X-Git-Url: https://code.grnet.gr/git/ganeti-local/blobdiff_plain/fe26718807f5cd6b8a30aa93770b060753ab91ff..31155d60eed6d14d25979c41c031f746e51d3c7d:/lib/serializer.py diff --git a/lib/serializer.py b/lib/serializer.py index a5a9ca4..9a5f1ce 100644 --- a/lib/serializer.py +++ b/lib/serializer.py @@ -32,17 +32,38 @@ backend (currently json). import simplejson import re +from ganeti import errors +from ganeti import utils + -# Check whether the simplejson module supports indentation _JSON_INDENT = 2 -try: - simplejson.dumps(1, indent=_JSON_INDENT) -except TypeError: - _JSON_INDENT = None _RE_EOLSP = re.compile('[ \t]+$', re.MULTILINE) +def _GetJsonDumpers(_encoder_class=simplejson.JSONEncoder): + """Returns two JSON functions to serialize data. + + @rtype: (callable, callable) + @return: The function to generate a compact form of JSON and another one to + generate a more readable, indented form of JSON (if supported) + + """ + plain_encoder = _encoder_class(sort_keys=True) + + # Check whether the simplejson module supports indentation + try: + indent_encoder = _encoder_class(indent=_JSON_INDENT, sort_keys=True) + except TypeError: + # Indentation not supported + indent_encoder = plain_encoder + + return (plain_encoder.encode, indent_encoder.encode) + + +(_DumpJson, _DumpJsonIndent) = _GetJsonDumpers() + + def DumpJson(data, indent=True): """Serialize a given object. @@ -52,14 +73,15 @@ def DumpJson(data, indent=True): @return: the string representation of data """ - if not indent or _JSON_INDENT is None: - txt = simplejson.dumps(data) + if indent: + fn = _DumpJsonIndent else: - txt = simplejson.dumps(data, indent=_JSON_INDENT) + fn = _DumpJson - txt = _RE_EOLSP.sub("", txt) + txt = _RE_EOLSP.sub("", fn(data)) if not txt.endswith('\n'): txt += '\n' + return txt @@ -74,5 +96,75 @@ def LoadJson(txt): return simplejson.loads(txt) +def DumpSignedJson(data, key, salt=None, key_selector=None): + """Serialize a given object and authenticate it. + + @param data: the data to serialize + @param key: shared hmac key + @param key_selector: name/id that identifies the key (in case there are + multiple keys in use, e.g. in a multi-cluster environment) + @return: the string representation of data signed by the hmac key + + """ + txt = DumpJson(data, indent=False) + if salt is None: + salt = '' + signed_dict = { + 'msg': txt, + 'salt': salt, + } + + if key_selector: + signed_dict["key_selector"] = key_selector + else: + key_selector = "" + + signed_dict["hmac"] = utils.Sha1Hmac(key, txt, salt=salt + key_selector) + + return DumpJson(signed_dict, indent=False) + + +def LoadSignedJson(txt, key): + """Verify that a given message was signed with the given key, and load it. + + @param txt: json-encoded hmac-signed message + @param key: the shared hmac key or a callable taking one argument (the key + selector), which returns the hmac key belonging to the key selector. + Typical usage is to pass a reference to the get method of a dict. + @rtype: tuple of original data, string + @return: original data, salt + @raises errors.SignatureError: if the message signature doesn't verify + + """ + signed_dict = LoadJson(txt) + if not isinstance(signed_dict, dict): + raise errors.SignatureError('Invalid external message') + try: + msg = signed_dict['msg'] + salt = signed_dict['salt'] + hmac_sign = signed_dict['hmac'] + except KeyError: + raise errors.SignatureError('Invalid external message') + + if callable(key): + # pylint: disable-msg=E1103 + key_selector = signed_dict.get("key_selector", None) + hmac_key = key(key_selector) + if not hmac_key: + raise errors.SignatureError("No key with key selector '%s' found" % + key_selector) + else: + key_selector = "" + hmac_key = key + + if not utils.VerifySha1Hmac(hmac_key, msg, hmac_sign, + salt=salt + key_selector): + raise errors.SignatureError('Invalid Signature') + + return LoadJson(msg), salt + + Dump = DumpJson Load = LoadJson +DumpSigned = DumpSignedJson +LoadSigned = LoadSignedJson