From 65606e7faf715a0d47d0f2346f3f87061236a62e Mon Sep 17 00:00:00 2001
From: "Ruben S. Montero" <rubensm@dacya.ucm.es>
Date: Wed, 27 Jul 2011 11:27:16 +0200
Subject: [PATCH 01/63] feture-754: OpenNebula core sends information about the
 ACL authZ result to the driver. Improved formating of auth strings. Check
 trivial authZ requests.

---
 include/AuthManager.h             | 13 ++++++--
 include/AuthManagerDriver.h       |  6 ++--
 src/authm/AuthManager.cc          | 19 ++++++++---
 src/authm/AuthManagerDriver.cc    |  7 ++--
 src/authm/test/AuthManagerTest.cc | 53 +++++++++++++++++++++++++++++--
 5 files changed, 85 insertions(+), 13 deletions(-)

diff --git a/include/AuthManager.h b/include/AuthManager.h
index e2331d7cb9..60322e9a1f 100644
--- a/include/AuthManager.h
+++ b/include/AuthManager.h
@@ -385,17 +385,26 @@ public:
 
     /**
      *  Gets the authorization requests in a single string
-     *  @return a space separated list of auth requests.
+     *  @return a space separated list of auth requests, or an empty string if
+     *          no auth requests were added
      */
     string get_auths()
     {
         ostringstream oss;
+        unsigned int  i;
 
-        for (unsigned int i=0; i<auths.size(); i++)
+        if ( auths.empty() )
+        {
+            return string();
+        }
+
+        for (i=0; i<auths.size()-1; i++)
         {
             oss << auths[i] << " ";
         }
 
+        oss << auths[i];
+
         return oss.str();
     };
 
diff --git a/include/AuthManagerDriver.h b/include/AuthManagerDriver.h
index 872a5feb3a..a742371032 100644
--- a/include/AuthManagerDriver.h
+++ b/include/AuthManagerDriver.h
@@ -71,9 +71,11 @@ private:
      *    "AUTHORIZE  OPERATION_ID USER_ID REQUEST1 REQUEST2..."
      *    @param oid an id to identify the request.
      *    @param uid the user id.
-     *    @param requests space separated list of requests in the form OP:OBJ:ID
+     *    @param requests space separated list of requests in the form OP:OB:ID
+     *    @param acl is the authorization result using the ACL engine for
+     *           this request
      */
-    void authorize(int oid, int uid, const string& requests) const;
+    void authorize(int oid, int uid, const string& requests, bool acl) const;
 
     /**
      *  Sends an authorization request to the MAD:
diff --git a/src/authm/AuthManager.cc b/src/authm/AuthManager.cc
index 86d286b61c..46d079a89f 100644
--- a/src/authm/AuthManager.cc
+++ b/src/authm/AuthManager.cc
@@ -285,7 +285,8 @@ void AuthManager::authorize_action(AuthRequest * ar)
 
     if (authm_md == 0)
     {
-        goto error_driver;
+        ar->message = "Could not find Authorization driver";
+        goto error;
     }
 
     // ------------------------------------------------------------------------
@@ -300,15 +301,23 @@ void AuthManager::authorize_action(AuthRequest * ar)
 
     auths = ar->get_auths();
 
-    authm_md->authorize(ar->id, ar->uid, auths);
+    if ( auths.empty() )
+    {
+        ar->message = "Empty authorization string";
+        goto error;
+    }
+
+    authm_md->authorize(ar->id, ar->uid, auths, ar->self_authorize);
 
     return;
 
-error_driver:
-    ar->result  = false;
-    ar->message = "Could not find Authorization driver";
+error:
+    ar->result = false;
     ar->notify();
+
+    return;
 }
+
 /* -------------------------------------------------------------------------- */
 /* -------------------------------------------------------------------------- */
 
diff --git a/src/authm/AuthManagerDriver.cc b/src/authm/AuthManagerDriver.cc
index 43a29445f4..1722d0e14e 100644
--- a/src/authm/AuthManagerDriver.cc
+++ b/src/authm/AuthManagerDriver.cc
@@ -25,11 +25,14 @@
 /* Driver ASCII Protocol Implementation                                       */
 /* ************************************************************************** */
 
-void AuthManagerDriver::authorize(int oid, int uid, const string& reqs) const
+void AuthManagerDriver::authorize(int           oid, 
+                                  int           uid, 
+                                  const string& reqs, 
+                                  bool          acl) const
 {
     ostringstream os;
 
-    os << "AUTHORIZE " << oid << " " << uid << " " << reqs << endl;
+    os << "AUTHORIZE " << oid << " " << uid << " " << reqs << " " << acl <<endl;
 
     write(os);
 }
diff --git a/src/authm/test/AuthManagerTest.cc b/src/authm/test/AuthManagerTest.cc
index 1d0473e76e..3e0c871148 100644
--- a/src/authm/test/AuthManagerTest.cc
+++ b/src/authm/test/AuthManagerTest.cc
@@ -182,7 +182,7 @@ public:
         string astr = "VM:VGhpcyBpcyBhIHRlbXBsYXRlCg==:CREATE:-1:0:0 "
                       "IMAGE:2:USE:3:0:0 "
                       "NET:4:DELETE:5:1:0 "
-                      "HOST:6:MANAGE:7:1:0";
+                      "HOST:6:MANAGE:7:1:0 0";
 
         ar.add_auth(AuthRequest::VM,
                     "This is a template\n",
@@ -214,7 +214,6 @@ public:
 
         am->trigger(AuthManager::AUTHORIZE,&ar);
         ar.wait();
-
 /*
         if ( ar.result != false )
         {
@@ -229,6 +228,56 @@ public:
 //*/
         CPPUNIT_ASSERT(ar.result==false);
         CPPUNIT_ASSERT(ar.message==astr);
+
+        AuthRequest ar1(2, 2);
+
+        string astr1= "VM:VGhpcyBpcyBhIHRlbXBsYXRlCg==:CREATE:-1:0:0 0";
+
+        ar1.add_auth(AuthRequest::VM,
+                     "This is a template\n",
+                     0,
+                     AuthRequest::CREATE,
+                     -1,
+                     false);
+
+        am->trigger(AuthManager::AUTHORIZE,&ar1);
+        ar1.wait();
+ /*
+        if ( ar1.result != false )
+        {
+            cout << endl << "ar.result: " << ar1.result << endl;
+        }
+
+        if ( ar1.message != astr1 )
+        {
+            cout << endl << "ar.message: " << ar1.message;
+            cout << endl << "expected:   " << astr1 << endl;
+        }
+//*/
+        CPPUNIT_ASSERT(ar1.result==false);
+        CPPUNIT_ASSERT(ar1.message==astr1);
+
+        AuthRequest ar2(2, 2);
+
+        string astr2= "Empty authorization string";
+
+
+        am->trigger(AuthManager::AUTHORIZE,&ar2);
+        ar2.wait();
+/*
+        if ( ar1.result != false )
+        {
+            cout << endl << "ar.result: " << ar1.result << endl;
+        }
+
+        if ( ar1.message != astr1 )
+        {
+            cout << endl << "ar.message: " << ar1.message;
+            cout << endl << "expected:   " << astr1 << endl;
+        }
+//*/
+        CPPUNIT_ASSERT(ar2.result==false);
+        CPPUNIT_ASSERT(ar2.message==astr2);
     }
 
 

From 72008ecfb7113866703f2f5e319f3e453d32fbc1 Mon Sep 17 00:00:00 2001
From: "Ruben S. Montero" <rubensm@dacya.ucm.es>
Date: Wed, 27 Jul 2011 17:50:49 +0200
Subject: [PATCH 02/63] feature-754: New auth driver. Minor indent changes.

---
 src/authm/AuthManagerDriver.cc   |   8 +-
 src/authm_mad/one_auth_mad.rb    | 170 +++++++++++++++++++------------
 src/mad/ruby/OpenNebulaDriver.rb |  18 ++--
 3 files changed, 118 insertions(+), 78 deletions(-)

diff --git a/src/authm/AuthManagerDriver.cc b/src/authm/AuthManagerDriver.cc
index 1722d0e14e..ab12138c94 100644
--- a/src/authm/AuthManagerDriver.cc
+++ b/src/authm/AuthManagerDriver.cc
@@ -38,10 +38,10 @@ void AuthManagerDriver::authorize(int           oid,
 }
 
 void AuthManagerDriver::authenticate(int           oid,
-                      int           uid,
-                      const string& username,
-                      const string& password,
-                      const string& session) const
+                                     int           uid,
+                                     const string& username,
+                                     const string& password,
+                                     const string& session) const
 {
     ostringstream os;
 
diff --git a/src/authm_mad/one_auth_mad.rb b/src/authm_mad/one_auth_mad.rb
index fbc9af163a..adccafdadb 100755
--- a/src/authm_mad/one_auth_mad.rb
+++ b/src/authm_mad/one_auth_mad.rb
@@ -28,87 +28,125 @@ end
 
 $: << RUBY_LIB_LOCATION
 
-require 'pp'
 
-require 'rubygems'
 require 'OpenNebulaDriver'
-require 'simple_auth'
-require 'simple_permissions'
-require 'yaml'
-require 'sequel'
-require 'ssh_auth'
+require 'getoptlong'
 
-class AuthorizationManager < OpenNebulaDriver
-    def initialize
+# This is a generic AuthZ/AuthN driver able to manage multiple authentication 
+# protocols (simultaneosly). It also supports the definition of custom 
+# authorization methods
+class AuthDriver < OpenNebulaDriver
+
+    # Auth Driver Protocol constants
+    ACTION = {
+        :authN => "AUTHENTICATE",
+        :authZ => "AUTHORIZE"
+    }
+
+    # Initialize an AuthDriver
+    #
+    # @param [String] the authorization method to be used, nil to use the 
+    #        built-in ACL engine
+    def initialize(authZ, nthreads)
         super(
-            :concurrency => 15,
-            :threaded => true
+            "auth",
+            :concurrency   => nthreads,
+            :threaded      => nthreads > 0,
+            :local_actions => {ACTION[:authN] => nil, ACTION[:authZ] => nil}
         )
+
+        register_action(ACTION[:authN].to_sym, method("authN"))
+        register_action(ACTION[:authZ].to_sym, method("authZ"))
+
+        if authZ != nil
+            @authZ_cmd = File.join(@local_scripts_path, authZ)
+            @authZ_cmd = File.join(@authZ_cmd, ACTION[:authZ].downcase)
+        else
+            @authZ_cmd = nil
+        end
+    end
+
+    # Authenticate a user based in a string of the form user:secret when using the 
+    # driver secret is protocol:token
+    # @param [String] the id for this request, used by OpenNebula core
+    #        to identify the request 
+    # @param [String] id of the user, "-1" if not in defined in OpenNebula
+    # @param [Strgin] user filed of the auth string
+    # @param [String] password of the user registered in OpenNebula "-" if none
+    # @param [String] secret filed of the auth string
+    def authN(request_id, user_id, user, password, secret)
+
+        secret_attr = secret.split(':')
+
+        if secret_attr.length == 1 
+            protocol = "plain"
+        else
+            protocol = secret_attr[0]
+            secret_attr.shift
+        end
+
+        #build path for the auth action
+        #/var/lib/one/remotes/auth/<protocol>/authenticate
+        authN_path = File.join(@local_scripts_path, protocol)
         
-        config_data=File.read(ETC_LOCATION+'/auth/auth.conf')
-        STDERR.puts(config_data)
-        @config=YAML::load(config_data)
+        command = File.join(authN_path,ACTION[:authN].downcase) 
+        command << ' ' << secret_attr.join(' ')
+
+        local_action(command, request_id, ACTION[:authN])
+    end
+    
+    # Authenticate a user based in a string of the form user:secret when using the 
+    # driver secret is protocol:token
+    # @param [String] the id for this request, used by OpenNebula core
+    #        to identify the request 
+    # @param [String] id of the user, "-1" if not in defined in OpenNebula
+    # @param [Array] of auth strings, last element is the ACL evaluation of 
+    #        the overall request (0 = denied, 1 = granted). Each request is in
+    #        the form:
+    #        OBJECT:<TEMPLATE_64|OBJECT_ID>:OPERATION:OWNER:PUBLIC:ACL_EVAL
+    def authZ(request_id, user_id, *requests)
         
-        STDERR.puts @config.inspect
-        
-        database_url=@config[:database]
-        @db=Sequel.connect(database_url)
-        
-        # Get authentication driver
-        begin
-            driver_prefix=@config[:authentication].capitalize
-            driver_name="#{driver_prefix}Auth"
-            driver=Kernel.const_get(driver_name.to_sym)
-            @authenticate=driver.new
+        requests.flatten!
+
+        if @authZ_cmd == nil
+            if requests[-1] == "1"
+                result = RESULT[:success]
+            else
+                result = RESULT[:failure]
+            end
+
+            send_message(ACTION[:authZ],result,request_id,"-")
+        else
+            command = @authZ_cmd
+            command << ' ' << requests.join(' ')
             
-            STDERR.puts "Using '#{driver_prefix}' driver for authentication"
-        rescue
-            STDERR.puts "Driver '#{driver_prefix}' not found, "<<
-                "using SimpleAuth instead"
-            @authenticate=SimpleAuth.new
-        end
-        
-        @permissions=SimplePermissions.new(@db, OpenNebula::Client.new,
-            @config)
-        
-        register_action(:AUTHENTICATE, method('action_authenticate'))
-        register_action(:AUTHORIZE, method('action_authorize'))
-    end
-    
-    def action_authenticate(request_id, user_id, user, password, token)
-        auth=@authenticate.auth(user_id, user, password, token)
-        if auth==true
-            send_message('AUTHENTICATE', RESULT[:success],
-                request_id, 'Successfully authenticated')
-        else
-            send_message('AUTHENTICATE', RESULT[:failure],
-                request_id, auth)
-        end
-    end
-    
-    def action_authorize(request_id, user_id, *tokens)
-        begin
-            auth=@permissions.auth(user_id, tokens.flatten)
-        rescue Exception => e
-            auth="Error: #{e}"
-        end
-        
-        if auth==true
-            send_message('AUTHORIZE', RESULT[:success],
-                request_id, 'success')
-        else
-            send_message('AUTHORIZE', RESULT[:failure],
-                request_id, auth)
+            local_action(command, request_id, ACTION[:authZ])
         end
     end
 end
 
+# Auth Driver Main program
+opts = GetoptLong.new(
+    [ '--threads',    '-t', GetoptLong::REQUIRED_ARGUMENT ],
+    [ '--authz',      '-z', GetoptLong::REQUIRED_ARGUMENT ]
+)
+
+threads = 15
+authz   = nil
+
 begin
-    am=AuthorizationManager.new
+    opts.each do |opt, arg|
+        case opt
+            when '--threads'
+                threads = arg.to_i
+            when '--authz'
+                authz   = arg
+        end
+    end
 rescue Exception => e
-    puts "Error: #{e}"
     exit(-1)
 end
 
-am.start_driver
+auth_driver = AuthDriver.new(authz, threads)
 
+auth_driver.start_driver
diff --git a/src/mad/ruby/OpenNebulaDriver.rb b/src/mad/ruby/OpenNebulaDriver.rb
index 7b32ad705a..6129795d3a 100644
--- a/src/mad/ruby/OpenNebulaDriver.rb
+++ b/src/mad/ruby/OpenNebulaDriver.rb
@@ -90,20 +90,22 @@ class OpenNebulaDriver < ActionManager
     def initialize(directory, options={})
         @options={
             :concurrency => 10,
-            :threaded => true,
-            :retries => 0,
+            :threaded    => true,
+            :retries     => 0,
             :local_actions => {}
         }.merge!(options)
 
         super(@options[:concurrency], @options[:threaded])
 
-        @retries = @options[:retries]
-        @send_mutex=Mutex.new
-        @local_actions=@options[:local_actions]
+        @retries       = @options[:retries]
+        @local_actions = @options[:local_actions]
+
+        @send_mutex    = Mutex.new
 
         # set default values
         @config = read_configuration
-        @remote_scripts_base_path=@config['SCRIPTS_REMOTE_DIR']
+        @remote_scripts_base_path = @config['SCRIPTS_REMOTE_DIR']
+
         if ENV['ONE_LOCATION'] == nil
             @local_scripts_base_path = "/var/lib/one/remotes"
         else
@@ -111,8 +113,8 @@ class OpenNebulaDriver < ActionManager
         end
 
         # dummy paths
-        @remote_scripts_path=File.join(@remote_scripts_base_path, directory)
-        @local_scripts_path=File.join(@local_scripts_base_path, directory)
+        @remote_scripts_path = File.join(@remote_scripts_base_path, directory)
+        @local_scripts_path  = File.join(@local_scripts_base_path, directory)
 
         register_action(:INIT, method("init"))
     end

From 0846bcea0b1517b16be4770893e5b47fe0823dc2 Mon Sep 17 00:00:00 2001
From: "Ruben S. Montero" <rubensm@dacya.ucm.es>
Date: Thu, 28 Jul 2011 03:41:41 +0200
Subject: [PATCH 03/63] feature-754: use username instead of uids for a ssh
 proxy. Removed quota temporarily

---
 src/authm_mad/oneauth | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/src/authm_mad/oneauth b/src/authm_mad/oneauth
index 965cdb84cc..f5b7f610f7 100755
--- a/src/authm_mad/oneauth
+++ b/src/authm_mad/oneauth
@@ -35,7 +35,6 @@ require 'OpenNebula'
 
 require 'rubygems'
 require 'sequel'
-require 'quota'
 require 'ssh_auth'
 require 'yaml'
 
@@ -89,7 +88,7 @@ cmd=CommandParser::CmdParser.new(ARGV) do
         the expiration time in seconds
     EOT
 
-    command 'login', login_desc, :userid, :text do
+    command 'login', login_desc, :text, :text do
         user=args[0]
         time=args[1]
         pp args
@@ -106,7 +105,7 @@ cmd=CommandParser::CmdParser.new(ARGV) do
 
     command 'key', 'Gets public key' do
         ssh=SshAuth.new
-        puts ssh.extract_public_key
+        puts ssh.public_key
         exit_with_code 0
     end
-end
\ No newline at end of file
+end

From f725fe966799fd31564a0819495663a4e7fe20f7 Mon Sep 17 00:00:00 2001
From: "Ruben S. Montero" <rubensm@dacya.ucm.es>
Date: Thu, 28 Jul 2011 03:43:50 +0200
Subject: [PATCH 04/63] feature-754: Work on one_auth. Added ssh authenticate.
 Place holder for other protocols

---
 install.sh                                    |  17 +--
 src/authm_mad/one_auth_mad.rb                 |   5 +-
 .../plain/authenticate}                       |   0
 .../{quota.rb => remotes/quota/authorize}     |   0
 src/authm_mad/remotes/ssh/authenticate        |  49 ++++++++
 src/authm_mad/ssh_auth.rb                     | 114 ------------------
 src/um/UserPool.cc                            |   3 +
 7 files changed, 66 insertions(+), 122 deletions(-)
 rename src/authm_mad/{simple_auth.rb => remotes/plain/authenticate} (100%)
 rename src/authm_mad/{quota.rb => remotes/quota/authorize} (100%)
 create mode 100755 src/authm_mad/remotes/ssh/authenticate
 delete mode 100644 src/authm_mad/ssh_auth.rb

diff --git a/install.sh b/install.sh
index b0801db3c6..709205e2d3 100755
--- a/install.sh
+++ b/install.sh
@@ -222,7 +222,9 @@ VAR_DIRS="$VAR_LOCATION/remotes \
           $VAR_LOCATION/remotes/hooks \
           $VAR_LOCATION/remotes/hooks/vnm \
           $VAR_LOCATION/remotes/image \
-          $VAR_LOCATION/remotes/image/fs"
+          $VAR_LOCATION/remotes/image/fs \
+          $VAR_LOCATION/remotes/auth \
+          $VAR_LOCATION/remotes/auth/ssh"
 
 SUNSTONE_DIRS="$SUNSTONE_LOCATION/models \
                $SUNSTONE_LOCATION/models/OpenNebulaJSON \
@@ -314,6 +316,7 @@ INSTALL_FILES=(
     IM_PROBES_KVM_FILES:$VAR_LOCATION/remotes/im/kvm.d
     IM_PROBES_XEN_FILES:$VAR_LOCATION/remotes/im/xen.d
     IM_PROBES_GANGLIA_FILES:$VAR_LOCATION/remotes/im/ganglia.d
+    AUTH_SSH_FILES:$VAR_LOCATION/remotes/auth/ssh
     VMM_EXEC_KVM_SCRIPTS:$VAR_LOCATION/remotes/vmm/kvm
     VMM_EXEC_XEN_SCRIPTS:$VAR_LOCATION/remotes/vmm/xen
     VMM_EXEC_XEN_KVM_POLL:$VAR_LOCATION/remotes/vmm/kvm/poll
@@ -478,11 +481,7 @@ RUBY_LIB_FILES="src/mad/ruby/ActionManager.rb \
                 src/mad/ruby/Ganglia.rb \
                 src/oca/ruby/OpenNebula.rb \
                 src/tm_mad/TMScript.rb \
-                src/authm_mad/one_usage.rb \
-                src/authm_mad/quota.rb \
-                src/authm_mad/simple_auth.rb \
-                src/authm_mad/simple_permissions.rb \
-                src/authm_mad/ssh_auth.rb"
+                src/authm_mad/remotes/ssh/ssh_auth.rb"
 
 #-----------------------------------------------------------------------------
 # MAD Script library files, to be installed under $LIB_LOCATION/<script lang>
@@ -556,7 +555,7 @@ VMM_EXEC_XEN_KVM_POLL="src/vmm_mad/remotes/poll_xen_kvm.rb"
 VMM_EXEC_GANGLIA_POLL="src/vmm_mad/remotes/poll_ganglia.rb"
 
 #-------------------------------------------------------------------------------
-# Information Manager Probes, to be installed under $LIB_LOCATION/remotes
+# Information Manager Probes, to be installed under $REMOTES_LOCATION/im
 #-------------------------------------------------------------------------------
 
 IM_PROBES_FILES="src/im_mad/remotes/run_probes"
@@ -573,6 +572,10 @@ IM_PROBES_KVM_FILES="src/im_mad/remotes/kvm.d/kvm.rb \
 
 IM_PROBES_GANGLIA_FILES="src/im_mad/remotes/ganglia.d/ganglia_probe"
 
+#-------------------------------------------------------------------------------
+# Auth Manager drivers to be installed under $REMOTES_LOCATION/auth
+#-------------------------------------------------------------------------------
+AUTH_SSH_FILES="src/authm_mad/remotes/ssh/authenticate"
 
 #-------------------------------------------------------------------------------
 # Transfer Manager commands, to be installed under $LIB_LOCATION/tm_commands
diff --git a/src/authm_mad/one_auth_mad.rb b/src/authm_mad/one_auth_mad.rb
index adccafdadb..233f58a4de 100755
--- a/src/authm_mad/one_auth_mad.rb
+++ b/src/authm_mad/one_auth_mad.rb
@@ -29,6 +29,7 @@ end
 $: << RUBY_LIB_LOCATION
 
 
+require 'scripts_common'
 require 'OpenNebulaDriver'
 require 'getoptlong'
 
@@ -76,6 +77,8 @@ class AuthDriver < OpenNebulaDriver
     # @param [String] secret filed of the auth string
     def authN(request_id, user_id, user, password, secret)
 
