changeset 505:ad846b9bdd10

key fingerprints are case- and whitespace-insensitive. add some comments
author Matt Johnston <matt@ucc.asn.au>
date Thu, 26 Jun 2014 23:02:23 +0800
parents 028cf9bc3ee8
children cf52d5817709
files web/log.py web/secure.py web/templog.py
diffstat 3 files changed, 30 insertions(+), 3 deletions(-) [+]
--- a/web/log.py	Thu Jun 26 22:58:25 2014 +0800
+++ b/web/log.py	Thu Jun 26 23:02:23 2014 +0800
@@ -328,7 +328,8 @@
 
 def send_params(params):
     # 'templog_receive' is ignored due to authorized_keys
-    # restrictions
+    # restrictions. the rpi has authorized_keys with
+    # command="/home/matt/templog/venv/bin/python /home/matt/templog/py/receive.py",no-pty,no-port-forwarding,no-x11-forwarding,no-agent-forwarding ssh-rsa AAAAB3NzaC....
     args = [config.SSH_PROG, '-i', config.SSH_KEYFILE,
         config.SSH_HOST, 'templog_receive']
     try:
--- a/web/secure.py	Thu Jun 26 22:58:25 2014 +0800
+++ b/web/secure.py	Thu Jun 26 23:02:23 2014 +0800
@@ -1,3 +1,4 @@
+import re
 import os
 import time
 import fcntl
@@ -10,11 +11,29 @@
 
 import config
 
-__all__ = ["get_csrf_blob", "check_csrf_blob", "setup_csrf", "get_user_hash"]
+__all__ = ["get_csrf_blob", "check_csrf_blob", "setup_csrf", "get_user_hash",
+"check_user_hash"]
 
 HASH=hashlib.sha1
 
+CLEAN_RE = re.compile('[^a-z0-9A-Z]')
+
+def clean_hash(h):
+    return CLEAN_RE.sub('', h.lower())
+
 def get_user_hash():
+    """
+    Uses the following apache config. 
+    Needs a separate port or IP to no-certificate SSL, SNI isn't good enough.
+
+    <location /~matt/templog/set>
+    Require all granted
+    SSLVerifyClient optional_no_ca
+    SSLVerifyDepth 1
+    SSLOptions +StdEnvVars +ExportCertData +OptRenegotiate
+    </location>
+    """
+
     verify = bottle.request.environ.get('SSL_CLIENT_VERIFY', '')
     if not (verify == 'GENEROUS' or verify == 'SUCCESS'):
         return 'FAILVERIFY'
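Review bot: The new docstring on `get_user_hash` should state that with `SSLVerifyClient optional_no_ca` Apache does not validate the client certificate chain, so the `GENEROUS` branch accepts any self-signed certificate and the fingerprint allow-list is the only authentication. A sentence such as `Apache does not validate the client chain here; access rests entirely on the fingerprint matching config.ALLOWED_USERS.` would make that explicit. In `clean_hash`, the `A-Z` range in `CLEAN_RE` is redundant after `h.lower()`, and the pattern drops every non-alphanumeric character (colons included), not only whitespace as the commit message says; a one-line docstring saying so would help. The body of `get_user_hash` continues outside the hunk.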
@@ -27,6 +46,13 @@
 
     return HASH(binascii.a2b_base64(b64)).hexdigest()
 
+def check_user_hash(allowed_users):
+    current_hash = clean_hash(get_user_hash())
+    for a in allowed_users:
+        if current_hash == clean_hash(a):
+            return True
+    return False
+
 def setup_csrf():
     NONCE_SIZE=16
     global _csrf_fd, _csrf_key
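Review bot: `check_user_hash` compares whatever `get_user_hash()` returns, including in-band failure strings such as `'FAILVERIFY'`, after the same normalisation as real fingerprints. Rejecting anything that is not a full digest before the loop makes the failure path explicit: `if len(current_hash) != HASH().digest_size * 2: return False`. The same length test on each cleaned entry would skip blank or truncated values in `allowed_users`. The function also lacks a docstring saying that `allowed_users` is an iterable of hex fingerprint strings.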
--- a/web/templog.py	Thu Jun 26 22:58:25 2014 +0800
+++ b/web/templog.py	Thu Jun 26 23:02:23 2014 +0800
@@ -68,7 +68,7 @@
 
 @route('/set')
 def set():
-    allowed = ["false", "true"][secure.get_user_hash() in config.ALLOWED_USERS]
+    allowed = ["false", "true"][secure.check_user_hash(config.ALLOWED_USERS)]
     response.set_header('Cache-Control', 'no-cache')
     return bottle.template('set', 
         inline_data = log.get_params(),
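Review bot: Only this display path is switched to `secure.check_user_hash`. If the handler that accepts updates (not visible in this hunk) still tests `secure.get_user_hash() in config.ALLOWED_USERS`, a fingerprint configured with spaces or upper case will show as allowed here but be refused on submit, so it is worth confirming that it uses the same helper. Indexing a list with a boolean is also hard to read; `allowed = "true" if secure.check_user_hash(config.ALLOWED_USERS) else "false"` says the same thing. The body of `set` continues outside the hunk.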