···
from http.server import BaseHTTPRequestHandler, HTTPServer
10
+
from urllib.parse import urlparse, parse_qs
SNAKEOIL_PUBLIC_KEY = os.environ['SNAKEOIL_PUBLIC_KEY']
sys.stderr.write(f"{msg}\n")
20
-
def gen_fingerprint(pubkey):
21
+
def gen_fingerprint(pubkey: str):
decoded_key = base64.b64decode(pubkey.encode("ascii").split()[1])
return hashlib.sha256(decoded_key).hexdigest()
24
-
def gen_email(username):
26
+
def gen_email(username: str):
"""username seems to be a 21 characters long number string, so mimic that in a reproducible way"""
return str(int(hashlib.sha256(username.encode()).hexdigest(), 16))[0:21]
def gen_mockuser(username: str, uid: str, gid: str, home_directory: str, snakeoil_pubkey: str) -> Dict:
snakeoil_pubkey_fingerprint = gen_fingerprint(snakeoil_pubkey)
···
class ReqHandler(BaseHTTPRequestHandler):
59
-
def _send_json_ok(self, data):
63
+
def _send_json_ok(self, data: dict):
self.send_header('Content-type', 'application/json')
···
71
+
def _send_json_success(self, success=True):
72
+
self.send_response(200)
73
+
self.send_header('Content-type', 'application/json')
75
+
out = json.dumps({"success": success}).encode()
77
+
self.wfile.write(out)
79
+
def _send_404(self):
80
+
self.send_response(404)
69
-
# mockuser and mockadmin are allowed to login, both use the same snakeoil public key
70
-
if p == '/computeMetadata/v1/oslogin/users?username=mockuser' \
71
-
or p == '/computeMetadata/v1/oslogin/users?uid=1009719690':
72
-
self._send_json_ok(gen_mockuser(username='mockuser', uid='1009719690', gid='1009719690',
73
-
home_directory='/home/mockuser', snakeoil_pubkey=SNAKEOIL_PUBLIC_KEY))
74
-
elif p == '/computeMetadata/v1/oslogin/users?username=mockadmin' \
75
-
or p == '/computeMetadata/v1/oslogin/users?uid=1009719691':
76
-
self._send_json_ok(gen_mockuser(username='mockadmin', uid='1009719691', gid='1009719691',
77
-
home_directory='/home/mockadmin', snakeoil_pubkey=SNAKEOIL_PUBLIC_KEY))
86
+
params = parse_qs(pu.query)
89
+
if pu.path == "/computeMetadata/v1/oslogin/users":
90
+
# mockuser and mockadmin are allowed to login, both use the same snakeoil public key
91
+
if params.get('username') == ['mockuser'] or params.get('uid') == ["1009719690"]:
92
+
username = "mockuser"
94
+
elif params.get('username') == ['mockadmin'] or params.get('uid') == ["1009719691"]:
95
+
username = "mockadmin"
79
-
# mockuser is allowed to login
80
-
elif p == f"/computeMetadata/v1/oslogin/authorize?email={gen_email('mockuser')}&policy=login":
81
-
self._send_json_ok({'success': True})
101
+
self._send_json_ok(gen_mockuser(username=username, uid=uid, gid=uid, home_directory=f"/home/{username}", snakeoil_pubkey=SNAKEOIL_PUBLIC_KEY))
83
-
# mockadmin may also become root
84
-
elif p == f"/computeMetadata/v1/oslogin/authorize?email={gen_email('mockadmin')}&policy=login" or p == f"/computeMetadata/v1/oslogin/authorize?email={gen_email('mockadmin')}&policy=adminLogin":
85
-
self._send_json_ok({'success': True})
104
+
# authorize endpoint
105
+
elif pu.path == "/computeMetadata/v1/oslogin/authorize":
106
+
# is user allowed to login?
107
+
if params.get("policy") == ["login"]:
108
+
# mockuser and mockadmin are allowed to login
109
+
if params.get('email') == [gen_email("mockuser")] or params.get('email') == [gen_email("mockadmin")]:
110
+
self._send_json_success()
112
+
self._send_json_success(False)
114
+
# is user allowed to become root?
115
+
elif params.get("policy") == ["adminLogin"]:
116
+
# only mockadmin is allowed to become admin
117
+
self._send_json_success((params['email'] == [gen_email("mockadmin")]))
119
+
# send 404 for other policies
sys.stderr.write(f"Unhandled path: {p}\n")
89
-
self.send_response(501)
126
+
self.send_response(404)
pyrox.dev