
feature #754: Fix problem parsing cert chains. Includes conf files for server and x509 authN methods

This commit is contained in:
Ruben S. Montero 2011-08-30 18:04:53 +02:00
parent 304b82f024
commit 43b79a3e3a
6 changed files with 44 additions and 28 deletions


@ -706,7 +706,8 @@ HM_ETC_FILES="src/hm_mad/hmrc"
# Auth Manager drivers config. files, to be installed under $ETC_LOCATION/auth
#-------------------------------------------------------------------------------
AUTH_ETC_FILES="src/authm_mad/remotes/server/server_auth.conf"
AUTH_ETC_FILES="src/authm_mad/remotes/server/server_auth.conf \
src/authm_mad/remotes/x509/x509_auth.conf"
#-------------------------------------------------------------------------------
# Sample files, to be installed under $SHARE_LOCATION/examples


@ -2,7 +2,3 @@
# Certificates must be in PEM format
:one_cert: "/etc/one/auth/cert.pem"
:one_key: "/etc/one/auth/pk.pem"
# Path to the trusted CA directory. It should contain the trusted CA's for
# the server, each CA certificate shoud be name CA_hash.0
:ca_dir:


@ -17,7 +17,6 @@
require 'openssl'
require 'base64'
require 'fileutils'
require 'yaml'
require 'x509_auth'
@ -28,38 +27,27 @@ class ServerAuth < X509Auth
###########################################################################
#Constants with paths to relevant files and defaults
###########################################################################
if !ENV["ONE_LOCATION"]
ETC_LOCATION = "/etc/one"
else
ETC_LOCATION = ONE_LOCATION + "/etc"
end
SERVER_AUTH_CONF_PATH = ETC_LOCATION + "/auth/server_auth.conf"
DEFAULT_CERTS_PATH = {
SERVER_DEFAULTS = {
:one_cert => ETC_LOCATION + "/auth/cert.pem",
:one_key => ETC_LOCATION + "/auth/key.pem",
:ca_dir => ETC_LOCATION + "/auth/certificates",
:one_key => ETC_LOCATION + "/auth/key.pem"
}
###########################################################################
def initialize()
@options = DEFAULT_CERTS_PATH
@options = SERVER_DEFAULTS
load_options(SERVER_AUTH_CONF_PATH)
if File.readable?(SERVER_AUTH_CONF_PATH)
config = File.read(SERVER_AUTH_CONF_PATH)
@options.merge!(YAML::load(config))
end
begin
certs = [ File.read(@options[:one_cert]) ]
key = File.read(@options[:one_key])
super(:certs_pem => certs,
:key_pem => key,
:ca_dir => @options[:ca_dir])
:key_pem => key)
rescue
raise
end
@ -75,7 +63,7 @@ class ServerAuth < X509Auth
token_txt = "#{user}:#{user_pass}:#{expires}"
token = encrypt(token_txt)
token64 = Base64::encode64(token).strip.delete("\n")
token64 = Base64::encode64(token).strip.delete("\n")
login_out = "#{user}:server:#{token64}"
@ -97,7 +85,7 @@ class ServerAuth < X509Auth
# Check that the signed password matches one for the user.
if !pass.split('|').include?(user_pass)
return "User password missmatch"
return "User password missmatch"
end
return true
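Review bot: In the initialize hunk, `@options = SERVER_DEFAULTS` followed by `load_options(SERVER_AUTH_CONF_PATH)` merges the configuration file into the class constant itself rather than into a per-instance copy, so whatever server_auth.conf sets is written into `SERVER_DEFAULTS` for the life of the process; `@options = SERVER_DEFAULTS.dup` fixes that, and the constant can then be frozen. The following `super(:certs_pem => certs, :key_pem => key)` lets X509Auth#initialize rebuild `@options` from its own defaults, so any key read from server_auth.conf other than `:one_cert`/`:one_key` — a leftover `:ca_dir:` on an upgraded install, for instance — is silently dropped; if that is intended, a one-line comment saying that `:ca_dir` now lives in x509_auth.conf would save the next reader a debugging session. The `begin ... rescue; raise; end` around the File.read and super calls is a no-op and can be removed. `ETC_LOCATION = ONE_LOCATION + "/etc"` references a constant that is not defined anywhere in this hunk while the guard tests `ENV["ONE_LOCATION"]`; the same pattern is in the x509_auth.rb constants hunk, and unless the constant is set elsewhere in these files both branches should read `ENV["ONE_LOCATION"] + "/etc"`. initialize's closing `end` lies outside the hunk.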


@ -0,0 +1,3 @@
# Path to the trusted CA directory. It should contain the trusted CA's for
# the server, each CA certificate shoud be name CA_hash.0
:ca_dir: "/etc/one/auth/certificates"


@ -17,13 +17,30 @@
require 'openssl'
require 'base64'
require 'fileutils'
require 'yaml'
# X509 authentication class. It can be used as a driver for auth_mad
# as auth method is defined. It also holds some helper methods to be used
# by oneauth command
class X509Auth
###########################################################################
#Constants with paths to relevant files and defaults
###########################################################################
if !ENV["ONE_LOCATION"]
ETC_LOCATION = "/etc/one"
else
ETC_LOCATION = ONE_LOCATION + "/etc"
end
LOGIN_PATH = ENV['HOME']+'/.one/one_x509'
X509_AUTH_CONF_PATH = ETC_LOCATION + "/auth/x509_auth.conf"
X509_DEFAULTS = {
:ca_dir => ETC_LOCATION + "/auth/certificates"
}
###########################################################################
# Initialize x509Auth object
#
# @param [Hash] default options for path
@ -37,9 +54,11 @@ class X509Auth
@options={
:certs_pem => nil,
:key_pem => nil,
:ca_dir => nil
:ca_dir => X509_DEFAULTS[:ca_dir]
}.merge!(options)
load_options(X509_AUTH_CONF_PATH)
@cert_chain = @options[:certs_pem].collect do |cert_pem|
OpenSSL::X509::Certificate.new(cert_pem)
end
@ -137,6 +156,15 @@ private
file.close
end
# Load class options form a configuration file (yaml syntax)
def load_options(conf_file)
if File.readable?(conf_file)
config = File.read(conf_file)
@options.merge!(YAML::load(config))
end
end
###########################################################################
# Methods to encrpyt/decrypt keys
###########################################################################
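Review bot: In load_options, `@options.merge!(YAML::load(config))` raises TypeError when the configuration file exists but is empty or holds only comments, because `YAML::load` then returns false/nil instead of a Hash; `parsed = YAML::load(config)` followed by `@options.merge!(parsed) if parsed.is_a?(Hash)` keeps a blank x509_auth.conf (or server_auth.conf, since ServerAuth calls this too) from breaking every authentication call. The file is admin-owned under ETC_LOCATION, so full `YAML::load` is acceptable here, but the Hash check is also the cheapest way to keep a scalar or list in a malformed file out of `@options`. In the constants hunk, `LOGIN_PATH = ENV['HOME']+'/.one/one_x509'` is evaluated when the class is loaded and raises NoMethodError on nil if HOME is unset, which is plausible when the driver runs under a service account; `ENV.fetch('HOME')` at least fails with a KeyError that names the missing variable. The enclosing `private` section and the class's closing `end` lie outside this hunk.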


@ -111,10 +111,10 @@ class OneUserHelper < OpenNebulaHelper::OneHelper
begin
proxy = File.read(options[:proxy])
rc = proxy.scan(/-+BEGIN CERTIFICATE-+\n([^-]*)\n-+END CERTIFICATE-+/)
rc = proxy.scan(/(-+BEGIN CERTIFICATE-+\n[^-]*\n-+END CERTIFICATE-+)/)
certs = rc.flatten!
rc = proxy.match(/-+BEGIN RSA PRIVATE KEY-+\n([^-]*)\n-+END RSA PRIVATE KEY-+/)
rc = proxy.match(/(-+BEGIN RSA PRIVATE KEY-+\n[^-]*\n-+END RSA PRIVATE KEY-+)/)
key = rc[1]
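Review bot: `key = rc[1]` on the last line dereferences the result of `proxy.match` without a nil check, so a proxy file with no `BEGIN RSA PRIVATE KEY` block (a PKCS#8 `BEGIN PRIVATE KEY` key, or a file holding only certificates) fails with NoMethodError on nil rather than a message naming the problem; `raise "No private key found in #{options[:proxy]}" unless rc` before it makes the failure explicit. `certs = rc.flatten!` has the same issue one step earlier: `Array#flatten!` returns nil when it changed nothing, so an empty scan result leaves `certs` nil instead of `[]`, and `certs = rc.flatten` (or an explicit empty check) is the safer form. The enclosing `begin` opens in the hunk but its `rescue` lies outside, so these errors may be caught there, but the reported message would still be the generic nil one.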