[Mpuls-commits] r3097 - in base/trunk: . mpulsweb/lib
scm-commit@wald.intevation.org
scm-commit at wald.intevation.org
Mon Jun 28 11:42:16 CEST 2010
Author: bh
Date: 2010-06-28 11:42:14 +0200 (Mon, 28 Jun 2010)
New Revision: 3097
Modified:
base/trunk/ChangeLog
base/trunk/mpulsweb/lib/security.py
Log:
* mpulsweb/lib/security.py (getDbName): Refactor into several
functions. Revert semantics back to the way they were before
r2407: The information from the SSL-client certificates takes
precedence and the value from the configuration file is used as
fallback. Giving the configuration precedence over the values
from the certificates can easily lead to misconfigurations. The
fall-back value from configuration is mainly used for testing and
is often even the same as the one in the test-certificates used
but will not work for the real users.
(get_dbname_from_http_header): New. Contains the HTTP-Header
decoding part of getDbName()
(get_dbname_from_config): New. Contains the configuration based
part of getDbName
Modified: base/trunk/ChangeLog
===================================================================
--- base/trunk/ChangeLog 2010-06-25 09:10:09 UTC (rev 3096)
+++ base/trunk/ChangeLog 2010-06-28 09:42:14 UTC (rev 3097)
@@ -1,3 +1,19 @@
+2010-06-28 Bernhard Herzog <bh at intevation.de>
+
+ * mpulsweb/lib/security.py (getDbName): Refactor into several
+ functions. Revert semantics back to the way they were before
+ r2407: The information from the SSL-client certificates takes
+ precedence and the value from the configuration file is used as
+ fallback. Giving the configuration precedence over the values
+ from the certificates can easily lead to misconfigurations. The
+ fall-back value from configuration is mainly used for testing and
+ is often even the same as the one in the test-certificates used
+ but will not work for the real users.
+ (get_dbname_from_http_header): New. Contains the HTTP-Header
+ decoding part of getDbName()
+ (get_dbname_from_config): New. Contains the configuration based
+ part of getDbName
+
2010-06-24 Bernhard Herzog <bh at intevation.de>
* mpulsweb/config/environment.py (load_environment): Take the
Modified: base/trunk/mpulsweb/lib/security.py
===================================================================
--- base/trunk/mpulsweb/lib/security.py 2010-06-25 09:10:09 UTC (rev 3096)
+++ base/trunk/mpulsweb/lib/security.py 2010-06-28 09:42:14 UTC (rev 3097)
@@ -227,44 +227,61 @@
else:
log.warning("No file mapping file found named: %r", fname)
+
+def get_dbname_from_http_header():
+ """Return the KA-specific part of the DB-name set in HTTP-Header fields.
+
+ This function expects the CN part of the Subject-DN from the
+ SSL-client-certificate in either the MPULS_DBNAME or the
+ SSL_CLIENT_S_DN_CN HTTP request header field. The CN must consist
+ of at least four whitespace separated words. The KA-specific part
+ of the database name is the fourth of those words.
+
+ If the value cannot be determined, which usually means that neither
+ of the header fields is set, the function returns None.
+ """
+ dbname = request.environ.get('MPULS_DBNAME')
+ if not dbname:
+ # MPULS_DBNAME not set or empty, fall back to older request
+ # header
+ log.info("No database name defined in http-header MPULS_DBNAME,"
+ " falling back to SSL_CLIENT_S_DN_CN")
+ dbname = request.environ.get('SSL_CLIENT_S_DN_CN')
+
+ if not dbname:
+ return None
+
+ return dbname.split(' ')[3].lower()
+
+
+def get_dbname_from_config():
+ """Return the KA-specific part of the database name from the configuration.
+ The return value is the value of the config entry 'mpuls.db.name'.
+ """
+ return config.get('mpuls.db.name')
+
+
def getDbName():
- '''Trys to get the name of the db to connect to. First try to get it from
- the ini file. If no name is defined try to read it from the http-header
- MPULS_DBNAME. If the dbname is not located in the http-header try to fetch
- it from the SSL_CLIENT_S_DN_CN'''
- dbname = None
+ """Return the KA-specific part of the database name.
+ The value is taken from HTTP-Headers containing information from the
+ SSL-client-certificate using get_dbname_from_http_header(). If
+ those headers are not set, the value is taken from the configuration
+ using get_dbname_from_config().
+ """
+ dbname = get_dbname_from_http_header()
- # 1. Try to get the dbname from the ini.file
- try:
- dbname = config.get('mpuls.db.name')
- if dbname is not None and len(dbname) > 0:
- return NEW_DBS.get(dbname, dbname)
- else: log.info("No database name defined in ini file")
- except:
- log.exception("Could not fetch database name from ini file")
+ if not dbname:
+ log.info("Could not determine database name from HTTP header,"
+ " falling back to config file")
+ dbname = get_dbname_from_config()
- # 2. Try to get the dbname from MPULS_DBNAME http-headers
- try:
- dbname = request.environ.get('MPULS_DBNAME')
- if dbname is not None and len(dbname) > 0:
- dbname = dbname.split(' ')[3].lower()
- return NEW_DBS.get(dbname, dbname)
- else: log.info("No database name defined in http-header file")
- except:
- log.exception("Could not get database name from http-headers")
- raise
+ if not dbname:
+ log.info("Could not determine database name from configuration file")
+ raise RuntimeError("Could not determine database name")
- # 3. Try to get the dbname from SSL_CLIENT_S_DN_CN from client certificate
- # This code is obsolete and should not be executed. In current versions of
- # mpuls the dbname is located in the MPULS_DBNAME http-header.
- try:
- log.warning('Trying obsolete method to fetch dbname from client certificates')
- dbname = request.environ['SSL_CLIENT_S_DN_CN'].split(' ')[3].lower()
- return NEW_DBS.get(dbname, dbname)
- except:
- log.exception("Could not get database name from client certificate")
- raise
+ return NEW_DBS.get(dbname, dbname)
+
def getKAName():
kaname = ""
# 1. Try to get app name from config.
More information about the Mpuls-commits
mailing list