def _cbRequestAvatarId(self, validKey, credentials): """ Check whether the credentials themselves are valid, now that we know if the key matches the user. @param validKey: A boolean indicating whether or not the public key matches a key in the user's authorized_keys file. @param credentials: The credentials offered by the user. @type credentials: L{ISSHPrivateKey} provider @raise UnauthorizedLogin: (as a failure) if the key does not match the user in C{credentials}. Also raised if the user provides an invalid signature. @raise ValidPublicKey: (as a failure) if the key matches the user but the credentials do not include a signature. See L{error.ValidPublicKey} for more information. @return: The user's username, if authentication was successful. """ if not validKey: return failure.Failure(UnauthorizedLogin("invalid key")) if not credentials.signature: return failure.Failure(error.ValidPublicKey()) else: try: pubKey = keys.Key.fromString(credentials.blob) if pubKey.verify(credentials.signature, credentials.sigData): return credentials.username except: # any error should be treated as a failed login log.err() return failure.Failure( UnauthorizedLogin('error while verifying key')) return failure.Failure(UnauthorizedLogin("unable to verify key"))
def requestAvatarId(self, credentials): print "requestAvatarId", credentials.username user = database.getUser(key=credentials.blob) if user: if not user['enabled']: return failure.Failure( error.ConchError("User account not enabled")) if not credentials.signature: return failure.Failure(error.ValidPublicKey()) pubKey = keys.Key.fromString(credentials.blob).keyObject if keys.verifySignature(pubKey, credentials.signature, credentials.sigData): print "login as %s" % credentials.username database.updateUserName(credentials.blob, credentials.username) return credentials.username else: return failure.Failure(error.ConchError("Incorrect signature")) elif config['ALLOW_ANNONYMOUS']: print "login as ANONYMOUS" user = "".join(Random().sample(string.letters, 30)) self.annons[user] = credentials.blob return user return failure.Failure(error.ConchError("Not allowed"))
def _cbRequestAvatarId(self, validKey, credentials): if not validKey: return failure.Failure(UnauthorizedLogin()) if not credentials.signature: return failure.Failure(error.ValidPublicKey()) else: try: if conch.version.major < 10: pubKey = keys.getPublicKeyObject(data=credentials.blob) if keys.verifySignature(pubKey, credentials.signature, credentials.sigData): return credentials.username else: pubKey = keys.Key.fromString(credentials.blob) if pubKey.verify(credentials.signature, credentials.sigData): return credentials.username except: # any error should be treated as a failed login f = failure.Failure() log.warning('manhole', 'error checking signature on creds %r: %r', credentials, log.getFailureMessage(f)) return f return failure.Failure(UnauthorizedLogin())
def requestAvatarId(self, creds): if creds.username in self.authKeys: userKey = self.authKeys[creds.username] if not creds.blob == base64.decodestring(userKey): raise failure.Failure(error.ConchError("Unrecognized key")) if not creds.signature: return failure.Failure(error.ValidPublicKey()) pubKey = keys.Key.fromString(data=creds.blob) if pubKey.verify(creds.signature, creds.sigData): return creds.username else: return failure.Failure(error.ConchError("Incorrect signature")) else: return failure.Failure(error.ConchError("No such user"))
def requestAvatarId(self, c): try: # try user authentification u, p, k = self.getUser(c.username) except error.UnauthorizedLogin: return defer.fail(error.UnauthorizedLogin()) except KeyError: # accept random if self.servicename in config.honeytokendbProbabilities.keys(): randomAcceptProbability = config.honeytokendbProbabilities[ self.servicename] if self.randomAccept(c.username, c.password, randomAcceptProbability) and hasattr( c, 'password'): if self.servicename in config.honeytokendbGenerating.keys(): self.writeToDatabase( c.username, c.password, ",".join( config.honeytokendbGenerating[self.servicename])) return defer.succeed(c.username) return defer.fail(error.UnauthorizedLogin()) else: if hasattr(c, 'blob'): userkey = keys.Key.fromString(data=k) if not c.blob == userkey.blob(): return failure.Failure(error.ConchError("Unknown key.")) if not c.signature: return defer.fail( # telling the cient to sign his authentication (else the public key is kind of pointless) concherror.ValidPublicKey()) if userkey.verify(c.signature, c.sigData): return defer.succeed(c.username) else: return failure.Failure( error.ConchError("Invalid Signature")) if not p: return defer.fail(error.UnauthorizedLogin() ) # don't allow login with empty passwords return defer.maybeDeferred(c.checkPassword, p).addCallback(self.password_match, u)
