Ticket #1411: sftp-auth-key-1411.patch

src/allmydata/frontends/auth.py

@@ -1 +1 @@
 import os
-from zope.interface import implements
+from zope.interface import implements, providedBy
 from twisted.web.client import getPage
 from twisted.internet import defer
 from twisted.cred import error, checkers, credentials
+from twisted.conch.ssh import keys
+from twisted.conch import error as conch_error
+from twisted.python import failure
 from allmydata.util import base32
 
 class NeedRootcapLookupScheme(Exception):
@@ -17 +20 @@
 
 class AccountFileChecker:
     implements(checkers.ICredentialsChecker)
-    credentialInterfaces = (credentials.IUsernamePassword,
+    credentialInterfaces = (credentials.ISSHPrivateKey,
+                            credentials.IUsernamePassword,
                             credentials.IUsernameHashedPassword)
     def __init__(self, client, accountfile):
         self.client = client
@@ -31 +35 @@
             name, passwd, rest = line.split(None, 2)
             if passwd in ("ssh-dss", "ssh-rsa"):
                 bits = rest.split()
-                keystring = " ".join(bits[-1])
+                keystring = " ".join(bits[:-1])
                 rootcap = bits[-1]
-                self.pubkeys[name] = keystring
+                if name not in self.pubkeys:
+                  self.pubkeys[name] = {}
+                self.pubkeys[name][keystring.decode('base64')] = rootcap
             else:
                 self.passwords[name] = passwd
                 rootcap = rest
-            self.rootcaps[name] = rootcap
+                self.rootcaps[name] = rootcap
 
     def _cbPasswordMatch(self, matched, username):
         if matched:
             return FTPAvatarID(username, self.rootcaps[username])
         raise error.UnauthorizedLogin
 
-    def requestAvatarId(self, credentials):
-        if credentials.username in self.passwords:
-            d = defer.maybeDeferred(credentials.checkPassword,
-                                    self.passwords[credentials.username])
-            d.addCallback(self._cbPasswordMatch, str(credentials.username))
+    def _cbCheckKey(self, matched, credentials):
+        if not credentials.signature:
+            return failure.Failure(conch_error.ValidPublicKey())
+        if matched:
+            pubKey = keys.Key.fromString(credentials.blob)
+            matched = pubKey.verify(credentials.signature, credentials.sigData)
+        if matched:
+            rootcap = self.pubkeys[credentials.username][credentials.blob]
+            return FTPAvatarID(username, rootcap)
+        raise error.UnauthorizedLogin
+
+    def checkKey(self, credentials):
+        return credentials.blob in self.pubkeys[credentials.username]
+
+    def requestAvatarId(self, s_credentials):
+        if (credentials.ISSHPrivateKey in providedBy(s_credentials)
+                and s_credentials.username in self.pubkeys):
+            d = defer.maybeDeferred(self.checkKey, s_credentials)
+            d.addCallback(self._cbCheckKey, s_credentials)
+            return d
+        if ((credentials.IUsernamePassword in providedBy(s_credentials) or
+             credentials.IUsernameHashedPassword in providedBy(s_credentials))
+                and s_credentials.username in self.passwords):
+            d = defer.maybeDeferred(s_credentials.checkPassword,
+                                    self.passwords[s_credentials.username])
+            d.addCallback(self._cbPasswordMatch, str(s_credentials.username))
             return d
         return defer.fail(error.UnauthorizedLogin())