Similar to this: https://twitter.com/AlecMuffett/status/950699975767482370
Oh, this is glorious: pysaml2 library uses an assert statement to check & reject users who use the wrong password; however when running with the optimiser enabled, all assert statements are stripped… so: anyone can log into anything with any password.
In here: https://github.com/ceph/shaman/blob/master/shaman/auth.py#L12-L13
username, password = decoded.split(':')
assert username == conf.api_user
assert password == conf.api_key
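The effect described above, reproduced in one process, next to an explicit check that does not depend on `assert` (an added example, not part of the original report or the shaman code base). `API_USER`, `API_KEY` and all function names are hypothetical stand-ins for `conf.api_user` and `conf.api_key`; `compile(..., optimize=1)` is used to get the same assert stripping as `python -O`.

```python
import hmac

# Constructed stand-ins for conf.api_user / conf.api_key (not real values).
API_USER = "admin"
API_KEY = "s3cret"

# The assert-based check from the snippet above, kept as source text so it can
# be compiled with and without optimisation inside a single interpreter.
ASSERT_CHECK_SRC = '''
def check(decoded, api_user, api_key):
    username, password = decoded.split(':')
    assert username == api_user
    assert password == api_key
    return True
'''


def build_assert_check(optimize):
    """Compile the assert-based check; optimize=1 strips asserts like -O."""
    namespace = {}
    code = compile(ASSERT_CHECK_SRC, "<assert_check>", "exec", optimize=optimize)
    exec(code, namespace)
    return namespace["check"]


def assert_check_accepts(decoded, optimize):
    """Return True if the assert-based check lets these credentials through."""
    try:
        return build_assert_check(optimize)(decoded, API_USER, API_KEY)
    except (AssertionError, ValueError):
        return False


def credentials_ok(decoded, api_user=API_USER, api_key=API_KEY):
    """Explicit check: unaffected by -O, constant-time compare, fails closed."""
    username, sep, password = decoded.partition(":")  # password may contain ':'
    if not sep:
        return False
    user_ok = hmac.compare_digest(username.encode(), api_user.encode())
    key_ok = hmac.compare_digest(password.encode(), api_key.encode())
    return user_ok and key_ok
```

With `optimize=0` the assert-based check rejects a wrong password; with `optimize=1` the same source accepts it, while `credentials_ok` gives the same answer either way.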