+        #OpenNebula.log_debug("#{request_id} #{user_id} #{password} #{secret}")
+
         secret_attr = secret.split(':')
 
         if secret_attr.length == 1 
@@ -90,7 +93,7 @@ class AuthDriver < OpenNebulaDriver
         authN_path = File.join(@local_scripts_path, protocol)
         
         command = File.join(authN_path,ACTION[:authN].downcase) 
-        command << ' ' << secret_attr.join(' ')
+        command << ' ' << user << ' ' << password << ' ' << secret_attr.join(' ')
 
         local_action(command, request_id, ACTION[:authN])
     end
diff --git a/src/authm_mad/simple_auth.rb b/src/authm_mad/remotes/plain/authenticate
similarity index 100%
rename from src/authm_mad/simple_auth.rb
rename to src/authm_mad/remotes/plain/authenticate
diff --git a/src/authm_mad/quota.rb b/src/authm_mad/remotes/quota/authorize
similarity index 100%
rename from src/authm_mad/quota.rb
rename to src/authm_mad/remotes/quota/authorize
diff --git a/src/authm_mad/remotes/ssh/authenticate b/src/authm_mad/remotes/ssh/authenticate
new file mode 100755
index 0000000000..0892917738
--- /dev/null
+++ b/src/authm_mad/remotes/ssh/authenticate
@@ -0,0 +1,49 @@
+#!/usr/bin/env ruby
+
+# -------------------------------------------------------------------------- #
+# Copyright 2002-2011, OpenNebula Project Leads (OpenNebula.org)             #
+#                                                                            #
+# Licensed under the Apache License, Version 2.0 (the "License"); you may    #
+# not use this file except in compliance with the License. You may obtain    #
+# a copy of the License at                                                   #
+#                                                                            #
+# http://www.apache.org/licenses/LICENSE-2.0                                 #
+#                                                                            #
+# Unless required by applicable law or agreed to in writing, software        #
+# distributed under the License is distributed on an "AS IS" BASIS,          #
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.   #
+# See the License for the specific language governing permissions and        #
+# limitations under the License.                                             #
+#--------------------------------------------------------------------------- #
+
+ONE_LOCATION=ENV["ONE_LOCATION"]
+
+if !ONE_LOCATION
+    RUBY_LIB_LOCATION="/usr/lib/one/ruby"
+    ETC_LOCATION="/etc/one/"
+else
+    RUBY_LIB_LOCATION=ONE_LOCATION+"/lib/ruby"
+    ETC_LOCATION=ONE_LOCATION+"/etc/"
+end
+
+$: << RUBY_LIB_LOCATION
+
+require 'ssh_auth'
+require 'scripts_common'
+
+user   = ARGV[0]
+pass   = ARGV[1]
+secret = ARGV[2] 
+
+#OpenNebula.log_debug("Authenticating #{user}, with password #{pass} (#{secret})")
+
+ssh_auth = SshAuth.new(pass)
+
+rc = ssh_auth.authenticate(user,secret)
+
+if rc == true
+    exit 0
+else
+    OpenNebula.error_message rc 
+    exit -1
+end
diff --git a/src/authm_mad/ssh_auth.rb b/src/authm_mad/ssh_auth.rb
deleted file mode 100644
index d7ae2e3110..0000000000
--- a/src/authm_mad/ssh_auth.rb
+++ /dev/null
@@ -1,114 +0,0 @@
-# -------------------------------------------------------------------------- #
-# Copyright 2002-2011, OpenNebula Project Leads (OpenNebula.org)             #
-#                                                                            #
-# Licensed under the Apache License, Version 2.0 (the "License"); you may    #
-# not use this file except in compliance with the License. You may obtain    #
-# a copy of the License at                                                   #
-#                                                                            #
-# http://www.apache.org/licenses/LICENSE-2.0                                 #
-#                                                                            #
-# Unless required by applicable law or agreed to in writing, software        #
-# distributed under the License is distributed on an "AS IS" BASIS,          #
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.   #
-# See the License for the specific language governing permissions and        #
-# limitations under the License.                                             #
-#--------------------------------------------------------------------------- #
-
-
-require 'pp'
-require 'openssl'
-require 'base64'
-require 'fileutils'
-
-# SSH key authentication class. It can be used as a driver for auth_mad
-# as auth method is defined. It also holds some helper methods to be used
-# by oneauth command
-class SshAuth
-    # Reads id_rsa file from user .ssh directory
-    def get_priv_key
-        path=ENV['HOME']+'/.ssh/id_rsa'
-        File.read(path)
-    end
-    
-    # Returns an opened file object to ~/.one/one_ssh
-    def get_proxy_file
-        proxy_dir=ENV['HOME']+'/.one'
-        
-        # Creates ~/.one directory if it does not exist
-        begin
-            FileUtils.mkdir_p(proxy_dir)
-        rescue Errno::EEXIST
-        end
-        
-        File.open(proxy_dir+'/one_ssh', "w")
-    end
-    
-    # Encrypts data with the private key of the user and returns
-    # base 64 encoded output
-    def encrypt(data)
-        rsa=OpenSSL::PKey::RSA.new(get_priv_key)
-        # base 64 output is joined into a single line as opennebula
-        # ascii protocol ends messages with newline
-        Base64::encode64(rsa.private_encrypt(data)).gsub!(/\n/, '').strip
-    end
-    
-    # Decrypts base 64 encoded data with pub_key (public key)
-    def decrypt(data, pub_key)
-        rsa=OpenSSL::PKey::RSA.new(Base64::decode64(pub_key))
-        rsa.public_decrypt(Base64::decode64(data))
-    end
-    
-    # Gets public key from user's private key file. ssh private keys are
-    # stored in a format not compatible with openssl. This method
-    # will be used by oneauth so users can extrar their public keys
-    # that the administrator then can add to the database
-    def extract_public_key
-        key=OpenSSL::PKey::RSA.new(get_priv_key)
-        public_key=key.public_key.to_pem.split("\n")
-        # gets rid of "---- BEGIN/END RSA PUBLIC KEY ----" lines and
-        # joins resuklt into a single line
-        public_key.reject {|l| l.match(/RSA PUBLIC KEY/) }.join('')
-    end
-    
-    # Creates the login file for ssh authentication at ~/.one/one_ssh.
-    # By default it is valid for 1 hour but it can be changed to any number
-    # of seconds with expire parameter (in seconds)
-    def login(user, expire=3600)
-        time=Time.now.to_i+expire
-        proxy_text="#{user}:#{time}"
-        proxy_crypted=encrypt(proxy_text)
-        proxy="#{user}:plain:#{proxy_crypted}"
-        file=get_proxy_file
-        file.write(proxy)
-        file.close
-        
-        # Help string
-        puts "export ONE_AUTH=#{ENV['HOME']}/.one/one_ssh"
-        
-        proxy_crypted
-    end
-    
-    # auth method for auth_mad
-    def auth(user_id, user, password, token)
-        begin
-            decrypted=decrypt(token, password)
-        
-            username, time=decrypted.split(':')
-            
-            pp [username, time]
-        
-            if user==username
-                if Time.now.to_i>=time.to_i
-                    "proxy expired, login again"
-                else
-                    true
-                end
-            else
-                "invalid credentials"
-            end
-        rescue
-            "error"
-        end
-    end
-    
-end
diff --git a/src/um/UserPool.cc b/src/um/UserPool.cc
index 746e898346..4adba6427b 100644
--- a/src/um/UserPool.cc
+++ b/src/um/UserPool.cc
@@ -253,6 +253,9 @@ bool UserPool::authenticate(const string& session,
 
     ar.add_authenticate(username,u_pass,secret);
 
+            NebulaLog::log("AuM********",Log::ERROR,username);
+            NebulaLog::log("AuM*********",Log::ERROR,u_pass);
+            NebulaLog::log("AuM**********",Log::ERROR,secret);
     if ( uid == 0 ) //oneadmin
     {
         if (ar.plain_authenticate())

From dfba42fa3867d739136607f22e04d5f882d6d302 Mon Sep 17 00:00:00 2001
From: "Ruben S. Montero" <rubensm@dacya.ucm.es>
Date: Thu, 28 Jul 2011 03:51:25 +0200
Subject: [PATCH 05/63] feature-754: pass one_auth token as provided if it has
 more than two tokens

---
 src/oca/ruby/OpenNebula.rb | 17 ++++++-----------
 1 file changed, 6 insertions(+), 11 deletions(-)

diff --git a/src/oca/ruby/OpenNebula.rb b/src/oca/ruby/OpenNebula.rb
index c536eefe7a..60fdba8b75 100644
--- a/src/oca/ruby/OpenNebula.rb
+++ b/src/oca/ruby/OpenNebula.rb
@@ -96,19 +96,14 @@ module OpenNebula
                 raise "ONE_AUTH file not present"
             end
 
-            if !one_secret.match(".+:.+")
-                raise "Authorization file malformed"
-            end
+            tokens = one_secret.split(':')
 
-
-            one_secret=~/^(.+?):(.+)$/
-            user=$1
-            password=$2
-
-            if password.match(/^plain:/)
-                @one_auth = "#{user}:#{password.split(':').last}"
+            if tokens.length > 2
+                @one_auth = one_secret
+            elsif secret_tokens == 2
+                @one_auth = "#{tokens[0]}:#{Digest::SHA1.hexdigest(tokens[1])}"
             else
-                @one_auth = "#{user}:#{Digest::SHA1.hexdigest(password)}"
+                raise "Authorization file malformed"
             end
 
             if endpoint

From 2a0b2818d4996ef5311205d3dd49732a1b32514a Mon Sep 17 00:00:00 2001
From: "Ruben S. Montero" <rubensm@dacya.ucm.es>
Date: Thu, 28 Jul 2011 12:23:59 +0200
Subject: [PATCH 06/63] feature #754: Fix bug creating client. Allows multiple
 ':' in auth string

---
 src/oca/ruby/OpenNebula.rb | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/oca/ruby/OpenNebula.rb b/src/oca/ruby/OpenNebula.rb
index 60fdba8b75..54d616298d 100644
--- a/src/oca/ruby/OpenNebula.rb
+++ b/src/oca/ruby/OpenNebula.rb
@@ -96,11 +96,11 @@ module OpenNebula
                 raise "ONE_AUTH file not present"
             end
 
-            tokens = one_secret.split(':')
+            tokens = one_secret.chomp!.split(':')
 
             if tokens.length > 2
                 @one_auth = one_secret
-            elsif secret_tokens == 2
+            elsif tokens.length == 2
                 @one_auth = "#{tokens[0]}:#{Digest::SHA1.hexdigest(tokens[1])}"
             else
                 raise "Authorization file malformed"

From b421a874e08b0d200cd1fc6675c3d78bcacfea2d Mon Sep 17 00:00:00 2001
From: "Ruben S. Montero" <rubensm@dacya.ucm.es>
Date: Thu, 28 Jul 2011 12:39:40 +0200
Subject: [PATCH 07/63] feature #754: simple driver that implements plain auth
 (that in OpenNebula core). Removed debug messages

---
 install.sh                               |  4 +++
 src/authm_mad/one_auth_mad.rb            |  2 ++
 src/authm_mad/remotes/plain/authenticate | 41 +++++++++++++++---------
 src/um/UserPool.cc                       |  3 --
 4 files changed, 31 insertions(+), 19 deletions(-)
 mode change 100644 => 100755 src/authm_mad/remotes/plain/authenticate

diff --git a/install.sh b/install.sh
index 709205e2d3..4f10e88013 100755
--- a/install.sh
+++ b/install.sh
@@ -224,6 +224,7 @@ VAR_DIRS="$VAR_LOCATION/remotes \
           $VAR_LOCATION/remotes/image \
           $VAR_LOCATION/remotes/image/fs \
           $VAR_LOCATION/remotes/auth \
+          $VAR_LOCATION/remotes/auth/plain \
           $VAR_LOCATION/remotes/auth/ssh"
 
 SUNSTONE_DIRS="$SUNSTONE_LOCATION/models \
@@ -317,6 +318,7 @@ INSTALL_FILES=(
     IM_PROBES_XEN_FILES:$VAR_LOCATION/remotes/im/xen.d
     IM_PROBES_GANGLIA_FILES:$VAR_LOCATION/remotes/im/ganglia.d
     AUTH_SSH_FILES:$VAR_LOCATION/remotes/auth/ssh
+    AUTH_PLAIN_FILES:$VAR_LOCATION/remotes/auth/plain
     VMM_EXEC_KVM_SCRIPTS:$VAR_LOCATION/remotes/vmm/kvm
     VMM_EXEC_XEN_SCRIPTS:$VAR_LOCATION/remotes/vmm/xen
     VMM_EXEC_XEN_KVM_POLL:$VAR_LOCATION/remotes/vmm/kvm/poll
@@ -577,6 +579,8 @@ IM_PROBES_GANGLIA_FILES="src/im_mad/remotes/ganglia.d/ganglia_probe"
 #-------------------------------------------------------------------------------
 AUTH_SSH_FILES="src/authm_mad/remotes/ssh/authenticate"
 
+AUTH_PLAIN_FILES="src/authm_mad/remotes/plain/authenticate"
+
 #-------------------------------------------------------------------------------
 # Transfer Manager commands, to be installed under $LIB_LOCATION/tm_commands
 #   - NFS TM, $LIB_LOCATION/tm_commands/nfs
diff --git a/src/authm_mad/one_auth_mad.rb b/src/authm_mad/one_auth_mad.rb
index 233f58a4de..43b52cd5ca 100755
--- a/src/authm_mad/one_auth_mad.rb
+++ b/src/authm_mad/one_auth_mad.rb
@@ -111,6 +111,8 @@ class AuthDriver < OpenNebulaDriver
         
         requests.flatten!
 
+        #OpenNebula.log_debug("#{request_id} #{user_id} #{requests}")
+
         if @authZ_cmd == nil
             if requests[-1] == "1"
                 result = RESULT[:success]
diff --git a/src/authm_mad/remotes/plain/authenticate b/src/authm_mad/remotes/plain/authenticate
old mode 100644
new mode 100755
index 749da483cb..98649b57d7
--- a/src/authm_mad/remotes/plain/authenticate
+++ b/src/authm_mad/remotes/plain/authenticate
@@ -1,3 +1,5 @@
+#!/usr/bin/env ruby
+
 # -------------------------------------------------------------------------- #
 # Copyright 2002-2011, OpenNebula Project Leads (OpenNebula.org)             #
 #                                                                            #
@@ -14,22 +16,29 @@
 # limitations under the License.                                             #
 #--------------------------------------------------------------------------- #
 
-# Password authentication module. This one just compares stored password
-# with the token sent by the client.
-class SimpleAuth
-    # Method called by authentication driver. It should awnser true if
-    # successful or a string with the error message if failure. All
-    # parameters are strings extracted from the authorization message.
-    #
-    # * user_id: OpenNebula user identifier
-    # * user: user name
-    # * password: password stored in OpenNebula dabatase
-    # * token: password sent by the client trying to connect
-    def auth(user_id, user, password, token)
-        auth=(password==token)
-        auth="Invalid credentials" if auth!=true or token=='-'
-        auth
-    end
+ONE_LOCATION=ENV["ONE_LOCATION"]
+
+if !ONE_LOCATION
+    RUBY_LIB_LOCATION="/usr/lib/one/ruby"
+    ETC_LOCATION="/etc/one/"
+else
+    RUBY_LIB_LOCATION=ONE_LOCATION+"/lib/ruby"
+    ETC_LOCATION=ONE_LOCATION+"/etc/"
 end
 
+$: << RUBY_LIB_LOCATION
 
+require 'scripts_common'
+
+user   = ARGV[0]
+pass   = ARGV[1]
+secret = ARGV[2] 
+
+#OpenNebula.log_debug("Authenticating #{user}, with password #{pass} (#{secret})")
+
+if pass == secret
+    exit 0
+else
+    OpenNebula.error_message "Invalid credentials"
+    exit -1
+end
diff --git a/src/um/UserPool.cc b/src/um/UserPool.cc
index 4adba6427b..746e898346 100644
--- a/src/um/UserPool.cc
+++ b/src/um/UserPool.cc
@@ -253,9 +253,6 @@ bool UserPool::authenticate(const string& session,
 
     ar.add_authenticate(username,u_pass,secret);
 
-            NebulaLog::log("AuM********",Log::ERROR,username);
-            NebulaLog::log("AuM*********",Log::ERROR,u_pass);
-            NebulaLog::log("AuM**********",Log::ERROR,secret);
     if ( uid == 0 ) //oneadmin
     {
         if (ar.plain_authenticate())

From 64fddb096eb66044d1585cdac4fb867f1a94f6ca Mon Sep 17 00:00:00 2001
From: "Ruben S. Montero" <rubensm@dacya.ucm.es>
Date: Thu, 28 Jul 2011 12:53:24 +0200
Subject: [PATCH 08/63] feature #754: Missing ssh library for auth drivers

---
 src/authm_mad/remotes/ssh/ssh_auth.rb | 114 ++++++++++++++++++++++++++
 1 file changed, 114 insertions(+)
 create mode 100644 src/authm_mad/remotes/ssh/ssh_auth.rb

diff --git a/src/authm_mad/remotes/ssh/ssh_auth.rb b/src/authm_mad/remotes/ssh/ssh_auth.rb
new file mode 100644
index 0000000000..30c07f28bb
--- /dev/null
+++ b/src/authm_mad/remotes/ssh/ssh_auth.rb
@@ -0,0 +1,114 @@
+# -------------------------------------------------------------------------- #
+# Copyright 2002-2011, OpenNebula Project Leads (OpenNebula.org)             #
+#                                                                            #
+# Licensed under the Apache License, Version 2.0 (the "License"); you may    #
+# not use this file except in compliance with the License. You may obtain    #
+# a copy of the License at                                                   #
+#                                                                            #
+# http://www.apache.org/licenses/LICENSE-2.0                                 #
+#                                                                            #
+# Unless required by applicable law or agreed to in writing, software        #
+# distributed under the License is distributed on an "AS IS" BASIS,          #
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.   #
+# See the License for the specific language governing permissions and        #
+# limitations under the License.                                             #
+#--------------------------------------------------------------------------- #
+
+
+require 'pp'
+require 'openssl'
+require 'base64'
+require 'fileutils'
+
+# SSH key authentication class. It can be used as a driver for auth_mad
+# as auth method is defined. It also holds some helper methods to be used
+# by oneauth command
+class SshAuth
+    attr_reader :public_key
+                 
+    def initialize(pub_key = nil)
+        # Init proxy file path and creates ~/.one directory if needed
+        proxy_dir=ENV['HOME']+'/.one'
+        
+        begin
+            FileUtils.mkdir_p(proxy_dir)
+        rescue Errno::EEXIST
+        end
+       
+        @proxy_path  = proxy_dir + '/one_ssh'
+
+        # Init ssh keys using private key. public key is extracted in a 
+        # format compatible with openssl. The public key does not contain
+        # "---- BEGIN/END RSA PUBLIC KEY ----" and is in a single line
+        @private_key = File.read(ENV['HOME']+'/.ssh/id_rsa')
+
+        if pub_key == nil
+            key = OpenSSL::PKey::RSA.new(@private_key)
+
+            @public_key = key.public_key.to_pem.split("\n")
+            @public_key = @public_key.reject {|l| l.match(/RSA PUBLIC KEY/) }.join('')
+        else
+            @public_key = pub_key
+        end
+    end
+
+    # Creates the login file for ssh authentication at ~/.one/one_ssh.
+    # By default it is valid for 1 hour but it can be changed to any number
+    # of seconds with expire parameter (in seconds)
+    def login(user, expire=3600)
+        time = Time.now.to_i + expire
+
+        secret_plain   = "#{user}:#{time}"
+        secret_crypted = encrypt(secret_plain)
+
+        proxy = "#{user}:ssh:#{secret_crypted}"
+        
+        file = File.open(@proxy_path, "w")
+
+        file.write(proxy)
+
+        file.close
+        
+        # Help string
+        puts "export ONE_AUTH=#{ENV['HOME']}/.one/one_ssh"
+        
+        secret_crypted
+    end
+
+    # Checks the proxy created with the login method
+    def authenticate(user, token)
+        begin
+            token_plain = decrypt(token)
+            _user, time = token_plain.split(':')
+            
+            if user == _user
+                if Time.now.to_i >= time.to_i
+                    return "ssh proxy expired, login again to renew it"
+                else
+                    return true
+                end
+            else
+                return "invalid credentials"
+            end
+        rescue
+            return "error"
+        end
+    end
+
+private
+    ###########################################################################
+    #                       Methods to handle ssh keys
+    ###########################################################################
+    # Encrypts data with the private key of the user and returns
+    # base 64 encoded output in a single line 
+    def encrypt(data)
+        rsa=OpenSSL::PKey::RSA.new(@private_key)
+        Base64::encode64(rsa.private_encrypt(data)).gsub!(/\n/, '').strip
+    end
+
+    # Decrypts base 64 encoded data with pub_key (public key)
+    def decrypt(data)
+        rsa=OpenSSL::PKey::RSA.new(Base64::decode64(@public_key))
+        rsa.public_decrypt(Base64::decode64(data))
+    end
+end

From 6b7628c2e57fe59947f1131cc2131fd314b39995 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tino=20V=C3=A1zquez?= <tinova@fdi.ucm.es>
Date: Thu, 28 Jul 2011 19:49:30 +0200
Subject: [PATCH 09/63] feature #754: New dummy authN protocol

---
 install.sh                    | 9 +++++++--
 src/authm_mad/one_auth_mad.rb | 6 +++---
 2 files changed, 10 insertions(+), 5 deletions(-)

diff --git a/install.sh b/install.sh
index 4f10e88013..dbcfe6b5bf 100755
--- a/install.sh
+++ b/install.sh
@@ -225,7 +225,8 @@ VAR_DIRS="$VAR_LOCATION/remotes \
           $VAR_LOCATION/remotes/image/fs \
           $VAR_LOCATION/remotes/auth \
           $VAR_LOCATION/remotes/auth/plain \
-          $VAR_LOCATION/remotes/auth/ssh"
+          $VAR_LOCATION/remotes/auth/ssh \
+          $VAR_LOCATION/remotes/auth/dummy"
 
 SUNSTONE_DIRS="$SUNSTONE_LOCATION/models \
                $SUNSTONE_LOCATION/models/OpenNebulaJSON \
@@ -318,7 +319,8 @@ INSTALL_FILES=(
     IM_PROBES_XEN_FILES:$VAR_LOCATION/remotes/im/xen.d
     IM_PROBES_GANGLIA_FILES:$VAR_LOCATION/remotes/im/ganglia.d
     AUTH_SSH_FILES:$VAR_LOCATION/remotes/auth/ssh
-    AUTH_PLAIN_FILES:$VAR_LOCATION/remotes/auth/plain
+    AUTH_DUMMY_FILES:$VAR_LOCATION/remotes/auth/dummy
+    AUTH_PLAIN_FILES:$VAR_LOCATION/remotes/auth/plain    
     VMM_EXEC_KVM_SCRIPTS:$VAR_LOCATION/remotes/vmm/kvm
     VMM_EXEC_XEN_SCRIPTS:$VAR_LOCATION/remotes/vmm/xen
     VMM_EXEC_XEN_KVM_POLL:$VAR_LOCATION/remotes/vmm/kvm/poll
@@ -577,8 +579,11 @@ IM_PROBES_GANGLIA_FILES="src/im_mad/remotes/ganglia.d/ganglia_probe"
 #-------------------------------------------------------------------------------
 # Auth Manager drivers to be installed under $REMOTES_LOCATION/auth
 #-------------------------------------------------------------------------------
+
 AUTH_SSH_FILES="src/authm_mad/remotes/ssh/authenticate"
 
+AUTH_DUMMY_FILES="src/authm_mad/remotes/dummy/authenticate"
+
 AUTH_PLAIN_FILES="src/authm_mad/remotes/plain/authenticate"
 
 #-------------------------------------------------------------------------------
diff --git a/src/authm_mad/one_auth_mad.rb b/src/authm_mad/one_auth_mad.rb
index 43b52cd5ca..67bab4d7a1 100755
--- a/src/authm_mad/one_auth_mad.rb
+++ b/src/authm_mad/one_auth_mad.rb
@@ -77,7 +77,7 @@ class AuthDriver < OpenNebulaDriver
     # @param [String] secret filed of the auth string
     def authN(request_id, user_id, user, password, secret)
 
-        #OpenNebula.log_debug("#{request_id} #{user_id} #{password} #{secret}")
+        #OpenNebula.log_debug("authN: #{request_id} #{user_id} #{password} #{secret}")
 
         secret_attr = secret.split(':')
 
@@ -111,8 +111,8 @@ class AuthDriver < OpenNebulaDriver
         
         requests.flatten!
 
