From b84dda3c8ec309423fd4f4d6400cf9da082bf5a7 Mon Sep 17 00:00:00 2001
From: Michael
Date: Wed, 3 Sep 2014 22:12:34 -0600
Subject: [PATCH] HTTP auth added to file_upload and jsonrpc
---
 gns3server/handlers/auth_handler.py | 11 +++++++++++
 gns3server/handlers/file_upload_handler.py | 5 ++++-
 gns3server/handlers/jsonrpc_websocket.py | 13 +++++++++++--
 3 files changed, 26 insertions(+), 3 deletions(-)
diff --git a/gns3server/handlers/auth_handler.py b/gns3server/handlers/auth_handler.py
index 0bedb40b..f136ab02 100644
--- a/gns3server/handlers/auth_handler.py
+++ b/gns3server/handlers/auth_handler.py
@@ -22,6 +22,7 @@ Simple file upload & listing handler.
 import os
 import tornado.web
+import tornado.websocket
 import logging
 log = logging.getLogger(__name__)
@@ -35,6 +36,16 @@ class GNS3BaseHandler(tornado.web.RequestHandler):
 if self.settings['required_user'] == user.decode("utf-8"):
 return user
+class GNS3WebSocketBaseHandler(tornado.websocket.WebSocketHandler):
+ def get_current_user(self):
+ user = self.get_secure_cookie("user")
+ if not user:
+ return None
+
+ if self.settings['required_user'] == user.decode("utf-8"):
+ return user
+
+
 class LoginHandler(tornado.web.RequestHandler):
 def get(self):
 self.write('
'
diff --git a/gns3server/handlers/file_upload_handler.py b/gns3server/handlers/file_upload_handler.py
index c819a401..15673604 100644
--- a/gns3server/handlers/file_upload_handler.py
+++ b/gns3server/handlers/file_upload_handler.py
@@ -23,6 +23,7 @@ Simple file upload & listing handler.
 import os
 import stat
 import tornado.web
+from .auth_handler import GNS3BaseHandler
 from ..version import __version__
 from ..config import Config
@@ -30,7 +31,7 @@ import logging
 log = logging.getLogger(__name__)
-class FileUploadHandler(tornado.web.RequestHandler):
+class FileUploadHandler(GNS3BaseHandler):
 """
 File upload handler.
@@ -54,6 +55,7 @@ class FileUploadHandler(tornado.web.RequestHandler):
 except OSError as e:
 log.error("could not create the upload directory {}: {}".format(self._upload_dir, e))
+ @tornado.web.authenticated
 def get(self):
 """
 Invoked on GET request.
@@ -70,6 +72,7 @@ class FileUploadHandler(tornado.web.RequestHandler):
 path=path,
 items=items)
+ @tornado.web.authenticated
 def post(self):
 """
 Invoked on POST request.
diff --git a/gns3server/handlers/jsonrpc_websocket.py b/gns3server/handlers/jsonrpc_websocket.py
index 5b18496c..a226be78 100644
--- a/gns3server/handlers/jsonrpc_websocket.py
+++ b/gns3server/handlers/jsonrpc_websocket.py
@@ -22,6 +22,7 @@ JSON-RPC protocol over Websockets.
 import zmq
 import uuid
 import tornado.websocket
+from .auth_handler import GNS3WebSocketBaseHandler
 from tornado.escape import json_decode
 from ..jsonrpc import JSONRPCParseError
 from ..jsonrpc import JSONRPCInvalidRequest
@@ -33,7 +34,7 @@ import logging
 log = logging.getLogger(__name__)
-class JSONRPCWebSocket(tornado.websocket.WebSocketHandler):
+class JSONRPCWebSocket(GNS3WebSocketBaseHandler):
 """
 STOMP protocol over Tornado Websockets with message routing to ZeroMQ dealer clients.
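Review bot: `GNS3WebSocketBaseHandler.get_current_user` in auth_handler.py is a line-for-line copy of the method whose tail is visible as context on `GNS3BaseHandler`, so any later change to the cookie check has to be made in two places or the HTTP and WebSocket paths will drift apart. Keeping the method in one mixin that both base classes inherit removes that risk, e.g. `class GNS3WebSocketBaseHandler(GNS3AuthMixin, tornado.websocket.WebSocketHandler): pass`, where `GNS3AuthMixin` is a proposed name. The mismatch branch also falls off the end of the function; an explicit `return None` after the comparison, plus a docstring stating that the `required_user` setting must be present, would make the deny path readable.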
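Review bot: `post` in `FileUploadHandler` now accepts uploads from any request carrying a valid `user` cookie, and the hunks show no cross-site request forgery check on it. Tornado only enforces its XSRF token on POST when the application sets `xsrf_cookies`; that setting is made outside this diff, so confirm it is enabled (and that the upload form emits the token) where the application is built. `@tornado.web.authenticated` also redirects anonymous GETs to `login_url` but answers anonymous POSTs with 403, which the docstrings should state, e.g. `Requires the "user" secure cookie; anonymous requests are rejected with 403.` for `post`. The same applies to the `get` hunk above it; both method bodies continue outside their hunks.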
@@ -116,7 +117,15 @@ class JSONRPCWebSocket(tornado.websocket.WebSocketHandler):
 """
 log.info("Websocket client {} connected".format(self.session_id))
-
 self.clients.add(self)
+
+ authenticated_user = self.get_current_user()
+
+ if authenticated_user:
+ self.clients.add(self)
+ log.info("Websocket authenticated user: %s" % (authenticated_user))
+ else:
+ self.close()
+ log.info("Websocket non-authenticated user attempt: %s" % (authenticated_user))
 def on_message(self, message):
 """
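Review bot: The rejection branch in `open()` only calls `self.close()`, which starts the closing handshake but does not by itself keep frames already in flight from reaching `on_message`. That method's body is outside the hunk, so if it does not re-check the user, an unauthenticated client may still get JSON-RPC requests routed before the socket closes. Recording the result with `self._authenticated = bool(authenticated_user)` in `open()` and starting `on_message` with `if not self._authenticated: return` closes that gap. The rejection log formats `authenticated_user`, which is always empty on this branch; `log.warning("Websocket unauthenticated connection attempt from %s", self.request.remote_ip)` gives operators something to alert on. If `on_close` removes `self` from `self.clients` (not visible here), it should tolerate a client that was never added.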