def _cbRequestAvatarId(self, validKey, credentials):
"""
Check whether the credentials themselves are valid, now that we know
if the key matches the user.
@param validKey: A boolean indicating whether or not the public key
matches a key in the user's authorized_keys file.
@param credentials: The credentials offered by the user.
@type credentials: L{ISSHPrivateKey} provider
@raise UnauthorizedLogin: (as a failure) if the key does not match the
user in C{credentials}. Also raised if the user provides an invalid
signature.
@raise ValidPublicKey: (as a failure) if the key matches the user but
the credentials do not include a signature. See
L{error.ValidPublicKey} for more information.
@return: The user's username, if authentication was successful.
"""
if not validKey:
return failure.Failure(UnauthorizedLogin("invalid key"))
if not credentials.signature:
return failure.Failure(error.ValidPublicKey())
else:
try:
pubKey = keys.Key.fromString(credentials.blob)
if pubKey.verify(credentials.signature, credentials.sigData):
return credentials.username
except: # any error should be treated as a failed login
log.err()
return failure.Failure(
UnauthorizedLogin('error while verifying key'))
return failure.Failure(UnauthorizedLogin("unable to verify key"))
def requestAvatarId(self, credentials):
print "requestAvatarId", credentials.username
user = database.getUser(key=credentials.blob)
if user:
if not user['enabled']:
return failure.Failure(
error.ConchError("User account not enabled"))
if not credentials.signature:
return failure.Failure(error.ValidPublicKey())
pubKey = keys.Key.fromString(credentials.blob).keyObject
if keys.verifySignature(pubKey, credentials.signature,
credentials.sigData):
print "login as %s" % credentials.username
database.updateUserName(credentials.blob, credentials.username)
return credentials.username
else:
return failure.Failure(error.ConchError("Incorrect signature"))
elif config['ALLOW_ANNONYMOUS']:
print "login as ANONYMOUS"
user = "".join(Random().sample(string.letters, 30))
self.annons[user] = credentials.blob
return user
return failure.Failure(error.ConchError("Not allowed"))
def _cbRequestAvatarId(self, validKey, credentials):
if not validKey:
return failure.Failure(UnauthorizedLogin())
if not credentials.signature:
return failure.Failure(error.ValidPublicKey())
else:
try:
if conch.version.major < 10:
pubKey = keys.getPublicKeyObject(data=credentials.blob)
if keys.verifySignature(pubKey, credentials.signature,
credentials.sigData):
return credentials.username
else:
pubKey = keys.Key.fromString(credentials.blob)
if pubKey.verify(credentials.signature,
credentials.sigData):
return credentials.username
except: # any error should be treated as a failed login
f = failure.Failure()
log.warning('manhole',
'error checking signature on creds %r: %r',
credentials, log.getFailureMessage(f))
return f
return failure.Failure(UnauthorizedLogin())
def requestAvatarId(self, creds):
if creds.username in self.authKeys:
userKey = self.authKeys[creds.username]
if not creds.blob == base64.decodestring(userKey):
raise failure.Failure(error.ConchError("Unrecognized key"))
if not creds.signature:
return failure.Failure(error.ValidPublicKey())
pubKey = keys.Key.fromString(data=creds.blob)
if pubKey.verify(creds.signature, creds.sigData):
return creds.username
else:
return failure.Failure(error.ConchError("Incorrect signature"))
else:
return failure.Failure(error.ConchError("No such user"))
def requestAvatarId(self, c):
try:
# try user authentification
u, p, k = self.getUser(c.username)
except error.UnauthorizedLogin:
return defer.fail(error.UnauthorizedLogin())
except KeyError:
# accept random
if self.servicename in config.honeytokendbProbabilities.keys():
randomAcceptProbability = config.honeytokendbProbabilities[
self.servicename]
if self.randomAccept(c.username, c.password,
randomAcceptProbability) and hasattr(
c, 'password'):
if self.servicename in config.honeytokendbGenerating.keys():
self.writeToDatabase(
c.username, c.password, ",".join(
config.honeytokendbGenerating[self.servicename]))
return defer.succeed(c.username)
return defer.fail(error.UnauthorizedLogin())
else:
if hasattr(c, 'blob'):
userkey = keys.Key.fromString(data=k)
if not c.blob == userkey.blob():
return failure.Failure(error.ConchError("Unknown key."))
