From 41c13d59050547c0c053e86e8c28723dbd949c69 Mon Sep 17 00:00:00 2001 From: "Ruben S. Montero" Date: Tue, 25 Oct 2011 00:10:52 +0200 Subject: [PATCH] bug #847: Removed dependency for user/passwd access in server_cipher driver. The ServerCipherAuth can now be instantiated in driver and client modes --- .../remotes/server_cipher/authenticate | 6 +- .../server_cipher/server_cipher_auth.rb | 78 +++++++++---------- .../remotes/server_x509/server_x509_auth.conf | 3 +- .../remotes/server_x509/server_x509_auth.rb | 30 ++++--- 4 files changed, 57 insertions(+), 60 deletions(-) diff --git a/src/authm_mad/remotes/server_cipher/authenticate b/src/authm_mad/remotes/server_cipher/authenticate index cde4714266..3bdcb496dc 100755 --- a/src/authm_mad/remotes/server_cipher/authenticate +++ b/src/authm_mad/remotes/server_cipher/authenticate @@ -38,8 +38,8 @@ secret = ARGV[2] # Base64 encoded secret as obtained from login_token #OpenNebula.log_debug("Authenticating #{user}, with password #{pass} (#{secret})") begin - server_auth = ServerCipherAuth.new - rc,user = server_auth.authenticate(user, pass, secret) + server_auth = ServerCipherAuth.new_driver + rc = server_auth.authenticate(user, pass, secret) rescue => e OpenNebula.error_message e.message exit -1 @@ -48,6 +48,6 @@ end if rc == true exit 0 else - OpenNebula.error_message user + OpenNebula.error_message rc exit -1 end \ No newline at end of file diff --git a/src/authm_mad/remotes/server_cipher/server_cipher_auth.rb b/src/authm_mad/remotes/server_cipher/server_cipher_auth.rb index cde0570d00..e25bb3e74e 100644 --- a/src/authm_mad/remotes/server_cipher/server_cipher_auth.rb +++ b/src/authm_mad/remotes/server_cipher/server_cipher_auth.rb 
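Review bot: In the second hunk `if rc == true` is now load-bearing rather than a style slip: `authenticate` returns either `true` or an error String, and a non-empty String is truthy in Ruby, so the idiomatic `if rc` would report every failure as success. Add a comment above it, `# authenticate returns true or an error String (truthy): keep the explicit == true`, or change the driver contract back to a `[ok, message]` pair so the check cannot be "cleaned up" later. The assignments of `user` and `pass` that feed `server_auth.authenticate` in the first hunk lie outside the hunk.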
@@ -32,69 +32,69 @@ class ServerCipherAuth ########################################################################### - def initialize(one_auth = nil) - begin - if one_auth - auth = one_auth - elsif ENV["ONE_AUTH"] and !ENV["ONE_AUTH"].empty? and - File.file?(ENV["ONE_AUTH"]) - auth = File.read(ENV["ONE_AUTH"]) - elsif File.file?(ENV["HOME"]+"/.one/one_auth") - auth = File.read(ENV["HOME"]+"/.one/one_auth") - else - raise "ONE_AUTH file not present" - end - - auth.rstrip! - - @server_user, @passwd = auth.split(':') - @key = Digest::SHA1.hexdigest(@passwd) - - @cipher = OpenSSL::Cipher::Cipher.new(CIPHER) - rescue - raise + def initialize(srv_user, srv_passwd) + @srv_user = srv_user + @srv_passwd = srv_passwd + + if !srv_passwd.empty? + @key = Digest::SHA1.hexdigest(@srv_passwd) + else + @key = "" end + + @cipher = OpenSSL::Cipher::Cipher.new(CIPHER) + end + + ########################################################################### + # Client side + ########################################################################### + + # Creates a ServerCipher for client usage + def self.new_client(srv_user, srv_passwd) + self.new(srv_user, srv_passwd) end # Generates a login token in the form: # - server_user:target_user:time_expires # The token is then encrypted with the contents of one_auth def login_token(expire, target_user=nil) - target_user ||= @server_user - token_txt = "#{@server_user}:#{target_user}:#{expire}" + target_user ||= @srv_user + token_txt = "#{@srv_user}:#{target_user}:#{expire}" - token = encrypt(token_txt) - token64 = Base64::encode64(token).strip.delete("\n") + token = encrypt(token_txt) + token64 = Base64::encode64(token).strip.delete("\n") - return "#{@server_user}:#{target_user}:#{token64}" + return "#{@srv_user}:#{target_user}:#{token64}" end # Returns a valid password string to create a user using this auth driver def password - return @passwd + return @srv_passwd end 
########################################################################### - # Server side + # Driver side ########################################################################### + + # Creates a ServerCipher for driver usage + def self.new_driver() + self.new("","") + end + # auth method for auth_mad - def authenticate(server_user,server_pass, signed_text) + def authenticate(srv_user,srv_pass, signed_text) begin - return false,"Server password missmatch" if server_pass != @key + @key = srv_pass s_user, t_user, expires = decrypt(signed_text).split(':') - if ( s_user != server_user || s_user != @server_user ) - return false, "User name missmatch" - end - - if Time.now.to_i >= expires.to_i - return false, "login token expired" - end + return "User name missmatch" if s_user != srv_user + + return "login token expired" if Time.now.to_i >= expires.to_i return true rescue => e - return false, e.message + return e.message end end @@ -119,4 +119,4 @@ class ServerCipherAuth return rc end -end +end \ No newline at end of file diff --git a/src/authm_mad/remotes/server_x509/server_x509_auth.conf b/src/authm_mad/remotes/server_x509/server_x509_auth.conf index 120e2d4a54..e5d3598022 100644 --- a/src/authm_mad/remotes/server_x509/server_x509_auth.conf +++ b/src/authm_mad/remotes/server_x509/server_x509_auth.conf @@ -1,5 +1,6 @@ # User to be used for x509 server authentication -#:server_user: x509_server + +#:srv_user: x509_server # Path to the certificate used by the OpenNebula Services # Certificates must be in PEM format diff --git a/src/authm_mad/remotes/server_x509/server_x509_auth.rb b/src/authm_mad/remotes/server_x509/server_x509_auth.rb index 09c0518acb..6e7050e3c4 100644 --- a/src/authm_mad/remotes/server_x509/server_x509_auth.rb +++ b/src/authm_mad/remotes/server_x509/server_x509_auth.rb 
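Review bot: `authenticate` now takes the cipher key straight from the caller with `@key = srv_pass` and never rejects a nil or empty value, while `initialize` deliberately maps an empty password to `@key = ""`; what an empty key does then depends entirely on `decrypt`, which is outside this hunk, so guard it up front with `return "Server password missmatch" if srv_pass.nil? || srv_pass.empty?`. The decrypted `t_user` is bound but never compared with anything, as in the old code; if the core does not itself check the token's target user against the account being logged in, that check is missing here, and at minimum the binding should read `_t_user` so the omission is visible — the same applies to the `authenticate` hunk in server_x509_auth.rb. The `rescue => e` path also returns raw OpenSSL error text to the driver, which the authenticate script then prints via `OpenNebula.error_message`; a fixed message such as `"invalid login token"` would be safer. The class header and the `encrypt`/`decrypt` helpers are outside this hunk.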
@@ -46,13 +46,12 @@ class ServerX509Auth < X509Auth certs = [ File.read(@options[:one_cert]) ] key = File.read(@options[:one_key]) - super(:certs_pem => certs, - :key_pem => key) + super(:certs_pem => certs, :key_pem => key) rescue raise end - if @options[:server_user] == nil || @options[:server_user].empty? + if @options[:srv_user] == nil || @options[:srv_user].empty? raise "User for x509 server not defined" end end @@ -60,13 +59,13 @@ class ServerX509Auth < X509Auth # Generates a login token in the form: # - server_user:target_user:time_expires def login_token(expire, target_user=nil) - target_user ||= @options[:server_user] - token_txt = "#{@options[:server_user]}:#{target_user}:#{expire}" + target_user ||= @options[:srv_user] + token_txt = "#{@options[:srv_user]}:#{target_user}:#{expire}" - token = encrypt(token_txt) - token64 = Base64::encode64(token).strip.delete("\n") + token = encrypt(token_txt) + token64 = Base64::encode64(token).strip.delete("\n") - return "#{@options[:server_user]}:#{target_user}:#{token64}" + return "#{@options[:srv_user]}:#{target_user}:#{token64}" end ########################################################################### @@ -75,21 +74,18 @@ class ServerX509Auth < X509Auth # auth method for auth_mad def authenticate(server_user, server_pass, signed_text) begin - return false,"Server password missmatch" if server_pass != password - s_user, t_user, expires = decrypt(signed_text).split(':') + + return "Server password missmatch" if server_pass != password - if ( s_user != server_user || s_user != @options[:server_user] ) - return false, "User name missmatch" - end + return "User name missmatch" if ( s_user != server_user || + s_user != @options[:srv_user] ) - if Time.now.to_i >= expires.to_i - return false, "login token expired" - end + return "login token expired" if Time.now.to_i >= expires.to_i return true rescue => e return e.message end end -end +end \ No newline at end of file
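Review bot: In the third hunk the `server_pass != password` check has been moved below `decrypt(signed_text)`, so a token is decrypted before the server password is verified; the old code checked the password first, which fails fast and keeps a caller with a wrong password out of the decryption path (and its exception messages) entirely — move `return "Server password missmatch" if server_pass != password` back above the `s_user, t_user, expires = ...` line. In the first hunk `@options[:srv_user] == nil || @options[:srv_user].empty?` reads more idiomatically as `@options[:srv_user].to_s.empty?`, and the two-line `return "User name missmatch" if ( ... || ... )` in the third hunk would be clearer as a small predicate, e.g. `server_user_matches?(s_user, server_user)`. The `initialize` body in the first hunk begins outside the hunk.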