-        #OpenNebula.log_debug("#{request_id} #{user_id} #{requests}")
-
+        #OpenNebula.log_debug("authZ: #{request_id} #{user_id} #{requests}")
+        
         if @authZ_cmd == nil
             if requests[-1] == "1"
                 result = RESULT[:success]

From 3c369e67f2f3a591099f9d3895865d4e76f6e620 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tino=20V=C3=A1zquez?= <tinova@fdi.ucm.es>
Date: Fri, 29 Jul 2011 13:43:25 +0200
Subject: [PATCH 10/63] feature #754: Add dummy authenticate script

---
 src/authm_mad/remotes/dummy/authenticate | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)
 create mode 100755 src/authm_mad/remotes/dummy/authenticate

diff --git a/src/authm_mad/remotes/dummy/authenticate b/src/authm_mad/remotes/dummy/authenticate
new file mode 100755
index 0000000000..5ef03d7900
--- /dev/null
+++ b/src/authm_mad/remotes/dummy/authenticate
@@ -0,0 +1,24 @@
+#!/usr/bin/env bash
+
+# -------------------------------------------------------------------------- #
+# Copyright 2002-2011, OpenNebula Project Leads (OpenNebula.org)             #
+#                                                                            #
+# Licensed under the Apache License, Version 2.0 (the "License"); you may    #
+# not use this file except in compliance with the License. You may obtain    #
+# a copy of the License at                                                   #
+#                                                                            #
+# http://www.apache.org/licenses/LICENSE-2.0                                 #
+#                                                                            #
+# Unless required by applicable law or agreed to in writing, software        #
+# distributed under the License is distributed on an "AS IS" BASIS,          #
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.   #
+# See the License for the specific language governing permissions and        #
+# limitations under the License.                                             #
+#--------------------------------------------------------------------------- #
+
+# $1 = username
+# $2 = password
+echo $*
+
+
+

From 7347a36990da0475aa3560f28c56f9828608dc44 Mon Sep 17 00:00:00 2001
From: "Ruben S. Montero" <rubensm@dacya.ucm.es>
Date: Fri, 19 Aug 2011 03:13:50 +0200
Subject: [PATCH 11/63] feature #754: Basic X509 authorization

---
 install.sh                              |   7 +-
 src/authm_mad/remotes/x509/authenticate |  54 +++++++++++
 src/authm_mad/remotes/x509/x509_auth.rb | 124 ++++++++++++++++++++++++
 3 files changed, 184 insertions(+), 1 deletion(-)
 create mode 100755 src/authm_mad/remotes/x509/authenticate
 create mode 100644 src/authm_mad/remotes/x509/x509_auth.rb

diff --git a/install.sh b/install.sh
index dbcfe6b5bf..9bdd75f9e5 100755
--- a/install.sh
+++ b/install.sh
@@ -226,6 +226,7 @@ VAR_DIRS="$VAR_LOCATION/remotes \
           $VAR_LOCATION/remotes/auth \
           $VAR_LOCATION/remotes/auth/plain \
           $VAR_LOCATION/remotes/auth/ssh \
+          $VAR_LOCATION/remotes/auth/x509 \
           $VAR_LOCATION/remotes/auth/dummy"
 
 SUNSTONE_DIRS="$SUNSTONE_LOCATION/models \
@@ -319,6 +320,7 @@ INSTALL_FILES=(
     IM_PROBES_XEN_FILES:$VAR_LOCATION/remotes/im/xen.d
     IM_PROBES_GANGLIA_FILES:$VAR_LOCATION/remotes/im/ganglia.d
     AUTH_SSH_FILES:$VAR_LOCATION/remotes/auth/ssh
+    AUTH_X509_FILES:$VAR_LOCATION/remotes/auth/x509
     AUTH_DUMMY_FILES:$VAR_LOCATION/remotes/auth/dummy
     AUTH_PLAIN_FILES:$VAR_LOCATION/remotes/auth/plain    
     VMM_EXEC_KVM_SCRIPTS:$VAR_LOCATION/remotes/vmm/kvm
@@ -485,7 +487,8 @@ RUBY_LIB_FILES="src/mad/ruby/ActionManager.rb \
                 src/mad/ruby/Ganglia.rb \
                 src/oca/ruby/OpenNebula.rb \
                 src/tm_mad/TMScript.rb \
-                src/authm_mad/remotes/ssh/ssh_auth.rb"
+                src/authm_mad/remotes/ssh/ssh_auth.rb \
+                src/authm_mad/remotes/x509/x509_auth.rb"
 
 #-----------------------------------------------------------------------------
 # MAD Script library files, to be installed under $LIB_LOCATION/<script lang>
@@ -580,6 +583,8 @@ IM_PROBES_GANGLIA_FILES="src/im_mad/remotes/ganglia.d/ganglia_probe"
 # Auth Manager drivers to be installed under $REMOTES_LOCATION/auth
 #-------------------------------------------------------------------------------
 
+AUTH_X509_FILES="src/authm_mad/remotes/x509/authenticate"
+
 AUTH_SSH_FILES="src/authm_mad/remotes/ssh/authenticate"
 
 AUTH_DUMMY_FILES="src/authm_mad/remotes/dummy/authenticate"
diff --git a/src/authm_mad/remotes/x509/authenticate b/src/authm_mad/remotes/x509/authenticate
new file mode 100755
index 0000000000..6bbf96ffd4
--- /dev/null
+++ b/src/authm_mad/remotes/x509/authenticate
@@ -0,0 +1,54 @@
+#!/usr/bin/env ruby
+
+# -------------------------------------------------------------------------- #
+# Copyright 2002-2011, OpenNebula Project Leads (OpenNebula.org)             #
+#                                                                            #
+# Licensed under the Apache License, Version 2.0 (the "License"); you may    #
+# not use this file except in compliance with the License. You may obtain    #
+# a copy of the License at                                                   #
+#                                                                            #
+# http://www.apache.org/licenses/LICENSE-2.0                                 #
+#                                                                            #
+# Unless required by applicable law or agreed to in writing, software        #
+# distributed under the License is distributed on an "AS IS" BASIS,          #
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.   #
+# See the License for the specific language governing permissions and        #
+# limitations under the License.                                             #
+#--------------------------------------------------------------------------- #
+
+ONE_LOCATION=ENV["ONE_LOCATION"]
+
+if !ONE_LOCATION
+    RUBY_LIB_LOCATION="/usr/lib/one/ruby"
+    ETC_LOCATION="/etc/one/"
+else
+    RUBY_LIB_LOCATION=ONE_LOCATION+"/lib/ruby"
+    ETC_LOCATION=ONE_LOCATION+"/etc/"
+end
+
+$: << RUBY_LIB_LOCATION
+
+require 'x509_auth'
+require 'scripts_common'
+
+user   = ARGV[0] # username as registered in OpenNebula
+pass   = ARGV[1] # DN registered for this user
+secret = ARGV[2] # Base64 string in the form proxy:usercert, usercert is pem
+
+#OpenNebula.log_debug("Authenticating #{user}, with password #{pass} (#{secret})")
+
+#TODO Check errors in these operations
+
+dsecret     = Base64::decode64(secret)
+proxy, cert = dsecret.split(':')
+
+x509_auth   = X509Auth.new(:cert=>cert)
+
+rc = x509_auth.authenticate(user,pass,proxy)
+
+if rc == true
+    exit 0
+else
+    OpenNebula.error_message rc 
+    exit -1
+end
diff --git a/src/authm_mad/remotes/x509/x509_auth.rb b/src/authm_mad/remotes/x509/x509_auth.rb
new file mode 100644
index 0000000000..3010e58c2c
--- /dev/null
+++ b/src/authm_mad/remotes/x509/x509_auth.rb
@@ -0,0 +1,124 @@
+# -------------------------------------------------------------------------- #
+# Copyright 2002-2011, OpenNebula Project Leads (OpenNebula.org)             #
+#                                                                            #
+# Licensed under the Apache License, Version 2.0 (the "License"); you may    #
+# not use this file except in compliance with the License. You may obtain    #
+# a copy of the License at                                                   #
+#                                                                            #
+# http://www.apache.org/licenses/LICENSE-2.0                                 #
+#                                                                            #
+# Unless required by applicable law or agreed to in writing, software        #
+# distributed under the License is distributed on an "AS IS" BASIS,          #
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.   #
+# See the License for the specific language governing permissions and        #
+# limitations under the License.                                             #
+#--------------------------------------------------------------------------- #
+
+require 'openssl'
+require 'base64'
+require 'fileutils'
+
+# X509 authentication class. It can be used as a driver for auth_mad
+# as auth method is defined. It also holds some helper methods to be used
+# by oneauth command
+class X509Auth
+
+    # Initialize x509Auth object
+    #
+    # @param [Hash] default options for path
+    # @option options [String] :cert public cert for the user
+    # @option options [String] :key private key for the user
+    def initialize(options={})
+        @options={
+            :cert => nil,
+            :key  => nil 
+        }.merge!(options)
+
+        @cert = OpenSSL::X509::Certificate.new(@options[:cert])
+        @dn   = @cert.subject.to_s
+
+        if @options[:key]
+            @key  = OpenSSL::PKey::RSA.new(@options[:key])
+        end            
+    end
+
+    ###########################################################################
+    # Client side
+    ###########################################################################
+
+    # Creates the login file for x509 authentication at ~/.one/one_x509.
+    # By default it is valid for 1 hour but it can be changed to any number
+    # of seconds with expire parameter (in seconds)
+    def login(user, expire=3600)
+        # Init proxy file path and creates ~/.one directory if needed
+        # Set instance variables
+        proxy_dir=ENV['HOME']+'/.one'
+        
+        begin
+            FileUtils.mkdir_p(proxy_dir)
+        rescue Errno::EEXIST
+        end
+       
+        one_proxy_path = proxy_dir + '/one_x509'
+
+        #Create the x509 proxy
+        time = Time.now.to_i+expire
+        
+        text_to_sign = "#{@dn}:#{time}"
+        signed_text  = encrypt(text_to_sign)
+
+	    token   = "#{signed_text}:#{@cert.to_pem}"	
+	    token64 = Base64::encode64(token).strip.delete!("\n")
+
+        proxy="#{user}:x509:#{token64}"
+
+        file = File.open(one_proxy_path, "w")
+
+        file.write(proxy)
+        
+        file.close
+ 
+        # Help string
+        puts "export ONE_AUTH=#{ENV['HOME']}/.one/one_x509"
+        
+        token64
+    end
+    
+    ###########################################################################
+    # Server side
+    ###########################################################################
+    # auth method for auth_mad
+    def authenticate(user, pass, token)        
+        begin
+            plain = decrypt(token)
+        
+            subject, time_expire = plain.split(':')
+            
+            if ((subject != @dn) || (subject != pass))
+                return "Certificate subject missmatch"
+            elsif Time.now.to_i >= time_expire.to_i
+                return "x509 proxy expired, login again to renew it"
+            end
+
+            return true
+        rescue
+            return "Can not decrypt security token" 
+        end
+    end
+ 
+private
+    ###########################################################################
+    #                       Methods to handle ssh keys
+    ###########################################################################
+    # Encrypts data with the private key of the user and returns
+    # base 64 encoded output in a single line 
+    def encrypt(data)
+        return nil if !@key
+        Base64::encode64(@key.private_encrypt(data)).delete!("\n").strip
+    end
+
+    # Decrypts base 64 encoded data with pub_key (public key)
+    def decrypt(data)       
+        @cert.public_key.public_decrypt(Base64::decode64(data))
+    end      
+end      

From 15b9d5dae4ce931d524e2e7dd72d8d9dc0d311ee Mon Sep 17 00:00:00 2001
From: "Ruben S. Montero" <rubensm@dacya.ucm.es>
Date: Fri, 19 Aug 2011 03:14:17 +0200
Subject: [PATCH 12/63] feature #754: Simple loginx509 option for oneauth.
 Needs merge with current login option

---
 src/authm_mad/oneauth | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

diff --git a/src/authm_mad/oneauth b/src/authm_mad/oneauth
index f5b7f610f7..4881fd596f 100755
--- a/src/authm_mad/oneauth
+++ b/src/authm_mad/oneauth
@@ -36,6 +36,7 @@ require 'OpenNebula'
 require 'rubygems'
 require 'sequel'
 require 'ssh_auth'
+require 'x509_auth'
 require 'yaml'
 
 require 'command_parser'
@@ -103,6 +104,24 @@ cmd=CommandParser::CmdParser.new(ARGV) do
         exit_with_code 0
     end
 
+    command 'loginx509', login_desc, :text, :text, :text, :text do
+        user = args[0]
+        cert = File.read(args[1])
+        key  = File.read(args[2])
+        time = args[3]
+
+        if time
+            time=time.to_i
+        else
+            time=3600
+        end
+
+        auth = X509Auth.new(:cert=>cert,:key=>key)
+        auth.login(user, time)
+
+        exit_with_code 0
+    end
+
     command 'key', 'Gets public key' do
         ssh=SshAuth.new
         puts ssh.public_key

From 7c362c64b45f80a4731bae7f93127b819603ed41 Mon Sep 17 00:00:00 2001
From: "Ruben S. Montero" <rubensm@dacya.ucm.es>
Date: Fri, 19 Aug 2011 03:14:56 +0200
Subject: [PATCH 13/63] feature #754: Bug when parsing the ONE_AUTH file

---
 src/oca/ruby/OpenNebula.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/oca/ruby/OpenNebula.rb b/src/oca/ruby/OpenNebula.rb
index 54d616298d..7303999ce9 100644
--- a/src/oca/ruby/OpenNebula.rb
+++ b/src/oca/ruby/OpenNebula.rb
@@ -96,7 +96,7 @@ module OpenNebula
                 raise "ONE_AUTH file not present"
             end
 
-            tokens = one_secret.chomp!.split(':')
+            tokens = one_secret.chomp.split(':')
 
             if tokens.length > 2
                 @one_auth = one_secret

From 26387a9f880c1d76805b91389500a699bdc33a03 Mon Sep 17 00:00:00 2001
From: "Ruben S. Montero" <rubensm@dacya.ucm.es>
Date: Fri, 19 Aug 2011 17:56:34 +0200
Subject: [PATCH 14/63] feature #754: Removed uneeded parameters for x509
 authenticate

---
 src/authm_mad/remotes/x509/authenticate | 2 +-
 src/authm_mad/remotes/x509/x509_auth.rb | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/src/authm_mad/remotes/x509/authenticate b/src/authm_mad/remotes/x509/authenticate
index 6bbf96ffd4..c3ae16bffb 100755
--- a/src/authm_mad/remotes/x509/authenticate
+++ b/src/authm_mad/remotes/x509/authenticate
@@ -44,7 +44,7 @@ proxy, cert = dsecret.split(':')
 
 x509_auth   = X509Auth.new(:cert=>cert)
 
-rc = x509_auth.authenticate(user,pass,proxy)
+rc = x509_auth.authenticate(pass,proxy)
 
 if rc == true
     exit 0
diff --git a/src/authm_mad/remotes/x509/x509_auth.rb b/src/authm_mad/remotes/x509/x509_auth.rb
index 3010e58c2c..386f0f8efa 100644
--- a/src/authm_mad/remotes/x509/x509_auth.rb
+++ b/src/authm_mad/remotes/x509/x509_auth.rb
@@ -88,7 +88,7 @@ class X509Auth
     # Server side
     ###########################################################################
     # auth method for auth_mad
-    def authenticate(user, pass, token)        
+    def authenticate(pass, token)        
         begin
             plain = decrypt(token)
         
@@ -108,7 +108,7 @@ class X509Auth
  
 private
     ###########################################################################
-    #                       Methods to handle ssh keys
+    #                       Methods to encrpyt/decrypt keys
     ###########################################################################
     # Encrypts data with the private key of the user and returns
     # base 64 encoded output in a single line 

From b4b5fc97aa0409804678fae07096b0697b9522e1 Mon Sep 17 00:00:00 2001
From: "Ruben S. Montero" <rubensm@dacya.ucm.es>
Date: Fri, 19 Aug 2011 18:11:33 +0200
Subject: [PATCH 15/63] feature #754: Moved proxy path creation to login
 function

---
 src/authm_mad/remotes/ssh/ssh_auth.rb | 22 ++++++++++++----------
 1 file changed, 12 insertions(+), 10 deletions(-)

diff --git a/src/authm_mad/remotes/ssh/ssh_auth.rb b/src/authm_mad/remotes/ssh/ssh_auth.rb
index 30c07f28bb..f6f9f8f704 100644
--- a/src/authm_mad/remotes/ssh/ssh_auth.rb
+++ b/src/authm_mad/remotes/ssh/ssh_auth.rb
@@ -27,15 +27,6 @@ class SshAuth
     attr_reader :public_key
                  
     def initialize(pub_key = nil)
-        # Init proxy file path and creates ~/.one directory if needed
-        proxy_dir=ENV['HOME']+'/.one'
-        
-        begin
-            FileUtils.mkdir_p(proxy_dir)
-        rescue Errno::EEXIST
-        end
-       
-        @proxy_path  = proxy_dir + '/one_ssh'
 
         # Init ssh keys using private key. public key is extracted in a 
         # format compatible with openssl. The public key does not contain
@@ -56,6 +47,17 @@ class SshAuth
     # By default it is valid for 1 hour but it can be changed to any number
     # of seconds with expire parameter (in seconds)
     def login(user, expire=3600)
+        # Init proxy file path and creates ~/.one directory if needed
+        proxy_dir=ENV['HOME']+'/.one'
+        
+        begin
+            FileUtils.mkdir_p(proxy_dir)
+        rescue Errno::EEXIST
+        end
+       
+        proxy_path  = proxy_dir + '/one_ssh'
+
+        # Generate security token
         time = Time.now.to_i + expire
 
         secret_plain   = "#{user}:#{time}"
@@ -63,7 +65,7 @@ class SshAuth
 
         proxy = "#{user}:ssh:#{secret_crypted}"
         
-        file = File.open(@proxy_path, "w")
+        file = File.open(proxy_path, "w")
 
         file.write(proxy)
 

From cc36e3858c06576ab2deff93449c1c1bafd6697b Mon Sep 17 00:00:00 2001
From: "Ruben S. Montero" <rubensm@dacya.ucm.es>
Date: Fri, 19 Aug 2011 18:17:06 +0200
Subject: [PATCH 16/63] feature #754: Include also the username in the security
 token

---
 src/authm_mad/remotes/x509/authenticate |  2 +-
 src/authm_mad/remotes/x509/x509_auth.rb | 12 +++++++-----
 2 files changed, 8 insertions(+), 6 deletions(-)

diff --git a/src/authm_mad/remotes/x509/authenticate b/src/authm_mad/remotes/x509/authenticate
index c3ae16bffb..f7bc822af5 100755
--- a/src/authm_mad/remotes/x509/authenticate
+++ b/src/authm_mad/remotes/x509/authenticate
@@ -44,7 +44,7 @@ proxy, cert = dsecret.split(':')
 
 x509_auth   = X509Auth.new(:cert=>cert)
 
-rc = x509_auth.authenticate(pass,proxy)
+rc = x509_auth.authenticate(user, pass,proxy)
 
 if rc == true
     exit 0
diff --git a/src/authm_mad/remotes/x509/x509_auth.rb b/src/authm_mad/remotes/x509/x509_auth.rb
index 386f0f8efa..7ac30b71d3 100644
--- a/src/authm_mad/remotes/x509/x509_auth.rb
+++ b/src/authm_mad/remotes/x509/x509_auth.rb
@@ -64,7 +64,7 @@ class X509Auth
         #Create the x509 proxy
         time = Time.now.to_i+expire
         
-        text_to_sign = "#{@dn}:#{time}"
+        text_to_sign = "#{user}:#{@dn}:#{time}"
         signed_text  = encrypt(text_to_sign)
 
 	    token   = "#{signed_text}:#{@cert.to_pem}"	
@@ -88,13 +88,15 @@ class X509Auth
     # Server side
     ###########################################################################
     # auth method for auth_mad
-    def authenticate(pass, token)        
+    def authenticate(user, pass, token)        
         begin
             plain = decrypt(token)
         
-            subject, time_expire = plain.split(':')
-            
-            if ((subject != @dn) || (subject != pass))
+            _user, subject, time_expire = plain.split(':')
+
+            if (user != _user)
+                return "User name missmatch"
+            elsif ((subject != @dn) || (subject != pass))
                 return "Certificate subject missmatch"
             elsif Time.now.to_i >= time_expire.to_i
                 return "x509 proxy expired, login again to renew it"

From 5406c948ecac52a45a537287f7636760584addb4 Mon Sep 17 00:00:00 2001
From: "Ruben S. Montero" <rubensm@dacya.ucm.es>
Date: Sun, 21 Aug 2011 01:42:15 +0200
Subject: [PATCH 17/63] feature #754: Authentication based on X509 proxy
 certificates

