feature #754: Fix problem parsing cert chains. Includes conf files for server and x509 authN methods

2025-01-11 05:17:41 +03:00 · 2011-08-30 18:04:53 +02:00 · 2011-08-30 18:04:53 +02:00 · 43b79a3e3a
commit 43b79a3e3a
parent 304b82f024
6 changed files with 44 additions and 28 deletions
--- a/install.sh
+++ b/install.sh
@ -706,7 +706,8 @@ HM_ETC_FILES="src/hm_mad/hmrc"
 # Auth Manager drivers config. files, to be installed under $ETC_LOCATION/auth
 #-------------------------------------------------------------------------------

-AUTH_ETC_FILES="src/authm_mad/remotes/server/server_auth.conf"
+AUTH_ETC_FILES="src/authm_mad/remotes/server/server_auth.conf \
+                src/authm_mad/remotes/x509/x509_auth.conf"

 #-------------------------------------------------------------------------------
 # Sample files, to be installed under $SHARE_LOCATION/examples
--- a/src/authm_mad/remotes/server/server_auth.conf
+++ b/src/authm_mad/remotes/server/server_auth.conf
@ -2,7 +2,3 @@
 # Certificates must be in PEM format
 :one_cert: "/etc/one/auth/cert.pem"
 :one_key: "/etc/one/auth/pk.pem"
-
-# Path to the trusted CA directory. It should contain the trusted CA's for
-# the server, each CA certificate shoud be name CA_hash.0
-:ca_dir: 
--- a/src/authm_mad/remotes/server/server_auth.rb
+++ b/src/authm_mad/remotes/server/server_auth.rb
@ -17,7 +17,6 @@
 require 'openssl'
 require 'base64'
 require 'fileutils'
-require 'yaml'

 require 'x509_auth'

@ -28,38 +27,27 @@ class ServerAuth < X509Auth
    ###########################################################################
    #Constants with paths to relevant files and defaults
    ###########################################################################
-    if !ENV["ONE_LOCATION"]
-        ETC_LOCATION      = "/etc/one"
-    else
-        ETC_LOCATION      = ONE_LOCATION + "/etc"
-    end

    SERVER_AUTH_CONF_PATH = ETC_LOCATION + "/auth/server_auth.conf"

-    DEFAULT_CERTS_PATH = {
+    SERVER_DEFAULTS = {
        :one_cert => ETC_LOCATION + "/auth/cert.pem",
-        :one_key  => ETC_LOCATION + "/auth/key.pem",
-        :ca_dir   => ETC_LOCATION + "/auth/certificates",
+        :one_key  => ETC_LOCATION + "/auth/key.pem"
    }

    ###########################################################################

    def initialize()
-        @options = DEFAULT_CERTS_PATH
+        @options = SERVER_DEFAULTS
       
-        if File.readable?(SERVER_AUTH_CONF_PATH)
-            config = File.read(SERVER_AUTH_CONF_PATH)
-             
-            @options.merge!(YAML::load(config))
-        end
+        load_options(SERVER_AUTH_CONF_PATH)

        begin
            certs = [ File.read(@options[:one_cert]) ]
            key   =   File.read(@options[:one_key])

            super(:certs_pem => certs, 
-                  :key_pem   => key,
-                  :ca_dir    => @options[:ca_dir])
+                  :key_pem   => key)
        rescue
            raise
        end  
--- a/src/authm_mad/remotes/x509/x509_auth.conf
+++ b/src/authm_mad/remotes/x509/x509_auth.conf
@ -0,0 +1,3 @@
+# Path to the trusted CA directory. It should contain the trusted CA's for
+# the server, each CA certificate shoud be name CA_hash.0
+:ca_dir: "/etc/one/auth/certificates"
--- a/src/authm_mad/remotes/x509/x509_auth.rb
+++ b/src/authm_mad/remotes/x509/x509_auth.rb
@ -17,13 +17,30 @@
 require 'openssl'
 require 'base64'
 require 'fileutils'
+require 'yaml'

 # X509 authentication class. It can be used as a driver for auth_mad
 # as auth method is defined. It also holds some helper methods to be used
 # by oneauth command
 class X509Auth
+    ###########################################################################
+    #Constants with paths to relevant files and defaults
+    ###########################################################################
+    if !ENV["ONE_LOCATION"]
+        ETC_LOCATION      = "/etc/one"
+    else
+        ETC_LOCATION      = ONE_LOCATION + "/etc"
+    end
+
    LOGIN_PATH = ENV['HOME']+'/.one/one_x509'

+    X509_AUTH_CONF_PATH = ETC_LOCATION + "/auth/x509_auth.conf"
+
+    X509_DEFAULTS = {
+        :ca_dir   => ETC_LOCATION + "/auth/certificates"
+    }
+
+    ###########################################################################
    # Initialize x509Auth object
    #
    # @param [Hash] default options for path
@ -37,9 +54,11 @@ class X509Auth
        @options={
            :certs_pem => nil,
            :key_pem   => nil,
-            :ca_dir    => nil
+            :ca_dir    => X509_DEFAULTS[:ca_dir]
        }.merge!(options)

+        load_options(X509_AUTH_CONF_PATH)
+
        @cert_chain = @options[:certs_pem].collect do |cert_pem|
            OpenSSL::X509::Certificate.new(cert_pem)
        end
@ -137,6 +156,15 @@ private
        file.close
    end

+    # Load class options form a configuration file (yaml syntax)
+    def load_options(conf_file)
+        if File.readable?(conf_file)
+            config = File.read(conf_file)
+             
+            @options.merge!(YAML::load(config))
+        end
+    end
+
    ###########################################################################
    #                       Methods to encrpyt/decrypt keys
    ###########################################################################
--- a/src/cli/one_helper/oneuser_helper.rb
+++ b/src/cli/one_helper/oneuser_helper.rb
@ -111,10 +111,10 @@ class OneUserHelper < OpenNebulaHelper::OneHelper
            begin  
                proxy = File.read(options[:proxy])

-                rc = proxy.scan(/-+BEGIN CERTIFICATE-+\n([^-]*)\n-+END CERTIFICATE-+/)
+                rc = proxy.scan(/(-+BEGIN CERTIFICATE-+\n[^-]*\n-+END CERTIFICATE-+)/)
                certs = rc.flatten!

-                rc = proxy.match(/-+BEGIN RSA PRIVATE KEY-+\n([^-]*)\n-+END RSA PRIVATE KEY-+/)
+                rc = proxy.match(/(-+BEGIN RSA PRIVATE KEY-+\n[^-]*\n-+END RSA PRIVATE KEY-+)/)

                key  = rc[1]