = _RE_EOLSP.sub("", encoded)
+  if not txt.endswith("\n"):
+    txt += "\n"
 
   return txt
 
@@ -101,30 +72,41 @@ def LoadJson(txt):
   return simplejson.loads(txt)
 
 
-def DumpSignedJson(data, key, salt=None):
+def DumpSignedJson(data, key, salt=None, key_selector=None):
   """Serialize a given object and authenticate it.
 
   @param data: the data to serialize
   @param key: shared hmac key
+  @param key_selector: name/id that identifies the key (in case there are
+    multiple keys in use, e.g. in a multi-cluster environment)
   @return: the string representation of data signed by the hmac key
 
   """
-  txt = DumpJson(data, indent=False)
+  txt = DumpJson(data)
   if salt is None:
-    salt = ''
+    salt = ""
   signed_dict = {
-    'msg': txt,
-    'salt': salt,
-    'hmac': hmac.new(key, salt + txt, sha1).hexdigest(),
-  }
-  return DumpJson(signed_dict, indent=False)
+    "msg": txt,
+    "salt": salt,
+    }
+
+  if key_selector:
+    signed_dict["key_selector"] = key_selector
+  else:
+    key_selector = ""
+
+  signed_dict["hmac"] = utils.Sha1Hmac(key, txt, salt=salt + key_selector)
+
+  return DumpJson(signed_dict)
 
 
 def LoadSignedJson(txt, key):
   """Verify that a given message was signed with the given key, and load it.
 
   @param txt: json-encoded hmac-signed message
-  @param key: shared hmac key
+  @param key: the shared hmac key or a callable taking one argument (the key
+    selector), which returns the hmac key belonging to the key selector.
+    Typical usage is to pass a reference to the get method of a dict.
   @rtype: tuple of original data, string
   @return: original data, salt
   @raises errors.SignatureError: if the message signature doesn't verify
@@ -132,16 +114,28 @@ def LoadSignedJson(txt, key):
   """
   signed_dict = LoadJson(txt)
   if not isinstance(signed_dict, dict):
-    raise errors.SignatureError('Invalid external message')
+    raise errors.SignatureError("Invalid external message")
   try:
-    msg = signed_dict['msg']
-    salt = signed_dict['salt']
-    hmac_sign = signed_dict['hmac']
+    msg = signed_dict["msg"]
+    salt = signed_dict["salt"]
+    hmac_sign = signed_dict["hmac"]
   except KeyError:
-    raise errors.SignatureError('Invalid external message')
+    raise errors.SignatureError("Invalid external message")
+
+  if callable(key):
+    # pylint: disable=E1103
+    key_selector = signed_dict.get("key_selector", None)
+    hmac_key = key(key_selector)
+    if not hmac_key:
+      raise errors.SignatureError("No key with key selector '%s' found" %
+                                  key_selector)
+  else:
+    key_selector = ""
+    hmac_key = key
 
-  if hmac.new(key, salt + msg, sha1).hexdigest() != hmac_sign:
-    raise errors.SignatureError('Invalid Signature')
+  if not utils.VerifySha1Hmac(hmac_key, msg, hmac_sign,
+                              salt=salt + key_selector):
+    raise errors.SignatureError("Invalid Signature")
 
   return LoadJson(msg), salt