Mercurial > templog
changeset 211:59379b2bd056
key fingerprints are case- and whitespace-insensitive.
add some comments
author | Matt Johnston <matt@ucc.asn.au> |
---|---|
date | Thu, 26 Jun 2014 23:02:23 +0800 (2014-06-26) |
parents | 3f403e22c2e3 |
children | fbdd16b45b21 |
files | web/log.py web/secure.py web/templog.py |
diffstat | 3 files changed, 30 insertions(+), 3 deletions(-) [+] |
line wrap: on
line diff
--- a/web/log.py Thu Jun 26 22:58:25 2014 +0800 +++ b/web/log.py Thu Jun 26 23:02:23 2014 +0800 @@ -328,7 +328,8 @@ def send_params(params): # 'templog_receive' is ignored due to authorized_keys - # restrictions + # restrictions. the rpi has authorized_keys with + # command="/home/matt/templog/venv/bin/python /home/matt/templog/py/receive.py",no-pty,no-port-forwarding,no-x11-forwarding,no-agent-forwarding ssh-rsa AAAAB3NzaC.... args = [config.SSH_PROG, '-i', config.SSH_KEYFILE, config.SSH_HOST, 'templog_receive'] try:
--- a/web/secure.py Thu Jun 26 22:58:25 2014 +0800 +++ b/web/secure.py Thu Jun 26 23:02:23 2014 +0800 @@ -1,3 +1,4 @@ +import re import os import time import fcntl @@ -10,11 +11,29 @@ import config -__all__ = ["get_csrf_blob", "check_csrf_blob", "setup_csrf", "get_user_hash"] +__all__ = ["get_csrf_blob", "check_csrf_blob", "setup_csrf", "get_user_hash", +"check_user_hash"] HASH=hashlib.sha1 +CLEAN_RE = re.compile('[^a-z0-9A-Z]') + +def clean_hash(h): + return CLEAN_RE.sub('', h.lower()) + def get_user_hash(): + """ + Uses the following apache config. + Needs a separate port or IP to no-certificate SSL, SNI isn't good enough. + + <location /~matt/templog/set> + Require all granted + SSLVerifyClient optional_no_ca + SSLVerifyDepth 1 + SSLOptions +StdEnvVars +ExportCertData +OptRenegotiate + </location> + """ + verify = bottle.request.environ.get('SSL_CLIENT_VERIFY', '') if not (verify == 'GENEROUS' or verify == 'SUCCESS'): return 'FAILVERIFY' @@ -27,6 +46,13 @@ return HASH(binascii.a2b_base64(b64)).hexdigest() +def check_user_hash(allowed_users): + current_hash = clean_hash(get_user_hash()) + for a in allowed_users: + if current_hash == clean_hash(a): + return True + return False + def setup_csrf(): NONCE_SIZE=16 global _csrf_fd, _csrf_key
--- a/web/templog.py Thu Jun 26 22:58:25 2014 +0800 +++ b/web/templog.py Thu Jun 26 23:02:23 2014 +0800 @@ -68,7 +68,7 @@ @route('/set') def set(): - allowed = ["false", "true"][secure.get_user_hash() in config.ALLOWED_USERS] + allowed = ["false", "true"][secure.check_user_hash(config.ALLOWED_USERS)] response.set_header('Cache-Control', 'no-cache') return bottle.template('set', inline_data = log.get_params(),