---
 src/authm_mad/remotes/x509_proxy/authenticate |  56 +++++
 .../remotes/x509_proxy/x509_proxy_auth.rb     | 219 ++++++++++++++++++
 2 files changed, 275 insertions(+)
 create mode 100755 src/authm_mad/remotes/x509_proxy/authenticate
 create mode 100644 src/authm_mad/remotes/x509_proxy/x509_proxy_auth.rb

diff --git a/src/authm_mad/remotes/x509_proxy/authenticate b/src/authm_mad/remotes/x509_proxy/authenticate
new file mode 100755
index 0000000000..747d800d08
--- /dev/null
+++ b/src/authm_mad/remotes/x509_proxy/authenticate
@@ -0,0 +1,56 @@
+#!/usr/bin/env ruby
+# -------------------------------------------------------------------------- #
+# Copyright 2002-2011, OpenNebula Project Leads (OpenNebula.org)             #
+#                                                                            #
+# Licensed under the Apache License, Version 2.0 (the "License"); you may    #
+# not use this file except in compliance with the License. You may obtain    #
+# a copy of the License at                                                   #
+#                                                                            #
+# http://www.apache.org/licenses/LICENSE-2.0                                 #
+#                                                                            #
+# Unless required by applicable law or agreed to in writing, software        #
+# distributed under the License is distributed on an "AS IS" BASIS,          #
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.   #
+# See the License for the specific language governing permissions and        #
+# limitations under the License.                                             #
+#--------------------------------------------------------------------------- #
+
+ONE_LOCATION=ENV["ONE_LOCATION"]
+
+if !ONE_LOCATION
+    RUBY_LIB_LOCATION="/usr/lib/one/ruby"
+    ETC_LOCATION="/etc/one/"
+else
+    RUBY_LIB_LOCATION=ONE_LOCATION+"/lib/ruby"
+    ETC_LOCATION=ONE_LOCATION+"/etc/"
+end
+
+$: << RUBY_LIB_LOCATION
+
+require 'x509_proxy_auth'
+require 'scripts_common'
+
+user   = ARGV[0] # username as registered in OpenNebula
+pass   = ARGV[1] # DN registered for this user
+secret = ARGV[2] # Base64 string in the form token:proxy_cert:user_cert
+
+#OpenNebula.log_debug("Authenticating #{user}, with password #{pass} (#{secret})")
+
+#TODO Check errors in these operations
+
+dsecret = Base64::decode64(secret)
+token, pcert, ucert = dsecret.split(':')
+
+auth = X509ProxyAuth.new(:proxy      => nil,
+                         :proxy_cert => pcert,
+                         :user_cert  => ucert,
+                         :ca_dir     => nil)
+
+rc   = auth.authenticate(user, pass, token)
+
+if rc == true
+    exit 0
+else
+    OpenNebula.error_message rc 
+    exit -1
+end
diff --git a/src/authm_mad/remotes/x509_proxy/x509_proxy_auth.rb b/src/authm_mad/remotes/x509_proxy/x509_proxy_auth.rb
new file mode 100644
index 0000000000..9a6522420c
--- /dev/null
+++ b/src/authm_mad/remotes/x509_proxy/x509_proxy_auth.rb
@@ -0,0 +1,219 @@
+# -------------------------------------------------------------------------- #
+# Copyright 2002-2011, OpenNebula Project Leads (OpenNebula.org)             #
+#                                                                            #
+# Licensed under the Apache License, Version 2.0 (the "License"); you may    #
+# not use this file except in compliance with the License. You may obtain    #
+# a copy of the License at                                                   #
+#                                                                            #
+# http://www.apache.org/licenses/LICENSE-2.0                                 #
+#                                                                            #
+# Unless required by applicable law or agreed to in writing, software        #
+# distributed under the License is distributed on an "AS IS" BASIS,          #
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.   #
+# See the License for the specific language governing permissions and        #
+# limitations under the License.                                             #
+#--------------------------------------------------------------------------- #
+
+require 'openssl'
+require 'base64'
+require 'fileutils'
+
+# Authentication class based on x509 proxy certificate. 
+class X509ProxyAuth
+
+    # Initialize x509ProxyAuth object
+    #
+    # @param [Hash] default options for path
+    # @option options [String] :proxy ($X509_PROXY_CERT) 
+    #         proxy cert for the user
+    # @option options [String] :proxy_cert (nil) 
+    #         public cert of a user proxy
+    # @option options [String] :user_cert (nil) 
+    #         user cert, used to generate the proxy
+    # @option options [String] :ca_dir (/etc/grid-security/certificates) 
+    #         trusted CA directory. If nil it will not be used to verify
+    #         certificates
+    def initialize(options={})
+        @options={
+            :proxy      => ENV['X509_PROXY_CERT']
+            :proxy_cert => nil,
+            :user_cert  => nil,
+            :ca_dir     => "/etc/grid-security/certificates",
+        }.merge!(options)
+
+        proxy_cert_txt = @options[:proxy_cert]
+        user_cert_txt  = @options[:user_cert]
+
+        #Read certificates from a grid proxy file
+        if @options[:proxy] && File.readable?(@options[:proxy])
+            proxy = File.read(@options[:proxy])
+
+            rc = proxy.scan(/-+BEGIN CERTIFICATE-+\n([^-]*)\n-+END CERTIFICATE-+/)
+            rc.flatten!
+
+            proxy_cert_txt = rc[0]
+            user_cert_txt  = rc[1]
+ 
+            rc = proxy.match(/-+BEGIN RSA PRIVATE KEY-+\n([^-]*)\n-+END RSA PRIVATE KEY-+/)
+
+            proxy_key_txt  = rc[1]
+        end
+        
+        if !proxy_cert_txt || !user_cert_txt
+            raise "Can not get user or proxy certificates"
+        end
+        
+        @proxy_cert = OpenSSL::X509::Certificate.new(proxy_cert_txt)
+        @user_cert  = OpenSSL::X509::Certificate.new(user_cert_txt)
+        @dn         = @user_cert.subject.to_s
+        
+        if proxy_ket_txt
+            @poxy_key = OpenSSL::PKey::RSA.new(proxy_key_txt)
+        end
+
+        # Load configuration file
+        #@auth_conf_path  = ETC_LOCATION+'/auth/auth.conf'
+		
+        #if File.readable?(@auth_conf_path)
+        #     config = File.read(@auth_conf_path)
+        #     config = YAML::load(config_data)
+
+        #    @options.merge!(config)
+        #end	
+    end
+
+    ###########################################################################
+    # Client side
+    ###########################################################################
+
+    # Creates the login file for x509 authentication at ~/.one/one_x509.
+    # By default it is valid for 1 hour but it can be changed to any number
+    # of seconds with expire parameter (in seconds)
+    def login(user)
+        # Init proxy file path and creates ~/.one directory if needed
+        # Set instance variables
+        proxy_dir=ENV['HOME']+'/.one'
+        
+        begin
+            FileUtils.mkdir_p(proxy_dir)
+        rescue Errno::EEXIST
+        end
+       
+        one_proxy_path  = proxy_dir + '/one_grid'
+        
+        #Generate token for authentication
+        text_to_sign = "#{user}:#{@dn}"
+        signed_text  = encrypt(text_to_sign)
+
+	    token   = "#{signed_text}:#{@proxy_cert.to_pem}:#{@user_cert.to_pem}"	
+	    token64 = Base64::encode64(token).strip.delete!("\n")
+
+        proxy="#{user}:grid:#{token64}"
+
+        file = File.open(one_proxy_path, "w")
+
+        file.write(proxy)
+        
+        file.close
+ 
+        # Help string
+        puts "export ONE_AUTH=#{ENV['HOME']}/.one/one_grid"
+        
+        token64
+    end
+    
+    ###########################################################################
+    # Server side
+    ###########################################################################
+
+    # auth method for auth_mad
+    def authenticate(user, pass, token)        
+        begin
+            validate_chain
+
+            plain = decrypt(token)
+        
+            _user, subject = plain.split(':')
+
+            if (user != _user)
+                return "User name missmatch"
+            elsif ((subject != @dn) || (subject != pass))
+                return "Certificate subject missmatch"
+            end
+
+            return true
+        rescue => e
+            return e.message
+        end
+
+private
+    ###########################################################################
+    #                       Methods to encrpyt/decrypt keys
+    ###########################################################################
+    # Encrypts data with the private key of the user and returns
+    # base 64 encoded output in a single line 
+    def encrypt(data)
+        return nil if !@proxy_key
+        Base64::encode64(@proxy_key.private_encrypt(data)).delete!("\n").strip
+    end
+
+    # Decrypts base 64 encoded data with pub_key (public key)
+    def decrypt(data)       
+        @proxy_cert.public_key.public_decrypt(Base64::decode64(data))
+    end
+
+    ###########################################################################
+    # Validates the the certificate chain
+    ###########################################################################
+    def validate_chain
+ 	    now    = Time.now
+        failed = "Could not validate user credentials. "
+
+        # Check start time and end time of proxy
+        if @proxy_cert.not_before > now || @proxy_cert.not_after < now
+            raise failed +  "Certfacete not valid. Current time is " + 
+                  now.localtime.to_s + "."
+        end
+ 
+	    # Check that the issuer of the proxy is the same user as in the user certificate
+        if @proxy_cert.issuer.to_s != @user_cert.subject.to_s
+            raise failed + "Proxy with issuer " + @proxy_cert.issuer.to_s + 
+                  " does not match user " + @dn
+        end
+ 	
+    	# Check that the user signed the proxy
+        if !@proxy_cert.verify(@user_cert.public_key)
+            raise "Proxy with subject " + @proxy_cert.subject.to_s + 
+                  " was not verified by " + @dn + "."
+        end
+ 	
+ 	    # Check the rest of the certificate chain if specified
+        if !@options[:ca_dir]
+            return
+        end
+
+        begin
+            signee = @user_cert
+            
+            begin
+                ca_hash = signee.issuer.hash.to_s(16)
+                ca_path = @options[:ca_dir] + '/' + ca_hash + '.0'
+
+                ca_cert = OpenSSL::X509::Certificate.new(File.read(ca_path))
+                
+                if !((signee.issuer.to_s == ca_cert.subject.to_s) && 
+                     (signee.verify(ca_cert.public_key)))
+                    raise  failed + signee.subject.to_s + " with issuer " + 
+                           signee.issuer.to_s + " was not verified by " + 
+                           ca.subject.to_s + "."
+                end
+
+                signee = ca_cert
+            end while ca_cert.subject.to_s != ca_cert.issuer.to_s
+        rescue
+            raise  
+        end
+
+        end
+    end
+end

From 1488d536c3994a7dca9f4e92ac654d8c24a45367 Mon Sep 17 00:00:00 2001
From: "Ruben S. Montero" <rubensm@dacya.ucm.es>
Date: Sun, 21 Aug 2011 01:55:00 +0200
Subject: [PATCH 18/63] feature #754: Validate X509 expiration times. Support
 for trusted CA's

---
 src/authm_mad/remotes/x509/x509_auth.rb       | 58 +++++++++++++++++--
 .../remotes/x509_proxy/x509_proxy_auth.rb     |  8 +--
 2 files changed, 55 insertions(+), 11 deletions(-)

diff --git a/src/authm_mad/remotes/x509/x509_auth.rb b/src/authm_mad/remotes/x509/x509_auth.rb
index 7ac30b71d3..7b067f151f 100644
--- a/src/authm_mad/remotes/x509/x509_auth.rb
+++ b/src/authm_mad/remotes/x509/x509_auth.rb
@@ -27,11 +27,14 @@ class X509Auth
     #
     # @param [Hash] default options for path
     # @option options [String] :cert public cert for the user
-    # @option options [String] :key private key for the user
+    # @option options [String] :key private key for the user. Needed
+    #                          to use login method
+    # @option options [String] :ca_dir directory of trusted CA's. Optional.
     def initialize(options={})
         @options={
-            :cert => nil,
-            :key  => nil 
+            :cert   => nil,
+            :key    => nil,
+            :ca_dir => nil
         }.merge!(options)
 
         @cert = OpenSSL::X509::Certificate.new(@options[:cert])
@@ -90,6 +93,8 @@ class X509Auth
     # auth method for auth_mad
     def authenticate(user, pass, token)        
         begin
+            validate
+
             plain = decrypt(token)
         
             _user, subject, time_expire = plain.split(':')
@@ -103,8 +108,8 @@ class X509Auth
             end
 
             return true
-        rescue
-            return "Can not decrypt security token" 
+        rescue => e
+            return e.message
         end
     end
  
@@ -123,4 +128,45 @@ private
     def decrypt(data)       
         @cert.public_key.public_decrypt(Base64::decode64(data))
     end      
-end      
+
+    ###########################################################################
+    # Validate the user certificate
+    ###########################################################################
+    def validate
+ 	    now    = Time.now
+        failed = "Could not validate user credentials: "
+
+        # Check start time and end time of certificate
+        if @cert.not_before > now || @cert.not_after < now
+            raise failed +  "Certificate not valid. Current time is " + 
+                  now.localtime.to_s + "."
+        end
+ 
+ 	    # Check the rest of the certificate chain if specified
+        if !@options[:ca_dir]
+            return
+        end
+
+        begin
+            signee = @cert
+            
+            begin
+                ca_hash = signee.issuer.hash.to_s(16)
+                ca_path = @options[:ca_dir] + '/' + ca_hash + '.0'
+
+                ca_cert = OpenSSL::X509::Certificate.new(File.read(ca_path))
+                
+                if !((signee.issuer.to_s == ca_cert.subject.to_s) && 
+                     (signee.verify(ca_cert.public_key)))
+                    raise  failed + signee.subject.to_s + " with issuer " + 
+                           signee.issuer.to_s + " was not verified by " + 
+                           ca.subject.to_s + "."
+                end
+
+                signee = ca_cert
+            end while ca_cert.subject.to_s != ca_cert.issuer.to_s
+        rescue
+            raise  
+        end
+    end
+end
diff --git a/src/authm_mad/remotes/x509_proxy/x509_proxy_auth.rb b/src/authm_mad/remotes/x509_proxy/x509_proxy_auth.rb
index 9a6522420c..ca2d3bfa9d 100644
--- a/src/authm_mad/remotes/x509_proxy/x509_proxy_auth.rb
+++ b/src/authm_mad/remotes/x509_proxy/x509_proxy_auth.rb
@@ -163,15 +163,15 @@ private
     end
 
     ###########################################################################
-    # Validates the the certificate chain
+    # Validates the certificate chain
     ###########################################################################
     def validate_chain
  	    now    = Time.now
-        failed = "Could not validate user credentials. "
+        failed = "Could not validate user credentials: "
 
         # Check start time and end time of proxy
         if @proxy_cert.not_before > now || @proxy_cert.not_after < now
-            raise failed +  "Certfacete not valid. Current time is " + 
+            raise failed +  "Certificate not valid. Current time is " + 
                   now.localtime.to_s + "."
         end
  
@@ -213,7 +213,5 @@ private
         rescue
             raise  
         end
-
-        end
     end
 end

From 2508c1fbe789c7a7ef990207871000599d1ea9ac Mon Sep 17 00:00:00 2001
From: "Ruben S. Montero" <rubensm@dacya.ucm.es>
Date: Sun, 21 Aug 2011 02:03:37 +0200
Subject: [PATCH 19/63] feature #754: Rename proxy file name

---
 src/authm_mad/remotes/x509_proxy/x509_proxy_auth.rb | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/src/authm_mad/remotes/x509_proxy/x509_proxy_auth.rb b/src/authm_mad/remotes/x509_proxy/x509_proxy_auth.rb
index ca2d3bfa9d..8653788588 100644
--- a/src/authm_mad/remotes/x509_proxy/x509_proxy_auth.rb
+++ b/src/authm_mad/remotes/x509_proxy/x509_proxy_auth.rb
@@ -86,9 +86,7 @@ class X509ProxyAuth
     # Client side
     ###########################################################################
 
-    # Creates the login file for x509 authentication at ~/.one/one_x509.
-    # By default it is valid for 1 hour but it can be changed to any number
-    # of seconds with expire parameter (in seconds)
+    # Creates the login file for x509 authentication at ~/.one/one_x509_proxy.
     def login(user)
         # Init proxy file path and creates ~/.one directory if needed
         # Set instance variables
@@ -99,7 +97,7 @@ class X509ProxyAuth
         rescue Errno::EEXIST
         end
        
-        one_proxy_path  = proxy_dir + '/one_grid'
+        one_proxy_path  = proxy_dir + '/one_x509_proxy'
         
         #Generate token for authentication
         text_to_sign = "#{user}:#{@dn}"

From e7e96a9fab5984bab8102ed553959f32b1a66c8a Mon Sep 17 00:00:00 2001
From: Daniel Molina <danmolin@fdi.ucm.es>
Date: Tue, 23 Aug 2011 16:22:04 +0200
Subject: [PATCH 20/63] feature #754: Change initialize parameters for SshAuth

---
 src/authm_mad/remotes/ssh/authenticate |  8 ++++--
 src/authm_mad/remotes/ssh/ssh_auth.rb  | 35 +++++++++++++++++++-------
 2 files changed, 32 insertions(+), 11 deletions(-)

diff --git a/src/authm_mad/remotes/ssh/authenticate b/src/authm_mad/remotes/ssh/authenticate
index 0892917738..517d9033d2 100755
--- a/src/authm_mad/remotes/ssh/authenticate
+++ b/src/authm_mad/remotes/ssh/authenticate
@@ -36,8 +36,12 @@ pass   = ARGV[1]
 secret = ARGV[2] 
 
 #OpenNebula.log_debug("Authenticating #{user}, with password #{pass} (#{secret})")
-
-ssh_auth = SshAuth.new(pass)
+begin
+    ssh_auth = SshAuth.new(:public_key=>pass)
+rescue Exception => e
+    OpenNebula.error_message e.message
+    exit -1
+end
 
 rc = ssh_auth.authenticate(user,secret)
 
diff --git a/src/authm_mad/remotes/ssh/ssh_auth.rb b/src/authm_mad/remotes/ssh/ssh_auth.rb
index f6f9f8f704..85d38f313e 100644
--- a/src/authm_mad/remotes/ssh/ssh_auth.rb
+++ b/src/authm_mad/remotes/ssh/ssh_auth.rb
@@ -25,21 +25,38 @@ require 'fileutils'
 # by oneauth command
 class SshAuth
     attr_reader :public_key
-                 
-    def initialize(pub_key = nil)
 
-        # Init ssh keys using private key. public key is extracted in a 
-        # format compatible with openssl. The public key does not contain
-        # "---- BEGIN/END RSA PUBLIC KEY ----" and is in a single line
-        @private_key = File.read(ENV['HOME']+'/.ssh/id_rsa')
+    # Initialize SshAuth object
+    #
+    # @param [Hash] default options for path
+    # @option options [String] :public_key public key for the user
+    # @option options [String] :private_key key private key for the user.
+    def initialize(options={})
+        @private_key = nil
+        @public_key  = nil
 
-        if pub_key == nil
+        if options[:private_key]
+            begin
+                @private_key = File.read(options[:private_key])
+            rescue Exception => e
+                raise "Cannot read #{options[:private_key]}"
+            end
+        end
+
+        if options[:public_key]
+            @public_key = options[:public_key]
+        elsif @private_key != nil
+            # Init ssh keys using private key. public key is extracted in a
+            # format compatible with openssl. The public key does not contain
+            # "---- BEGIN/END RSA PUBLIC KEY ----" and is in a single line
             key = OpenSSL::PKey::RSA.new(@private_key)
 
             @public_key = key.public_key.to_pem.split("\n")
             @public_key = @public_key.reject {|l| l.match(/RSA PUBLIC KEY/) }.join('')
-        else
-            @public_key = pub_key
+        end
+
+        if @private_key.nil? && @public_key.nil?
+            raise "You have to define at least one of the keys"
         end
     end
 

From f0e959c77e108d2a7b541fe76f94585b037507c6 Mon Sep 17 00:00:00 2001
From: Daniel Molina <danmolin@fdi.ucm.es>
Date: Tue, 23 Aug 2011 16:24:03 +0200
Subject: [PATCH 21/63] feature #754: Add PROXY_PATH constant

---
 src/authm_mad/remotes/ssh/ssh_auth.rb         | 28 ++++---
 src/authm_mad/remotes/x509/x509_auth.rb       | 56 +++++++-------
 .../remotes/x509_proxy/x509_proxy_auth.rb     | 77 +++++++++----------
 3 files changed, 78 insertions(+), 83 deletions(-)

diff --git a/src/authm_mad/remotes/ssh/ssh_auth.rb b/src/authm_mad/remotes/ssh/ssh_auth.rb
index 85d38f313e..a0d2915be9 100644
--- a/src/authm_mad/remotes/ssh/ssh_auth.rb
+++ b/src/authm_mad/remotes/ssh/ssh_auth.rb
@@ -24,6 +24,8 @@ require 'fileutils'
 # as auth method is defined. It also holds some helper methods to be used
 # by oneauth command
 class SshAuth
+    PROXY_PATH = ENV['HOME']+'/.one/one_ssh'
+
     attr_reader :public_key
 
     # Initialize SshAuth object
@@ -64,33 +66,28 @@ class SshAuth
     # By default it is valid for 1 hour but it can be changed to any number
     # of seconds with expire parameter (in seconds)
     def login(user, expire=3600)
+        expire ||= 3600
+
         # Init proxy file path and creates ~/.one directory if needed
-        proxy_dir=ENV['HOME']+'/.one'
-        
+        proxy_dir = File.dirname(PROXY_PATH)
+
         begin
             FileUtils.mkdir_p(proxy_dir)
         rescue Errno::EEXIST
         end
-       
-        proxy_path  = proxy_dir + '/one_ssh'
 
         # Generate security token
-        time = Time.now.to_i + expire
+        time = Time.now.to_i + expire.to_i
 
         secret_plain   = "#{user}:#{time}"
         secret_crypted = encrypt(secret_plain)
 
         proxy = "#{user}:ssh:#{secret_crypted}"
-        
-        file = File.open(proxy_path, "w")
 
+        file = File.open(PROXY_PATH, "w")
         file.write(proxy)
-
         file.close
-        
-        # Help string
-        puts "export ONE_AUTH=#{ENV['HOME']}/.one/one_ssh"
-        
+
         secret_crypted
     end
 
@@ -99,7 +96,7 @@ class SshAuth
         begin
             token_plain = decrypt(token)
             _user, time = token_plain.split(':')
-            
+
             if user == _user
                 if Time.now.to_i >= time.to_i
                     return "ssh proxy expired, login again to renew it"
@@ -114,12 +111,13 @@ class SshAuth
         end
     end
 
-private
+    private
+
     ###########################################################################
     #                       Methods to handle ssh keys
     ###########################################################################
     # Encrypts data with the private key of the user and returns
-    # base 64 encoded output in a single line 
+    # base 64 encoded output in a single line
     def encrypt(data)
         rsa=OpenSSL::PKey::RSA.new(@private_key)
         Base64::encode64(rsa.private_encrypt(data)).gsub!(/\n/, '').strip
diff --git a/src/authm_mad/remotes/x509/x509_auth.rb b/src/authm_mad/remotes/x509/x509_auth.rb
index 7b067f151f..7e04c00566 100644
--- a/src/authm_mad/remotes/x509/x509_auth.rb
+++ b/src/authm_mad/remotes/x509/x509_auth.rb
@@ -22,6 +22,9 @@ require 'fileutils'
 # as auth method is defined. It also holds some helper methods to be used
 # by oneauth command
 class X509Auth
+    PROXY_PATH = ENV['HOME']+'/.one/one_x509'
+
+    attr_reader :dn
 
     # Initialize x509Auth object
     #
@@ -42,7 +45,7 @@ class X509Auth
 
         if @options[:key]
             @key  = OpenSSL::PKey::RSA.new(@options[:key])
-        end            
+        end
     end
 
     ###########################################################################
@@ -53,50 +56,45 @@ class X509Auth
     # By default it is valid for 1 hour but it can be changed to any number
     # of seconds with expire parameter (in seconds)
     def login(user, expire=3600)
+        expire ||= 3600
+
         # Init proxy file path and creates ~/.one directory if needed
         # Set instance variables
-        proxy_dir=ENV['HOME']+'/.one'
-        
+        proxy_dir = File.dirname(PROXY_PATH)
+
         begin
             FileUtils.mkdir_p(proxy_dir)
         rescue Errno::EEXIST
         end
-       
-        one_proxy_path = proxy_dir + '/one_x509'
 
         #Create the x509 proxy
         time = Time.now.to_i+expire
-        
+
         text_to_sign = "#{user}:#{@dn}:#{time}"
         signed_text  = encrypt(text_to_sign)
 
-	    token   = "#{signed_text}:#{@cert.to_pem}"	
+	    token   = "#{signed_text}:#{@cert.to_pem}"
 	    token64 = Base64::encode64(token).strip.delete!("\n")
 
         proxy="#{user}:x509:#{token64}"
 
-        file = File.open(one_proxy_path, "w")
-
+        file = File.open(PROXY_PATH, "w")
         file.write(proxy)
-        
         file.close
- 
-        # Help string
-        puts "export ONE_AUTH=#{ENV['HOME']}/.one/one_x509"
-        
+
         token64
     end
-    
+
     ###########################################################################
     # Server side
     ###########################################################################
     # auth method for auth_mad
-    def authenticate(user, pass, token)        
+    def authenticate(user, pass, token)
         begin
             validate
 
             plain = decrypt(token)
-        
+
             _user, subject, time_expire = plain.split(':')
 
             if (user != _user)
@@ -112,22 +110,22 @@ class X509Auth
             return e.message
         end
     end
- 
+
 private
     ###########################################################################
     #                       Methods to encrpyt/decrypt keys
     ###########################################################################
     # Encrypts data with the private key of the user and returns
-    # base 64 encoded output in a single line 
+    # base 64 encoded output in a single line
     def encrypt(data)
         return nil if !@key
         Base64::encode64(@key.private_encrypt(data)).delete!("\n").strip
     end
 
     # Decrypts base 64 encoded data with pub_key (public key)
-    def decrypt(data)       
+    def decrypt(data)
         @cert.public_key.public_decrypt(Base64::decode64(data))
-    end      
+    end
 
     ###########################################################################
     # Validate the user certificate
@@ -138,10 +136,10 @@ private
 
