authorizer: Don't log hashed MAC addresses.
Bonus: make hash_mac_addr easier to use from the command line, and add
tests for hashing since it's important to know this works consistently.
Change-Id: Idf8762a6275c5269ffdf06836181acc791441832
diff --git a/bouncer/.gitignore b/bouncer/.gitignore
index d82d8f5..2ad94f4 100644
--- a/bouncer/.gitignore
+++ b/bouncer/.gitignore
@@ -1,4 +1,6 @@
authorizer
host-authorizer
+hash_mac_addr
+host-hash_mac_addr
http_bouncer
host-http_bouncer
diff --git a/bouncer/Makefile b/bouncer/Makefile
index f579e10..bda3d81 100644
--- a/bouncer/Makefile
+++ b/bouncer/Makefile
@@ -9,7 +9,7 @@
fi \
)
-TARGETS=authorizer http_bouncer
+TARGETS=authorizer hash_mac_addr http_bouncer
HOST_TARGETS=$(addprefix host-,$(TARGETS))
diff --git a/bouncer/authorizer.py b/bouncer/authorizer.py
index ab727a0..f355917 100755
--- a/bouncer/authorizer.py
+++ b/bouncer/authorizer.py
@@ -67,7 +67,7 @@
def check(self):
"""Check if a remote service knows about a device with a supplied MAC."""
- logging.info('Checking TOS for %s', self.hashed_mac_addr)
+ logging.info('Checking TOS for %s', self.mac_addr)
http_client = tornado.httpclient.HTTPClient()
response = http_client.fetch(self.url, ca_certs=opt.ca_certs)
response_obj = tornado.escape.json_decode(response.body)
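Review bot: The `logging.info('Checking TOS for %s', self.mac_addr)` line now writes the raw device MAC, a persistent hardware identifier, into the log, and nothing on that line records why the raw value is preferable to the hash the commit removes. The commit title only says the hash must not be logged; presumably the hashed value is the key sent to the remote service via self.url, but that is not visible in this hunk. A comment at this first call site, `# Log the raw MAC rather than its hash: the hash is what identifies the device to the TOS service and must stay out of logs.`, would keep the intent attached to the code — adjust the wording if the actual reason differs. The same substitution is made in the hunks at `@@ -79` and `@@ -91`, so one comment here covers all three. check() continues past the end of this hunk.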
@@ -79,7 +79,7 @@
if accepted_time + (opt.max_age * 86400) > time.time():
accepted = True
if self.callback: self.callback.stop()
- logging.info('TOS accepted for %s', self.hashed_mac_addr)
+ logging.info('TOS accepted for %s', self.mac_addr)
known_users[self.mac_addr] = response_obj
result = ip46tables('-A', opt.filter_chain, '-m', 'mac',
@@ -91,12 +91,12 @@
self.mac_addr)
else:
logging.info('TOS accepted too long ago for %s: %r',
- self.hashed_mac_addr, accepted_time)
+ self.mac_addr, accepted_time)
elif self.callback and self.tries > MAX_TRIES:
if not accepted:
logging.info('TOS not accepted for %s before timeout.',
- self.hashed_mac_addr)
+ self.mac_addr)
self.callback.stop()
return response, accepted
diff --git a/bouncer/hash_mac_addr.py b/bouncer/hash_mac_addr.py
index 84fed1a..961bf10 100755
--- a/bouncer/hash_mac_addr.py
+++ b/bouncer/hash_mac_addr.py
@@ -6,14 +6,34 @@
import re
import sys
+import options
+
+optspec = """
+hash_mac_addr -a ##:##:##:##:##:##
+--
+a,addr= MAC address to hash
+"""
+
def hash_mac_addr(maybe_mac_addr):
if re.match('([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$', maybe_mac_addr):
mac_addr = maybe_mac_addr.lower()
else:
- raise ValueError('%r not a MAC address', maybe_mac_addr)
+ raise ValueError('%r not a MAC address' % maybe_mac_addr)
return mac_addr, hashlib.sha1(mac_addr).hexdigest()
+
if __name__ == '__main__':
- print 'SHA1(%s): %s' % hash_mac_addr(sys.argv[1])
+ o = options.Options(optspec)
+ opt, unused_flags, unused_extra = o.parse(sys.argv[1:])
+
+ if not opt.addr:
+ o.usage()
+
+ try:
+ _, hashed_mac_addr = hash_mac_addr(str(opt.addr))
+ print hashed_mac_addr
+ except ValueError as e:
+ print >>sys.stderr, 'error:', e.message
+ sys.exit(1)
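Review bot: `print >>sys.stderr, 'error:', e.message` in the new `__main__` block reads BaseException.message, which has been deprecated since Python 2.6; `print >>sys.stderr, 'error:', e` prints the same text without depending on it. Hash consistency, which the commit's tests are meant to protect, also still hinges on the unchanged `re.match('([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$', ...)` line: `$` matches before a trailing newline, so an input like `'aa:bb:cc:dd:ee:ff\n'` passes validation and is hashed with the newline included, producing a different digest from the same address without it; anchoring with `\Z` (or stripping the input before matching) closes that gap. hash_mac_addr would also benefit from a short docstring stating that it returns the lower-cased address together with the hex SHA-1 of that exact string, raises ValueError for anything that is not a colon-separated MAC, and that the digest is unkeyed — a stable identifier for matching against the remote service, not a secret or a privacy protection.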
diff --git a/bouncer/test-hash_mac_addr.sh b/bouncer/test-hash_mac_addr.sh
new file mode 100755
index 0000000..3c84424
--- /dev/null
+++ b/bouncer/test-hash_mac_addr.sh
@@ -0,0 +1,16 @@
+#!/bin/bash
+
+. ./wvtest/wvtest.sh
+
+WVSTART "hash_mac_addr test"
+
+HASH_MAC_ADDR=./host-hash_mac_addr
+
+WVFAIL $HASH_MAC_ADDR
+WVFAIL $HASH_MAC_ADDR -a nonsense
+
+WVPASSEQ "$($HASH_MAC_ADDR -a 00:00:00:00:00:00)" \
+ 85cce83032eb6bd39ddea68e0be917e4665b5d26
+
+WVPASSEQ "$($HASH_MAC_ADDR -a aa:bb:cc:dd:ee:ff)" \
+ "$($HASH_MAC_ADDR -a AA:BB:CC:DD:EE:FF)"
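Review bot: The new test pins the digest for one fixed address and checks case-folding, but has no case for surrounding whitespace, which is the likeliest way a "consistent" hash silently diverges when the address arrives from a pipeline or file; the `$(...)` substitutions here strip trailing newlines, so the positive cases never exercise it. A line such as `WVFAIL $HASH_MAC_ADDR -a $'00:00:00:00:00:00\n'` would pin the intended behaviour for a trailing newline (it will fail today if hash_mac_addr's `$`-anchored regex accepts that input, which is worth confirming). `WVFAIL $HASH_MAC_ADDR -a ""` would likewise pin the empty-value path, which at present relies on the `if not opt.addr` usage check in hash_mac_addr.py.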