bug-847: Updated server auth drivers to new token format

src/authm_mad/remotes/server_cipher/authenticate

@@ -46,7 +46,6 @@ rescue => e
 end
 
 if rc == true
-    puts user
     exit 0
 else
     OpenNebula.error_message user 

src/authm_mad/remotes/server_cipher/server_cipher_auth.rb

@@ -29,7 +29,6 @@ class ServerCipherAuth
     ###########################################################################
 
     CIPHER = "aes-256-cbc"
-    EXPIRE = 300
 
     ###########################################################################
 
@@ -60,34 +59,40 @@ class ServerCipherAuth
     # Generates a login token in the form:
     #   - server_user:target_user:time_expires 
     # The token is then encrypted with the contents of one_auth
-    def login_token(target_user=nil)
+    def login_token(expire, target_user=nil)
         target_user ||= @server_user
-        token_txt = "#{@server_user}:#{target_user}:#{Time.now.to_i + EXPIRE}"
+        token_txt   =   "#{@server_user}:#{target_user}:#{expire}"
 
         token     = encrypt(token_txt)
         token64   = Base64::encode64(token).strip.delete("\n")
 
-        return "#{@server_user}:#{token64}"
+        return "#{@server_user}:#{target_user}:#{token64}"
     end
 
     # Returns a valid password string to create a user using this auth driver
     def password
         return @passwd
     end
+
     ###########################################################################
     # Server side
     ###########################################################################
     # auth method for auth_mad
-    def authenticate(user, pass, signed_text)
-        begin            
-            # Decryption demonstrates that the user posessed the private key.
-            s_user, t_user, expires = decrypt(signed_text,pass).split(':')
+    def authenticate(server_user,server_pass, signed_text)
+        begin
+            return false,"Server password missmatch" if server_pass != @key
+            
+            s_user, t_user, expires = decrypt(signed_text).split(':')
 
-            return "User name missmatch" if s_user != @server_user
+            if ( s_user != server_user || s_user != @server_user )
+                return false, "User name missmatch" 
+            end
+           
+            if Time.now.to_i >= expires.to_i 
+                return false, "login token expired"
+            end  
 
-            return "login token expired" if Time.now.to_i >= expires.to_i
-
-            return true, t_user
+            return true
         rescue => e
             return false, e.message
         end
@@ -105,9 +110,9 @@ class ServerCipherAuth
         return rc
     end
 
-    def decrypt(data,pass) 
+    def decrypt(data) 
         @cipher.decrypt
-        @cipher.key = pass
+        @cipher.key = @key
         
         rc = @cipher.update(Base64::decode64(data))
         rc << @cipher.final

src/authm_mad/remotes/server_x509/server_x509_auth.conf

@@ -1,3 +1,6 @@
+# User to be used for x509 server authentication
+#:server_user: x509_server
+
 # Path to the certificate used by the OpenNebula Services
 # Certificates must be in PEM format
 

src/authm_mad/remotes/server_x509/server_x509_auth.rb

@@ -50,43 +50,42 @@ class ServerX509Auth < X509Auth
                   :key_pem   => key)
         rescue
             raise
-        end  
+        end
+
+        if @options[:server_user] == nil || @options[:server_user].empty?
+           raise "User for x509 server not defined"  
+        end
     end
 
     # Generates a login token in the form:
-    # user_name:server:user_name:user_pass:time_expires
-    #   - user_name:user_pass:time_expires is encrypted with the server certificate
-    def login_token(user, user_pass, expire)
-
-        expires = Time.now.to_i+expire
-        
-        token_txt = "#{user}:#{user_pass}:#{expires}"
+    #   - server_user:target_user:time_expires 
+    def login_token(expire, target_user=nil)
+        target_user ||= @options[:server_user]
+        token_txt   =   "#{@options[:server_user]}:#{target_user}:#{expire}"
 
         token     = encrypt(token_txt)
         token64   = Base64::encode64(token).strip.delete("\n")
 
-        login_out = "#{user}:#{token64}"
-        
-        login_out
+        return "#{@options[:server_user]}:#{target_user}:#{token64}"
     end
 
     ###########################################################################
     # Server side
     ###########################################################################
     # auth method for auth_mad
-    def authenticate(user, pass, signed_text)
-        begin            
-            # Decryption demonstrates that the user posessed the private key.
-            _user, user_pass, expires = decrypt(signed_text).split(':')
+    def authenticate(server_user, server_pass, signed_text)
+        begin           
+            return false,"Server password missmatch" if server_pass != password
+            
+            s_user, t_user, expires = decrypt(signed_text).split(':')
 
-            return "User name missmatch" if user != _user
-
-            return "login token expired" if Time.now.to_i >= expires.to_i
-
-            # Check that the signed password matches one for the user.
-            if !pass.split('|').include?(user_pass)
-                return "User password missmatch"
+            if ( s_user != server_user || s_user != @options[:server_user] )
+                return false, "User name missmatch" 
             end
+           
+            if Time.now.to_i >= expires.to_i 
+                return false, "login token expired"
+            end  
 
             return true
         rescue => e