Changeset 174

Timestamp:

07/25/12 01:41:34 (12 years ago)

Author:

atzm

Message:

• dynamic htpasswd loading support

File:

• etherws/trunk/etherws.py (modified) (7 diffs)

etherws/trunk/etherws.py

@@ -236 +236 @@
         except:
             traceback.print_exc()
-        tornado.ioloop.IOLoop.instance().stop()
+        tornado.ioloop.IOLoop.instance().stop()  # XXX: should unregister fd
 
     def _read(self):
@@ -268 +268 @@
 
 class EtherWebSocketClient(DebugMixIn):
-    def __init__(self, switch, url, user=None, passwd=None, debug=False):
+    def __init__(self, switch, url, cred=None, debug=False):
         self._switch = switch
         self._url = url
@@ -275 +275 @@
         self._options = {}
 
-        if user and passwd:
-            token = base64.b64encode('%s:%s' % (user, passwd))
+        if isinstance(cred, dict) and cred['user'] and cred['passwd']:
+            token = base64.b64encode('%s:%s' % (cred['user'], cred['passwd']))
             auth = ['Authorization: Basic %s' % token]
             self._options['header'] = auth
@@ -322 +322 @@
         except:
             traceback.print_exc()
-        tornado.ioloop.IOLoop.instance().stop()
+        tornado.ioloop.IOLoop.instance().stop()  # XXX: should unregister fd
+
+
+class Htpasswd(object):
+    def __init__(self, path):
+        self._path = path
+        self._stat = None
+        self._data = {}
+
+    def auth(self, name, passwd):
+        passwd = base64.b64encode(hashlib.sha1(passwd).digest())
+        return self._data.get(name) == passwd
+
+    def load(self):
+        old_stat = self._stat
+
+        with open(self._path) as fp:
+            self._stat = os.fstat(fp.fileno())
+
+            unchanged = old_stat and \
+                        old_stat.st_ino == self._stat.st_ino and \
+                        old_stat.st_dev == self._stat.st_dev and \
+                        old_stat.st_mtime == self._stat.st_mtime
+
+            if not unchanged:
+                self._data = self._parse(fp)
+
+    def _parse(self, fp):
+        data = {}
+        for line in fp:
+            line = line.strip()
+            if 0 <= line.find(':'):
+                name, passwd = line.split(':', 1)
+                if passwd.startswith('{SHA}'):
+                    data[name] = passwd[5:]
+        return data
+
+
+def wrap_basic_auth(handler_class, htpasswd_path):
+    if not htpasswd_path:
+        return handler_class
+
+    old_execute = handler_class._execute
+    htpasswd = Htpasswd(htpasswd_path)
+
+    def execute(self, transforms, *args, **kwargs):
+        def auth_required():
+            self.stream.write(tornado.escape.utf8(
+                'HTTP/1.1 401 Authorization Required\r\n'
+                'WWW-Authenticate: Basic realm=etherws\r\n\r\n'
+            ))
+            self.stream.close()
+
+        creds = self.request.headers.get('Authorization')
+
+        if not creds or not creds.startswith('Basic '):
+            return auth_required()
+
+        try:
+            name, passwd = base64.b64decode(creds[6:]).split(':', 1)
+            htpasswd.load()
+
+            if not htpasswd.auth(name, passwd):
+                return auth_required()
+
+            return old_execute(self, transforms, *args, **kwargs)
+
+        except:
+            return auth_required()
+
+    handler_class._execute = execute
+    return handler_class
 
