From 23a9743910ef47c342b7f3bde1d1120908b37b4d Mon Sep 17 00:00:00 2001
From: "Ruben S. Montero"
Date: Thu, 25 Aug 2011 18:20:00 +0200
Subject: [PATCH] feature #754: Removed unneeded files
---
 src/authm_mad/auth_mad | 1 -
 src/authm_mad/one_usage.rb | 90 --------
 src/authm_mad/oneauth | 167 --------------
 src/authm_mad/remotes/x509_proxy/authenticate | 56 -----
 .../remotes/x509_proxy/x509_proxy_auth.rb | 214 ------------------
 src/authm_mad/simple_permissions.rb | 112 ---------
 6 files changed, 640 deletions(-)
 delete mode 100644 src/authm_mad/auth_mad
 delete mode 100644 src/authm_mad/one_usage.rb
 delete mode 100755 src/authm_mad/oneauth
 delete mode 100755 src/authm_mad/remotes/x509_proxy/authenticate
 delete mode 100644 src/authm_mad/remotes/x509_proxy/x509_proxy_auth.rb
 delete mode 100644 src/authm_mad/simple_permissions.rb
diff --git a/src/authm_mad/auth_mad b/src/authm_mad/auth_mad
deleted file mode 100644
index 8b13789179..0000000000
--- a/src/authm_mad/auth_mad
+++ /dev/null
@@ -1 +0,0 @@
-
diff --git a/src/authm_mad/one_usage.rb b/src/authm_mad/one_usage.rb
deleted file mode 100644
index 63938aba87..0000000000
--- a/src/authm_mad/one_usage.rb
+++ /dev/null
@@ -1,90 +0,0 @@
-# -------------------------------------------------------------------------- #
-# Copyright 2002-2011, OpenNebula Project Leads (OpenNebula.org) #
-# #
-# Licensed under the Apache License, Version 2.0 (the "License"); you may #
-# not use this file except in compliance with the License. You may obtain #
-# a copy of the License at #
-# #
-# http://www.apache.org/licenses/LICENSE-2.0 #
-# #
-# Unless required by applicable law or agreed to in writing, software #
-# distributed under the License is distributed on an "AS IS" BASIS, #
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. #
-# See the License for the specific language governing permissions and #
-# limitations under the License. #
-#--------------------------------------------------------------------------- #
-
-require 'OpenNebula'
-
-# This class holds usage information for a virtual machine or
-# total usage for a user. Variables inside are cpu and memory
-# consumption
-class VmUsage
- attr_accessor :cpu, :memory, :num_vms
- def initialize(cpu, memory, num_vms=0)
- @cpu=cpu
- @memory=memory
- @num_vms=num_vms
- end
-end
-
-# This class retrieves and caches vms and its consuption grouped
-# by users. 'update_user' method should be called to fill data for
-# a user before any calculation is made
-class OneUsage
- # 'client' is an OpenNebula::Client object used to connect
- # to OpenNebula daemon. Ideally it should connect as user 0
- def initialize(client)
- @client=client
- @users=Hash.new
- end
-
- # Gets information about VMs defined for a user. It caches new
- # VMs and takes out from the cache deleted VMs
- def update_user(user)
- @users[user]=Hash.new if !@users[user]
-
- vmpool=OpenNebula::VirtualMachinePool.new(@client, user)
- vmpool.info
-
- one_ids=vmpool.map {|vm| vm.id }
- vms=@users[user]
- user_ids=vms.keys
-
- deleted_vms=user_ids-one_ids
- added_vms=one_ids-user_ids
-
- deleted_vms.each {|vmid| vms.delete(vmid) }
-
- added_vms.each do |vmid|
- vm=OpenNebula::VirtualMachine.new(
- OpenNebula::VirtualMachine.build_xml(vmid), @client)
- vm.info
-
- usage=VmUsage.new(vm['TEMPLATE/CPU'].to_f,
- vm['TEMPLATE/MEMORY'].to_i)
- vms[vmid.to_i]=usage
- end
- end
-
- # Returns the cache of defined VMs for a user. It is a hash with
- # VM id as key and VmUsage as value
- def vms(user)
- vms=@users[user]
- @users[user]=vms=Hash.new if !vms
- vms
- end
-
- # Returns total consumption by a user into a VmUsage object
- def total(user)
- usage=VmUsage.new(0.0, 0, 0)
-
- @users[user].each do |id, vm|
- usage.cpu+=vm.cpu
- usage.memory+=vm.memory
- usage.num_vms+=1
- end if @users[user]
-
- usage
- end
-end
diff --git a/src/authm_mad/oneauth b/src/authm_mad/oneauth
deleted file mode 100755
index ad3ef2f175..0000000000
--- a/src/authm_mad/oneauth
+++ /dev/null
@@ -1,167 +0,0 @@
-#!/usr/bin/env ruby
-
-# -------------------------------------------------------------------------- #
-# Copyright 2002-2011, OpenNebula Project Leads (OpenNebula.org) #
-# #
-# Licensed under the Apache License, Version 2.0 (the "License"); you may #
-# not use this file except in compliance with the License. You may obtain #
-# a copy of the License at #
-# #
-# http://www.apache.org/licenses/LICENSE-2.0 #
-# #
-# Unless required by applicable law or agreed to in writing, software #
-# distributed under the License is distributed on an "AS IS" BASIS, #
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. #
-# See the License for the specific language governing permissions and #
-# limitations under the License. #
-#--------------------------------------------------------------------------- #
-
-ONE_LOCATION=ENV["ONE_LOCATION"]
-
-if !ONE_LOCATION
- RUBY_LIB_LOCATION="/usr/lib/one/ruby"
- ETC_LOCATION="/etc/one/"
- VAR_LOCATION="/var/lib/one"
-else
- RUBY_LIB_LOCATION=ONE_LOCATION+"/lib/ruby"
- ETC_LOCATION=ONE_LOCATION+"/etc/"
- VAR_LOCATION="#{ONE_LOCATION}/var"
-end
-
-$: << RUBY_LIB_LOCATION
-$: << RUBY_LIB_LOCATION+'/cli'
-
-require 'OpenNebula'
-
-require 'rubygems'
-require 'sequel'
-require 'ssh_auth'
-require 'x509_auth'
-require 'yaml'
-
-require 'command_parser'
-require 'one_helper'
-
-cmd=CommandParser::CmdParser.new(ARGV) do
- usage "oneauth COMMAND [args..]"
-
- description "This command contains a set of utilities to " <<
- "manage authorization module."
-
- set :option, CommandParser::OPTIONS
-
- set :format, :userid, OpenNebulaHelper.name_to_id_desc("USER") do |arg|
- OpenNebulaHelper.name_to_id(arg, "USER")
- end
-
- # Helpers
- def get_database
- config_data=File.read(ETC_LOCATION+'/auth/auth.conf')
- config=YAML::load(config_data)
-
- database_url=config[:database]
- db=Sequel.connect(database_url)
- end
-
- def add_quota(uid, cpu, memory, num_vms=nil)
- db=get_database
- quota=Quota.new(db, OpenNebula::Client.new)
- quota.set(uid.to_i, cpu.to_f, memory.to_i, num_vms)
- end
-
- # Commands
- quotaset_desc = <<-EOT.unindent
- Sets CPU, MEMORY and NUM_VMs quota for a given user
- EOT
-
- command 'quota-set', quotaset_desc , :userid, :cpu, :memory, :num_vms do
- Dir.chdir VAR_LOCATION
- begin
- add_quota(*args[1..4])
- rescue Exception => e
- exit_with_code -1, "Error starting server: #{e}"
- end
- exit_with_code 0
- end
-
- login_desc = <<-EOT.unindent
- Generates authentication proxy. The last argument specifies
- the expiration time in seconds
- EOT
-
- command 'login', login_desc, :text, :text do
- user=args[0]
- time=args[1]
- pp args
- if time
- time=time.to_i
- else
- time=3600
- end
-
- ssh=SshAuth.new
- ssh.login(user, time)
- exit_with_code 0
- end
-
- loginx509_desc = <<-EOT.unindent
- Generates an X509-based authenication proxy based on a user certificate.
- oneauth x509_login [] [] []
- EOT
-
- command 'loginx509', loginx509_desc, :text, :text, :text, :text do
- user = args[0]
- time = Integer(args[1]) rescue false
- certpath = args[2]
- keypath = args[3]
-
- # Set default arguments
- if !time
- time=0
- certpath = args[1]
- keypath = args[2]
- end
-
- if !certpath
- certpath=ENV["X509_PROXY_CERT"]
- end
-
- if !certpath
- certpath='/tmp/x509up_u' + Process.uid.to_s
- end
-
- if !keypath
- keypath=certpath
- end
-
- if !keypath
- exit_with_code 1
- end
-
- # Read in the certificates
- if @options[:certpath] && File.readable?(@options[:certpath])
- certs_in = File.read(@options[:certpath])
- certs_pem = certs_in.scan(/-+BEGIN CERTIFICATE-+\n([^-]*)\n-+END CERTIFICATE-+/)
- certs_pem.flatten!
- end
-
- # Read in the key
- if @options[:keypath] && File.readable?(@options[:keypath])
- key_in = File.read(@options[:keypath])
- rc = key_in.match(/-+BEGIN RSA PRIVATE KEY-+\n([^-]*)\n-+END RSA PRIVATE KEY-+/)
- key_pem = rc[0]
- end
-
- # Invoke the login method
- auth = X509Auth.new(:certs_pem=>certs_pem,:key_pem=>key_pem)
- auth.login(user, time)
-
- exit_with_code 0
- end
-
- command 'key', 'Gets public key' do
- ssh=SshAuth.new
- puts ssh.public_key
- exit_with_code 0
- end
-end
diff --git a/src/authm_mad/remotes/x509_proxy/authenticate b/src/authm_mad/remotes/x509_proxy/authenticate
deleted file mode 100755
index 747d800d08..0000000000
--- a/src/authm_mad/remotes/x509_proxy/authenticate
+++ /dev/null
@@ -1,56 +0,0 @@
-#!/usr/bin/env ruby
-# -------------------------------------------------------------------------- #
-# Copyright 2002-2011, OpenNebula Project Leads (OpenNebula.org) #
-# #
-# Licensed under the Apache License, Version 2.0 (the "License"); you may #
-# not use this file except in compliance with the License. You may obtain #
-# a copy of the License at #
-# #
-# http://www.apache.org/licenses/LICENSE-2.0 #
-# #
-# Unless required by applicable law or agreed to in writing, software #
-# distributed under the License is distributed on an "AS IS" BASIS, #
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. #
-# See the License for the specific language governing permissions and #
-# limitations under the License. #
-#--------------------------------------------------------------------------- #
-
-ONE_LOCATION=ENV["ONE_LOCATION"]
-
-if !ONE_LOCATION
- RUBY_LIB_LOCATION="/usr/lib/one/ruby"
- ETC_LOCATION="/etc/one/"
-else
- RUBY_LIB_LOCATION=ONE_LOCATION+"/lib/ruby"
- ETC_LOCATION=ONE_LOCATION+"/etc/"
-end
-
-$: << RUBY_LIB_LOCATION
-
-require 'x509_proxy_auth'
-require 'scripts_common'
-
-user = ARGV[0] # username as registered in OpenNebula
-pass = ARGV[1] # DN registered for this user
-secret = ARGV[2] # Base64 string in the form token:proxy_cert:user_cert
-
-#OpenNebula.log_debug("Authenticating #{user}, with password #{pass} (#{secret})")
-
-#TODO Check errors in these operations
-
-dsecret = Base64::decode64(secret)
-token, pcert, ucert = dsecret.split(':')
-
-auth = X509ProxyAuth.new(:proxy => nil,
- :proxy_cert => pcert,
- :user_cert => ucert,
- :ca_dir => nil)
-
-rc = auth.authenticate(user, pass, token)
-
-if rc == true
- exit 0
-else
- OpenNebula.error_message rc
- exit -1
-end
diff --git a/src/authm_mad/remotes/x509_proxy/x509_proxy_auth.rb b/src/authm_mad/remotes/x509_proxy/x509_proxy_auth.rb
deleted file mode 100644
index 2ed8b386b4..0000000000
--- a/src/authm_mad/remotes/x509_proxy/x509_proxy_auth.rb
+++ /dev/null
@@ -1,214 +0,0 @@
-# -------------------------------------------------------------------------- #
-# Copyright 2002-2011, OpenNebula Project Leads (OpenNebula.org) #
-# #
-# Licensed under the Apache License, Version 2.0 (the "License"); you may #
-# not use this file except in compliance with the License. You may obtain #
-# a copy of the License at #
-# #
-# http://www.apache.org/licenses/LICENSE-2.0 #
-# #
-# Unless required by applicable law or agreed to in writing, software #
-# distributed under the License is distributed on an "AS IS" BASIS, #
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. #
-# See the License for the specific language governing permissions and #
-# limitations under the License. #
-#--------------------------------------------------------------------------- #
-
-require 'openssl'
-require 'base64'
-require 'fileutils'
-
-# Authentication class based on x509 proxy certificate.
-class X509ProxyAuth
- PROXY_PATH = ENV['HOME']+'/.one/one_x509_proxy'
-
- # Initialize x509ProxyAuth object
- #
- # @param [Hash] default options for path
- # @option options [String] :proxy ($X509_PROXY_CERT)
- # proxy cert for the user
- # @option options [String] :proxy_cert (nil)
- # public cert of a user proxy
- # @option options [String] :user_cert (nil)
- # user cert, used to generate the proxy
- # @option options [String] :ca_dir (/etc/grid-security/certificates)
- # trusted CA directory. If nil it will not be used to verify
- # certificates
- def initialize(options={})
- @options={
- :proxy => ENV['X509_PROXY_CERT']
- :proxy_cert => nil,
- :user_cert => nil,
- :ca_dir => "/etc/grid-security/certificates",
- }.merge!(options)
-
- proxy_cert_txt = @options[:proxy_cert]
- user_cert_txt = @options[:user_cert]
-
- #Read certificates from a grid proxy file
- if @options[:proxy] && File.readable?(@options[:proxy])
- proxy = File.read(@options[:proxy])
-
- rc = proxy.scan(/-+BEGIN CERTIFICATE-+\n([^-]*)\n-+END CERTIFICATE-+/)
- rc.flatten!
-
- proxy_cert_txt = rc[0]
- user_cert_txt = rc[1]
-
- rc = proxy.match(/-+BEGIN RSA PRIVATE KEY-+\n([^-]*)\n-+END RSA PRIVATE KEY-+/)
-
- proxy_key_txt = rc[1]
- end
-
- if !proxy_cert_txt || !user_cert_txt
- raise "Can not get user or proxy certificates"
- end
-
- @proxy_cert = OpenSSL::X509::Certificate.new(proxy_cert_txt)
- @user_cert = OpenSSL::X509::Certificate.new(user_cert_txt)
- @dn = @user_cert.subject.to_s
-
- if proxy_ket_txt
- @poxy_key = OpenSSL::PKey::RSA.new(proxy_key_txt)
- end
-
- # Load configuration file
- #@auth_conf_path = ETC_LOCATION+'/auth/auth.conf'
-
- #if File.readable?(@auth_conf_path)
- # config = File.read(@auth_conf_path)
- # config = YAML::load(config_data)
-
- # @options.merge!(config)
- #end
- end
-
- ###########################################################################
- # Client side
- ###########################################################################
-
- # Creates the login file for x509 authentication at ~/.one/one_x509_proxy.
- def login(user)
- # Init proxy file path and creates ~/.one directory if needed
- # Set instance variables
- proxy_dir=File.dirname(PROXY_PATH)
-
- begin
- FileUtils.mkdir_p(proxy_dir)
- rescue Errno::EEXIST
- end
-
- #Generate token for authentication
- text_to_sign = "#{user}:#{@dn}"
- signed_text = encrypt(text_to_sign)
-
- token = "#{signed_text}:#{@proxy_cert.to_pem}:#{@user_cert.to_pem}"
- token64 = Base64::encode64(token).strip.delete!("\n")
-
- proxy="#{user}:grid:#{token64}"
-
- file = File.open(PROXY_PATH, "w")
-
- file.write(proxy)
-
- file.close
-
- # Help string
- puts "export ONE_AUTH=#{ENV['HOME']}/.one/one_x509_proxy"
-
- token64
- end
-
- ###########################################################################
- # Server side
- ###########################################################################
-
- # auth method for auth_mad
- def authenticate(user, pass, token)
- begin
- validate_chain
-
- plain = decrypt(token)
-
- _user, subject = plain.split(':')
-
- if (user != _user)
- return "User name missmatch"
- elsif ((subject != @dn) || (subject != pass))
- return "Certificate subject missmatch"
- end
-
- return true
- rescue => e
- return e.message
- end
-
-private
- ###########################################################################
- # Methods to encrpyt/decrypt keys
- ###########################################################################
- # Encrypts data with the private key of the user and returns
- # base 64 encoded output in a single line
- def encrypt(data)
- return nil if !@proxy_key
- Base64::encode64(@proxy_key.private_encrypt(data)).delete!("\n").strip
- end
-
- # Decrypts base 64 encoded data with pub_key (public key)
- def decrypt(data)
- @proxy_cert.public_key.public_decrypt(Base64::decode64(data))
- end
-
- ###########################################################################
- # Validates the certificate chain
- ###########################################################################
- def validate_chain
- now = Time.now
- failed = "Could not validate user credentials: "
-
- # Check start time and end time of proxy
- if @proxy_cert.not_before > now || @proxy_cert.not_after < now
- raise failed + "Certificate not valid. Current time is " +
- now.localtime.to_s + "."
- end
-
- # Check that the issuer of the proxy is the same user as in the user certificate
- if @proxy_cert.issuer.to_s != @user_cert.subject.to_s
- raise failed + "Proxy with issuer " + @proxy_cert.issuer.to_s +
- " does not match user " + @dn
- end
-
- # Check that the user signed the proxy
- if !@proxy_cert.verify(@user_cert.public_key)
- raise "Proxy with subject " + @proxy_cert.subject.to_s +
- " was not verified by " + @dn + "."
- end
-
- # Check the rest of the certificate chain if specified
- if !@options[:ca_dir]
- return
- end
-
- begin
- signee = @user_cert
-
- begin
- ca_hash = signee.issuer.hash.to_s(16)
- ca_path = @options[:ca_dir] + '/' + ca_hash + '.0'
-
- ca_cert = OpenSSL::X509::Certificate.new(File.read(ca_path))
-
- if !((signee.issuer.to_s == ca_cert.subject.to_s) &&
- (signee.verify(ca_cert.public_key)))
- raise failed + signee.subject.to_s + " with issuer " +
- signee.issuer.to_s + " was not verified by " +
- ca.subject.to_s + "."
- end
-
- signee = ca_cert
- end while ca_cert.subject.to_s != ca_cert.issuer.to_s
- rescue
- raise
- end
- end
-end
diff --git a/src/authm_mad/simple_permissions.rb b/src/authm_mad/simple_permissions.rb
deleted file mode 100644
index 084073b6c5..0000000000
--- a/src/authm_mad/simple_permissions.rb
+++ /dev/null
@@ -1,112 +0,0 @@
-# -------------------------------------------------------------------------- #
-# Copyright 2002-2011, OpenNebula Project Leads (OpenNebula.org) #
-# #
-# Licensed under the Apache License, Version 2.0 (the "License"); you may #
-# not use this file except in compliance with the License. You may obtain #
-# a copy of the License at #
-# #
-# http://www.apache.org/licenses/LICENSE-2.0 #
-# #
-# Unless required by applicable law or agreed to in writing, software #
-# distributed under the License is distributed on an "AS IS" BASIS, #
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. #
-# See the License for the specific language governing permissions and #
-# limitations under the License. #
-#--------------------------------------------------------------------------- #
-
-require 'quota'
-require 'base64'
-
-class SimplePermissions
-
- def initialize(database, client, conf={})
- @quota=Quota.new(database, client, conf[:quota] || {})
- @quota_enabled=conf[:quota][:enabled]
- end
-
- # Returns message if result is false, true otherwise
- def auth_message(result, message)
- result ? true : message
- end
-
- # Extracts cpu and memory resources from the VM template sent in
- # authorization message
- def get_vm_usage(data)
- vm_xml=Base64::decode64(data)
- vm=OpenNebula::VirtualMachine.new(
- OpenNebula::XMLElement.build_xml(vm_xml, 'TEMPLATE'),
- OpenNebula::Client.new)
-
- # Should set more sensible defaults or get driver configuration
- cpu=vm['CPU']
- cpu||=1.0
- cpu=cpu.to_f
-
- memory=vm['MEMORY']
- memory||=64
- memory=memory.to_f
-
- VmUsage.new(cpu, memory)
- end
-
- # Checks if the quota is enabled, and if it is not exceeded
- def check_quota_enabled(uid, object, id, auth_result)
- if @quota_enabled and object=='VM' and auth_result
- STDERR.puts 'quota enabled'
- @quota.update(uid.to_i)
- if message=@quota.check(uid.to_i, get_vm_usage(id))
- auth_result=message
- end
- end
-
- return auth_result
- end
-
- # Method called by authorization driver
- def auth(uid, tokens)
- result=true
-
- tokens.each do |token|
- object, id, action, owner, pub=token.split(':')
- result=auth_object(uid.to_s, object, id, action, owner, pub)
- break result if result!=true
- end
-
- result
- end
-
- # Authorizes each of the tokens. All parameters are strings. Pub
- # means public when "1" and private when "0"
- def auth_object(uid, object, id, action, owner, pub)
- return true if uid=='0'
-
- auth_result=false
-
- case action
- when 'CREATE'
- auth_result=true if %w{VM NET IMAGE TEMPLATE}.include? object
- auth_result = check_quota_enabled(uid, object, id, auth_result)
-
- when 'INSTANTIATE'
- auth_result = true if %w{VM}.include? object
- auth_result = check_quota_enabled(uid, object, id, auth_result)
-
- when 'DELETE'
- auth_result = (owner == uid)
-
- when 'USE'
- if %w{VM NET IMAGE TEMPLATE}.include? object
- auth_result = ((owner == uid) | (pub=='1'))
- elsif object == 'HOST'
- auth_result=true
- end
-
- when 'MANAGE'
- auth_result = (owner == uid)
-
- when 'INFO'
- end
-
- return auth_result
- end
-end