         # Check start time and end time of certificate
         if @cert.not_before > now || @cert.not_after < now
-            raise failed +  "Certificate not valid. Current time is " + 
+            raise failed +  "Certificate not valid. Current time is " +
                   now.localtime.to_s + "."
         end
- 
+
  	    # Check the rest of the certificate chain if specified
         if !@options[:ca_dir]
             return
@@ -149,24 +147,24 @@ private
 
         begin
             signee = @cert
-            
+
             begin
                 ca_hash = signee.issuer.hash.to_s(16)
                 ca_path = @options[:ca_dir] + '/' + ca_hash + '.0'
 
                 ca_cert = OpenSSL::X509::Certificate.new(File.read(ca_path))
-                
-                if !((signee.issuer.to_s == ca_cert.subject.to_s) && 
+
+                if !((signee.issuer.to_s == ca_cert.subject.to_s) &&
                      (signee.verify(ca_cert.public_key)))
-                    raise  failed + signee.subject.to_s + " with issuer " + 
-                           signee.issuer.to_s + " was not verified by " + 
+                    raise  failed + signee.subject.to_s + " with issuer " +
+                           signee.issuer.to_s + " was not verified by " +
                            ca.subject.to_s + "."
                 end
 
                 signee = ca_cert
             end while ca_cert.subject.to_s != ca_cert.issuer.to_s
         rescue
-            raise  
+            raise
         end
     end
 end
diff --git a/src/authm_mad/remotes/x509_proxy/x509_proxy_auth.rb b/src/authm_mad/remotes/x509_proxy/x509_proxy_auth.rb
index 8653788588..2ed8b386b4 100644
--- a/src/authm_mad/remotes/x509_proxy/x509_proxy_auth.rb
+++ b/src/authm_mad/remotes/x509_proxy/x509_proxy_auth.rb
@@ -18,19 +18,20 @@ require 'openssl'
 require 'base64'
 require 'fileutils'
 
-# Authentication class based on x509 proxy certificate. 
+# Authentication class based on x509 proxy certificate.
 class X509ProxyAuth
+    PROXY_PATH = ENV['HOME']+'/.one/one_x509_proxy'
 
     # Initialize x509ProxyAuth object
     #
     # @param [Hash] default options for path
-    # @option options [String] :proxy ($X509_PROXY_CERT) 
+    # @option options [String] :proxy ($X509_PROXY_CERT)
     #         proxy cert for the user
-    # @option options [String] :proxy_cert (nil) 
+    # @option options [String] :proxy_cert (nil)
     #         public cert of a user proxy
-    # @option options [String] :user_cert (nil) 
+    # @option options [String] :user_cert (nil)
     #         user cert, used to generate the proxy
-    # @option options [String] :ca_dir (/etc/grid-security/certificates) 
+    # @option options [String] :ca_dir (/etc/grid-security/certificates)
     #         trusted CA directory. If nil it will not be used to verify
     #         certificates
     def initialize(options={})
@@ -53,33 +54,33 @@ class X509ProxyAuth
 
             proxy_cert_txt = rc[0]
             user_cert_txt  = rc[1]
- 
+
             rc = proxy.match(/-+BEGIN RSA PRIVATE KEY-+\n([^-]*)\n-+END RSA PRIVATE KEY-+/)
 
             proxy_key_txt  = rc[1]
         end
-        
+
         if !proxy_cert_txt || !user_cert_txt
             raise "Can not get user or proxy certificates"
         end
-        
+
         @proxy_cert = OpenSSL::X509::Certificate.new(proxy_cert_txt)
         @user_cert  = OpenSSL::X509::Certificate.new(user_cert_txt)
         @dn         = @user_cert.subject.to_s
-        
+
         if proxy_ket_txt
             @poxy_key = OpenSSL::PKey::RSA.new(proxy_key_txt)
         end
 
         # Load configuration file
         #@auth_conf_path  = ETC_LOCATION+'/auth/auth.conf'
-		
+
         #if File.readable?(@auth_conf_path)
         #     config = File.read(@auth_conf_path)
         #     config = YAML::load(config_data)
 
         #    @options.merge!(config)
-        #end	
+        #end
     end
 
     ###########################################################################
@@ -90,47 +91,45 @@ class X509ProxyAuth
     def login(user)
         # Init proxy file path and creates ~/.one directory if needed
         # Set instance variables
-        proxy_dir=ENV['HOME']+'/.one'
-        
+        proxy_dir=File.dirname(PROXY_PATH)
+
         begin
             FileUtils.mkdir_p(proxy_dir)
         rescue Errno::EEXIST
         end
-       
-        one_proxy_path  = proxy_dir + '/one_x509_proxy'
-        
+
         #Generate token for authentication
         text_to_sign = "#{user}:#{@dn}"
         signed_text  = encrypt(text_to_sign)
 
-	    token   = "#{signed_text}:#{@proxy_cert.to_pem}:#{@user_cert.to_pem}"	
+	    token   = "#{signed_text}:#{@proxy_cert.to_pem}:#{@user_cert.to_pem}"
 	    token64 = Base64::encode64(token).strip.delete!("\n")
 
         proxy="#{user}:grid:#{token64}"
 
-        file = File.open(one_proxy_path, "w")
+        file = File.open(PROXY_PATH, "w")
 
         file.write(proxy)
-        
+
         file.close
- 
+
         # Help string
-        puts "export ONE_AUTH=#{ENV['HOME']}/.one/one_grid"
-        
+        puts "export ONE_AUTH=#{ENV['HOME']}/.one/one_x509_proxy"
+
         token64
     end
-    
+
     ###########################################################################
     # Server side
     ###########################################################################
 
     # auth method for auth_mad
-    def authenticate(user, pass, token)        
+    def authenticate(user, pass, token)
         begin
             validate_chain
 
             plain = decrypt(token)
-        
+
             _user, subject = plain.split(':')
 
             if (user != _user)
@@ -149,14 +148,14 @@ private
     #                       Methods to encrpyt/decrypt keys
     ###########################################################################
     # Encrypts data with the private key of the user and returns
-    # base 64 encoded output in a single line 
+    # base 64 encoded output in a single line
     def encrypt(data)
         return nil if !@proxy_key
         Base64::encode64(@proxy_key.private_encrypt(data)).delete!("\n").strip
     end
 
     # Decrypts base 64 encoded data with pub_key (public key)
-    def decrypt(data)       
+    def decrypt(data)
         @proxy_cert.public_key.public_decrypt(Base64::decode64(data))
     end
 
@@ -169,22 +168,22 @@ private
 
         # Check start time and end time of proxy
         if @proxy_cert.not_before > now || @proxy_cert.not_after < now
-            raise failed +  "Certificate not valid. Current time is " + 
+            raise failed +  "Certificate not valid. Current time is " +
                   now.localtime.to_s + "."
         end
- 
+
 	    # Check that the issuer of the proxy is the same user as in the user certificate
         if @proxy_cert.issuer.to_s != @user_cert.subject.to_s
-            raise failed + "Proxy with issuer " + @proxy_cert.issuer.to_s + 
+            raise failed + "Proxy with issuer " + @proxy_cert.issuer.to_s +
                   " does not match user " + @dn
         end
- 	
+
     	# Check that the user signed the proxy
         if !@proxy_cert.verify(@user_cert.public_key)
-            raise "Proxy with subject " + @proxy_cert.subject.to_s + 
+            raise "Proxy with subject " + @proxy_cert.subject.to_s +
                   " was not verified by " + @dn + "."
         end
- 	
+
  	    # Check the rest of the certificate chain if specified
         if !@options[:ca_dir]
             return
@@ -192,24 +191,24 @@ private
 
         begin
             signee = @user_cert
-            
+
             begin
                 ca_hash = signee.issuer.hash.to_s(16)
                 ca_path = @options[:ca_dir] + '/' + ca_hash + '.0'
 
                 ca_cert = OpenSSL::X509::Certificate.new(File.read(ca_path))
-                
-                if !((signee.issuer.to_s == ca_cert.subject.to_s) && 
+
+                if !((signee.issuer.to_s == ca_cert.subject.to_s) &&
                      (signee.verify(ca_cert.public_key)))
-                    raise  failed + signee.subject.to_s + " with issuer " + 
-                           signee.issuer.to_s + " was not verified by " + 
+                    raise  failed + signee.subject.to_s + " with issuer " +
+                           signee.issuer.to_s + " was not verified by " +
                            ca.subject.to_s + "."
                 end
 
                 signee = ca_cert
             end while ca_cert.subject.to_s != ca_cert.issuer.to_s
         rescue
-            raise  
+            raise
         end
     end
 end

From 4ae6c2d8f04c98b89dc1ac3cd96079ea0b0aa39b Mon Sep 17 00:00:00 2001
From: Daniel Molina <danmolin@fdi.ucm.es>
Date: Tue, 23 Aug 2011 16:25:11 +0200
Subject: [PATCH 22/63] feature #754: Options can be defined without short
 value

---
 src/cli/command_parser.rb | 15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)

diff --git a/src/cli/command_parser.rb b/src/cli/command_parser.rb
index 357d1082ab..ef59846023 100755
--- a/src/cli/command_parser.rb
+++ b/src/cli/command_parser.rb
@@ -166,6 +166,7 @@ EOT
 
             extra_options = comm[:options] if comm
             parse(extra_options)
+
             if comm
                 check_args!(comm_name, comm[:arity], comm[:args_format])
 
@@ -209,15 +210,23 @@ EOT
                         next
                     else
                         shown_opts << o[:name]
-                        short = o[:short].split(' ').first
-                        printf opt_format, "#{short}, #{o[:large]}", o[:description]
+
+                        str = ""
+                        str << o[:short].split(' ').first << ', ' if o[:short]
+                        str << o[:large]
+
+                        printf opt_format, str, o[:description]
                         puts
                     end
                 }
             }
 
             @opts.each{ |o|
-                printf opt_format, "#{o[:short]}, #{o[:large]}", o[:description]
+                str = ""
+                str << o[:short] if o[:short]
+                str << o[:large]
+
+                printf opt_format, str, o[:description]
                 puts
             }
         end

From 376965200610cc2d5eed1dd51c196fa6707e8de2 Mon Sep 17 00:00:00 2001
From: Daniel Molina <danmolin@fdi.ucm.es>
Date: Tue, 23 Aug 2011 16:29:38 +0200
Subject: [PATCH 23/63] feature #754: Add CLI functionality for ssh and x509

---
 src/cli/one_helper/oneuser_helper.rb | 61 +++++++++++++++++++++++
 src/cli/oneuser                      | 72 ++++++++++++++++++++++++++--
 2 files changed, 129 insertions(+), 4 deletions(-)

diff --git a/src/cli/one_helper/oneuser_helper.rb b/src/cli/one_helper/oneuser_helper.rb
index 24f2fd87e1..05255add83 100644
--- a/src/cli/one_helper/oneuser_helper.rb
+++ b/src/cli/one_helper/oneuser_helper.rb
@@ -47,6 +47,67 @@ class OneUserHelper < OpenNebulaHelper::OneHelper
         return 0, password
     end
 
+    def password(options)
+        if options[:ssh]
+            require 'ssh_auth'
+
+            options[:key] ||= ENV['HOME']+'/.ssh/id_rsa'
+
+            begin
+                sshauth = SshAuth.new(:private_key=>options[:key])
+            rescue Exception => e
+                return -1, e.message
+            end
+
+            return 0, sshauth.public_key
+        elsif options[:x509]
+            require 'x509_auth'
+
+            options[:cert] ||= ENV['X509_USER_CERT']
+
+            begin
+                x509auth = X509Auth.new(:cert=>options[:cert])
+            rescue Exception => e
+                return -1, e.message
+            end
+
+            return 0, x509auth.dn
+        else
+            return -1, "You have to specify an Auth method or define a password"
+        end
+    end
+
+    def login(username, options)
+        if options[:ssh]
+            require 'ssh_auth'
+
+            options[:key]  ||= ENV['HOME']+'/.ssh/id_rsa'
+
+            begin
+                auth = SshAuth.new(:private_key=>options[:key])
+            rescue Exception => e
+                return -1, e.message
+            end
+        elsif options[:x509]
+            require 'x509_auth'
+
+            options[:cert] ||= ENV['X509_USER_CERT']
+            options[:key]  ||= ENV['X509_USER_KEY']
+
+            begin
+                auth = X509Auth.new(:cert=>options[:cert], :key=>options[:key])
+            rescue Exception => e
+                return -1, e.message
+            end
+        else
+            return -1, "You have to specify an Auth method"
+        end
+
+        auth.login(username, options[:time])
+
+        return 0, 'export ONE_AUTH=' << auth.class::PROXY_PATH
+    end
+
     private
 
     def factory(id=nil)
diff --git a/src/cli/oneuser b/src/cli/oneuser
index ffb4346786..2273562ed7 100755
--- a/src/cli/oneuser
+++ b/src/cli/oneuser
@@ -59,7 +59,42 @@ cmd=CommandParser::CmdParser.new(ARGV) do
         :description => "Store plain password"
     }
 
-    create_options = [READ_FILE, PLAIN]
+    SSH={
+        :name => "ssh",
+        :large => "--ssh",
+        :description => "SSH Auth system"
+    }
+
+    X509={
+        :name => "x509",
+        :large => "--x509",
+        :description => "x509 Auth system"
+    }
+
+    KEY={
+        :name => "key",
+        :short => "-k private_key",
+        :large => "--key private_key",
+        :format => String,
+        :description => "Path to the Private Key of the User"
+    }
+
+    CERT={
+        :name => "cert",
+        :large => "--cert s",
+        :format => String,
+        :description => "Path to the Certificate of the User"
+    }
+
+    TIME={
+        :name  => "time",
+        :large => "--time x",
+        :format => Integer,
+        :description => "Token duration in hours, (default 1)"
+    }
+
+    create_options = [READ_FILE, PLAIN, SSH, X509, KEY, CERT]
+    login_options  = [SSH, X509, KEY, CERT, TIME]
 
     ########################################################################
     # Formatters for arguments
@@ -86,13 +121,42 @@ cmd=CommandParser::CmdParser.new(ARGV) do
 
     create_desc = <<-EOT.unindent
         Creates a new User
+        Examples:
+          oneuser create my_user my_password
+          oneuser create my_user /tmp/mypass -r
+          oneuser create my_user --ssh --key /tmp/id_rsa
+          oneuser create my_user --x509 --cert /tmp/my_cert.pem
     EOT
 
-    command :create, create_desc, :username, :password,
+    command :create, create_desc, :username, [:password, nil],
             :options=>create_options do
-        helper.create_resource(options) do |user|
-            user.allocate(args[0], args[1])
+        if args[1].nil?
+            rc = helper.password(options)
+            if rc.first == 0
+                pass = rc[1]
+            else
+                exit_with_code *rc
+            end
+        else
+            pass = args[1]
         end
+
+        helper.create_resource(options) do |user|
+            user.allocate(args[0], pass)
+        end
+    end
+
+    login_desc = <<-EOT.unindent
+        Creates the Login token for authentication
+        Examples:
+          oneuser login my_user --ssh --key /tmp/id_rsa --time 72000
+          oneuser login my_user --x509 --cert /tmp/my_cert.pem \
+                                --key /tmp/my_key.pk --time 72000
+    EOT
+
+    command :login, login_desc, :username, [:password, nil],
+            :options=>create_options do
+        helper.login(args[0], options)
     end
 
     delete_desc = <<-EOT.unindent

From f9f2ad176dec799c505c9ea968ab3d2e76523e32 Mon Sep 17 00:00:00 2001
From: Ted <tdh@camp5.townhouse>
Date: Tue, 23 Aug 2011 14:28:18 -0500
Subject: [PATCH 24/63] Made timespan an option. Added default proxy locations.
 read in certificate chain and key from files. Hold cert chain in array.

---
 src/authm_mad/oneauth | 57 +++++++++++++++++++++++++++++++++++--------
 1 file changed, 47 insertions(+), 10 deletions(-)

diff --git a/src/authm_mad/oneauth b/src/authm_mad/oneauth
index 4881fd596f..ad3ef2f175 100755
--- a/src/authm_mad/oneauth
+++ b/src/authm_mad/oneauth
@@ -103,20 +103,57 @@ cmd=CommandParser::CmdParser.new(ARGV) do
         ssh.login(user, time)
         exit_with_code 0
     end
+    
+    loginx509_desc = <<-EOT.unindent
+        Generates an X509-based authenication proxy based on a user certificate.
+        oneauth x509_login <username> [<lifetime in seconds>] [<cert or proxy path>] [<key path>]
+    EOT
 
-    command 'loginx509', login_desc, :text, :text, :text, :text do
+    command 'loginx509', loginx509_desc, :text, :text, :text, :text do
         user = args[0]
-        cert = File.read(args[1])
-        key  = File.read(args[2])
-        time = args[3]
-
-        if time
-            time=time.to_i
-        else
-            time=3600
+	time = Integer(args[1]) rescue false
+	certpath = args[2]
+        keypath  = args[3]
+        	
+	# Set default arguments
+	if !time
+            time=0
+	    certpath = args[1]
+            keypath  = args[2]         
         end
 
-        auth = X509Auth.new(:cert=>cert,:key=>key)
+        if !certpath
+            certpath=ENV["X509_PROXY_CERT"]
+        end
+	    
+	if !certpath
+            certpath='/tmp/x509up_u' + Process.uid.to_s
+        end
+	
+        if !keypath
+	    keypath=certpath
+	end
+	
+	if !keypath
+	    exit_with_code 1
+	end	
+	
+        # Read in the certificates
+        if @options[:certpath] && File.readable?(@options[:certpath])
+            certs_in = File.read(@options[:certpath])
+            certs_pem = certs_in.scan(/-+BEGIN CERTIFICATE-+\n([^-]*)\n-+END CERTIFICATE-+/)
+            certs_pem.flatten!                        
+        end
+	
+	# Read in the key
+        if @options[:keypath] && File.readable?(@options[:keypath])
+            key_in = File.read(@options[:keypath])
+	    rc = key_in.match(/-+BEGIN RSA PRIVATE KEY-+\n([^-]*)\n-+END RSA PRIVATE KEY-+/)
+	    key_pem  = rc[0]
+	end
+
+        # Invoke the login method
+        auth = X509Auth.new(:certs_pem=>certs_pem,:key_pem=>key_pem)
         auth.login(user, time)
 
         exit_with_code 0

From a6fb02f3a63d344778ba5bc5d51da4bc870ae8cf Mon Sep 17 00:00:00 2001
From: Ted <tdh@camp5.townhouse>
Date: Tue, 23 Aug 2011 14:28:50 -0500
Subject: [PATCH 25/63] .init: take cert chain array and key in pem form as
 inputs .login: remove superfluous dn in tbs text. add default max expiration
 time, put whole cert chain in token.

---
 src/authm_mad/remotes/x509/x509_auth.rb | 57 ++++++++++++++-----------
 1 file changed, 31 insertions(+), 26 deletions(-)

diff --git a/src/authm_mad/remotes/x509/x509_auth.rb b/src/authm_mad/remotes/x509/x509_auth.rb
index 7b067f151f..a8b8af2b05 100644
--- a/src/authm_mad/remotes/x509/x509_auth.rb
+++ b/src/authm_mad/remotes/x509/x509_auth.rb
@@ -26,22 +26,25 @@ class X509Auth
     # Initialize x509Auth object
     #
     # @param [Hash] default options for path
-    # @option options [String] :cert public cert for the user
-    # @option options [String] :key private key for the user. Needed
-    #                          to use login method
-    # @option options [String] :ca_dir directory of trusted CA's. Optional.
+    # @option options [String] :certs_pem
+    #         cert chain array in colon-separated pem format
+    # @option options [String] :key_pem
+    #         key in pem format
+    # @option options [String] :cadir
+    #         directory of trusted CA's. Needed for auth method, not for login.
     def initialize(options={})
         @options={
-            :cert   => nil,
-            :key    => nil,
-            :ca_dir => nil
+            :certs_pem   => nil,
+            :key_pem    => nil,
+            :cadir => nil
         }.merge!(options)
 
-        @cert = OpenSSL::X509::Certificate.new(@options[:cert])
-        @dn   = @cert.subject.to_s
+        @cert_chain = certs_pem.collect do |cert_pem|
+            OpenSSL::X509::Certificate.new(cert_pem)
+        end
 
-        if @options[:key]
-            @key  = OpenSSL::PKey::RSA.new(@options[:key])
+        if key_pem
+            @key  = OpenSSL::PKey::RSA.new(key_pem)
         end            
     end
 
@@ -52,33 +55,35 @@ class X509Auth
     # Creates the login file for x509 authentication at ~/.one/one_x509.
     # By default it is valid for 1 hour but it can be changed to any number
     # of seconds with expire parameter (in seconds)
-    def login(user, expire=3600)
-        # Init proxy file path and creates ~/.one directory if needed
+    def login(user, expire=0)
+        # Inits login file path and creates ~/.one directory if needed
         # Set instance variables
-        proxy_dir=ENV['HOME']+'/.one'
+        login_dir=ENV['HOME']+'/.one'
         
         begin
-            FileUtils.mkdir_p(proxy_dir)
+            FileUtils.mkdir_p(login_dir)
         rescue Errno::EEXIST
         end
        
-        one_proxy_path = proxy_dir + '/one_x509'
+        one_login_path = login_dir + '/one_x509'
 
-        #Create the x509 proxy
-        time = Time.now.to_i+expire
+        if expire!=0
+            expires = Time.now.to_i+expire
+	else
+	    expires = @cert_chain[0].not_after.to_i
+	end
         
-        text_to_sign = "#{user}:#{@dn}:#{time}"
+        text_to_sign = "#{user}:#{expires}"
         signed_text  = encrypt(text_to_sign)
 
-	    token   = "#{signed_text}:#{@cert.to_pem}"	
-	    token64 = Base64::encode64(token).strip.delete!("\n")
+        certs_pem = @cert_chain.collect{|cert| cert.to_pem}.join(":")
+	token   = "#{signed_text}:#{certs_pem}"	
+	token64 = Base64::encode64(token).strip.delete!("\n")
 
-        proxy="#{user}:x509:#{token64}"
+        login_out="#{user}:x509:#{token64}"
 
         file = File.open(one_proxy_path, "w")
-
-        file.write(proxy)
-        
+        file.write(login_out)        
         file.close
  
         # Help string
@@ -126,7 +131,7 @@ private
 
     # Decrypts base 64 encoded data with pub_key (public key)
     def decrypt(data)       
-        @cert.public_key.public_decrypt(Base64::decode64(data))
+        @cert_chain[0].public_key.public_decrypt(Base64::decode64(data))
     end      
 
     ###########################################################################

From 9dbbccb9d63be1761b02332863f2731afdc4f0d7 Mon Sep 17 00:00:00 2001
From: Ted <tdh@camp5.townhouse>
Date: Tue, 23 Aug 2011 14:29:36 -0500
Subject: [PATCH 26/63] Use pems as x509 class init parameters.

---
 src/authm_mad/remotes/x509/authenticate | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/src/authm_mad/remotes/x509/authenticate b/src/authm_mad/remotes/x509/authenticate
index f7bc822af5..735e2d8ba6 100755
--- a/src/authm_mad/remotes/x509/authenticate
+++ b/src/authm_mad/remotes/x509/authenticate
@@ -33,14 +33,14 @@ require 'scripts_common'
 
 user   = ARGV[0] # username as registered in OpenNebula
 pass   = ARGV[1] # DN registered for this user
-secret = ARGV[2] # Base64 string in the form proxy:usercert, usercert is pem
+secret = ARGV[2] # Base64 encoded text and certificate chain text:cert_0:cert_1:..., certs in pem format
 
 #OpenNebula.log_debug("Authenticating #{user}, with password #{pass} (#{secret})")
 
 #TODO Check errors in these operations
 
-dsecret     = Base64::decode64(secret)
-proxy, cert = dsecret.split(':')
+dsecret = Base64::decode64(secret)
+certs_pem = dsecret.split(':')
 
 x509_auth   = X509Auth.new(:cert=>cert)
 

From d4e96b2a5e46a09fc1defa8408c8d09edfa9106f Mon Sep 17 00:00:00 2001
From: Ted <tdh@camp5.townhouse>
Date: Wed, 24 Aug 2011 10:37:16 -0500
Subject: [PATCH 27/63] Replaced underscore in ca_dir.