 
@@ -361 +432 @@
 
 def server_main(args):
-    def wrap_basic_auth(cls, users):
-        o_exec = cls._execute
-
-        if not users:
-            return cls
-
-        def execute(self, transforms, *args, **kwargs):
-            def auth_required():
-                self.stream.write(tornado.escape.utf8(
-                    'HTTP/1.1 401 Authorization Required\r\n'
-                    'WWW-Authenticate: Basic realm=etherws\r\n\r\n'
-                ))
-                self.stream.close()
-
-            creds = self.request.headers.get('Authorization')
-
-            if not creds or not creds.startswith('Basic '):
-                return auth_required()
-
-            try:
-                name, passwd = base64.b64decode(creds[6:]).split(':', 1)
-                passwd = base64.b64encode(hashlib.sha1(passwd).digest())
-
-                if name not in users or users[name] != passwd:
-                    return auth_required()
-
-                return o_exec(self, transforms, *args, **kwargs)
-
-            except:
-                return auth_required()
-
-        cls._execute = execute
-        return cls
-
-    def load_htpasswd(path):
-        users = {}
-        try:
-            with open(path) as fp:
-                for line in fp:
-                    line = line.strip()
-                    if 0 <= line.find(':'):
-                        name, passwd = line.split(':', 1)
-                        if passwd.startswith('{SHA}'):
-                            users[name] = passwd[5:]
-            if not users:
-                raise ValueError('no valid users found')
-        except TypeError:
-            pass
-        return users
-
     realpath(args, 'keyfile', 'certfile', 'htpasswd')
 
@@ -434 +455 @@
     fdb = FDB(ageout=args.ageout, debug=args.debug)
     switch = SwitchingHub(fdb, debug=args.debug)
-    taps = [TapHandler(switch, dev, debug=args.debug) for dev in args.device]
-
-    handler = wrap_basic_auth(EtherWebSocketHandler,
-                              load_htpasswd(args.htpasswd))
-    app = tornado.web.Application([
-        (args.path, handler, {'switch': switch, 'debug': args.debug}),
-    ])
+
+    handler = wrap_basic_auth(EtherWebSocketHandler, args.htpasswd)
+    srv = (args.path, handler, {'switch': switch, 'debug': args.debug})
+    app = tornado.web.Application([srv])
     server = tornado.httpserver.HTTPServer(app, ssl_options=ssl_options)
     server.listen(args.port, address=args.address)
 
-    for tap in taps:
+    for dev in args.device:
+        tap = TapHandler(switch, dev, debug=args.debug)
         tap.open()
         ioloop.add_handler(tap.fileno(), tap, ioloop.READ)
@@ -460 +479 @@
         websocket.enableTrace(True)
 
-    if not args.insecure:
+    if args.insecure:
+        websocket._SSLSocketWrapper = \
+            lambda s: ssl.wrap_socket(s)
+    else:
         websocket._SSLSocketWrapper = \
             lambda s: ssl.wrap_socket(s, cert_reqs=ssl.CERT_REQUIRED,
                                       ca_certs=args.cacerts)
-    else:
-        websocket._SSLSocketWrapper = \
-            lambda s: ssl.wrap_socket(s)
+
+    if args.ageout <= 0:
+        raise ValueError('invalid ageout: %s' % args.ageout)
 
     if args.user and args.passwd is None:
         args.passwd = getpass.getpass()
 
-    if args.ageout <= 0:
-        raise ValueError('invalid ageout: %s' % args.ageout)
-
+    cred = {'user': args.user, 'passwd': args.passwd}
     ioloop = tornado.ioloop.IOLoop.instance()
     fdb = FDB(ageout=args.ageout, debug=args.debug)
     switch = SwitchingHub(fdb, debug=args.debug)
-    taps = [TapHandler(switch, dev, debug=args.debug) for dev in args.device]
-
-    clients = [EtherWebSocketClient(switch, uri,
-                                    args.user, args.passwd, args.debug)
-               for uri in args.uri]
-
-    for client in clients:
+
+    for uri in args.uri:
+        client = EtherWebSocketClient(switch, uri, cred, args.debug)
         client.open()
         ioloop.add_handler(client.fileno(), client, ioloop.READ)
 
-    for tap in taps:
+    for dev in args.device:
+        tap = TapHandler(switch, dev, debug=args.debug)
         tap.open()
         ioloop.add_handler(tap.fileno(), tap, ioloop.READ)