

Implement certificate based authentication.
JonSeverinsson committed Mar 10, 2014
1 parent 2f102f4 commit 2a253cc
Showing 12 changed files with 76 additions and 116 deletions.
28 changes: 18 additions & 10 deletions contrib/tanglu/eg/debile-tanglu.init.yaml.example
@@ -1,22 +1,30 @@
---
Users: # Users of Debile
- name: Matthias Klumpp
username: mak
key: 57DC4BD33F73E0CDBA98D22AF7EBEE8EB7982329
email: [email protected]
password: s3kr37
pgp: 57DC4BD33F73E0CDBA98D22AF7EBEE8EB7982329
ssl: 0000000000000000DEADBEEF0000000000000000

- name: Jon Severinsson
email: [email protected]
pgp: 32623A6F42F5DA4B0DBD5B2BCDBBA39E78415AD2
ssl: 0000000000000000DEADBEEF0000000000000000

- name: Debian Archive Kit
username: dak
key: 0000000000000000DADADA000000000000000000
email: [email protected]
password: s3kr37
pgp: 0000000000000000DEADBEEF0000000000000000
ssl: 0000000000000000DEADBEEF0000000000000000

Builders: # Machines that can build
- name: helium.buildd.tanglu.org
key: 367D333376945BAE75CB466779A21745EC78A01D
maintainer: mak
password: s3kr37
maintainer: [email protected]
pgp: 367D333376945BAE75CB466779A21745EC78A01D
ssl: 0000000000000000DEADBEEF0000000000000000

- name: caesium.buildd.tanglu.org
maintainer: [email protected]
pgp: 517884F17B4964C46EEE3D56FFF33867C01E4D5A
ssl: 9B625D4D2B2C6913216B0DB3251141B32DA8E82F

Suites:
- name: aequorea-updates
Expand Down Expand Up @@ -46,7 +54,7 @@ Checks:

Groups:
- name: default
maintainer: mak
maintainer: mak@debian.org

suites:
- suite: staging
2 changes: 1 addition & 1 deletion contrib/tanglu/update-jobs.py
Expand Up @@ -63,7 +63,7 @@ def __init__(self, suite):

@staticmethod
def create_debile_source(session, group, suite, component_name, dsc_fname):
user = session.query(Person).filter_by(username="dak").one()
user = session.query(Person).filter_by(email="dak@ftp-master.tanglu.org").one()

group_suite = session.query(GroupSuite).filter(
Group.name==group,
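Review bot: The new DAK lookup hard-codes the identity `dak@ftp-master.tanglu.org` as a query literal, so the code now silently depends on the example YAML carrying exactly that email; a renamed or missing entry surfaces only as an unexplained NoResultFound from `.one()` at job-creation time. Lifting the literal to a named module-level constant such as `DAK_EMAIL = "dak@ftp-master.tanglu.org"` (or reading it from config) makes the coupling visible and gives the failure a name. create_debile_source continues outside the hunk.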
21 changes: 3 additions & 18 deletions debile/master/dimport.py
Expand Up @@ -47,25 +47,10 @@ def import_dict(obj):

with session() as s:
for user in users:
existing = None
try:
existing = s.query(Person).filter_by(
username=user['username']
).one()
except NoResultFound:
pass

p = Person(**user)

if existing:
p.id = existing.id
s.merge(p)
else:
s.add(p)
s.add(Person(**user))

for builder in builders:
username = builder.pop('maintainer')
who = s.query(Person).filter_by(username=username).one()
who = s.query(Person).filter_by(email=builder['maintainer']).one()
builder['maintainer'] = who
builder['last_ping'] = datetime.utcnow()
s.add(Builder(**builder))
Expand All @@ -85,7 +70,7 @@ def import_dict(obj):
for group in groups:
suites = group.pop('suites')

who = s.query(Person).filter_by(username=group['maintainer']).one()
who = s.query(Person).filter_by(email=group['maintainer']).one()
group['maintainer'] = who
group = Group(**group)
s.add(group)
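Review bot: The users loop now does a plain `s.add(Person(**user))` where it previously looked up an existing row and merged into it, while orm.py in this same commit adds `UniqueConstraint('email')` to Person; unless dimport is only ever run once against an empty database, a second import of the same YAML will now fail with an integrity error on the email column instead of updating the row. Keeping the find-or-merge shape but keyed on `email` (the new identity field) restores idempotent imports and matches how the builder and group loops below already resolve people by email. import_dict starts outside the hunk, and the indentation below is relative to the existing `with session() as s:` body.
```python
for user in users:
    # Keyed on email: that is the column orm.py now declares unique,
    # so re-importing the same YAML updates rather than collides.
    existing = s.query(Person).filter_by(email=user['email']).first()
    p = Person(**user)
    if existing is not None:
        p.id = existing.id
        s.merge(p)
    else:
        s.add(p)
# … unchanged: builders and groups import …
```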
6 changes: 3 additions & 3 deletions debile/master/incoming_changes.py
Expand Up @@ -59,22 +59,22 @@ def process_changes(session, path):
return reject_changes(session, changes, "invalid-group")

try:
key = changes.validate_signature()
fingerprint = changes.validate_signature()
except ChangesFileException:
return reject_changes(session, changes, "invalid-signature")

#### Sourceful Uploads
if changes.is_source_only_upload():
try:
user = session.query(Person).filter_by(key=key).one()
user = session.query(Person).filter_by(pgp=fingerprint).one()
except NoResultFound:
return reject_changes(session, changes, "invalid-user")
return accept_source_changes(session, changes, user)

#### Binary Uploads
if changes.is_binary_only_upload():
try:
builder = session.query(Builder).filter_by(key=key).one()
builder = session.query(Builder).filter_by(pgp=fingerprint).one()
except NoResultFound:
return reject_changes(session, changes, "invalid-builder")
return accept_binary_changes(session, changes, builder)
7 changes: 5 additions & 2 deletions debile/master/incoming_dud.py
Expand Up @@ -53,10 +53,13 @@ def process_dud(session, path):
except DudFileException as e:
return reject_dud(session, dud, "invalid-dud-upload")

key = dud.validate_signature()
try:
fingerprint = dud.validate_signature()
except DudFileException as e:
return reject_dud(session, dud, "invalid-signature")

try:
builder = session.query(Builder).filter_by(key=key).one()
builder = session.query(Builder).filter_by(pgp=fingerprint).one()
except NoResultFound:
return reject_dud(session, dud, "invalid-dud-builder")
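Review bot: The added `except DudFileException as e:` binds `e` and never uses it, mirroring the pre-existing handler two lines above; either drop the binding, `except DudFileException:`, or actually record it, since a rejected signature is exactly the event an operator will want a reason for in the log rather than only the opaque "invalid-signature" status. process_dud starts before the hunk and its remaining lines are outside it.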

40 changes: 18 additions & 22 deletions debile/master/orm.py
Expand Up @@ -57,52 +57,47 @@ def getthing(obj, name):

class Person(Base):
__tablename__ = 'people'
__table_args__ = (UniqueConstraint('username'),)
__table_args__ = (UniqueConstraint('email'),)
_debile_objs = {
"id": "id",
"username": "username",
"name": "name",
"email": "email",
"key": "key",
"pgp": "pgp",
"ssl": "ssl",
}
debilize = _debilize

id = Column(Integer, primary_key=True)
username = Column(String(255)) # Unique

name = Column(String(255))
email = Column(String(255))
key = Column(String(255))
password = Column(String(255)) # Weak password. Not actually critical.

def validate(self, password):
return self.password == password
pgp = Column(String(40), nullable=True)
ssl = Column(String(40), nullable=True)


class Builder(Base):
__table_args__ = (UniqueConstraint('name'),)
__tablename__ = 'builders'
_debile_objs = {
"id": "id",
"maintainer_id": "maintainer.username",
"maintainer": "maintainer.name",
"name": "name",
"key": "key",
"last_ping": "last_ping",
"maintainer_name": "maintainer.name",
"maintainer_email": "maintainer.email",
"pgp": "pgp",
"ssl": "ssl",
}
debilize = _debilize

id = Column(Integer, primary_key=True)
name = Column(String(255))
last_ping = Column(DateTime, nullable=False)

maintainer_id = Column(Integer, ForeignKey('people.id'))
maintainer = relationship("Person", foreign_keys=[maintainer_id])

name = Column(String(255))
key = Column(String(255))
password = Column(String(255)) # Weak password. Not actually critical.
last_ping = Column(DateTime, nullable=False)

def validate(self, password):
return self.password == password
pgp = Column(String(40), nullable=True)
ssl = Column(String(40), nullable=True)


class Suite(Base):
Expand Down Expand Up @@ -172,8 +167,8 @@ class Group(Base):
_debile_objs = {
"id": "id",
"name": "name",
"maintainer_id": "maintainer.username",
"maintainer": "maintainer.name",
"maintainer_name": "maintainer.name",
"maintainer_email": "maintainer.email",
"repo_path": "repo_path",
"repo_url": "repo_url",
"files_path": "files_path",
Expand Down Expand Up @@ -293,7 +288,8 @@ class Source(Base):
"suite": "group_suite.suite.name",
"component": "component.name",
"group_id": "group_suite.group_id",
"uploader": "uploader.username",
"uploader_name": "uploader.name",
"uploader_email": "uploader.email",
"uploaded_at": "uploaded_at",
}
debilize = _debilize
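Review bot: The new `pgp` and `ssl` columns on Person and Builder are now the authentication identifiers, yet `__table_args__` only guarantees uniqueness of `email` (Person) and `name` (Builder), so nothing stops two rows from sharing a fingerprint. incoming_changes.py and incoming_dud.py look these columns up with `.one()`, whose MultipleResultsFound is not covered by their `except NoResultFound`, and server.py's `.first()` would quietly authenticate whichever duplicate the database returns first. Declaring them unique, e.g. `__table_args__ = (UniqueConstraint('email'), UniqueConstraint('pgp'), UniqueConstraint('ssl'))` on Person and the equivalent on Builder, turns the identity-to-row mapping into a database guarantee; `nullable=True` can stay, as the usual backends allow multiple NULLs under a unique constraint. The example YAML files in this commit reuse one placeholder `ssl` value across every entry and would need distinct placeholders once the constraint exists.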
43 changes: 7 additions & 36 deletions debile/master/server.py
Expand Up @@ -22,21 +22,20 @@
from SimpleXMLRPCServer import SimpleXMLRPCServer
from SimpleXMLRPCServer import SimpleXMLRPCRequestHandler

from sqlalchemy.orm.exc import NoResultFound
from sqlalchemy.orm import Session, sessionmaker

import debile.master.core
from debile.master.utils import session
from debile.master.orm import Person, Builder, Job
from debile.master.orm import Person, Builder

from base64 import b64decode
import datetime as dt
import SocketServer
import threading
import logging
from logging.handlers import SysLogHandler
import os
import ssl
import hashlib

from debile.master.core import config

Expand Down Expand Up @@ -90,41 +89,13 @@ def authenticate(self):
if not hasattr(NAMESPACE, 'session'):
set_session()

(basic, _, encoded) = self.headers.get('Authorization').partition(' ')
if basic.lower() != 'basic':
self.send_error(401, 'Only allowed basic type thing')
entity, password = b64decode(encoded.encode()).decode().split(":", 1)
cert = self.connection.getpeercert(True)
fingerprint = hashlib.sha1(cert).hexdigest().upper()

actor_auth_methods = {
"@": self.authenticate_user,
"%": self.authenticate_machine,
}
NAMESPACE.machine = NAMESPACE.session.query(Builder).filter_by(ssl=fingerprint).first()
NAMESPACE.user = NAMESPACE.session.query(Person).filter_by(ssl=fingerprint).first()

actor_type = entity[0]
entity = entity[1:]

try:
method = actor_auth_methods[actor_type]
except KeyError:
return False

return method(NAMESPACE.session, entity, password)

def authenticate_user(self, session, entity, password):
try:
luser = session.query(Person).filter_by(username=entity).one()
NAMESPACE.user = luser
return luser.validate(password)
except NoResultFound:
return False

def authenticate_machine(self, session, entity, password):
try:
machine = session.query(Builder).filter_by(name=entity).one()
NAMESPACE.machine = machine
return machine.validate(password)
except NoResultFound:
return False
return NAMESPACE.machine or NAMESPACE.user

def parse_request(self, *args):
if SimpleXMLRPCRequestHandler.parse_request(self, *args):
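Review bot: `cert = self.connection.getpeercert(True)` returns None when the client presented no certificate, and the following `hashlib.sha1(cert)` then raises TypeError inside the request handler instead of authenticate returning False; whether that path is reachable depends on the listening socket being wrapped with `cert_reqs=ssl.CERT_REQUIRED` against the new `ca_certs` file, which is outside this hunk. A guard `if cert is None: return False` before the hash keeps a missing certificate an ordinary authentication failure, and a comment that the SHA-1 fingerprint only selects the row while the TLS handshake is what proves possession of the key would document the trust boundary. The hash format also deserves a comment, e.g. `# SHA-1 of the DER certificate, uppercase hex: the value operators put in the YAML 'ssl:' fields`, since that is what the examples must match. authenticate's `def` is the hunk header and its remaining lines are outside the hunk.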
4 changes: 1 addition & 3 deletions debile/utils/xmlrpc.py
Expand Up @@ -90,9 +90,7 @@ def get_proxy(config):
raise Exception("No xmlrpc found in slave yaml")

proxy = xmlrpclib.ServerProxy(
"https://{user}:{password}@{host}:{port}/".format(
user=xml['user'],
password=xml['password'],
"https://{host}:{port}/".format(
host=xml['host'],
port=xml['port'],
), transport=DebileSafeTransport(
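Review bot: With user and password gone from the URL, the client's identity now rests entirely on what the `DebileSafeTransport(` call receives on the lines after the hunk; the example client configs in this commit (eg/etc/debile/slave.yaml, eg/etc/debile/user.yaml) gain only `keyfile`/`certfile` and no CA bundle, so it is worth confirming that the transport also verifies the master's certificate rather than presenting the client cert to whatever answers on that host and port. A short comment on the `ServerProxy(` line saying that authentication is the client certificate carried by the transport would stop the next reader from looking for credentials here. get_proxy continues outside the hunk.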
24 changes: 11 additions & 13 deletions eg/debile.yaml
@@ -1,27 +1,25 @@
---
Users: # Users of Debile
- name: Paul Tagliamonte
username: paultag
key: 57DC4BD33F73E0CDBA98D22AF7EBEE8EB7982329
email: [email protected]
password: s3kr37
pgp: 57DC4BD33F73E0CDBA98D22AF7EBEE8EB7982329
ssl: 0000000000000000DEADBEEF0000000000000000

- name: Archive Rebuilder
username: rebuild
key: 2EA5C67F0A37D37C64C7B5EDC0A1FC9FD80D7B69
email: [email protected]
password: s3kr37
pgp: 2EA5C67F0A37D37C64C7B5EDC0A1FC9FD80D7B69
ssl: 0000000000000000DEADBEEF0000000000000000

Builders: # Machines that can build
- name: leliel.pault.ag
key: 21CAF89F520676541CD7088849E9153AF7901FAE
maintainer: paultag
password: s3kr37
maintainer: [email protected]
pgp: 21CAF89F520676541CD7088849E9153AF7901FAE
ssl: 0000000000000000DEADBEEF0000000000000000

- name: helios.pault.ag
key: 0C267E932994895CDE7B6B3ECB4315D1BC490D41
maintainer: paultag
password: s3kr375
maintainer: [email protected]
pgp: 0C267E932994895CDE7B6B3ECB4315D1BC490D41
ssl: 0000000000000000DEADBEEF0000000000000000

Suites:
- name: unstable
Expand Down Expand Up @@ -51,7 +49,7 @@ Checks:

Groups:
- name: default
maintainer: paultag
maintainer: paultag@debian.org

suites:
- suite: unstable
7 changes: 4 additions & 3 deletions eg/etc/debile/master.yaml
@@ -1,14 +1,15 @@
---
database: sqlite:////home/tag/debile.db
database: sqlite:////srv/debile/debile.db
filerepo_chmod_mode: 660

affinity_preference: ['amd64', 'i386']

xmlrpc:
addr: 0.0.0.0
port: 22017
keyfile: /home/tag/debile.key
certfile: /home/tag/debile.crt
keyfile: /srv/debile/master.key
certfile: /srv/debile/master.crt
ca_certs: /srv/debile/clients.pem

repo:
# custom_resolver: devnull.foo.resolver
6 changes: 3 additions & 3 deletions eg/etc/debile/slave.yaml
@@ -1,11 +1,11 @@
---
xmlrpc:
user: "%leliel.pault.ag"
password: s3kr37
host: debile-master
port: 22017
keyfile: /etc/debile/leliel.key
certfile: /etc/debile/leliel.crt

gpg: GPGFINGERPRINTGOESHEREATSOMEPOINTSOONISH
gpg: 0000000000000000DEADBEEF00000000000000000

dput:
host: debile-master
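Review bot: The replacement `gpg:` placeholder appears to be 41 hex characters, one longer than the 40-character fingerprints used in every other example in this commit and than the `String(40)` columns in orm.py, so it is worth recounting before it gets copied as a template. `gpg: 0000000000000000DEADBEEF0000000000000000` would match the other placeholders.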
4 changes: 2 additions & 2 deletions eg/etc/debile/user.yaml
@@ -1,6 +1,6 @@
---
xmlrpc:
user: "@paultag"
password: s3kr37
host: localhost
port: 22017
keyfile: /home/paultag/.debile/paultag.key
certfile: /home/paultag/.debile/paultag.crt