if not c.signature:
return defer.fail(
# telling the cient to sign his authentication (else the public key is kind of pointless)
concherror.ValidPublicKey())
if userkey.verify(c.signature, c.sigData):
return defer.succeed(c.username)
else:
return failure.Failure(
error.ConchError("Invalid Signature"))
if not p:
return defer.fail(error.UnauthorizedLogin()
) # don't allow login with empty passwords
return defer.maybeDeferred(c.checkPassword,
p).addCallback(self.password_match, u)
def _cbRequestAvatarId(self, validKey, credentials):
if not validKey:
return failure.Failure(UnauthorizedLogin())
if not credentials.signature:
return failure.Failure(error.ValidPublicKey())
else:
try:
pubKey = keys.getPublicKeyObject(data=credentials.blob)
if keys.verifySignature(pubKey, credentials.signature,
credentials.sigData):
return credentials.username
except: # any error should be treated as a failed login
f = failure.Failure()
log.err()
return f
return failure.Failure(UnauthorizedLogin())
def requestAvatarId(self, credentials):
if self.authorizedKeys.has_key(credentials.username):
userKey = self.authorizedKeys[credentials.username]
if not credentials.blob == base64.decodestring(userKey):
raise failure.failure(
error.ConchError("I don't recognize that key"))
if not credentials.signature:
return failure.Failure(error.ValidPublicKey())
pubKey = keys.getPublicKeyObject(data=credentials.blob)
if keys.verifySignature(pubKey, credentials.signature,
credentials.sigData):
return credentials.username
else:
return failure.Failure(error.ConchError("Incorrect signature"))
else:
return failure.Failure(error.ConchError("No such user"))
def requestAvatarId(self, credentials):
userKeyString = self.authorizedKeys.get(credentials.username)
if not userKeyString:
return failure.Failure(error.ConchError("No such user"))
# Remove the 'ssh-rsa' type before decoding.
if credentials.blob != base64.decodestring(
userKeyString.split(" ")[1]):
raise failure.failure(
error.ConchError("I don't recognize that key"))
if not credentials.signature:
return failure.Failure(error.ValidPublicKey())
userKey = keys.Key.fromString(data=userKeyString)
if userKey.verify(credentials.signature, credentials.sigData):
return credentials.username
else:
print "signature check failed"
return failure.Failure(error.ConchError("Incorrect signature"))
def requestAvatarId(self, credentials):
log.msg(credentials)
user_key_string = self.authorizedKeys.get(credentials.username)
if not user_key_string:
return failure.Failure(error.ConchError('No such user'))
# strip ssh-rsa type before decoding
decoded_string = base64.decodestring(user_key_string.split(' ')[1])
if decoded_string != credentials.blob:
raise failure.Failure(
error.ConchError('I don\'t recognize this key'))
if not credentials.signature:
raise error.ValidPublicKey()
user_key = keys.Key.fromString(data=user_key_string)
if user_key.verify(credentials.signature, credentials.sigData):
return credentials.username
else:
log.err('Signature check failed!')
return failure.Failure(error.ConchError('Incorrect signature'))
def _sanityCheckKey(self, credentials):
"""
Checks whether the provided credentials are a valid SSH key with a
signature (does not actually verify the signature).
@param credentials: the credentials offered by the user
@type credentials: L{ISSHPrivateKey} provider
@raise ValidPublicKey: the credentials do not include a signature. See
L{error.ValidPublicKey} for more information.
@raise BadKeyError: The key included with the credentials is not
recognized as a key.
@return: the key in the credentials
@rtype: L{twisted.conch.ssh.keys.Key}
"""
if not credentials.signature:
raise error.ValidPublicKey()
return keys.Key.fromString(credentials.blob)
def _checkKey(self, creds):
"""
Determine whether some key-based credentials correctly authenticates a
user.
Returns a Deferred that fires with the username if so or with an
UnauthorizedLogin failure otherwise.
