diff options
Diffstat (limited to 'gluster/swift/common')
-rw-r--r-- | gluster/swift/common/middleware/gswauth/swauth/authtypes.py | 77 | ||||
-rw-r--r-- | gluster/swift/common/middleware/gswauth/swauth/middleware.py | 13 |
2 files changed, 83 insertions, 7 deletions
diff --git a/gluster/swift/common/middleware/gswauth/swauth/authtypes.py b/gluster/swift/common/middleware/gswauth/swauth/authtypes.py index 90aad72..fbf532d 100644 --- a/gluster/swift/common/middleware/gswauth/swauth/authtypes.py +++ b/gluster/swift/common/middleware/gswauth/swauth/authtypes.py @@ -35,6 +35,7 @@ value or to a default value. """ import hashlib +import os #: Maximum length any valid token should ever be. @@ -80,6 +81,20 @@ class Sha1(object): must be capitalized. encode and match methods must be provided and are the only ones that will be used by swauth. """ + + def encode_w_salt(self, salt, key): + """ + Encodes a user key with salt into a particular format. The result of + this method will be used internally. + + :param salt: Salt for hashing + :param key: User's secret key + :returns: A string representing user credentials + """ + enc_key = '%s%s' % (salt, key) + enc_val = hashlib.sha1(enc_key).hexdigest() + return "sha1:%s$%s" % (salt, enc_val) + def encode(self, key): """ Encodes a user key into a particular format. The result of this method @@ -88,9 +103,8 @@ class Sha1(object): :param key: User's secret key :returns: A string representing user credentials """ - enc_key = '%s%s' % (self.salt, key) - enc_val = hashlib.sha1(enc_key).hexdigest() - return "sha1:%s$%s" % (self.salt, enc_val) + salt = self.salt or os.urandom(32).encode('base64').rstrip() + return self.encode_w_salt(salt, key) def match(self, key, creds): """ @@ -100,4 +114,59 @@ class Sha1(object): :param creds: User's stored credentials :returns: True if the supplied key is valid, False otherwise """ - return self.encode(key) == creds + + type, rest = creds.split(':') + salt, enc = rest.split('$') + + return self.encode_w_salt(salt, key) == creds + + +class Sha512(object): + """ + Provides a particular auth type for encoding format for encoding and + matching user keys. + + This class must be all lowercase except for the first character, which + must be capitalized. encode and match methods must be provided and are + the only ones that will be used by swauth. + """ + + def encode_w_salt(self, salt, key): + """ + Encodes a user key with salt into a particular format. The result of + this method will be used internal. + + :param salt: Salt for hashing + :param key: User's secret key + :returns: A string representing user credentials + """ + enc_key = '%s%s' % (salt, key) + enc_val = hashlib.sha512(enc_key).hexdigest() + return "sha512:%s$%s" % (salt, enc_val) + + def encode(self, key): + """ + Encodes a user key into a particular format. The result of this method + will be used by swauth for storing user credentials. + + If salt is not manually set in conf file, a random salt will be + generated and used. + + :param key: User's secret key + :returns: A string representing user credentials + """ + salt = self.salt or os.urandom(32).encode('base64').rstrip() + return self.encode_w_salt(salt, key) + + def match(self, key, creds): + """Checks whether the user-provided key matches the user's credentials + + :param key: User-supplied key + :param creds: User's stored credentials + :returns: True if the supplied key is valid, False otherwise + """ + + type, rest = creds.split(':') + salt, enc = rest.split('$') + + return self.encode_w_salt(salt, key) == creds diff --git a/gluster/swift/common/middleware/gswauth/swauth/middleware.py b/gluster/swift/common/middleware/gswauth/swauth/middleware.py index e181ece..745c6f1 100644 --- a/gluster/swift/common/middleware/gswauth/swauth/middleware.py +++ b/gluster/swift/common/middleware/gswauth/swauth/middleware.py @@ -1475,14 +1475,21 @@ class Swauth(object): def credentials_match(self, user_detail, key): """ Returns True if the key is valid for the user_detail. - It will use self.auth_encoder to check for a key match. + It will use auth_encoder type the password was encoded with, + to check for a key match. :param user_detail: The dict for the user. :param key: The key to validate for the user. :returns: True if the key is valid for the user, False if not. """ - return user_detail and self.auth_encoder().match( - key, user_detail.get('auth')) + if user_detail: + creds = user_detail.get('auth') + auth_type = creds.split(':')[0] + auth_encoder = getattr(authtypes, auth_type.title(), None) + if auth_encoder is None: + self.logger.error('Invalid auth_type %s' % auth_type) + return False + return user_detail and auth_encoder().match(key, creds) def is_user_changing_own_key(self, req, user): """ |