HTTP auth added to file_upload and jsonrpc

10 years ago · b84dda3c8e
parent e2f3d2aca8
commit b84dda3c8e
3 changed files with 26 additions and 3 deletions
--- a/gns3server/handlers/auth_handler.py
+++ b/gns3server/handlers/auth_handler.py
@ -22,6 +22,7 @@ Simple file upload & listing handler.

 import os
 import tornado.web
+import tornado.websocket

 import logging
 log = logging.getLogger(__name__)
@ -35,6 +36,16 @@ class GNS3BaseHandler(tornado.web.RequestHandler):
        if self.settings['required_user'] == user.decode("utf-8"):
          return user

+class GNS3WebSocketBaseHandler(tornado.websocket.WebSocketHandler):
+    def get_current_user(self):
+        user = self.get_secure_cookie("user")
+        if not user:
+          return None
+
+        if self.settings['required_user'] == user.decode("utf-8"):
+          return user
+
+
 class LoginHandler(tornado.web.RequestHandler):
    def get(self):
        self.write('<html><body><form action="/login" method="post">'
--- a/gns3server/handlers/file_upload_handler.py
+++ b/gns3server/handlers/file_upload_handler.py
@ -23,6 +23,7 @@ Simple file upload & listing handler.
 import os
 import stat
 import tornado.web
+from .auth_handler import GNS3BaseHandler
 from ..version import __version__
 from ..config import Config

@ -30,7 +31,7 @@ import logging
 log = logging.getLogger(__name__)


-class FileUploadHandler(tornado.web.RequestHandler):
+class FileUploadHandler(GNS3BaseHandler):
    """
    File upload handler.

@ -54,6 +55,7 @@ class FileUploadHandler(tornado.web.RequestHandler):
        except OSError as e:
            log.error("could not create the upload directory {}: {}".format(self._upload_dir, e))

+    @tornado.web.authenticated
    def get(self):
        """
        Invoked on GET request.
@ -70,6 +72,7 @@ class FileUploadHandler(tornado.web.RequestHandler):
                    path=path,
                    items=items)

+    @tornado.web.authenticated
    def post(self):
        """
        Invoked on POST request.
--- a/gns3server/handlers/jsonrpc_websocket.py
+++ b/gns3server/handlers/jsonrpc_websocket.py
@ -22,6 +22,7 @@ JSON-RPC protocol over Websockets.
 import zmq
 import uuid
 import tornado.websocket
+from .auth_handler import GNS3WebSocketBaseHandler
 from tornado.escape import json_decode
 from ..jsonrpc import JSONRPCParseError
 from ..jsonrpc import JSONRPCInvalidRequest
@ -33,7 +34,7 @@ import logging
 log = logging.getLogger(__name__)


-class JSONRPCWebSocket(tornado.websocket.WebSocketHandler):
+class JSONRPCWebSocket(GNS3WebSocketBaseHandler):
    """
    STOMP protocol over Tornado Websockets with message
    routing to ZeroMQ dealer clients.
@ -116,7 +117,15 @@ class JSONRPCWebSocket(tornado.websocket.WebSocketHandler):
        """

        log.info("Websocket client {} connected".format(self.session_id))
-        self.clients.add(self)
+
+        authenticated_user = self.get_current_user()
+
+        if authenticated_user:
+            self.clients.add(self)
+            log.info("Websocket authenticated user: %s" % (authenticated_user))
+        else:
+            self.close()
+            log.info("Websocket non-authenticated user attempt: %s" % (authenticated_user))

    def on_message(self, message):
        """