---
 src/authm_mad/remotes/x509/x509_auth.rb | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/authm_mad/remotes/x509/x509_auth.rb b/src/authm_mad/remotes/x509/x509_auth.rb
index a8b8af2b05..7a4fe3e664 100644
--- a/src/authm_mad/remotes/x509/x509_auth.rb
+++ b/src/authm_mad/remotes/x509/x509_auth.rb
@@ -30,13 +30,13 @@ class X509Auth
     #         cert chain array in colon-separated pem format
     # @option options [String] :key_pem
     #         key in pem format
-    # @option options [String] :cadir
+    # @option options [String] :ca_dir
     #         directory of trusted CA's. Needed for auth method, not for login.
     def initialize(options={})
         @options={
             :certs_pem   => nil,
             :key_pem    => nil,
-            :cadir => nil
+            :ca_dir => nil
         }.merge!(options)
 
         @cert_chain = certs_pem.collect do |cert_pem|

From dd2b770b016c204a6d9ef103c7234220facd4efd Mon Sep 17 00:00:00 2001
From: Ted <tdh@camp5.townhouse>
Date: Wed, 24 Aug 2011 12:39:49 -0500
Subject: [PATCH 28/63] Always validate. Added steps to validate the proxy
 certificates. Check that some DN in the chain must matches DN in the
 password.

---
 src/authm_mad/remotes/x509/x509_auth.rb | 46 ++++++++++++++++---------
 1 file changed, 29 insertions(+), 17 deletions(-)

diff --git a/src/authm_mad/remotes/x509/x509_auth.rb b/src/authm_mad/remotes/x509/x509_auth.rb
index 09ed84a4c3..ce0f16e584 100644
--- a/src/authm_mad/remotes/x509/x509_auth.rb
+++ b/src/authm_mad/remotes/x509/x509_auth.rb
@@ -100,22 +100,28 @@ class X509Auth
     # Server side
     ###########################################################################
     # auth method for auth_mad
-    def authenticate(user, pass, token)
-        begin
-            validate
-
-            plain = decrypt(token)
-
-            _user, subject, time_expire = plain.split(':')
+    def authenticate(user, pass, signed_text)
+        begin            
+	    # Decryption demonstrates that the user posessed the private key.
+            _user, expires = decrypt(signed_text).split(':')
 
             if (user != _user)
                 return "User name missmatch"
-            elsif ((subject != @dn) || (subject != pass))
-                return "Certificate subject missmatch"
-            elsif Time.now.to_i >= time_expire.to_i
+            elsif Time.now.to_i >= expires.to_i
                 return "x509 proxy expired, login again to renew it"
             end
 
+	    # Some DN in the chain must match a DN in the password	    
+	    dn_ok = @cert_chain.each do |cert|
+                break true if pass.split('|').include?(cert.subject.to_s.gsub(/\s/, ''))
+            end
+	    
+	    unless dn_ok==true
+	        return "Certificate subject missmatch"
+            end
+	    
+	    validate
+
             return true
         rescue => e
             return e.message
@@ -151,14 +157,20 @@ private
                   now.localtime.to_s + "."
         end
 
- 	    # Check the rest of the certificate chain if specified
-        if !@options[:ca_dir]
-            return
-        end
-
         begin
-            signee = @cert
+	    # Validate the proxy certifcates
+            signee = @cert_chain.delete_at(0)
+	    @cert_chain.each do |cert|
+                if !((signee.issuer.to_s == cert.subject.to_s) &&
+                     (signee.verify(cert.public_key)))
+                    raise  failed + signee.subject.to_s + " with issuer " +
+                           signee.issuer.to_s + " was not verified by " +
+                           cert.subject.to_s + "."
+                end	        
+                signee = cert
+            end
 
+            # Validate the End Entity certificate
             begin
                 ca_hash = signee.issuer.hash.to_s(16)
                 ca_path = @options[:ca_dir] + '/' + ca_hash + '.0'
@@ -169,7 +181,7 @@ private
                      (signee.verify(ca_cert.public_key)))
                     raise  failed + signee.subject.to_s + " with issuer " +
                            signee.issuer.to_s + " was not verified by " +
-                           ca.subject.to_s + "."
+                           ca_cert.subject.to_s + "."
                 end
 
                 signee = ca_cert

From de067c3869e7b877816f3310f01e01915c58ea18 Mon Sep 17 00:00:00 2001
From: "Ruben S. Montero" <rubensm@dacya.ucm.es>
Date: Wed, 24 Aug 2011 23:45:36 +0200
Subject: [PATCH 29/63] feature #754: removed unneeded reader attribute

---
 src/authm_mad/remotes/x509/x509_auth.rb | 2 --
 1 file changed, 2 deletions(-)

diff --git a/src/authm_mad/remotes/x509/x509_auth.rb b/src/authm_mad/remotes/x509/x509_auth.rb
index ce0f16e584..9c0aa24240 100644
--- a/src/authm_mad/remotes/x509/x509_auth.rb
+++ b/src/authm_mad/remotes/x509/x509_auth.rb
@@ -24,8 +24,6 @@ require 'fileutils'
 class X509Auth
     PROXY_PATH = ENV['HOME']+'/.one/one_x509'
 
-    attr_reader :dn
-
     # Initialize x509Auth object
     #
     # @param [Hash] default options for path

From 3364d10eb7edbd3258f69e59252a493d99fd3f47 Mon Sep 17 00:00:00 2001
From: "Ruben S. Montero" <rubensm@dacya.ucm.es>
Date: Thu, 25 Aug 2011 00:03:36 +0200
Subject: [PATCH 30/63] feature #754: Some formatting. Changed delete! & simple
 gsub with delete. Make use of class constant LOGIN_PATH

---
 src/authm_mad/remotes/x509/x509_auth.rb | 49 ++++++++++++-------------
 1 file changed, 23 insertions(+), 26 deletions(-)

diff --git a/src/authm_mad/remotes/x509/x509_auth.rb b/src/authm_mad/remotes/x509/x509_auth.rb
index 9c0aa24240..63027867a6 100644
--- a/src/authm_mad/remotes/x509/x509_auth.rb
+++ b/src/authm_mad/remotes/x509/x509_auth.rb
@@ -22,7 +22,7 @@ require 'fileutils'
 # as auth method is defined. It also holds some helper methods to be used
 # by oneauth command
 class X509Auth
-    PROXY_PATH = ENV['HOME']+'/.one/one_x509'
+    LOGIN_PATH = ENV['HOME']+'/.one/one_x509'
 
     # Initialize x509Auth object
     #
@@ -35,9 +35,9 @@ class X509Auth
     #         directory of trusted CA's. Needed for auth method, not for login.
     def initialize(options={})
         @options={
-            :certs_pem   => nil,
-            :key_pem    => nil,
-            :ca_dir => nil
+            :certs_pem => nil,
+            :key_pem   => nil,
+            :ca_dir    => nil
         }.merge!(options)
 
         @cert_chain = certs_pem.collect do |cert_pem|
@@ -59,36 +59,32 @@ class X509Auth
     def login(user, expire=0)
         # Inits login file path and creates ~/.one directory if needed
         # Set instance variables
-        login_dir=ENV['HOME']+'/.one'
+        login_dir = File.dirname(LOGIN_PATH)
         
         begin
             FileUtils.mkdir_p(login_dir)
         rescue Errno::EEXIST
         end
-       
-        one_login_path = login_dir + '/one_x509'
 
         if expire!=0
             expires = Time.now.to_i+expire
-	else
-	    expires = @cert_chain[0].not_after.to_i
-	end
+	    else
+	        expires = @cert_chain[0].not_after.to_i
+	    end
         
         text_to_sign = "#{user}:#{expires}"
         signed_text  = encrypt(text_to_sign)
 
         certs_pem = @cert_chain.collect{|cert| cert.to_pem}.join(":")
-	token   = "#{signed_text}:#{certs_pem}"	
-	token64 = Base64::encode64(token).strip.delete!("\n")
 
-        login_out="#{user}:x509:#{token64}"
+	    token     = "#{signed_text}:#{certs_pem}"	
+	    token64   = Base64::encode64(token).strip.delete("\n")
 
-        file = File.open(one_proxy_path, "w")
+        login_out = "#{user}:x509:#{token64}"
+
+        file = File.open(LOGIN_PATH, "w")
         file.write(login_out)        
         file.close
- 
-        # Help string
-        puts "export ONE_AUTH=#{ENV['HOME']}/.one/one_x509"
         
         token64
     end
@@ -100,7 +96,7 @@ class X509Auth
     # auth method for auth_mad
     def authenticate(user, pass, signed_text)
         begin            
-	    # Decryption demonstrates that the user posessed the private key.
+	        # Decryption demonstrates that the user posessed the private key.
             _user, expires = decrypt(signed_text).split(':')
 
             if (user != _user)
@@ -109,16 +105,16 @@ class X509Auth
                 return "x509 proxy expired, login again to renew it"
             end
 
-	    # Some DN in the chain must match a DN in the password	    
-	    dn_ok = @cert_chain.each do |cert|
-                break true if pass.split('|').include?(cert.subject.to_s.gsub(/\s/, ''))
+	        # Some DN in the chain must match a DN in the password	    
+	        dn_ok = @cert_chain.each do |cert|
+                break true if pass.split('|').include?(cert.subject.to_s.delete("\s"))
             end
 	    
-	    unless dn_ok==true
-	        return "Certificate subject missmatch"
+	        unless dn_ok == true
+	            return "Certificate subject missmatch"
             end
 	    
-	    validate
+	        validate
 
             return true
         rescue => e
@@ -134,7 +130,7 @@ private
     # base 64 encoded output in a single line
     def encrypt(data)
         return nil if !@key
-        Base64::encode64(@key.private_encrypt(data)).delete!("\n").strip
+        Base64::encode64(@key.private_encrypt(data)).delete("\n").strip
     end
 
     # Decrypts base 64 encoded data with pub_key (public key)
@@ -158,7 +154,8 @@ private
         begin
 	    # Validate the proxy certifcates
             signee = @cert_chain.delete_at(0)
-	    @cert_chain.each do |cert|
+
+	        @cert_chain.each do |cert|
                 if !((signee.issuer.to_s == cert.subject.to_s) &&
                      (signee.verify(cert.public_key)))
                     raise  failed + signee.subject.to_s + " with issuer " +

From 8cdf5e06b4192815a290848bbe6bc1243bfa3c3b Mon Sep 17 00:00:00 2001
From: "Ruben S. Montero" <rubensm@dacya.ucm.es>
Date: Thu, 25 Aug 2011 00:07:24 +0200
Subject: [PATCH 31/63] feature #754: minor change

---
 src/authm_mad/remotes/x509/x509_auth.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/authm_mad/remotes/x509/x509_auth.rb b/src/authm_mad/remotes/x509/x509_auth.rb
index 63027867a6..6dbd10321b 100644
--- a/src/authm_mad/remotes/x509/x509_auth.rb
+++ b/src/authm_mad/remotes/x509/x509_auth.rb
@@ -152,7 +152,7 @@ private
         end
 
         begin
-	    # Validate the proxy certifcates
+	        # Validate the proxy certifcates
             signee = @cert_chain.delete_at(0)
 
 	        @cert_chain.each do |cert|

From 7ad661b5f8a71bcd965688df5994d925d08a07f7 Mon Sep 17 00:00:00 2001
From: "Ruben S. Montero" <rubensm@dacya.ucm.es>
Date: Thu, 25 Aug 2011 16:24:40 +0200
Subject: [PATCH 32/63] feature #754: Split login tokan generation and write
 login file

---
 src/authm_mad/remotes/x509/x509_auth.rb | 45 +++++++++++++++----------
 1 file changed, 28 insertions(+), 17 deletions(-)

diff --git a/src/authm_mad/remotes/x509/x509_auth.rb b/src/authm_mad/remotes/x509/x509_auth.rb
index 6dbd10321b..706469b8b3 100644
--- a/src/authm_mad/remotes/x509/x509_auth.rb
+++ b/src/authm_mad/remotes/x509/x509_auth.rb
@@ -54,19 +54,18 @@ class X509Auth
     ###########################################################################
 
     # Creates the login file for x509 authentication at ~/.one/one_x509.
-    # By default it is valid for 1 hour but it can be changed to any number
-    # of seconds with expire parameter (in seconds)
+    # By default it is valid as long as the certificate is valid. It can 
+    # be change to any number of seconds with expire parameter (sec.)
     def login(user, expire=0)
-        # Inits login file path and creates ~/.one directory if needed
-        # Set instance variables
-        login_dir = File.dirname(LOGIN_PATH)
-        
-        begin
-            FileUtils.mkdir_p(login_dir)
-        rescue Errno::EEXIST
-        end
+        write_login(login_token(user,expire)
+    end
 
-        if expire!=0
+    # Generates a login token in the form:
+    # user_name:x509:user_name:time_expires:cert_chain
+    #   - user_name:time_expires is encrypted with the user certificate
+    #   - user_name:time_expires:cert_chain is base64 encoded
+    def login_token(user, expire)
+        if expire != 0
             expires = Time.now.to_i+expire
 	    else
 	        expires = @cert_chain[0].not_after.to_i
@@ -81,15 +80,10 @@ class X509Auth
 	    token64   = Base64::encode64(token).strip.delete("\n")
 
         login_out = "#{user}:x509:#{token64}"
-
-        file = File.open(LOGIN_PATH, "w")
-        file.write(login_out)        
-        file.close
         
-        token64
+        login_out
     end
     
-
     ###########################################################################
     # Server side
     ###########################################################################
@@ -123,6 +117,23 @@ class X509Auth
     end
 
 private
+    # Writes a login_txt to the login file as defined in LOGIN_PATH 
+    # constant
+    def write_login(login_txt)
+        # Inits login file path and creates ~/.one directory if needed
+        # Set instance variables
+        login_dir = File.dirname(LOGIN_PATH)
+        
+        begin
+            FileUtils.mkdir_p(login_dir)
+        rescue Errno::EEXIST
+        end
+
+        file = File.open(LOGIN_PATH, "w")
+        file.write(login_txt)        
+        file.close
+    end
+
     ###########################################################################
     #                       Methods to encrpyt/decrypt keys
     ###########################################################################

From 50de4242d45c2dc2b164c6fb4ab0761ec1edafb6 Mon Sep 17 00:00:00 2001
From: "Ruben S. Montero" <rubensm@dacya.ucm.es>
Date: Thu, 25 Aug 2011 17:08:46 +0200
Subject: [PATCH 33/63] feauture #754: Included check of expiration times for
 the complete cert chain (from Ted). Do not modify cert_chain in validation

---
 src/authm_mad/remotes/x509/x509_auth.rb | 20 ++++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)

diff --git a/src/authm_mad/remotes/x509/x509_auth.rb b/src/authm_mad/remotes/x509/x509_auth.rb
index 706469b8b3..4bf98d0679 100644
--- a/src/authm_mad/remotes/x509/x509_auth.rb
+++ b/src/authm_mad/remotes/x509/x509_auth.rb
@@ -93,11 +93,9 @@ class X509Auth
 	        # Decryption demonstrates that the user posessed the private key.
             _user, expires = decrypt(signed_text).split(':')
 
-            if (user != _user)
-                return "User name missmatch"
-            elsif Time.now.to_i >= expires.to_i
-                return "x509 proxy expired, login again to renew it"
-            end
+            return "User name missmatch" if user != _user
+
+            return "x509 proxy expired"  if Time.now.to_i >= expires.to_i
 
 	        # Some DN in the chain must match a DN in the password	    
 	        dn_ok = @cert_chain.each do |cert|
@@ -157,16 +155,18 @@ private
         failed = "Could not validate user credentials: "
 
         # Check start time and end time of certificate
-        if @cert.not_before > now || @cert.not_after < now
-            raise failed +  "Certificate not valid. Current time is " +
+        @cert_chain.each do |cert|		
+            if cert.not_before > now || cert.not_after < now
+                raise failed +  "Certificate not valid. Current time is " + 
                   now.localtime.to_s + "."
-        end
+            end
+        end 
 
         begin
 	        # Validate the proxy certifcates
-            signee = @cert_chain.delete_at(0)
+            signee = @cert_chain[0]
 
-	        @cert_chain.each do |cert|
+	        @cert_chain[1..-1].each do |cert|
                 if !((signee.issuer.to_s == cert.subject.to_s) &&
                      (signee.verify(cert.public_key)))
                     raise  failed + signee.subject.to_s + " with issuer " +

From 84b3ff38afce5c013f120e20d0ffb3d1a1abbd94 Mon Sep 17 00:00:00 2001
From: "Ruben S. Montero" <rubensm@dacya.ucm.es>
Date: Thu, 25 Aug 2011 17:10:17 +0200
Subject: [PATCH 34/63] feature #754: Added a server based authentication using
 x509 certificates

---
 src/authm_mad/remotes/server/server_auth.rb | 124 ++++++++++++++++++++
 1 file changed, 124 insertions(+)
 create mode 100644 src/authm_mad/remotes/server/server_auth.rb

diff --git a/src/authm_mad/remotes/server/server_auth.rb b/src/authm_mad/remotes/server/server_auth.rb
new file mode 100644
index 0000000000..91cc5c4b61
--- /dev/null
+++ b/src/authm_mad/remotes/server/server_auth.rb
@@ -0,0 +1,124 @@
+# -------------------------------------------------------------------------- #
+# Copyright 2002-2011, OpenNebula Project Leads (OpenNebula.org)             #
+#                                                                            #
+# Licensed under the Apache License, Version 2.0 (the "License"); you may    #
+# not use this file except in compliance with the License. You may obtain    #
+# a copy of the License at                                                   #
+#                                                                            #
+# http://www.apache.org/licenses/LICENSE-2.0                                 #
+#                                                                            #
+# Unless required by applicable law or agreed to in writing, software        #
+# distributed under the License is distributed on an "AS IS" BASIS,          #
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.   #
+# See the License for the specific language governing permissions and        #
+# limitations under the License.                                             #
+#--------------------------------------------------------------------------- #
+
+require 'openssl'
+require 'base64'
+require 'fileutils'
+
+ONE_LOCATION=ENV["ONE_LOCATION"]
+
+if !ONE_LOCATION
+    RUBY_LIB_LOCATION="/usr/lib/one/ruby"
+    ETC_LOCATION="/etc/one/"
+else
+    RUBY_LIB_LOCATION=ONE_LOCATION+"/lib/ruby"
+    ETC_LOCATION=ONE_LOCATION+"/etc/"
+end
+
+$: << RUBY_LIB_LOCATION
+
+require 'x509_auth'
+
+# Server authentication class. This authmethod can be used by opennebula services
+# to let access authenticated users by other means. It is based on x509 server 
+# certificates
+class ServerAuth < X509Auth
+    ###########################################################################
+    #Constants with paths to relevant files and defaults
+    ###########################################################################
+    if !ENV["ONE_LOCATION"]
+        ETC_LOCATION      = "/etc/one"
+    else
+        ETC_LOCATION      = ONE_LOCATION + "/etc"
+    end
+
+    SERVER_AUTH_CONF_PATH = ETC_LOCATION + "/auth/server_auth.conf"
+
+    DEFAULT_CERTS_PATH = {
+        :one_cert => ETC_LOCATION + "/auth/cert.pem",
+        :one_key  => ETC_LOCATION + "/auth/key.pem",
+        :ca_dir   => ETC_LOCATION + "/auth/certificates",
+    }
+
+    ###########################################################################
+
+    def initialize()
+        @options = DEFAULT_CERTS_PATH
+
+        if File.readable?(SERVER_AUTH_CONF_PATH)
+            config = File.read(SERVER_AUTH_CONF_PATH)
+             
+            @options.merge!(YAML::load(config))
+        end
+        
+        begin
+            certs    = Array.new
+            certs[0] = File.read(@options[:host_cert])
+
+            key = File.read(@options[:host_key])
+
+            super(:certs_pem => certs, 
+                  :key_pem   => key,
+                  :ca_dir    => @options[:ca_dir])
+        rescue
+            raise
+        end  
+    end
+
+    # Generates a login token in the form:
+    # user_name:x509:user_name:time_expires:cert_chain
+    #   - user_name:time_expires is encrypted with the user certificate
+    #   - user_name:time_expires:cert_chain is base64 encoded
+    def login_token(user, user_dn, expire)
+
+        expires = Time.now.to_i+expire
+        
+        token_txt = "#{user}:#{user_dn}:#{expires}"
+
+        token     = encrypt(token_txt)
+	    token64   = Base64::encode64(token).strip.delete("\n")
+
+        login_out = "#{user}:server:#{token64}"
+        
+        login_out
+    end
+
+    ###########################################################################
+    # Server side
+    ###########################################################################
+    # auth method for auth_mad
+    def authenticate(user, pass, signed_text)
+        begin            
+	        # Decryption demonstrates that the user posessed the private key.
+            _user, user_dn, expires = decrypt(signed_text).split(':')
+
+            return "User name missmatch" if user != _user
+
+            return "login token expired" if Time.now.to_i >= expires.to_i
+
+            # Check an explicitly-specified DN such as for a host-signed login 
+            if !pass.split('|').include?(cert.subject.to_s.delete("\s"))
+	            return "Certificate subject missmatch"
+            end
+
+	        validate
+
+            return true
+        rescue => e
+            return e.message
+        end
+    end
+end

From d44282c982ffab65c09b8ca385febc1d7b4ca8fa Mon Sep 17 00:00:00 2001
From: "Ruben S. Montero" <rubensm@dacya.ucm.es>
Date: Thu, 25 Aug 2011 17:42:13 +0200
Subject: [PATCH 35/63] feature #754: Support for proxy certificates in oneuser

---
 src/cli/one_helper/oneuser_helper.rb | 26 +++++++++++++++++++++++++-
 src/cli/oneuser                      | 25 ++++++++++++++++++++-----
 2 files changed, 45 insertions(+), 6 deletions(-)

diff --git a/src/cli/one_helper/oneuser_helper.rb b/src/cli/one_helper/oneuser_helper.rb
index 05255add83..c0033c8e9f 100644
--- a/src/cli/one_helper/oneuser_helper.rb
+++ b/src/cli/one_helper/oneuser_helper.rb
@@ -95,10 +95,34 @@ class OneUserHelper < OpenNebulaHelper::OneHelper
             options[:key]  ||= ENV['X509_USER_KEY']
 
             begin
-                auth = X509Auth.new(:cert=>options[:cert], :key=>options[:key])
+                certs    = Array.new
+                certs[0] = File.read(options[:cert])
+                
+                key = File.read(options[:key])
+
+                auth = X509Auth.new(:cert=>certs, :key=>key)
             rescue Exception => e
                 return -1, e.message
             end
+        elsif options[:x509_proxy]
+            require 'x509_auth'
+
+            options[:proxy] ||= ENV['X509_PROXY_CERT']
+            
+            begin  
+                proxy = File.read(options[:proxy])
+
+                rc = proxy.scan(/-+BEGIN CERTIFICATE-+\n([^-]*)\n-+END CERTIFICATE-+/)
+                certs = rc.flatten!
+
+                rc = proxy.match(/-+BEGIN RSA PRIVATE KEY-+\n([^-]*)\n-+END RSA PRIVATE KEY-+/)
+
+                key  = rc[1]
+
+                auth = X509Auth.new(:cert=>certs, :key=>key)
+            rescue => e
+                return -1, e.message
+            end
         else
             return -1, "You have to specify an Auth method"
         end
diff --git a/src/cli/oneuser b/src/cli/oneuser
index 2273562ed7..4beb1bb7a2 100755
--- a/src/cli/oneuser
+++ b/src/cli/oneuser
@@ -68,24 +68,37 @@ cmd=CommandParser::CmdParser.new(ARGV) do
     X509={
         :name => "x509",
         :large => "--x509",
-        :description => "x509 Auth system"
+        :description => "x509 Auth system for x509 certificates"
+    }
+
+    X509_PROXY={
+        :name => "x509_proxy",
+        :large => "--x509_proxy",
+        :description => "x509 Auth system based on x509 proxy certificates"
     }
 
     KEY={
         :name => "key",
-        :short => "-k private_key",
-        :large => "--key private_key",
+        :short => "-k path_to_private_key_pem",
+        :large => "--key path_to_private_key_pem",
         :format => String,
         :description => "Path to the Private Key of the User"
     }
 
     CERT={
         :name => "cert",
-        :large => "--cert s",
+        :large => "--cert path_to_user_cert_pem",
         :format => String,
         :description => "Path to the Certificate of the User"
     }
 