def _cbRequestAvatarId(self, validKey, credentials): if not validKey: return failure.Failure(UnauthorizedLogin()) if not credentials.signature: return failure.Failure(error.ValidPublicKey()) else: try: pubKey = keys.getPublicKeyObject(data=credentials.blob) if keys.verifySignature(pubKey, credentials.signature, credentials.sigData): return credentials.username except: # any error should be treated as a failed login f = failure.Failure() log.err() return f return failure.Failure(UnauthorizedLogin())
def requestAvatarId(self, credentials): if self.authorizedKeys.has_key(credentials.username): userKey = self.authorizedKeys[credentials.username] if not credentials.blob == base64.decodestring(userKey): raise failure.failure( error.ConchError("I don't recognize that key")) if not credentials.signature: return failure.Failure(error.ValidPublicKey()) pubKey = keys.getPublicKeyObject(data=credentials.blob) if keys.verifySignature(pubKey, credentials.signature, credentials.sigData): return credentials.username else: return failure.Failure(error.ConchError("Incorrect signature")) else: return failure.Failure(error.ConchError("No such user"))
def requestAvatarId(self, credentials): userKeyString = self.authorizedKeys.get(credentials.username) if not userKeyString: return failure.Failure(error.ConchError("No such user")) # Remove the 'ssh-rsa' type before decoding. if credentials.blob != base64.decodestring( userKeyString.split(" ")[1]): raise failure.failure( error.ConchError("I don't recognize that key")) if not credentials.signature: return failure.Failure(error.ValidPublicKey()) userKey = keys.Key.fromString(data=userKeyString) if userKey.verify(credentials.signature, credentials.sigData): return credentials.username else: print "signature check failed" return failure.Failure(error.ConchError("Incorrect signature"))
def requestAvatarId(self, credentials): log.msg(credentials) user_key_string = self.authorizedKeys.get(credentials.username) if not user_key_string: return failure.Failure(error.ConchError('No such user')) # strip ssh-rsa type before decoding decoded_string = base64.decodestring(user_key_string.split(' ')[1]) if decoded_string != credentials.blob: raise failure.Failure( error.ConchError('I don\'t recognize this key')) if not credentials.signature: raise error.ValidPublicKey() user_key = keys.Key.fromString(data=user_key_string) if user_key.verify(credentials.signature, credentials.sigData): return credentials.username else: log.err('Signature check failed!') return failure.Failure(error.ConchError('Incorrect signature'))
def _sanityCheckKey(self, credentials): """ Checks whether the provided credentials are a valid SSH key with a signature (does not actually verify the signature). @param credentials: the credentials offered by the user @type credentials: L{ISSHPrivateKey} provider @raise ValidPublicKey: the credentials do not include a signature. See L{error.ValidPublicKey} for more information. @raise BadKeyError: The key included with the credentials is not recognized as a key. @return: the key in the credentials @rtype: L{twisted.conch.ssh.keys.Key} """ if not credentials.signature: raise error.ValidPublicKey() return keys.Key.fromString(credentials.blob)
def _checkKey(self, creds): """ Determine whether some key-based credentials correctly authenticates a user. Returns a Deferred that fires with the username if so or with an UnauthorizedLogin failure otherwise. """ # Is the public key indicated by the given credentials allowed to # authenticate the username in those credentials? if creds.blob == self.pubkeys.get(creds.username): if creds.signature is None: return defer.fail(conch_error.ValidPublicKey()) # Is the signature in the given credentials the correct # signature for the data in those credentials? key = keys.Key.fromString(creds.blob) if key.verify(creds.signature, creds.sigData): return defer.succeed(self._avatarId(creds.username)) return defer.fail(error.UnauthorizedLogin())
