From ba794763b95ebbb7786b7af49e9a359e403ae963 Mon Sep 17 00:00:00 2001
From: root
Date: Tue, 28 Sep 2010 11:26:24 +0200
Subject: Add HTTP authentication to the REST API
---
 src/mailman/config/schema.cfg | 5 +++++
 src/mailman/rest/root.py | 16 ++++++++++++++--
 2 files changed, 19 insertions(+), 2 deletions(-)
(limited to 'src')
diff --git a/src/mailman/config/schema.cfg b/src/mailman/config/schema.cfg
index 2c2aade12..2c903a485 100644
--- a/src/mailman/config/schema.cfg
+++ b/src/mailman/config/schema.cfg
@@ -298,6 +298,11 @@ show_tracebacks: yes
 # The API version number for the current API.
 api_version: 3.0
+# The administrative username.
+admin_user: restadmin
+
+# The administrative password.
+admin_pass: restpass
 [language.master]
 # Template for language definitions. The section name must be [language.xx]
diff --git a/src/mailman/rest/root.py b/src/mailman/rest/root.py
index 6835586b8..581879869 100644
--- a/src/mailman/rest/root.py
+++ b/src/mailman/rest/root.py
@@ -25,7 +25,8 @@ __all__ = [
 ]
-from restish import http, resource
+from restish import http, resource, guard
+from base64 import b64decode
 from mailman.config import config
 from mailman.core.system import system
@@ -36,6 +37,16 @@ from mailman.rest.members import AllMembers
+def webservice_auth_checker(request, obj):
+ if "HTTP_AUTHORIZATION" in request.environ and request.environ["HTTP_AUTHORIZATION"].startswith("Basic "):
+ credentials = b64decode(request.environ["HTTP_AUTHORIZATION"][6:])
+ username, password = credentials.split(":", 1)
+
+ if username != config.webservice.admin_user or password != config.webservice.admin_pass:
+ raise guard.GuardError(str("User is not authorized for the REST api."))
+ else:
+ raise guard.GuardError(str("The REST api requires authentication."))
+
 class Root(resource.Resource):
 """The RESTful root resource.
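Review bot: `admin_pass: restpass` ships a working, publicly known default password for the administrative REST account, so every installation that does not override it in its site configuration accepts the same credentials. Consider leaving `admin_pass` empty in the schema and having the REST layer reject all requests (or the server refuse to start) while it is unset, rather than relying on operators to notice the default. The comment should say so, e.g. `# The administrative password. Leave empty to keep the REST API disabled until a site-specific value is configured.` The section header these keys live under is outside the hunk; the code in root.py reads them as `config.webservice.admin_user` / `admin_pass`, so it is presumably `[webservice]`.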
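Review bot: A malformed `Authorization: Basic` header escapes `webservice_auth_checker` as an unhandled exception instead of an authentication failure: `b64decode` raises on bad padding (`TypeError` on Python 2, `binascii.Error`, a `ValueError`, on 3) and the `username, password = credentials.split(":", 1)` unpack raises `ValueError` when the decoded value has no colon, and neither is caught before the credential comparison. Wrapping the decode-and-split in a `try` and converting any failure into the same `GuardError` keeps the response at whatever restish maps `GuardError` to and avoids sending a traceback to an unauthenticated client. The `!=` comparison on username and password is a plain string compare; if the target Python offers a constant-time comparison it would be preferable, though for one admin account this is secondary. The function also has no docstring; a one-line `"""restish guard: admit only the configured [webservice] admin via HTTP Basic auth."""` would be enough.
```python
def webservice_auth_checker(request, obj):
    """restish guard: admit only the configured [webservice] admin via HTTP Basic auth."""
    header = request.environ.get("HTTP_AUTHORIZATION", "")
    if not header.startswith("Basic "):
        raise guard.GuardError(str("The REST api requires authentication."))
    try:
        username, password = b64decode(header[6:]).split(":", 1)
    except (TypeError, ValueError):
        # Undecodable base64 or no ':' separator: treat as bad credentials, not a server error.
        raise guard.GuardError(str("User is not authorized for the REST api."))
    if username != config.webservice.admin_user or password != config.webservice.admin_pass:
        raise guard.GuardError(str("User is not authorized for the REST api."))
```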
@@ -44,11 +55,12 @@ class Root(resource.Resource):
 and we start at 3.0 to match the Mailman version number. That may not always be the case though.
 """
+ @resource.child(config.webservice.api_version)
+ @guard.guard(webservice_auth_checker)
 def api_version(self, request, segments):
 return TopLevel()
-
 class TopLevel(resource.Resource):
 """Top level collections and entries."""
-- cgit v1.2.3-70-g09d2
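Review bot: `@guard.guard(webservice_auth_checker)` protects only the `api_version` child, so `Root` itself and any other children it registers outside this hunk stay reachable without credentials; if the whole REST tree is meant to be admin-only it is safer to guard `Root` (or each child) than this single method, and either way the intent deserves a comment such as `# All API access is routed through the versioned child, so guarding it guards the tree.` — only if that is in fact true of the rest of the class. On style, the removed blank line leaves a single blank line between the end of `Root` and `class TopLevel`, where PEP 8 expects two between top-level definitions. `Root`'s class body begins above this hunk.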