+    PROXY={
+        :name => "proxy",
+        :large => "--proxy path_to_user_proxy_pem",
+        :format => String,
+        :description => "Path to the user proxy certificate"
+    }
+
     TIME={
         :name  => "time",
         :large => "--time x",
@@ -94,7 +107,7 @@ cmd=CommandParser::CmdParser.new(ARGV) do
     }
 
     create_options = [READ_FILE, PLAIN, SSH, X509, KEY, CERT]
-    login_options  = [SSH, X509, KEY, CERT, TIME]
+    login_options  = [SSH, X509, X509_PROXY, KEY, CERT, PROXY, TIME]
 
     ########################################################################
     # Formatters for arguments
@@ -152,6 +165,8 @@ cmd=CommandParser::CmdParser.new(ARGV) do
           oneuser login my_user --ssh --key /tmp/id_rsa --time 72000
           oneuser login my_user --x509 --cert /tmp/my_cert.pem \
                                 --key /tmp/my_key.pk --time 72000
+          oneuser login my_user --x509_proxy --proxy /tmp/my_cert.pem \
+                                --time 72000
     EOT
 
     command :login, login_desc, :username, [:password, nil],

From f3f2925b0da7065aacde0329da748731d9b58b62 Mon Sep 17 00:00:00 2001
From: "Ruben S. Montero" <rubensm@dacya.ucm.es>
Date: Thu, 25 Aug 2011 17:43:55 +0200
Subject: [PATCH 36/63] feature #754: Do not check trusted CA's if directory
 not specified

---
 src/authm_mad/remotes/x509/x509_auth.rb | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/src/authm_mad/remotes/x509/x509_auth.rb b/src/authm_mad/remotes/x509/x509_auth.rb
index 4bf98d0679..5a12f6a3ba 100644
--- a/src/authm_mad/remotes/x509/x509_auth.rb
+++ b/src/authm_mad/remotes/x509/x509_auth.rb
@@ -177,6 +177,10 @@ private
             end
 
             # Validate the End Entity certificate
+	        if !@options[:ca_dir]
+                return
+            end
+
             begin
                 ca_hash = signee.issuer.hash.to_s(16)
                 ca_path = @options[:ca_dir] + '/' + ca_hash + '.0'

From cfbe1f18e4e5b1ba3bdc1f57369c8b7ac5eb909b Mon Sep 17 00:00:00 2001
From: "Ruben S. Montero" <rubensm@dacya.ucm.es>
Date: Thu, 25 Aug 2011 17:52:22 +0200
Subject: [PATCH 37/63] feature #754: Install server auth files

---
 install.sh | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/install.sh b/install.sh
index 9bdd75f9e5..64584dc5eb 100755
--- a/install.sh
+++ b/install.sh
@@ -227,6 +227,7 @@ VAR_DIRS="$VAR_LOCATION/remotes \
           $VAR_LOCATION/remotes/auth/plain \
           $VAR_LOCATION/remotes/auth/ssh \
           $VAR_LOCATION/remotes/auth/x509 \
+          $VAR_LOCATION/remotes/auth/server \
           $VAR_LOCATION/remotes/auth/dummy"
 
 SUNSTONE_DIRS="$SUNSTONE_LOCATION/models \
@@ -321,6 +322,7 @@ INSTALL_FILES=(
     IM_PROBES_GANGLIA_FILES:$VAR_LOCATION/remotes/im/ganglia.d
     AUTH_SSH_FILES:$VAR_LOCATION/remotes/auth/ssh
     AUTH_X509_FILES:$VAR_LOCATION/remotes/auth/x509
+    AUTH_SERVER_FILES:$VAR_LOCATION/remotes/auth/server
     AUTH_DUMMY_FILES:$VAR_LOCATION/remotes/auth/dummy
     AUTH_PLAIN_FILES:$VAR_LOCATION/remotes/auth/plain    
     VMM_EXEC_KVM_SCRIPTS:$VAR_LOCATION/remotes/vmm/kvm
@@ -488,6 +490,7 @@ RUBY_LIB_FILES="src/mad/ruby/ActionManager.rb \
                 src/oca/ruby/OpenNebula.rb \
                 src/tm_mad/TMScript.rb \
                 src/authm_mad/remotes/ssh/ssh_auth.rb \
+                src/authm_mad/remotes/server/server_auth.rb"
                 src/authm_mad/remotes/x509/x509_auth.rb"
 
 #-----------------------------------------------------------------------------
@@ -583,6 +586,8 @@ IM_PROBES_GANGLIA_FILES="src/im_mad/remotes/ganglia.d/ganglia_probe"
 # Auth Manager drivers to be installed under $REMOTES_LOCATION/auth
 #-------------------------------------------------------------------------------
 
+AUTH_SERVER_FILES="src/authm_mad/remotes/server/authenticate"
+
 AUTH_X509_FILES="src/authm_mad/remotes/x509/authenticate"
 
 AUTH_SSH_FILES="src/authm_mad/remotes/ssh/authenticate"

From 606ff23435d99a76ed10e98a1b9be98a68163363 Mon Sep 17 00:00:00 2001
From: "Ruben S. Montero" <rubensm@dacya.ucm.es>
Date: Thu, 25 Aug 2011 18:10:38 +0200
Subject: [PATCH 38/63] feature #754: Update authenticate to make use of new
 x509 auth class

---
 src/authm_mad/remotes/x509/authenticate | 16 +++++++++++-----
 1 file changed, 11 insertions(+), 5 deletions(-)

diff --git a/src/authm_mad/remotes/x509/authenticate b/src/authm_mad/remotes/x509/authenticate
index 735e2d8ba6..bd593ee9a4 100755
--- a/src/authm_mad/remotes/x509/authenticate
+++ b/src/authm_mad/remotes/x509/authenticate
@@ -37,14 +37,20 @@ secret = ARGV[2] # Base64 encoded text and certificate chain text:cert_0:cert_1:
 
 #OpenNebula.log_debug("Authenticating #{user}, with password #{pass} (#{secret})")
 
-#TODO Check errors in these operations
+begin
+    dsecret = Base64::decode64(secret)
+    asecret = dsecret.split(':')
 
-dsecret = Base64::decode64(secret)
-certs_pem = dsecret.split(':')
+    token = asecret[0]
+    certs = asecret[1..-1]
 
-x509_auth   = X509Auth.new(:cert=>cert)
+    x509_auth = X509Auth.new(:certs_pem=>certs)
 
-rc = x509_auth.authenticate(user, pass,proxy)
+    rc = x509_auth.authenticate(user, pass, token)
+rescue => e
+    OpenNebula.error_message e.message
+    exit -1
+end
 
 if rc == true
     exit 0

From 23a9743910ef47c342b7f3bde1d1120908b37b4d Mon Sep 17 00:00:00 2001
From: "Ruben S. Montero" <rubensm@dacya.ucm.es>
Date: Thu, 25 Aug 2011 18:20:00 +0200
Subject: [PATCH 39/63] feature #754: Removed unneeded files

---
 src/authm_mad/auth_mad                        |   1 -
 src/authm_mad/one_usage.rb                    |  90 --------
 src/authm_mad/oneauth                         | 167 --------------
 src/authm_mad/remotes/x509_proxy/authenticate |  56 -----
 .../remotes/x509_proxy/x509_proxy_auth.rb     | 214 ------------------
 src/authm_mad/simple_permissions.rb           | 112 ---------
 6 files changed, 640 deletions(-)
 delete mode 100644 src/authm_mad/auth_mad
 delete mode 100644 src/authm_mad/one_usage.rb
 delete mode 100755 src/authm_mad/oneauth
 delete mode 100755 src/authm_mad/remotes/x509_proxy/authenticate
 delete mode 100644 src/authm_mad/remotes/x509_proxy/x509_proxy_auth.rb
 delete mode 100644 src/authm_mad/simple_permissions.rb

diff --git a/src/authm_mad/auth_mad b/src/authm_mad/auth_mad
deleted file mode 100644
index 8b13789179..0000000000
--- a/src/authm_mad/auth_mad
+++ /dev/null
@@ -1 +0,0 @@
-
diff --git a/src/authm_mad/one_usage.rb b/src/authm_mad/one_usage.rb
deleted file mode 100644
index 63938aba87..0000000000
--- a/src/authm_mad/one_usage.rb
+++ /dev/null
@@ -1,90 +0,0 @@
-# -------------------------------------------------------------------------- #
-# Copyright 2002-2011, OpenNebula Project Leads (OpenNebula.org)             #
-#                                                                            #
-# Licensed under the Apache License, Version 2.0 (the "License"); you may    #
-# not use this file except in compliance with the License. You may obtain    #
-# a copy of the License at                                                   #
-#                                                                            #
-# http://www.apache.org/licenses/LICENSE-2.0                                 #
-#                                                                            #
-# Unless required by applicable law or agreed to in writing, software        #
-# distributed under the License is distributed on an "AS IS" BASIS,          #
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.   #
-# See the License for the specific language governing permissions and        #
-# limitations under the License.                                             #
-#--------------------------------------------------------------------------- #
-
-require 'OpenNebula'
-
-# This class holds usage information for a virtual machine or
-# total usage for a user. Variables inside are cpu and memory
-# consumption
-class VmUsage
-    attr_accessor :cpu, :memory, :num_vms
-    def initialize(cpu, memory, num_vms=0)
-        @cpu=cpu
-        @memory=memory
-        @num_vms=num_vms
-    end
-end
-
-# This class retrieves and caches vms and its consuption grouped
-# by users. 'update_user' method should be called to fill data for
-# a user before any calculation is made
-class OneUsage
-    # 'client' is an OpenNebula::Client object used to connect
-    # to OpenNebula daemon. Ideally it should connect as user 0
-    def initialize(client)
-        @client=client
-        @users=Hash.new
-    end
-    
-    # Gets information about VMs defined for a user. It caches new
-    # VMs and takes out from the cache deleted VMs
-    def update_user(user)
-        @users[user]=Hash.new if !@users[user]
-        
-        vmpool=OpenNebula::VirtualMachinePool.new(@client, user)
-        vmpool.info
-        
-        one_ids=vmpool.map {|vm| vm.id }
-        vms=@users[user]
-        user_ids=vms.keys
-        
-        deleted_vms=user_ids-one_ids
-        added_vms=one_ids-user_ids
-        
-        deleted_vms.each {|vmid| vms.delete(vmid) }
-        
-        added_vms.each do |vmid|
-            vm=OpenNebula::VirtualMachine.new(
-                OpenNebula::VirtualMachine.build_xml(vmid), @client)
-            vm.info
-            
-            usage=VmUsage.new(vm['TEMPLATE/CPU'].to_f,
-                vm['TEMPLATE/MEMORY'].to_i)
-            vms[vmid.to_i]=usage
-        end
-    end
-    
-    # Returns the cache of defined VMs for a user. It is a hash with
-    # VM id as key and VmUsage as value
-    def vms(user)
-        vms=@users[user]
-        @users[user]=vms=Hash.new if !vms
-        vms
-    end
-    
-    # Returns total consumption by a user into a VmUsage object
-    def total(user)
-        usage=VmUsage.new(0.0, 0, 0)
-        
-        @users[user].each do |id, vm|
-            usage.cpu+=vm.cpu
-            usage.memory+=vm.memory
-            usage.num_vms+=1
-        end if @users[user]
-        
-        usage
-    end
-end
diff --git a/src/authm_mad/oneauth b/src/authm_mad/oneauth
deleted file mode 100755
index ad3ef2f175..0000000000
--- a/src/authm_mad/oneauth
+++ /dev/null
@@ -1,167 +0,0 @@
-#!/usr/bin/env ruby
-
-# -------------------------------------------------------------------------- #
-# Copyright 2002-2011, OpenNebula Project Leads (OpenNebula.org)             #
-#                                                                            #
-# Licensed under the Apache License, Version 2.0 (the "License"); you may    #
-# not use this file except in compliance with the License. You may obtain    #
-# a copy of the License at                                                   #
-#                                                                            #
-# http://www.apache.org/licenses/LICENSE-2.0                                 #
-#                                                                            #
-# Unless required by applicable law or agreed to in writing, software        #
-# distributed under the License is distributed on an "AS IS" BASIS,          #
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.   #
-# See the License for the specific language governing permissions and        #
-# limitations under the License.                                             #
-#--------------------------------------------------------------------------- #
-
-ONE_LOCATION=ENV["ONE_LOCATION"]
-
-if !ONE_LOCATION
-    RUBY_LIB_LOCATION="/usr/lib/one/ruby"
-    ETC_LOCATION="/etc/one/"
-    VAR_LOCATION="/var/lib/one"
-else
-    RUBY_LIB_LOCATION=ONE_LOCATION+"/lib/ruby"
-    ETC_LOCATION=ONE_LOCATION+"/etc/"
-    VAR_LOCATION="#{ONE_LOCATION}/var"
-end
-
-$: << RUBY_LIB_LOCATION
-$: << RUBY_LIB_LOCATION+'/cli'
-
-require 'OpenNebula'
-
-require 'rubygems'
-require 'sequel'
-require 'ssh_auth'
-require 'x509_auth'
-require 'yaml'
-
-require 'command_parser'
-require 'one_helper'
-
-cmd=CommandParser::CmdParser.new(ARGV) do
-    usage "oneauth COMMAND [args..]"
-
-    description "This command contains a set of utilities to " <<
-                "manage authorization module."
-
-    set :option, CommandParser::OPTIONS
-
-    set :format, :userid, OpenNebulaHelper.name_to_id_desc("USER") do |arg|
-        OpenNebulaHelper.name_to_id(arg, "USER")
-    end
-
-    # Helpers
-    def get_database
-        config_data=File.read(ETC_LOCATION+'/auth/auth.conf')
-        config=YAML::load(config_data)
-
-        database_url=config[:database]
-        db=Sequel.connect(database_url)
-    end
-
-    def add_quota(uid, cpu, memory, num_vms=nil)
-        db=get_database
-        quota=Quota.new(db, OpenNebula::Client.new)
-        quota.set(uid.to_i, cpu.to_f, memory.to_i, num_vms)
-    end
-
-    # Commands
-    quotaset_desc = <<-EOT.unindent
-        Sets CPU, MEMORY and NUM_VMs quota for a given user
-    EOT
-
-    command 'quota-set', quotaset_desc , :userid, :cpu, :memory, :num_vms do
-        Dir.chdir VAR_LOCATION
-        begin
-            add_quota(*args[1..4])
-        rescue Exception => e
-            exit_with_code -1, "Error starting server: #{e}"
-        end
-        exit_with_code 0
-    end
-
-    login_desc = <<-EOT.unindent
-        Generates authentication proxy. The last argument specifies 
-        the expiration time in seconds
-    EOT
-
-    command 'login', login_desc, :text, :text do
-        user=args[0]
-        time=args[1]
-        pp args
-        if time
-            time=time.to_i
-        else
-            time=3600
-        end
-
-        ssh=SshAuth.new
-        ssh.login(user, time)
-        exit_with_code 0
-    end
-    
-    loginx509_desc = <<-EOT.unindent
-        Generates an X509-based authenication proxy based on a user certificate.
-        oneauth x509_login <username> [<lifetime in seconds>] [<cert or proxy path>] [<key path>]
-    EOT
-
-    command 'loginx509', loginx509_desc, :text, :text, :text, :text do
-        user = args[0]
-	time = Integer(args[1]) rescue false
-	certpath = args[2]
-        keypath  = args[3]
-        	
-	# Set default arguments
-	if !time
-            time=0
-	    certpath = args[1]
-            keypath  = args[2]         
-        end
-
-        if !certpath
-            certpath=ENV["X509_PROXY_CERT"]
-        end
-	    
-	if !certpath
-            certpath='/tmp/x509up_u' + Process.uid.to_s
-        end
-	
-        if !keypath
-	    keypath=certpath
-	end
-	
-	if !keypath
-	    exit_with_code 1
-	end	
-	
-        # Read in the certificates
-        if @options[:certpath] && File.readable?(@options[:certpath])
-            certs_in = File.read(@options[:certpath])
-            certs_pem = certs_in.scan(/-+BEGIN CERTIFICATE-+\n([^-]*)\n-+END CERTIFICATE-+/)
-            certs_pem.flatten!                        
-        end
-	
-	# Read in the key
-        if @options[:keypath] && File.readable?(@options[:keypath])
-            key_in = File.read(@options[:keypath])
-	    rc = key_in.match(/-+BEGIN RSA PRIVATE KEY-+\n([^-]*)\n-+END RSA PRIVATE KEY-+/)
-	    key_pem  = rc[0]
-	end
-
-        # Invoke the login method
-        auth = X509Auth.new(:certs_pem=>certs_pem,:key_pem=>key_pem)
-        auth.login(user, time)
-
-        exit_with_code 0
-    end
-
-    command 'key', 'Gets public key' do
-        ssh=SshAuth.new
-        puts ssh.public_key
-        exit_with_code 0
-    end
-end
diff --git a/src/authm_mad/remotes/x509_proxy/authenticate b/src/authm_mad/remotes/x509_proxy/authenticate
deleted file mode 100755
index 747d800d08..0000000000
--- a/src/authm_mad/remotes/x509_proxy/authenticate
+++ /dev/null
@@ -1,56 +0,0 @@
-#!/usr/bin/env ruby
-# -------------------------------------------------------------------------- #
-# Copyright 2002-2011, OpenNebula Project Leads (OpenNebula.org)             #
-#                                                                            #
-# Licensed under the Apache License, Version 2.0 (the "License"); you may    #
-# not use this file except in compliance with the License. You may obtain    #
-# a copy of the License at                                                   #
-#                                                                            #
-# http://www.apache.org/licenses/LICENSE-2.0                                 #
-#                                                                            #
-# Unless required by applicable law or agreed to in writing, software        #
-# distributed under the License is distributed on an "AS IS" BASIS,          #
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.   #
-# See the License for the specific language governing permissions and        #
-# limitations under the License.                                             #
-#--------------------------------------------------------------------------- #
-
-ONE_LOCATION=ENV["ONE_LOCATION"]
-
-if !ONE_LOCATION
-    RUBY_LIB_LOCATION="/usr/lib/one/ruby"
-    ETC_LOCATION="/etc/one/"
-else
-    RUBY_LIB_LOCATION=ONE_LOCATION+"/lib/ruby"
-    ETC_LOCATION=ONE_LOCATION+"/etc/"
-end
-
-$: << RUBY_LIB_LOCATION
-
-require 'x509_proxy_auth'
-require 'scripts_common'
-
-user   = ARGV[0] # username as registered in OpenNebula
-pass   = ARGV[1] # DN registered for this user
-secret = ARGV[2] # Base64 string in the form token:proxy_cert:user_cert
-
-#OpenNebula.log_debug("Authenticating #{user}, with password #{pass} (#{secret})")
-
-#TODO Check errors in these operations
-
-dsecret = Base64::decode64(secret)
-token, pcert, ucert = dsecret.split(':')
-
-auth = X509ProxyAuth.new(:proxy      => nil,
-                         :proxy_cert => pcert,
-                         :user_cert  => ucert,
-                         :ca_dir     => nil)
-
-rc   = auth.authenticate(user, pass, token)
-
-if rc == true
-    exit 0
-else
-    OpenNebula.error_message rc 
-    exit -1
-end
diff --git a/src/authm_mad/remotes/x509_proxy/x509_proxy_auth.rb b/src/authm_mad/remotes/x509_proxy/x509_proxy_auth.rb
deleted file mode 100644
index 2ed8b386b4..0000000000
--- a/src/authm_mad/remotes/x509_proxy/x509_proxy_auth.rb
+++ /dev/null
@@ -1,214 +0,0 @@
-# -------------------------------------------------------------------------- #
-# Copyright 2002-2011, OpenNebula Project Leads (OpenNebula.org)             #
-#                                                                            #
-# Licensed under the Apache License, Version 2.0 (the "License"); you may    #
-# not use this file except in compliance with the License. You may obtain    #
-# a copy of the License at                                                   #
-#                                                                            #
-# http://www.apache.org/licenses/LICENSE-2.0                                 #
-#                                                                            #
-# Unless required by applicable law or agreed to in writing, software        #
-# distributed under the License is distributed on an "AS IS" BASIS,          #
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.   #
-# See the License for the specific language governing permissions and        #
-# limitations under the License.                                             #
-#--------------------------------------------------------------------------- #
-
-require 'openssl'
-require 'base64'
-require 'fileutils'
-
-# Authentication class based on x509 proxy certificate.
-class X509ProxyAuth
-    PROXY_PATH = ENV['HOME']+'/.one/one_x509_proxy'
-
-    # Initialize x509ProxyAuth object
-    #
-    # @param [Hash] default options for path
-    # @option options [String] :proxy ($X509_PROXY_CERT)
-    #         proxy cert for the user
-    # @option options [String] :proxy_cert (nil)
-    #         public cert of a user proxy
-    # @option options [String] :user_cert (nil)
-    #         user cert, used to generate the proxy
-    # @option options [String] :ca_dir (/etc/grid-security/certificates)
-    #         trusted CA directory. If nil it will not be used to verify
-    #         certificates
-    def initialize(options={})
-        @options={
-            :proxy      => ENV['X509_PROXY_CERT']
-            :proxy_cert => nil,
-            :user_cert  => nil,
-            :ca_dir     => "/etc/grid-security/certificates",
-        }.merge!(options)
-
-        proxy_cert_txt = @options[:proxy_cert]
-        user_cert_txt  = @options[:user_cert]
-
-        #Read certificates from a grid proxy file
-        if @options[:proxy] && File.readable?(@options[:proxy])
-            proxy = File.read(@options[:proxy])
-
-            rc = proxy.scan(/-+BEGIN CERTIFICATE-+\n([^-]*)\n-+END CERTIFICATE-+/)
-            rc.flatten!
-
-            proxy_cert_txt = rc[0]
-            user_cert_txt  = rc[1]
-
-            rc = proxy.match(/-+BEGIN RSA PRIVATE KEY-+\n([^-]*)\n-+END RSA PRIVATE KEY-+/)
-
-            proxy_key_txt  = rc[1]
-        end
-
-        if !proxy_cert_txt || !user_cert_txt
-            raise "Can not get user or proxy certificates"
-        end
-
-        @proxy_cert = OpenSSL::X509::Certificate.new(proxy_cert_txt)
-        @user_cert  = OpenSSL::X509::Certificate.new(user_cert_txt)
-        @dn         = @user_cert.subject.to_s
-
-        if proxy_ket_txt
-            @poxy_key = OpenSSL::PKey::RSA.new(proxy_key_txt)
-        end
-
-        # Load configuration file
-        #@auth_conf_path  = ETC_LOCATION+'/auth/auth.conf'
-
-        #if File.readable?(@auth_conf_path)
-        #     config = File.read(@auth_conf_path)
-        #     config = YAML::load(config_data)
-
-        #    @options.merge!(config)
-        #end
-    end
-
-    ###########################################################################
-    # Client side
-    ###########################################################################
-
-    # Creates the login file for x509 authentication at ~/.one/one_x509_proxy.
-    def login(user)
-        # Init proxy file path and creates ~/.one directory if needed
-        # Set instance variables
-        proxy_dir=File.dirname(PROXY_PATH)
-
-        begin
-            FileUtils.mkdir_p(proxy_dir)
-        rescue Errno::EEXIST
-        end
-
-        #Generate token for authentication
-        text_to_sign = "#{user}:#{@dn}"
-        signed_text  = encrypt(text_to_sign)
-
-	    token   = "#{signed_text}:#{@proxy_cert.to_pem}:#{@user_cert.to_pem}"
-	    token64 = Base64::encode64(token).strip.delete!("\n")
-
-        proxy="#{user}:grid:#{token64}"
-
-        file = File.open(PROXY_PATH, "w")
-
-        file.write(proxy)
-
-        file.close
-
-        # Help string
-        puts "export ONE_AUTH=#{ENV['HOME']}/.one/one_x509_proxy"
-
-        token64
-    end
-
-    ###########################################################################
-    # Server side
-    ###########################################################################
-
-    # auth method for auth_mad
-    def authenticate(user, pass, token)
-        begin
-            validate_chain
-
-            plain = decrypt(token)
-
-            _user, subject = plain.split(':')
-
-            if (user != _user)
-                return "User name missmatch"
-            elsif ((subject != @dn) || (subject != pass))
-                return "Certificate subject missmatch"
-            end
-
-            return true
-        rescue => e
-            return e.message
-        end
-
-private
-    ###########################################################################
-    #                       Methods to encrpyt/decrypt keys
-    ###########################################################################
-    # Encrypts data with the private key of the user and returns
-    # base 64 encoded output in a single line
-    def encrypt(data)
-        return nil if !@proxy_key
-        Base64::encode64(@proxy_key.private_encrypt(data)).delete!("\n").strip
-    end
-
-    # Decrypts base 64 encoded data with pub_key (public key)
-    def decrypt(data)
-        @proxy_cert.public_key.public_decrypt(Base64::decode64(data))
-    end
-
-    ###########################################################################
-    # Validates the certificate chain
-    ###########################################################################
-    def validate_chain
- 	    now    = Time.now
-        failed = "Could not validate user credentials: "
-
-        # Check start time and end time of proxy
-        if @proxy_cert.not_before > now || @proxy_cert.not_after < now
-            raise failed +  "Certificate not valid. Current time is " +
-                  now.localtime.to_s + "."
-        end
-
-	    # Check that the issuer of the proxy is the same user as in the user certificate
-        if @proxy_cert.issuer.to_s != @user_cert.subject.to_s
-            raise failed + "Proxy with issuer " + @proxy_cert.issuer.to_s +
-                  " does not match user " + @dn
-        end
-
-    	# Check that the user signed the proxy
-        if !@proxy_cert.verify(@user_cert.public_key)
-            raise "Proxy with subject " + @proxy_cert.subject.to_s +
-                  " was not verified by " + @dn + "."
-        end
-
- 	    # Check the rest of the certificate chain if specified
-        if !@options[:ca_dir]
-            return
-        end
-
-        begin
-            signee = @user_cert
-
-            begin
-                ca_hash = signee.issuer.hash.to_s(16)
-                ca_path = @options[:ca_dir] + '/' + ca_hash + '.0'
-
-                ca_cert = OpenSSL::X509::Certificate.new(File.read(ca_path))
-
-                if !((signee.issuer.to_s == ca_cert.subject.to_s) &&
-                     (signee.verify(ca_cert.public_key)))
-                    raise  failed + signee.subject.to_s + " with issuer " +
-                           signee.issuer.to_s + " was not verified by " +
-                           ca.subject.to_s + "."
-                end
-
-                signee = ca_cert
-            end while ca_cert.subject.to_s != ca_cert.issuer.to_s
-        rescue
-            raise
-        end
-    end
-end
diff --git a/src/authm_mad/simple_permissions.rb b/src/authm_mad/simple_permissions.rb
deleted file mode 100644
index 084073b6c5..0000000000
--- a/src/authm_mad/simple_permissions.rb
+++ /dev/null
@@ -1,112 +0,0 @@
-# -------------------------------------------------------------------------- #
-# Copyright 2002-2011, OpenNebula Project Leads (OpenNebula.org)             #
-#                                                                            #
-# Licensed under the Apache License, Version 2.0 (the "License"); you may    #
-# not use this file except in compliance with the License. You may obtain    #
-# a copy of the License at                                                   #
-#                                                                            #
-# http://www.apache.org/licenses/LICENSE-2.0                                 #
-#                                                                            #
-# Unless required by applicable law or agreed to in writing, software        #
-# distributed under the License is distributed on an "AS IS" BASIS,          #
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.   #
-# See the License for the specific language governing permissions and        #
-# limitations under the License.                                             #
-#--------------------------------------------------------------------------- #
-
-require 'quota'
-require 'base64'
-
-class SimplePermissions
-    
-    def initialize(database, client, conf={})
-        @quota=Quota.new(database, client, conf[:quota] || {})
-        @quota_enabled=conf[:quota][:enabled]
-    end
-    
-    # Returns message if result is false, true otherwise
-    def auth_message(result, message)
-        result ? true : message
-    end
-    
-    # Extracts cpu and memory resources from the VM template sent in
-    # authorization message
-    def get_vm_usage(data)
-        vm_xml=Base64::decode64(data)
-        vm=OpenNebula::VirtualMachine.new(
-            OpenNebula::XMLElement.build_xml(vm_xml, 'TEMPLATE'),
-            OpenNebula::Client.new)
-        
-        # Should set more sensible defaults or get driver configuration
-        cpu=vm['CPU']
-        cpu||=1.0
-        cpu=cpu.to_f
-        
-        memory=vm['MEMORY']
-        memory||=64
-        memory=memory.to_f
-        
-        VmUsage.new(cpu, memory)
-    end
-
-    # Checks if the quota is enabled, and if it is not exceeded
-    def check_quota_enabled(uid, object, id, auth_result)
-        if @quota_enabled and object=='VM' and auth_result
-            STDERR.puts 'quota enabled'
-            @quota.update(uid.to_i)
-            if message=@quota.check(uid.to_i, get_vm_usage(id))
-                auth_result=message
-            end
-        end
-
-        return auth_result
-    end
-
-    # Method called by authorization driver
-    def auth(uid, tokens)
-        result=true
-        
-        tokens.each do |token|
-            object, id, action, owner, pub=token.split(':')
-            result=auth_object(uid.to_s, object, id, action, owner, pub)
-            break result if result!=true
-        end
-        
-        result
-    end
-    
-    # Authorizes each of the tokens. All parameters are strings. Pub
-    # means public when "1" and private when "0"
-    def auth_object(uid, object, id, action, owner, pub)
-        return true if uid=='0'
-        
-        auth_result=false
-        
-        case action
-        when 'CREATE'
-            auth_result=true if %w{VM NET IMAGE TEMPLATE}.include? object
-            auth_result = check_quota_enabled(uid, object, id, auth_result)
-
-        when 'INSTANTIATE'
-            auth_result = true if %w{VM}.include? object
-            auth_result = check_quota_enabled(uid, object, id, auth_result)
-
-        when 'DELETE'
-            auth_result = (owner == uid)
-            
-        when 'USE'
-            if %w{VM NET IMAGE TEMPLATE}.include? object
-                auth_result = ((owner == uid) | (pub=='1'))
-            elsif object == 'HOST'
-                auth_result=true
-            end
-            
-        when 'MANAGE'
-            auth_result = (owner == uid)
-            
-        when 'INFO'
-        end
-        
-        return auth_result
-    end
-end