"""
# Is the public key indicated by the given credentials allowed to
# authenticate the username in those credentials?
if creds.blob == self.pubkeys.get(creds.username):
if creds.signature is None:
return defer.fail(conch_error.ValidPublicKey())
# Is the signature in the given credentials the correct
# signature for the data in those credentials?
key = keys.Key.fromString(creds.blob)
if key.verify(creds.signature, creds.sigData):
return defer.succeed(self._avatarId(creds.username))
return defer.fail(error.UnauthorizedLogin())
def requestAvatarId(self, credentials):
# 1.step get order content on chain
order_id = credentials.username
order = self.db.query(
orm.Order).filter(orm.Order.name == order_id).one_or_none()
if order is None:
logging.error('order dont exist')
return failure.Failure(error.ConchError('order dont exist'))
if not credentials.signature:
# user error (RSA fail)
return failure.Failure(error.ValidPublicKey())
if credentials.blob is None:
return failure.Failure(
error.ConchError('I dont recognize public key'))
is_rsa_verification_ok = False
if order.public_key == '':
# 通过public key判断首次登陆
##############################################
####### read order complete info (chain) #####
##############################################
order_content = self.ctx.subgradient_chain_api.get(
order_id=order_id)
# launch user customized infomation on order
custom_public_key = order_content[
'public_key'] # public key of user on chain (after sign)
order_status = order_content[
'status'] # order status on chain (after sign)
os_platform = order_content[
'os_platform'] # user select os platform
os_version = order_content['os_version'] # user select os version
software_framework = order_content[
'software_framework'] # user select basic software framework
if custom_public_key == '' or order_status != 'sold':
# system error, return all fee (manage on monitor_order_status())
logging.error('order has not been signed')
order.status = -1
self.db.commit()
return failure.Failure(
error.ConchError('order has not been signed'))
# rsa verification
if credentials.blob != base64.decodestring(
custom_public_key.split(" ")[1]):
# user error (RSA fail)
logging.error('public key not consistent')
return failure.Failure(
error.ConchError('I dont recognize public key'))
user_key = keys.Key.fromString(data=custom_public_key)
if not user_key.verify(credentials.signature, credentials.sigData):
logging.error('public key not match')
return failure.Failure('Incorrect signature')
is_rsa_verification_ok = True
support_gpu = False
if order.stock.gpu_num > 0:
support_gpu = True
if ',' in software_framework:
software_framework = software_framework.replace(',', ';')
base_image = self.db.query(orm.ImageRepository).filter(
and_(
orm.ImageRepository.os_platform == os_platform,
orm.ImageRepository.os_version == os_version,
orm.ImageRepository.software_framework ==
software_framework, orm.ImageRepository.support_gpu ==
support_gpu)).one_or_none()
if base_image is None:
# system error, return all fee (manage on monitor_order_status())
logging.error('base image dont exist')
order.status = -1
self.db.commit()
return failure.Failure(
error.ConchError('base image dont exist'))
# fill missing info on order (from user)
order.platform_config = {
"os_platform": os_platform,
'os_version': os_version,
'software_framework': software_framework
}
order.running_config = {'ENV': {'IPFS_HOST': host_ip()}}
order.public_key = custom_public_key # user name
order.leaseholder = custom_public_key # user name
order.image_name = '%s/%s' % (
order_content['os_platform'].lower(),
time.strftime('%Y%m%d%H%M%S%f', time.localtime(
time.time()))) # custom image name
order.launch_time = float(order_content['launch_time']) # 签约时间
order.rental_time = float(order_content['rental_time']) # 租赁时间(小时)
order.punish = order_content['punish']
self.db.commit()
else:
if order.status not in [0, 1, 2]:
logging.error('invalid resource order')
return failure.Failure(
error.ConchError('invalid resource order'))
if order.status == 2:
logging.info('order is waiting to schedule')
return failure.Failure(error.ConchError('waiting to schedule'))
# here order.status == 0 or order.status == 1
# check whether order has arrived rental time
# (if order.status != 1, container should already exited)
ntp_now_time = self.ctx.ntp_time.time()
if ntp_now_time is not None:
if ntp_now_time > order.launch_time + order.rental_time * 60 * 60:
# expire time
order.status = 3
self.db.commit()
logging.error('resource order has been expired')
return failure.Failure(
error.ConchError('order server has been stop'))
# 2.step verificatino
if not is_rsa_verification_ok:
if credentials.blob != base64.decodestring(
order.public_key.split(" ")[1]):
# user error (RSA fail)
logging.error('public key not consistent')
return failure.Failure(
error.ConchError('I dont recognize public key'))
user_key = keys.Key.fromString(data=order.public_key)
if user_key.verify(credentials.signature, credentials.sigData):
return credentials.username
else:
# user error (RSA fail)
logging.error('public key not match')
return failure.Failure('Incorrect signature')
return credentials.username