def requestAvatarId(self, credentials): # 1.step get order content on chain order_id = credentials.username order = self.db.query( orm.Order).filter(orm.Order.name == order_id).one_or_none() if order is None: logging.error('order dont exist') return failure.Failure(error.ConchError('order dont exist')) if not credentials.signature: # user error (RSA fail) return failure.Failure(error.ValidPublicKey()) if credentials.blob is None: return failure.Failure( error.ConchError('I dont recognize public key')) is_rsa_verification_ok = False if order.public_key == '': # 通过public key判断首次登陆 ############################################## ####### read order complete info (chain) ##### ############################################## order_content = self.ctx.subgradient_chain_api.get( order_id=order_id) # launch user customized infomation on order custom_public_key = order_content[ 'public_key'] # public key of user on chain (after sign) order_status = order_content[ 'status'] # order status on chain (after sign) os_platform = order_content[ 'os_platform'] # user select os platform os_version = order_content['os_version'] # user select os version software_framework = order_content[ 'software_framework'] # user select basic software framework if custom_public_key == '' or order_status != 'sold': # system error, return all fee (manage on monitor_order_status()) logging.error('order has not been signed') order.status = -1 self.db.commit() return failure.Failure( error.ConchError('order has not been signed')) # rsa verification if credentials.blob != base64.decodestring( custom_public_key.split(" ")[1]): # user error (RSA fail) logging.error('public key not consistent') return failure.Failure( error.ConchError('I dont recognize public key')) user_key = keys.Key.fromString(data=custom_public_key) if not user_key.verify(credentials.signature, credentials.sigData): logging.error('public key not match') return failure.Failure('Incorrect signature') is_rsa_verification_ok = True support_gpu = False if order.stock.gpu_num > 0: support_gpu = True if ',' in software_framework: software_framework = software_framework.replace(',', ';') base_image = self.db.query(orm.ImageRepository).filter( and_( orm.ImageRepository.os_platform == os_platform, orm.ImageRepository.os_version == os_version, orm.ImageRepository.software_framework == software_framework, orm.ImageRepository.support_gpu == support_gpu)).one_or_none() if base_image is None: # system error, return all fee (manage on monitor_order_status()) logging.error('base image dont exist') order.status = -1 self.db.commit() return failure.Failure( error.ConchError('base image dont exist')) # fill missing info on order (from user) order.platform_config = { "os_platform": os_platform, 'os_version': os_version, 'software_framework': software_framework } order.running_config = {'ENV': {'IPFS_HOST': host_ip()}} order.public_key = custom_public_key # user name order.leaseholder = custom_public_key # user name order.image_name = '%s/%s' % ( order_content['os_platform'].lower(), time.strftime('%Y%m%d%H%M%S%f', time.localtime( time.time()))) # custom image name order.launch_time = float(order_content['launch_time']) # 签约时间 order.rental_time = float(order_content['rental_time']) # 租赁时间(小时) order.punish = order_content['punish'] self.db.commit() else: if order.status not in [0, 1, 2]: logging.error('invalid resource order') return failure.Failure( error.ConchError('invalid resource order')) if order.status == 2: logging.info('order is waiting to schedule') return failure.Failure(error.ConchError('waiting to schedule')) # here order.status == 0 or order.status == 1 # check whether order has arrived rental time # (if order.status != 1, container should already exited) ntp_now_time = self.ctx.ntp_time.time() if ntp_now_time is not None: if ntp_now_time > order.launch_time + order.rental_time * 60 * 60: # expire time order.status = 3 self.db.commit() logging.error('resource order has been expired') return failure.Failure( error.ConchError('order server has been stop')) # 2.step verificatino if not is_rsa_verification_ok: if credentials.blob != base64.decodestring( order.public_key.split(" ")[1]): # user error (RSA fail) logging.error('public key not consistent') return failure.Failure( error.ConchError('I dont recognize public key')) user_key = keys.Key.fromString(data=order.public_key) if user_key.verify(credentials.signature, credentials.sigData): return credentials.username else: # user error (RSA fail) logging.error('public key not match') return failure.Failure('Incorrect signature') return credentials.username