Add certificate verification code to HTTP AUTH

482fff01 · andrea-manzi · 9e428f68 · 482fff01 · 482fff01
Commit 482fff01 authored Dec 15, 2014 by andrea-manzi
--- a/dist/fts-rest.spec
+++ b/dist/fts-rest.spec
@@ -24,19 +24,19 @@ BuildRequires:  python-dateutil
 BuildRequires:  python-pylons
 BuildRequires:  scipy
 BuildRequires:  m2crypto
+BuildRequires:  python-m2ext
 BuildRequires:  python-coverage
 BuildRequires:  python-sqlalchemy
 BuildRequires:  python-requests
 BuildRequires:  pandoc

-Requires:     gridsite%{?_isa} >= 1.7
-Requires:     httpd%{?_isa}
-Requires:     mod_wsgi
-Requires:     python-fts = %{version}-%{release}
-Requires:     python-paste-deploy
-Requires:     python-dateutil
-Requires:     python-pylons
-Requires:     gfal2-python
+Requires:       gridsite%{?_isa} >= 1.7
+Requires:       httpd%{?_isa}
+Requires:       mod_wsgi
+Requires:       python-fts = %{version}-%{release}
+Requires:       python-paste-deploy
+Requires:       python-pylons
+Requires:       gfal2-python

 %description
 This package provides the FTS3 REST interface
@@ -63,6 +63,8 @@ FTS3 Rest OAuth2 provider
 Summary:        FTS3 Rest HTTP_AUTHORIZATION signed-cert method
 Group:          Application/Internet

+Requires:       python-dateutil
+Requires:       python-m2ext
 Requires:       fts-rest = %{version}-%{release}

 %description http-authz-signed-cert

--- a/src/fts3rest/fts3rest/lib/middleware/fts3auth/methods/http.py
+++ b/src/fts3rest/fts3rest/lib/middleware/fts3auth/methods/http.py
@@ -18,6 +18,7 @@
 import re, time, dateutil.parser, logging, urllib
 from base64 import b64decode
 from M2Crypto import X509, EVP
+from m2ext import SSL
 from fts3rest.lib.middleware.fts3auth.credentials import InvalidCredentials, vo_from_fqan, build_vo_from_dn, generate_delegation_id

 def do_authentication(credentials, env):
@@ -62,6 +63,12 @@ def do_authentication(credentials, env):
        log.info("Signature verification failed")
        raise InvalidCredentials()

+    ctx = SSL.Context()
+    ctx.load_verify_locations(capath = "/etc/grid-security/certificates");
+    if not ctx.validate_certificate(x509):
+        log.info("Certificate verification failed")
+        raise InvalidCredentials()
+
    credentials.user_dn = '/'+'/'.join(x509.get_subject().as_text().split(', '))
    credentials.dn.append(credentials.user_dn)
    if 'SSL_CLIENT_S_DN' in env: