bug #847: Removed dependency for user/passwd access in server_cipher driver. The ServerCipherAuth can now be instantiated in driver and client modes

2025-03-21 14:50:08 +03:00 · 2011-10-25 00:10:52 +02:00 · 2011-10-25 00:10:52 +02:00 · 41c13d5905
commit 41c13d5905
parent 42ecd68dbf
4 changed files with 57 additions and 60 deletions
--- a/src/authm_mad/remotes/server_cipher/authenticate
+++ b/src/authm_mad/remotes/server_cipher/authenticate
@ -38,8 +38,8 @@ secret = ARGV[2] # Base64 encoded secret as obtained from login_token
 #OpenNebula.log_debug("Authenticating #{user}, with password #{pass} (#{secret})")

 begin
-    server_auth = ServerCipherAuth.new
-    rc,user = server_auth.authenticate(user, pass, secret)
+    server_auth = ServerCipherAuth.new_driver
+    rc = server_auth.authenticate(user, pass, secret)
 rescue => e
    OpenNebula.error_message e.message
    exit -1
@ -48,6 +48,6 @@ end
 if rc == true
    exit 0
 else
-    OpenNebula.error_message user 
+    OpenNebula.error_message rc
    exit -1
 end
--- a/src/authm_mad/remotes/server_cipher/server_cipher_auth.rb
+++ b/src/authm_mad/remotes/server_cipher/server_cipher_auth.rb
@ -32,69 +32,69 @@ class ServerCipherAuth

    ###########################################################################

-    def initialize(one_auth = nil)
-        begin 
-            if one_auth  
-                auth = one_auth
-            elsif ENV["ONE_AUTH"] and !ENV["ONE_AUTH"].empty? and 
-                  File.file?(ENV["ONE_AUTH"])
-                auth = File.read(ENV["ONE_AUTH"])
-            elsif File.file?(ENV["HOME"]+"/.one/one_auth")
-                auth = File.read(ENV["HOME"]+"/.one/one_auth")
-            else
-                raise "ONE_AUTH file not present"
-            end
-             
-            auth.rstrip! 
-            
-            @server_user, @passwd = auth.split(':')
-            @key =  Digest::SHA1.hexdigest(@passwd)
-   
-            @cipher = OpenSSL::Cipher::Cipher.new(CIPHER)
-        rescue
-            raise 
+    def initialize(srv_user, srv_passwd)
+        @srv_user   = srv_user
+        @srv_passwd = srv_passwd 
+
+        if !srv_passwd.empty?
+            @key = Digest::SHA1.hexdigest(@srv_passwd)
+        else
+            @key = ""
        end
+
+        @cipher = OpenSSL::Cipher::Cipher.new(CIPHER)
+    end
+
+    ###########################################################################
+    # Client side
+    ###########################################################################
+
+    # Creates a ServerCipher for client usage
+    def self.new_client(srv_user, srv_passwd)
+        self.new(srv_user, srv_passwd)
    end

    # Generates a login token in the form:
    #   - server_user:target_user:time_expires 
    # The token is then encrypted with the contents of one_auth
    def login_token(expire, target_user=nil)
-        target_user ||= @server_user
-        token_txt   =   "#{@server_user}:#{target_user}:#{expire}"
+        target_user ||= @srv_user
+        token_txt   =   "#{@srv_user}:#{target_user}:#{expire}"

-        token     = encrypt(token_txt)
-        token64   = Base64::encode64(token).strip.delete("\n")
+        token   = encrypt(token_txt)
+        token64 = Base64::encode64(token).strip.delete("\n")

-        return "#{@server_user}:#{target_user}:#{token64}"
+        return "#{@srv_user}:#{target_user}:#{token64}"
    end

    # Returns a valid password string to create a user using this auth driver
    def password
-        return @passwd
+        return @srv_passwd
    end

    ###########################################################################
-    # Server side
+    # Driver side
    ###########################################################################
+
+    # Creates a ServerCipher for driver usage
+    def self.new_driver()
+        self.new("","")
+    end
+
    # auth method for auth_mad
-    def authenticate(server_user,server_pass, signed_text)
+    def authenticate(srv_user,srv_pass, signed_text)
        begin
-            return false,"Server password missmatch" if server_pass != @key
+            @key = srv_pass
            
            s_user, t_user, expires = decrypt(signed_text).split(':')

-            if ( s_user != server_user || s_user != @server_user )
-                return false, "User name missmatch" 
-            end
-           
-            if Time.now.to_i >= expires.to_i 
-                return false, "login token expired"
-            end  
+            return "User name missmatch" if s_user != srv_user
+             
+            return "login token expired" if Time.now.to_i >= expires.to_i

            return true
        rescue => e
-            return false, e.message
+            return e.message
        end
    end

@ -119,4 +119,4 @@ class ServerCipherAuth

        return rc
    end
-end
+end
--- a/src/authm_mad/remotes/server_x509/server_x509_auth.conf
+++ b/src/authm_mad/remotes/server_x509/server_x509_auth.conf
@ -1,5 +1,6 @@
 # User to be used for x509 server authentication
-#:server_user: x509_server
+	
+#:srv_user: x509_server

 # Path to the certificate used by the OpenNebula Services
 # Certificates must be in PEM format
--- a/src/authm_mad/remotes/server_x509/server_x509_auth.rb
+++ b/src/authm_mad/remotes/server_x509/server_x509_auth.rb
@ -46,13 +46,12 @@ class ServerX509Auth < X509Auth
            certs = [ File.read(@options[:one_cert]) ]
            key   =   File.read(@options[:one_key])

-            super(:certs_pem => certs, 
-                  :key_pem   => key)
+            super(:certs_pem => certs, :key_pem => key)
        rescue
            raise
        end

-        if @options[:server_user] == nil || @options[:server_user].empty?
+        if @options[:srv_user] == nil || @options[:srv_user].empty?
           raise "User for x509 server not defined"  
        end
    end
@ -60,13 +59,13 @@ class ServerX509Auth < X509Auth
    # Generates a login token in the form:
    #   - server_user:target_user:time_expires 
    def login_token(expire, target_user=nil)
-        target_user ||= @options[:server_user]
-        token_txt   =   "#{@options[:server_user]}:#{target_user}:#{expire}"
+        target_user ||= @options[:srv_user]
+        token_txt   =   "#{@options[:srv_user]}:#{target_user}:#{expire}"

-        token     = encrypt(token_txt)
-        token64   = Base64::encode64(token).strip.delete("\n")
+        token   = encrypt(token_txt)
+        token64 = Base64::encode64(token).strip.delete("\n")

-        return "#{@options[:server_user]}:#{target_user}:#{token64}"
+        return "#{@options[:srv_user]}:#{target_user}:#{token64}"
    end

    ###########################################################################
@ -75,21 +74,18 @@ class ServerX509Auth < X509Auth
    # auth method for auth_mad
    def authenticate(server_user, server_pass, signed_text)
        begin           
-            return false,"Server password missmatch" if server_pass != password
-            
            s_user, t_user, expires = decrypt(signed_text).split(':')
+   
+            return "Server password missmatch" if server_pass != password

-            if ( s_user != server_user || s_user != @options[:server_user] )
-                return false, "User name missmatch" 
-            end
+            return "User name missmatch" if ( s_user != server_user || 
+                                              s_user != @options[:srv_user] )
           
-            if Time.now.to_i >= expires.to_i 
-                return false, "login token expired"
-            end  
+            return "login token expired" if Time.now.to_i >= expires.to_i

            return true
        rescue => e
            return e.message
        end
    end
-end
+end