Please, consider the following interdiff:

--- a/lib/rapi/auth/pam.py
+++ b/lib/rapi/auth/pam.py
@@ -1,7 +1,7 @@
 #
 #

-# Copyright (C) 2015 Google Inc.
+# Copyright (C) 2015, 2016 Google Inc.
 # All rights reserved.
 #
 # Redistribution and use in source and binary forms, with or without
@@ -286,11 +286,12 @@ def ValidateRequest(cf, username, uri_access_rights,
password=None,

     """
     if num_msg > MAX_MSG_COUNT:
-      logging.info("Too many messages passed to conv function: [%d]",
num_msg)
+      logging.warning("Too many messages passed to conv function: [%d]",
+                      num_msg)
       return PAM_BUF_ERR
     response = cf.calloc(num_msg, c.sizeof(PamResponse))
     if not response:
-      logging.info("calloc failed in conv function")
+      logging.warning("calloc failed in conv function")
       return PAM_BUF_ERR
     resp[0] = c.cast(response, c.POINTER(PamResponse))
     for i in range(num_msg):
@@ -298,7 +299,7 @@ def ValidateRequest(cf, username, uri_access_rights,
password=None,
         continue
       resp.contents[i].resp = cf.strndup(password, len(password))
       if not resp.contents[i].resp:
-        logging.info("strndup failed in conv function")
+        logging.warning("strndup failed in conv function")
         for j in range(i):
           cf.free(c.cast(resp.contents[j].resp, c.c_void_p))
         cf.free(response)


On Thu, Jan 14, 2016 at 3:03 PM, 'Klaus Aehlig' via ganeti-devel <
[email protected]> wrote:

> On Wed, Jan 13, 2016 at 12:42:31PM +0100, 'Oleg Ponomarev' via
> ganeti-devel wrote:
> > As proposed in doc/design-rapi-pam.rst, implement ValidateRequest
> > function that interacts with PAM in order to perform authentication
> > and then authorization.
> >
> > Signed-off-by: Oleg Ponomarev <[email protected]>
> > ---
> >  Makefile.am             |   1 +
> >  lib/errors.py           |   6 +
> >  lib/rapi/auth/pam.py    | 366
> ++++++++++++++++++++++++++++++++++++++++++++++++
> >  src/Ganeti/Constants.hs |   7 +
> >  4 files changed, 380 insertions(+)
> >  create mode 100644 lib/rapi/auth/pam.py
>
> > diff --git a/lib/rapi/auth/pam.py b/lib/rapi/auth/pam.py
> > new file mode 100644
> > index 0000000..edecbab
> > --- /dev/null
> > +++ b/lib/rapi/auth/pam.py
> > @@ -0,0 +1,366 @@
> > +#
> > +#
> > +
> > +# Copyright (C) 2015 Google Inc.
>
> s/2015/2015, 2016/
>
> > +# All rights reserved.
> > +#
>
>
> > +def ValidateRequest(cf, username, uri_access_rights, password=None,
> > +                    service=DEFAULT_SERVICE_NAME, authtok=None,
> uri=None,
> > +                    method=None, body=None):
> > +  """Checks whether it's permitted to execute an rapi request.
> > +
> > +  Calls pam_authenticate and then pam_acct_mgmt in order to check
> whether a
> > +  request should be executed.
> > +
> > +  @param cf: An instance of CFunctions class containing necessary
> imports
> > +  @param username: username
> > +  @param uri_access_rights: handler access rights
> > +  @param password: password
> > +  @param service: a service name that will be used for the interaction
> with PAM
> > +  @param authtok: user's authentication token (e.g. some kind of
> signature)
> > +  @param uri: an uri of a target resource obtained from an http header
> > +  @param method: http method trying to access the uri
> > +  @param body: a body of an RAPI request
> > +
> > +  """
> > +  ValidateParams(username, uri_access_rights, password, service,
> authtok, uri,
> > +                 method, body)
> > +
> > +  def ConversationFunction(num_msg, msg, resp, _app_data_ptr):
> > +    """Conversation function that will be provided to PAM modules.
> > +
> > +    The function replies with a password for each message with
> > +    PAM_PROMPT_ECHO_OFF style and just ignores the others.
> > +
> > +    """
> > +    if num_msg > MAX_MSG_COUNT:
> > +      logging.info("Too many messages passed to conv function: [%d]",
> num_msg)
> > +      return PAM_BUF_ERR
> > +    response = cf.calloc(num_msg, c.sizeof(PamResponse))
> > +    if not response:
> > +      logging.info("calloc failed in conv function")
>
> s/info/warning/
>
> > +      return PAM_BUF_ERR
> > +    resp[0] = c.cast(response, c.POINTER(PamResponse))
> > +    for i in range(num_msg):
> > +      if msg[i].contents.msg_style != PAM_PROMPT_ECHO_OFF:
> > +        continue
> > +      resp.contents[i].resp = cf.strndup(password, len(password))
> > +      if not resp.contents[i].resp:
> > +        logging.info("strndup failed in conv function")
>
> s/info/warning/
>
> > +        for j in range(i):
> > +          cf.free(c.cast(resp.contents[j].resp, c.c_void_p))
> > +        cf.free(response)
> > +        return PAM_BUF_ERR
> > +      resp.contents[i].resp_retcode = 0
> > +    return PAM_SUCCESS
> > +
> > +  pam_handle = PamHandleT()
> > +  conv = PamConv(CONV_FUNC(ConversationFunction), 0)
> > +  ret = cf.pam_start(service, username, c.pointer(conv),
> c.pointer(pam_handle))
> > +  if ret != PAM_SUCCESS:
> > +    cf.pam_end(pam_handle, ret)
> > +    raise http.HttpInternalServerError("pam_start call failed [%d]" %
> ret)
> > +
> > +  Authenticate(cf, pam_handle, authtok)
> > +  Authorize(cf, pam_handle, uri_access_rights, uri, method, body)
> > +
> > +  cf.pam_end(pam_handle, PAM_SUCCESS)
>
> Rest LGTM
>
> --
> Klaus Aehlig
> Google Germany GmbH, Dienerstr. 12, 80331 Muenchen
> Registergericht und -nummer: Hamburg, HRB 86891
> Sitz der Gesellschaft: Hamburg
> Geschaeftsfuehrer: Matthew Scott Sucherman, Paul Terence Manicle
>



-- 

Oleg Ponomarev

Software Engineering Intern

[email protected]
+7 903 5542505

Google Germany GmbH

Maximilianstraße 13

80539 München

Geschäftsführer: Matthew Scott Sucherman, Paul Terence Manicle

Registergericht und -nummer: Hamburg, HRB 86891

Sitz der Gesellschaft: Hamburg

Diese E-Mail ist vertraulich. Wenn Sie nicht der richtige Adressat sind,
leiten Sie diese bitte nicht weiter, informieren Sie den Absender und
löschen Sie die E-Mail und alle Anhänge. Vielen Dank.


This e-mail is confidential. If you are not the right addressee please do
not forward it, please inform the sender, and please erase this e-mail
including any attachments. Thanks.

Reply via email to