From d94247cb9f7746f75b176cbed0a32e9e902e7e7d Mon Sep 17 00:00:00 2001
From: Magnus Ahltorp
Date: Fri, 20 Jan 2017 00:32:45 +0100
Subject: API keys are now provided in the config file. Also added CA cert verification for internal TLS connections.
---
 tools/certtools.py | 24 ++++++++++++++++--------
 1 file changed, 16 insertions(+), 8 deletions(-)
(limited to 'tools/certtools.py')
diff --git a/tools/certtools.py b/tools/certtools.py
index 0009d5d..0ccbcad 100644
--- a/tools/certtools.py
+++ b/tools/certtools.py
@@ -94,6 +94,12 @@ def get_root_cert(issuer):
 class sslparameters:
     cafile = None
 
+class apikeys:
+    publickeys = {}
+
+def set_api_keys(config):
+    apikeys.publickeys = dict([(node["nodename"], base64.b64decode(node["publickey"])) for node in config["apikeys"]])
+
 def create_ssl_context(cafile=None):
     try:
         sslparameters.cafile = cafile
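Review bot: set_api_keys lets a later config entry with the same nodename silently overwrite an earlier one, and a missing "nodename" or "publickey" field surfaces as a bare KeyError with no hint which entry is malformed; since these keys are what check_auth_header trusts to verify signed replies, the loader should reject duplicates and name the offending entry. Building the dict in a loop makes both checks straightforward and reads no worse than the `dict([...])` form (a dict comprehension would be the idiomatic one-liner if duplicates were acceptable). The function also deserves a docstring, e.g. `"""Load per-node public keys (base64 in the config, DER once decoded) used to verify signed replies."""`.
```python
def set_api_keys(config):
    keys = {}
    for node in config["apikeys"]:
        nodename = node["nodename"]
        if nodename in keys:
            raise Exception("Duplicate apikeys entry for node %s" % nodename)
        keys[nodename] = base64.b64decode(node["publickey"])
    apikeys.publickeys = keys
```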
@@ -256,32 +262,32 @@ def parse_auth_header(authheader): options = dict([(e.partition("=")[0], e.partition("=")[2]) for e in rawoptions]) return (base64.b64decode(signature), options) -def check_auth_header(authheader, expected_key, publickeydir, data, path): +def check_auth_header(authheader, expected_key, data, path): if expected_key == None: return True (signature, options) = parse_auth_header(authheader) + publickey = apikeys.publickeys[expected_key] keyname = options.get("key") if keyname != expected_key: raise Exception("Response claimed to come from %s, expected %s" % (keyname, expected_key)) - publickey = get_public_key_from_file(publickeydir + "/" + keyname + ".pem") vk = ecdsa.VerifyingKey.from_der(publickey) vk.verify(signature, "%s\0%s\0%s" % ("REPLY", path, data), hashfunc=hashlib.sha256, sigdecode=ecdsa.util.sigdecode_der) return True -def http_request(url, data=None, key=None, verifynode=None, publickeydir=".", params=None, session=None): +def http_request(url, data=None, key=None, verifynode=None, params=None, session=None): if session: - return http_request_session(url, data=data, key=key, verifynode=verifynode, publickeydir=publickeydir, params=params, session=session) + return http_request_session(url, data=data, key=key, verifynode=verifynode, params=params, session=session) else: with requests.sessions.Session() as session: - return http_request_session(url, data=data, key=key, verifynode=verifynode, publickeydir=publickeydir, params=params, session=session) + return http_request_session(url, data=data, key=key, verifynode=verifynode, params=params, session=session) def chunk_generator(data, maxsize): while len(data): yield data[:maxsize] data = data[maxsize:] -def http_request_session(url, data=None, key=None, verifynode=None, publickeydir=".", params=None, session=None): +def http_request_session(url, data=None, key=None, verifynode=None, params=None, session=None): (keyname, keyfile) = key privatekey = get_eckey_from_file(keyfile) sk = 
ecdsa.SigningKey.from_der(privatekey)
@@ -312,7 +318,7 @@ def http_request_session(url, data=None, key=None, verifynode=None, publickeydir
     result.raise_for_status()
     authheader = result.headers.get('X-Catlfish-Auth')
     data = result.text
-    check_auth_header(authheader, verifynode, publickeydir, data, url_to_sign)
+    check_auth_header(authheader, verifynode, data, url_to_sign)
     return data
 
 def get_signature(baseurl, data, key=None):
@@ -431,8 +437,10 @@ def timing_point(timer_dict=None, name=None):
         starttime = timer_dict["lasttime"]
         stoptime = t
         deltatime = stoptime - starttime
-        timer_dict["deltatimes"].append((name, deltatime.seconds * 1000000 + deltatime.microseconds))
+        microseconds = deltatime.seconds * 1000000 + deltatime.microseconds
+        timer_dict["deltatimes"].append((name, microseconds))
         timer_dict["lasttime"] = t
+        #print name, microseconds/1000000.0
         return None
     else:
         timer_dict = {"deltatimes":[], "lasttime":t}
--
cgit v1.1
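Review bot: In check_auth_header the new lookup `apikeys.publickeys[expected_key]` raises a bare KeyError when no key is configured for the expected node, including when set_api_keys was never called and the dict is still empty; failing closed there is the right outcome, but the error gives an operator nothing to act on. Replace it with `publickey = apikeys.publickeys.get(expected_key)` / `if publickey is None:` / `raise Exception("No public key configured for node %s" % expected_key)`. Keying the lookup on expected_key rather than on the key name the reply claims is correct, since the peer then cannot choose which key verifies its reply, and that deserves a comment on the new line, e.g. `# look up by the node we expect, never by the name the reply claims`. http_request_session's body continues past the end of the hunk.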
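Review bot: The new `microseconds` local in timing_point drops deltatime.days exactly as the line it replaces did, so an interval of a day or more would be under-reported; unlikely for a timing helper, but now that the value has a name it is the natural place to fix it: `microseconds = (deltatime.days * 86400 + deltatime.seconds) * 1000000 + deltatime.microseconds`. The added `#print name, microseconds/1000000.0` is commented-out debug code and should either be dropped or become a debug-level logging call. timing_point starts before the hunk; the setup of `t` and `timer_dict` is outside the visible lines.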