Exemplo n.º 1
0
 def _validate_user_and_project(self, user_id, project_id):
     user = db.user_get(context.get_admin_context(), user_id)
     if not user:
         raise exception.UserNotFound(user_id=user_id)
     project = db.project_get(context.get_admin_context(), project_id)
     if not project:
         raise exception.ProjectNotFound(project_id=project_id)
     return user, project
Exemplo n.º 2
0
def decrypt_text(project_id, text):
    private_key_file = key_path(project_id)
    if not os.path.exists(private_key_file):
        raise exception.ProjectNotFound(project_id=project_id)
    with open(private_key_file, 'rb') as f:
        data = f.read()
    try:
        priv_key = serialization.load_pem_private_key(
            data, None, backends.default_backend())
        return priv_key.decrypt(text, padding.PKCS1v15())
    except (ValueError, TypeError, exceptions.UnsupportedAlgorithm) as exc:
        raise exception.DecryptionFailure(reason=six.text_type(exc))
Exemplo n.º 3
0
def revoke_cert(project_id, file_name):
    """Revoke a cert by file name."""
    try:
        # NOTE(vish): potential race condition here
        utils.execute('openssl', 'ca', '-config', './openssl.cnf', '-revoke',
                      file_name, cwd=ca_folder(project_id))
        utils.execute('openssl', 'ca', '-gencrl', '-config', './openssl.cnf',
                      '-out', CONF.crl_file, cwd=ca_folder(project_id))
    except OSError:
        raise exception.ProjectNotFound(project_id=project_id)
    except processutils.ProcessExecutionError:
        raise exception.RevokeCertFailure(project_id=project_id)
Exemplo n.º 4
0
def decrypt_text(project_id, text):
    private_key = key_path(project_id)
    if not os.path.exists(private_key):
        raise exception.ProjectNotFound(project_id=project_id)
    try:
        dec, _err = utils.execute('openssl',
                                  'rsautl',
                                  '-decrypt',
                                  '-inkey', '%s' % private_key,
                                  process_input=text)
        return dec
    except processutils.ProcessExecutionError as exc:
        raise exception.DecryptionFailure(reason=exc.stderr)
Exemplo n.º 5
0
def revoke_cert(project_id, file_name):
    """Revoke a cert by file name."""
    start = os.getcwd()
    if not os.chdir(ca_folder(project_id)):
        raise exception.ProjectNotFound(project_id=project_id)
    try:
        # NOTE(vish): potential race condition here
        utils.execute('openssl', 'ca', '-config', './openssl.cnf', '-revoke',
                      file_name)
        utils.execute('openssl', 'ca', '-gencrl', '-config', './openssl.cnf',
                      '-out', CONF.crl_file)
    except processutils.ProcessExecutionError:
        raise exception.RevokeCertFailure(project_id=project_id)
    finally:
        os.chdir(start)
Exemplo n.º 6
0
    def authenticate(self, access, signature, params, verb='GET',
                     server_string='127.0.0.1:8773', path='/',
                     check_type='ec2', headers=None):
        """Authenticates AWS request using access key and signature

        If the project is not specified, attempts to authenticate to
        a project with the same name as the user. This way, older tools
        that have no project knowledge will still work.

        @type access: str
        @param access: Access key for user in the form "access:project".

        @type signature: str
        @param signature: Signature of the request.

        @type params: list of str
        @param params: Web paramaters used for the signature.

        @type verb: str
        @param verb: Web request verb ('GET' or 'POST').

        @type server_string: str
        @param server_string: Web request server string.

        @type path: str
        @param path: Web request path.

        @type check_type: str
        @param check_type: Type of signature to check. 'ec2' for EC2, 's3' for
                           S3. Any other value will cause signature not to be
                           checked.

        @type headers: list
        @param headers: HTTP headers passed with the request (only needed for
                        s3 signature checks)

        @rtype: tuple (User, Project)
        @return: User and project that the request represents.
        """
        # TODO(vish): check for valid timestamp
        (access_key, _sep, project_id) = access.partition(':')

        LOG.debug(_('Looking up user: %r'), access_key)
        user = self.get_user_from_access_key(access_key)
        LOG.debug('user: %r', user)
        if user is None:
            LOG.audit(_("Failed authorization for access key %s"), access_key)
            raise exception.AccessKeyNotFound(access_key=access_key)

        # NOTE(vish): if we stop using project name as id we need better
        #             logic to find a default project for user
        if project_id == '':
            LOG.debug(_("Using project name = user name (%s)"), user.name)
            project_id = user.name

        project = self.get_project(project_id)
        if project is None:
            pjid = project_id
            uname = user.name
            LOG.audit(_("failed authorization: no project named %(pjid)s"
                    " (user=%(uname)s)") % locals())
            raise exception.ProjectNotFound(project_id=project_id)
        if not self.is_admin(user) and not self.is_project_member(user,
                                                                  project):
            uname = user.name
            uid = user.id
            pjname = project.name
            pjid = project.id
            LOG.audit(_("Failed authorization: user %(uname)s not admin"
                    " and not member of project %(pjname)s") % locals())
            raise exception.ProjectMembershipNotFound(project_id=pjid,
                                                      user_id=uid)
        if check_type == 's3':
            sign = signer.Signer(user.secret.encode())
            expected_signature = sign.s3_authorization(headers, verb, path)
            LOG.debug(_('user.secret: %s'), user.secret)
            LOG.debug(_('expected_signature: %s'), expected_signature)
            LOG.debug(_('signature: %s'), signature)
            if signature != expected_signature:
                LOG.audit(_("Invalid signature for user %s"), user.name)
                raise exception.InvalidSignature(signature=signature,
                                                 user=user)
        elif check_type == 'ec2':
            # NOTE(vish): hmac can't handle unicode, so encode ensures that
            #             secret isn't unicode
            expected_signature = signer.Signer(user.secret.encode()).generate(
                    params, verb, server_string, path)
            LOG.debug(_('user.secret: %s'), user.secret)
            LOG.debug(_('expected_signature: %s'), expected_signature)
            LOG.debug(_('signature: %s'), signature)
            if signature != expected_signature:
                (addr_str, port_str) = utils.parse_server_string(server_string)
                # If the given server_string contains port num, try without it.
                if port_str != '':
                    host_only_signature = signer.Signer(
                        user.secret.encode()).generate(params, verb,
                                                       addr_str, path)
                    LOG.debug(_('host_only_signature: %s'),
                              host_only_signature)
                    if signature == host_only_signature:
                        return (user, project)
                LOG.audit(_("Invalid signature for user %s"), user.name)
                raise exception.InvalidSignature(signature=signature,
                                                 user=user)
        return (user, project)