Bug #4343: Remove default encoding, perform only as fallback

2025-03-19 06:50:07 +03:00 · 2016-08-25 15:57:23 +02:00 · 2016-08-25 15:57:23 +02:00 · 1a1d056d6c
commit 1a1d056d6c
parent 3d38bcc23a
3 changed files with 35 additions and 14 deletions
--- a/src/cloud/common/CloudAuth/OpenNebulaCloudAuth.rb
+++ b/src/cloud/common/CloudAuth/OpenNebulaCloudAuth.rb
@ -35,21 +35,44 @@ module OpenNebulaCloudAuth
        if auth.provided? && auth.basic?
            username, password = auth.credentials

-            if @conf[:encode_user_password]
+            authenticated = false
+
+            invalid_chars =
+                (User::INVALID_NAME_CHARS.any? {|char| username.include?(char) } ||
+                 User::INVALID_PASS_CHARS.any? {|char| password.include?(char) } )
+
+            # Try to authenticate the user with plain user:password. This step
+            # is skipped if an invalid character is found, since it's not possible
+            # for the authentication to succeed
+            if !invalid_chars
+                client = OpenNebula::Client.new("#{username}:#{password}", @conf[:one_xmlrpc])
+                user   = OpenNebula::User.new_with_id(OpenNebula::User::SELF, client)
+
+                rc = user.info
+
+                authenticated = !OpenNebula.is_error?(rc)
+            end
+
+            # Either the plain user:password auth failed, or the strings contain
+            # invalid chars. In both cases, try to authenticate encoding the
+            # strings. Some drivers such as ldap need this to work with chars
+            # that oned rejects
+            if !authenticated
                if defined?(URI::Parser)
                    parser=URI::Parser.new
                else
                    parser=URI
                end

-                username=parser.escape(username)
-                password=parser.escape(password)
+                username = parser.escape(username)
+                password = parser.escape(password)
+
+                client = OpenNebula::Client.new("#{username}:#{password}", @conf[:one_xmlrpc])
+                user   = OpenNebula::User.new_with_id(OpenNebula::User::SELF, client)
+
+                rc = user.info
            end

-            client = OpenNebula::Client.new("#{username}:#{password}", @conf[:one_xmlrpc])
-            user   = OpenNebula::User.new_with_id(OpenNebula::User::SELF, client)
-
-            rc = user.info
            if OpenNebula.is_error?(rc)
                if logger
                    logger.error{ "User #{username} could not be authenticated"}
@ -58,7 +81,7 @@ module OpenNebulaCloudAuth
                return nil
            end

-            return username
+            return user.name
        end

        return nil
--- a/src/oca/ruby/opennebula/user.rb
+++ b/src/oca/ruby/opennebula/user.rb
@ -54,6 +54,10 @@ module OpenNebula
        # Driver name for x509 proxy authentication
        X509_PROXY_AUTH = "x509_proxy"

+        # Same as User.cc
+        INVALID_NAME_CHARS = [" ", ":", "\t", "\n", "\v", "\f", "\r"]
+        INVALID_PASS_CHARS = [" ", "\t", "\n", "\v", "\f", "\r"]
+
        # Creates a User description with just its identifier
        # this method should be used to create plain User objects.
        # +id+ the id of the user
--- a/src/sunstone/etc/sunstone-server.conf
+++ b/src/sunstone/etc/sunstone-server.conf
@ -87,12 +87,6 @@
 #
 :core_auth: cipher

-# For external authentication drivers, such as LDAP. Performs a URL encoding
-# on the credentials sent to OpenNebula, e.g. secret%20password
-# This only works with "opennebula" auth.
-#
-#:encode_user_password: true
-
 ################################################################################
 # Check Upgrades
 ################################################################################