diff --git a/src/authm_mad/remotes/server_cipher/authenticate b/src/authm_mad/remotes/server_cipher/authenticate
index 0f39d35c97..cde4714266 100755
--- a/src/authm_mad/remotes/server_cipher/authenticate
+++ b/src/authm_mad/remotes/server_cipher/authenticate
@@ -46,7 +46,6 @@ rescue => e
 end
 if rc == true
- puts user
 exit 0
 else
 OpenNebula.error_message user
diff --git a/src/authm_mad/remotes/server_cipher/server_cipher_auth.rb b/src/authm_mad/remotes/server_cipher/server_cipher_auth.rb
index 07139b5a6a..cde0570d00 100644
--- a/src/authm_mad/remotes/server_cipher/server_cipher_auth.rb
+++ b/src/authm_mad/remotes/server_cipher/server_cipher_auth.rb
@@ -29,7 +29,6 @@ class ServerCipherAuth
 ###########################################################################
 CIPHER = "aes-256-cbc"
- EXPIRE = 300
 ###########################################################################
@@ -60,34 +59,40 @@ class ServerCipherAuth
 # Generates a login token in the form:
 # - server_user:target_user:time_expires
 # The token is then encrypted with the contents of one_auth
- def login_token(target_user=nil)
+ def login_token(expire, target_user=nil)
 target_user ||= @server_user
- token_txt = "#{@server_user}:#{target_user}:#{Time.now.to_i + EXPIRE}"
+ token_txt = "#{@server_user}:#{target_user}:#{expire}"
 token = encrypt(token_txt)
 token64 = Base64::encode64(token).strip.delete("\n")
- return "#{@server_user}:#{token64}"
+ return "#{@server_user}:#{target_user}:#{token64}"
 end
 # Returns a valid password string to create a user using this auth driver
 def password
 return @passwd
 end
+ ###########################################################################
 # Server side
 ###########################################################################
 # auth method for auth_mad
- def authenticate(user, pass, signed_text)
- begin
- # Decryption demonstrates that the user posessed the private key.
- s_user, t_user, expires = decrypt(signed_text,pass).split(':')
+ def authenticate(server_user,server_pass, signed_text)
+ begin
+ return false,"Server password missmatch" if server_pass != @key
+
+ s_user, t_user, expires = decrypt(signed_text).split(':')
- return "User name missmatch" if s_user != @server_user
+ if ( s_user != server_user || s_user != @server_user )
+ return false, "User name missmatch"
+ end
+
+ if Time.now.to_i >= expires.to_i
+ return false, "login token expired"
+ end
- return "login token expired" if Time.now.to_i >= expires.to_i
-
- return true, t_user
+ return true
 rescue => e
 return false, e.message
 end
@@ -105,9 +110,9 @@ class ServerCipherAuth
 return rc
 end
- def decrypt(data,pass)
+ def decrypt(data)
 @cipher.decrypt
- @cipher.key = pass
+ @cipher.key = @key
 rc = @cipher.update(Base64::decode64(data))
 rc << @cipher.final
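Review bot: The new `authenticate` decrypts the target user into `t_user` and then discards it with `return true`, where the old code returned `true, t_user`; the encrypted token is thus no longer bound to whichever target user the caller goes on to act for, and since `login_token` now also emits that name in cleartext (`server_user:target_user:token64`), a caller that reads it from the cleartext part could be handed a token minted for one user alongside another user's name. Hand the decrypted name back so the caller can compare it, `return true, t_user`, or take the expected target as an argument and check it here against `t_user`. Separately, `server_pass != @key` is an ordinary string comparison on a secret; where the openssl gem in use provides it, `OpenSSL.fixed_length_secure_compare(server_pass, @key)` avoids the timing side channel. Finally, `return false, e.message` relays the raw OpenSSL failure (e.g. the bad-padding error from `@cipher.final`) to the caller, which is padding-oracle material for an unauthenticated CBC token if it ever reaches the network; prefer a fixed `return false, "invalid login token"` and log the detail locally. `authenticate`'s closing `end` lies past the hunk.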
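Review bot: `decrypt` now processes the token with the shared `@key` under `aes-256-cbc` (the CIPHER constant in this file) and no integrity check, so a tampered ciphertext is noticed only if the padding happens to fail; the visible lines also set no IV, though one may be configured where `@cipher` is created. Since this commit already redefines the token format, consider an authenticated mode, e.g. `aes-256-gcm` with the tag appended to the ciphertext and `@cipher.auth_tag = tag` before `final`, or an HMAC over the Base64 payload verified before `update` is called. The method signals a malformed or tampered token by raising rather than by return value, which is what the `rescue` in `authenticate` relies on; a comment above the `def`, `# Raises OpenSSL::Cipher::CipherError on a malformed or tampered token`, would make that contract explicit. The body of `decrypt` continues past the hunk.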
diff --git a/src/authm_mad/remotes/server_x509/server_x509_auth.conf b/src/authm_mad/remotes/server_x509/server_x509_auth.conf
index 57b669e4eb..120e2d4a54 100644
--- a/src/authm_mad/remotes/server_x509/server_x509_auth.conf
+++ b/src/authm_mad/remotes/server_x509/server_x509_auth.conf
@@ -1,3 +1,6 @@
+# User to be used for x509 server authentication
+#:server_user: x509_server
+
 # Path to the certificate used by the OpenNebula Services
 # Certificates must be in PEM format
diff --git a/src/authm_mad/remotes/server_x509/server_x509_auth.rb b/src/authm_mad/remotes/server_x509/server_x509_auth.rb
index ccf59f3214..09c0518acb 100644
--- a/src/authm_mad/remotes/server_x509/server_x509_auth.rb
+++ b/src/authm_mad/remotes/server_x509/server_x509_auth.rb
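Review bot: The new `:server_user:` key is shipped commented out, while the driver change in this same commit raises "User for x509 server not defined" whenever `@options[:server_user]` is nil or empty, so an installation that leaves this file as delivered appears to fail at driver start until an admin edits it. Either ship the key active, `:server_user: x509_server`, or extend the comment to state the requirement, e.g. `# User to be used for x509 server authentication (mandatory: the driver refuses to load without it)`. This assumes nothing else supplies a default for the key; only the raise in the `.rb` hunk is visible here.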
@@ -50,43 +50,42 @@ class ServerX509Auth < X509Auth
 :key_pem => key)
 rescue
 raise
- end
+ end
+
+ if @options[:server_user] == nil || @options[:server_user].empty?
+ raise "User for x509 server not defined"
+ end
 end
 # Generates a login token in the form:
- # user_name:server:user_name:user_pass:time_expires
- # - user_name:user_pass:time_expires is encrypted with the server certificate
- def login_token(user, user_pass, expire)
-
- expires = Time.now.to_i+expire
-
- token_txt = "#{user}:#{user_pass}:#{expires}"
+ # - server_user:target_user:time_expires
+ def login_token(expire, target_user=nil)
+ target_user ||= @options[:server_user]
+ token_txt = "#{@options[:server_user]}:#{target_user}:#{expire}"
 token = encrypt(token_txt)
 token64 = Base64::encode64(token).strip.delete("\n")
- login_out = "#{user}:#{token64}"
-
- login_out
+ return "#{@options[:server_user]}:#{target_user}:#{token64}"
 end
 ###########################################################################
 # Server side
 ###########################################################################
 # auth method for auth_mad
- def authenticate(user, pass, signed_text)
- begin
- # Decryption demonstrates that the user posessed the private key.
- _user, user_pass, expires = decrypt(signed_text).split(':')
+ def authenticate(server_user, server_pass, signed_text)
+ begin
+ return false,"Server password missmatch" if server_pass != password
+
+ s_user, t_user, expires = decrypt(signed_text).split(':')
- return "User name missmatch" if user != _user
-
- return "login token expired" if Time.now.to_i >= expires.to_i
-
- # Check that the signed password matches one for the user.
- if !pass.split('|').include?(user_pass)
- return "User password missmatch"
+ if ( s_user != server_user || s_user != @options[:server_user] )
+ return false, "User name missmatch"
 end
+
+ if Time.now.to_i >= expires.to_i
+ return false, "login token expired"
+ end
 return true
 rescue => e