Revision 23ccba04
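--- a/daemons/ganeti-rapi
+++ b/daemons/ganeti-rapi
@@ -118,17 +118,18 @@
 
 req.private = ctx
 
+# Check for expected attributes
+assert req.private.handler
+assert req.private.handler_fn
+assert req.private.handler_access is not None
+
 return req.private
 
-def GetAuthRealm(self, req):
-"""Override the auth realm for queries.
+def AuthenticationRequired(self, req):
+"""Determine whether authentication is required.
 
 """
-ctx = self._GetRequestContext(req)
-if ctx.handler_access:
-return self.AUTH_REALM
-else:
-return None
+return bool(self._GetRequestContext(req).handler_access)
 
 def Authenticate(self, req, username, password):
 """Checks whether a user can access a resource.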
b/lib/http/auth.py | ||
---|---|---|
78 | 78 |
|
79 | 79 |
class HttpServerRequestAuthentication(object): |
80 | 80 |
# Default authentication realm |
81 |
AUTH_REALM = None
|
|
81 |
AUTH_REALM = "Unspecified"
|
|
82 | 82 |
|
83 | 83 |
# Schemes for passwords |
84 | 84 |
_CLEARTEXT_SCHEME = "{CLEARTEXT}" |
... | ... | |
87 | 87 |
def GetAuthRealm(self, req): |
88 | 88 |
"""Returns the authentication realm for a request. |
89 | 89 |
|
90 |
MAY be overridden by a subclass, which then can return different realms for |
|
91 |
different paths. Returning "None" means no authentication is needed for a |
|
92 |
request. |
|
90 |
May be overridden by a subclass, which then can return different realms for |
|
91 |
different paths. |
|
93 | 92 |
|
94 | 93 |
@type req: L{http.server._HttpServerRequest} |
95 | 94 |
@param req: HTTP request context |
96 |
@rtype: str or None
|
|
95 |
@rtype: string
|
|
97 | 96 |
@return: Authentication realm |
98 | 97 |
|
99 | 98 |
""" |
... | ... | |
102 | 101 |
# pylint: disable-msg=W0613 |
103 | 102 |
return self.AUTH_REALM |
104 | 103 |
|
104 |
def AuthenticationRequired(self, req): |
|
105 |
"""Determines whether authentication is required for a request. |
|
106 |
|
|
107 |
To enable authentication, override this function in a subclass and return |
|
108 |
C{True}. L{AUTH_REALM} must be set. |
|
109 |
|
|
110 |
@type req: L{http.server._HttpServerRequest} |
|
111 |
@param req: HTTP request context |
|
112 |
|
|
113 |
""" |
|
114 |
return False |
|
115 |
|
|
105 | 116 |
def PreHandleRequest(self, req): |
106 | 117 |
"""Called before a request is handled. |
107 | 118 |
|
... | ... | |
109 | 120 |
@param req: HTTP request context |
110 | 121 |
|
111 | 122 |
""" |
112 |
realm = self.GetAuthRealm(req) |
|
113 |
|
|
114 | 123 |
# Authentication not required, and no credentials given? |
115 |
if realm is None and http.HTTP_AUTHORIZATION not in req.request_headers: |
|
124 |
if not (self.AuthenticationRequired(req) or |
|
125 |
(req.request_headers and |
|
126 |
http.HTTP_AUTHORIZATION in req.request_headers)): |
|
116 | 127 |
return |
117 | 128 |
|
118 |
if realm is None: # in case we don't require auth but someone |
|
119 |
# passed the crendentials anyway |
|
120 |
realm = "Unspecified" |
|
129 |
realm = self.GetAuthRealm(req) |
|
130 |
|
|
131 |
if not realm: |
|
132 |
raise AssertionError("No authentication realm") |
|
121 | 133 |
|
122 | 134 |
# Check "Authorization" header |
123 | 135 |
if self._CheckAuthorization(req): |
... | ... | |
255 | 267 |
realm = self.GetAuthRealm(req) |
256 | 268 |
if not realm: |
257 | 269 |
# There can not be a valid password for this case |
258 |
return False
|
|
270 |
raise AssertionError("No authentication realm")
|
|
259 | 271 |
|
260 | 272 |
expha1 = md5() |
261 | 273 |
expha1.update("%s:%s:%s" % (username, realm, password)) |
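Review bot: The base-class `AuthenticationRequired` returns `False`, so a subclass that only sets `AUTH_REALM` or overrides `GetAuthRealm` no longer turns authentication on, whereas the old `PreHandleRequest` enforced it for any realm other than `None`. Only ganeti-rapi is updated in this commit; whether other subclasses exist is not visible here. The `GetAuthRealm` docstring dropped the sentence linking the realm to enforcement without pointing to the new hook, so I would add `Whether authentication is enforced is decided by L{AuthenticationRequired}, not by the realm.` there. At new line 269 the comment `# There can not be a valid password for this case` still sits above what is now `raise AssertionError("No authentication realm")` and should say that an empty realm is a programming error.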
b/test/ganeti.http_unittest.py | ||
---|---|---|
154 | 154 |
self.assert_(tvbap("This is only a test", "user", "pw", |
155 | 155 |
"{HA1}92ea58ae804481498c257b2f65561a17")) |
156 | 156 |
|
157 |
self.failIf(tvbap(None, "user", "pw",
|
|
158 |
"{HA1}92ea58ae804481498c257b2f65561a17"))
|
|
157 |
self.failUnlessRaises(AssertionError, tvbap, None, "user", "pw",
|
|
158 |
"{HA1}92ea58ae804481498c257b2f65561a17")
|
|
159 | 159 |
self.failIf(tvbap("Admin area", "user", "pw", |
160 | 160 |
"{HA1}92ea58ae804481498c257b2f65561a17")) |
161 | 161 |
self.failIf(tvbap("This is only a test", "someone", "pw", |