From 986dcbbf283119259592e1c6a63b9d6dcbea59cc Mon Sep 17 00:00:00 2001
From: "Ruben S. Montero" <rubensm@dacya.ucm.es>
Date: Thu, 25 Aug 2011 23:48:54 +0200
Subject: [PATCH 40/63] feature #754: Better names for varibles.

---
 src/authm_mad/remotes/server/server_auth.rb | 15 +++++++--------
 1 file changed, 7 insertions(+), 8 deletions(-)

diff --git a/src/authm_mad/remotes/server/server_auth.rb b/src/authm_mad/remotes/server/server_auth.rb
index 91cc5c4b61..0f699bef2d 100644
--- a/src/authm_mad/remotes/server/server_auth.rb
+++ b/src/authm_mad/remotes/server/server_auth.rb
@@ -79,14 +79,13 @@ class ServerAuth < X509Auth
     end
 
     # Generates a login token in the form:
-    # user_name:x509:user_name:time_expires:cert_chain
-    #   - user_name:time_expires is encrypted with the user certificate
-    #   - user_name:time_expires:cert_chain is base64 encoded
-    def login_token(user, user_dn, expire)
+    # user_name:server:user_name:user_pass:time_expires
+    #   - user_name:user_pass:time_expires is encrypted with the server certificate
+    def login_token(user, user_pass, expire)
 
         expires = Time.now.to_i+expire
         
-        token_txt = "#{user}:#{user_dn}:#{expires}"
+        token_txt = "#{user}:#{user_pass}:#{expires}"
 
         token     = encrypt(token_txt)
 	    token64   = Base64::encode64(token).strip.delete("\n")
@@ -103,15 +102,15 @@ class ServerAuth < X509Auth
     def authenticate(user, pass, signed_text)
         begin            
 	        # Decryption demonstrates that the user posessed the private key.
-            _user, user_dn, expires = decrypt(signed_text).split(':')
+            _user, user_pass, expires = decrypt(signed_text).split(':')
 
             return "User name missmatch" if user != _user
 
             return "login token expired" if Time.now.to_i >= expires.to_i
 
             # Check an explicitly-specified DN such as for a host-signed login 
-            if !pass.split('|').include?(cert.subject.to_s.delete("\s"))
-	            return "Certificate subject missmatch"
+            if !pass.split('|').include?(user_pass)
+	            return "User password missmatch"
             end
 
 	        validate

From 3531a0f5eb0e348e8235cde091ec49e9ccbfb26a Mon Sep 17 00:00:00 2001
From: "Ruben S. Montero" <rubensm@dacya.ucm.es>
Date: Thu, 25 Aug 2011 23:49:14 +0200
Subject: [PATCH 41/63] feature #754: Authenticate file for server auth

---
 src/authm_mad/remotes/server/authenticate | 54 +++++++++++++++++++++++
 1 file changed, 54 insertions(+)
 create mode 100755 src/authm_mad/remotes/server/authenticate

diff --git a/src/authm_mad/remotes/server/authenticate b/src/authm_mad/remotes/server/authenticate
new file mode 100755
index 0000000000..5cb282c1d8
--- /dev/null
+++ b/src/authm_mad/remotes/server/authenticate
@@ -0,0 +1,54 @@
+#!/usr/bin/env ruby
+
+# -------------------------------------------------------------------------- #
+# Copyright 2002-2011, OpenNebula Project Leads (OpenNebula.org)             #
+#                                                                            #
+# Licensed under the Apache License, Version 2.0 (the "License"); you may    #
+# not use this file except in compliance with the License. You may obtain    #
+# a copy of the License at                                                   #
+#                                                                            #
+# http://www.apache.org/licenses/LICENSE-2.0                                 #
+#                                                                            #
+# Unless required by applicable law or agreed to in writing, software        #
+# distributed under the License is distributed on an "AS IS" BASIS,          #
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.   #
+# See the License for the specific language governing permissions and        #
+# limitations under the License.                                             #
+#--------------------------------------------------------------------------- #
+
+ONE_LOCATION=ENV["ONE_LOCATION"]
+
+if !ONE_LOCATION
+    RUBY_LIB_LOCATION="/usr/lib/one/ruby"
+    ETC_LOCATION="/etc/one/"
+else
+    RUBY_LIB_LOCATION=ONE_LOCATION+"/lib/ruby"
+    ETC_LOCATION=ONE_LOCATION+"/etc/"
+end
+
+$: << RUBY_LIB_LOCATION
+
+require 'server_auth'
+require 'scripts_common'
+
+user   = ARGV[0] # username as registered in OpenNebula
+pass   = ARGV[1] # password for this user
+secret = ARGV[2] # Base64 encoded secret as obtained from login_token
+
+#OpenNebula.log_debug("Authenticating #{user}, with password #{pass} (#{secret})")
+
+begin
+    server_auth = ServerAuth.new
+
+    rc = server_auth.authenticate(user, pass, secret)
+rescue => e
+    OpenNebula.error_message e.message
+    exit -1
+end
+
+if rc == true
+    exit 0
+else
+    OpenNebula.error_message rc 
+    exit -1
+end

From 5d45fc93918b81cfce33cfa3ad922bb57b62a5bf Mon Sep 17 00:00:00 2001
From: "Ruben S. Montero" <rubensm@dacya.ucm.es>
Date: Fri, 26 Aug 2011 00:02:32 +0200
Subject: [PATCH 42/63] feature #754: fix install bugs

---
 install.sh | 8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)

diff --git a/install.sh b/install.sh
index 64584dc5eb..9bde8267e5 100755
--- a/install.sh
+++ b/install.sh
@@ -466,8 +466,7 @@ BIN_FILES="src/nebula/oned \
            src/cli/onetemplate \
            src/cli/oneacl \
            src/onedb/onedb \
-           share/scripts/one \
-           src/authm_mad/oneauth"
+           share/scripts/one"
 
 #-------------------------------------------------------------------------------
 # C/C++ OpenNebula API Library & Development files
@@ -490,7 +489,7 @@ RUBY_LIB_FILES="src/mad/ruby/ActionManager.rb \
                 src/oca/ruby/OpenNebula.rb \
                 src/tm_mad/TMScript.rb \
                 src/authm_mad/remotes/ssh/ssh_auth.rb \
-                src/authm_mad/remotes/server/server_auth.rb"
+                src/authm_mad/remotes/server/server_auth.rb \
                 src/authm_mad/remotes/x509/x509_auth.rb"
 
 #-----------------------------------------------------------------------------
@@ -707,8 +706,7 @@ HM_ETC_FILES="src/hm_mad/hmrc"
 # Hook Manager driver config. files, to be installed under $ETC_LOCATION/hm
 #-------------------------------------------------------------------------------
 
-AUTH_ETC_FILES="src/authm_mad/auth_mad \
-                src/authm_mad/auth.conf"
+AUTH_ETC_FILES="src/authm_mad/auth.conf"
 
 #-------------------------------------------------------------------------------
 # Sample files, to be installed under $SHARE_LOCATION/examples

From 304a888415c7cd7f0dcee49421bbdf28e273bd01 Mon Sep 17 00:00:00 2001
From: "Ruben S. Montero" <rubensm@dacya.ucm.es>
Date: Fri, 26 Aug 2011 00:37:06 +0200
Subject: [PATCH 43/63] feature #754: Fixing bugs...

---
 src/authm_mad/remotes/x509/x509_auth.rb | 11 ++++++++---
 src/cli/one_helper/oneuser_helper.rb    |  3 ++-
 src/cli/oneuser                         |  3 ++-
 3 files changed, 12 insertions(+), 5 deletions(-)

diff --git a/src/authm_mad/remotes/x509/x509_auth.rb b/src/authm_mad/remotes/x509/x509_auth.rb
index 5a12f6a3ba..43ffce6127 100644
--- a/src/authm_mad/remotes/x509/x509_auth.rb
+++ b/src/authm_mad/remotes/x509/x509_auth.rb
@@ -40,11 +40,11 @@ class X509Auth
             :ca_dir    => nil
         }.merge!(options)
 
-        @cert_chain = certs_pem.collect do |cert_pem|
+        @cert_chain = @options[:certs_pem].collect do |cert_pem|
             OpenSSL::X509::Certificate.new(cert_pem)
         end
 
-        if key_pem
+        if @options[:key_pem]
             @key  = OpenSSL::PKey::RSA.new(key_pem)
         end            
     end
@@ -57,7 +57,12 @@ class X509Auth
     # By default it is valid as long as the certificate is valid. It can 
     # be change to any number of seconds with expire parameter (sec.)
     def login(user, expire=0)
-        write_login(login_token(user,expire)
+        write_login(login_token(user,expire))
+    end
+
+    # Returns the dn of the user certificate
+    def dn
+        @cert_chain[0].subject.to_s
     end
 
     # Generates a login token in the form:
diff --git a/src/cli/one_helper/oneuser_helper.rb b/src/cli/one_helper/oneuser_helper.rb
index c0033c8e9f..999755ec98 100644
--- a/src/cli/one_helper/oneuser_helper.rb
+++ b/src/cli/one_helper/oneuser_helper.rb
@@ -66,7 +66,8 @@ class OneUserHelper < OpenNebulaHelper::OneHelper
             options[:cert] ||= ENV['X509_USER_CERT']
 
             begin
-                x509auth = X509Auth.new(:cert=>options[:cert])
+                cert     = [File.read(options[:cert])]
+                x509auth = X509Auth.new(:certs_pem=>cert)
             rescue Exception => e
                 return -1, e.message
             end
diff --git a/src/cli/oneuser b/src/cli/oneuser
index 4beb1bb7a2..2394319ae8 100755
--- a/src/cli/oneuser
+++ b/src/cli/oneuser
@@ -87,6 +87,7 @@ cmd=CommandParser::CmdParser.new(ARGV) do
 
     CERT={
         :name => "cert",
+        :short => "-c path_to_user_cert_pem",
         :large => "--cert path_to_user_cert_pem",
         :format => String,
         :description => "Path to the Certificate of the User"
@@ -143,7 +144,7 @@ cmd=CommandParser::CmdParser.new(ARGV) do
 
     command :create, create_desc, :username, [:password, nil],
             :options=>create_options do
-        if args[1].nil?
+        if options[:ssh] or options[:x509]
             rc = helper.password(options)
             if rc.first == 0
                 pass = rc[1]

From 2534cea8ae4d80f1f74efe896cdc06121ceabddd Mon Sep 17 00:00:00 2001
From: "Ruben S. Montero" <rubensm@dacya.ucm.es>
Date: Fri, 26 Aug 2011 00:45:46 +0200
Subject: [PATCH 44/63] feature #754: Fixing bugs. login and create users based
 on x509 works

---
 src/authm_mad/remotes/ssh/ssh_auth.rb   |  6 +++---
 src/authm_mad/remotes/x509/x509_auth.rb |  4 ++--
 src/cli/one_helper/oneuser_helper.rb    | 10 ++++------
 src/cli/oneuser                         |  2 +-
 4 files changed, 10 insertions(+), 12 deletions(-)

diff --git a/src/authm_mad/remotes/ssh/ssh_auth.rb b/src/authm_mad/remotes/ssh/ssh_auth.rb
index a0d2915be9..c26f50da9c 100644
--- a/src/authm_mad/remotes/ssh/ssh_auth.rb
+++ b/src/authm_mad/remotes/ssh/ssh_auth.rb
@@ -24,7 +24,7 @@ require 'fileutils'
 # as auth method is defined. It also holds some helper methods to be used
 # by oneauth command
 class SshAuth
-    PROXY_PATH = ENV['HOME']+'/.one/one_ssh'
+    LOGIN_PATH = ENV['HOME']+'/.one/one_ssh'
 
     attr_reader :public_key
 
@@ -69,7 +69,7 @@ class SshAuth
         expire ||= 3600
 
         # Init proxy file path and creates ~/.one directory if needed
-        proxy_dir = File.dirname(PROXY_PATH)
+        proxy_dir = File.dirname(LOGIN_PATH)
 
         begin
             FileUtils.mkdir_p(proxy_dir)
@@ -84,7 +84,7 @@ class SshAuth
 
         proxy = "#{user}:ssh:#{secret_crypted}"
 
-        file = File.open(PROXY_PATH, "w")
+        file = File.open(LOGIN_PATH, "w")
         file.write(proxy)
         file.close
 
diff --git a/src/authm_mad/remotes/x509/x509_auth.rb b/src/authm_mad/remotes/x509/x509_auth.rb
index 43ffce6127..4fba744a26 100644
--- a/src/authm_mad/remotes/x509/x509_auth.rb
+++ b/src/authm_mad/remotes/x509/x509_auth.rb
@@ -45,7 +45,7 @@ class X509Auth
         end
 
         if @options[:key_pem]
-            @key  = OpenSSL::PKey::RSA.new(key_pem)
+            @key  = OpenSSL::PKey::RSA.new(@options[:key_pem])
         end            
     end
 
@@ -71,7 +71,7 @@ class X509Auth
     #   - user_name:time_expires:cert_chain is base64 encoded
     def login_token(user, expire)
         if expire != 0
-            expires = Time.now.to_i+expire
+            expires = Time.now.to_i + expire.to_i
 	    else
 	        expires = @cert_chain[0].not_after.to_i
 	    end
diff --git a/src/cli/one_helper/oneuser_helper.rb b/src/cli/one_helper/oneuser_helper.rb
index 999755ec98..878abd442d 100644
--- a/src/cli/one_helper/oneuser_helper.rb
+++ b/src/cli/one_helper/oneuser_helper.rb
@@ -96,12 +96,10 @@ class OneUserHelper < OpenNebulaHelper::OneHelper
             options[:key]  ||= ENV['X509_USER_KEY']
 
             begin
-                certs    = Array.new
-                certs[0] = File.read(options[:cert])
-                
-                key = File.read(options[:key])
+                certs = [File.read(options[:cert])]
+                key   = File.read(options[:key])
 
-                auth = X509Auth.new(:cert=>certs, :key=>key)
+                auth = X509Auth.new(:certs_pem=>certs, :key_pem=>key)
             rescue Exception => e
                 return -1, e.message
             end
@@ -130,7 +128,7 @@ class OneUserHelper < OpenNebulaHelper::OneHelper
 
         auth.login(username, options[:time])
 
-        return 0, 'export ONE_AUTH=' << auth.class::PROXY_PATH
+        return 0, 'export ONE_AUTH=' << auth.class::LOGIN_PATH
     end
 
     private
diff --git a/src/cli/oneuser b/src/cli/oneuser
index 2394319ae8..753d3bb388 100755
--- a/src/cli/oneuser
+++ b/src/cli/oneuser
@@ -171,7 +171,7 @@ cmd=CommandParser::CmdParser.new(ARGV) do
     EOT
 
     command :login, login_desc, :username, [:password, nil],
-            :options=>create_options do
+            :options=>login_options do
         helper.login(args[0], options)
     end
 

From 3409f9d6b425fe84a6fa166f10e9da6714f8049d Mon Sep 17 00:00:00 2001
From: "Ruben S. Montero" <rubensm@dacya.ucm.es>
Date: Fri, 26 Aug 2011 01:15:08 +0200
Subject: [PATCH 45/63] feature #754: Default for expiration time

---
 src/cli/one_helper/oneuser_helper.rb | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/src/cli/one_helper/oneuser_helper.rb b/src/cli/one_helper/oneuser_helper.rb
index 878abd442d..94a2ba003d 100644
--- a/src/cli/one_helper/oneuser_helper.rb
+++ b/src/cli/one_helper/oneuser_helper.rb
@@ -125,6 +125,8 @@ class OneUserHelper < OpenNebulaHelper::OneHelper
         else
             return -1, "You have to specify an Auth method"
         end
+        
+        options[:time] ||= 3600
 
         auth.login(username, options[:time])
 

From bbe32d837581cdcdae4875372675d3341582b8dc Mon Sep 17 00:00:00 2001
From: Daniel Molina <danmolin@fdi.ucm.es>
Date: Fri, 26 Aug 2011 12:17:26 +0200
Subject: [PATCH 46/63] Allow large options in the CLI without defining the
 short version

---
 src/cli/command_parser.rb | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/src/cli/command_parser.rb b/src/cli/command_parser.rb
index ef59846023..fb78759722 100755
--- a/src/cli/command_parser.rb
+++ b/src/cli/command_parser.rb
@@ -301,7 +301,13 @@ EOT
                 merge = @opts
                 merge = @opts + extra_options if extra_options
                 merge.flatten.each do |e|
-                    opts.on(e[:short],e[:large], e[:format],e[:description]) do |o|
+                    args = []
+                    args << e[:short] if e[:short]
+                    args << e[:large]
+                    args << e[:format]
+                    args << e[:description]
+
+                    opts.on(*args) do |o|
                         if e[:proc]
                             e[:proc].call(o, @options)
                         elsif e[:name]=="help"

From 48c0e0654497a0736fb76e15d8a422f68d181ee4 Mon Sep 17 00:00:00 2001
From: "Ruben S. Montero" <rubensm@dacya.ucm.es>
Date: Fri, 26 Aug 2011 16:34:17 +0200
Subject: [PATCH 47/63] feature #754: Fix bugs for server authN

---
 src/authm_mad/remotes/server/authenticate   |  3 ++-
 src/authm_mad/remotes/server/server_auth.rb | 18 ++----------------
 2 files changed, 4 insertions(+), 17 deletions(-)

diff --git a/src/authm_mad/remotes/server/authenticate b/src/authm_mad/remotes/server/authenticate
index 5cb282c1d8..20f0a2ebe8 100755
--- a/src/authm_mad/remotes/server/authenticate
+++ b/src/authm_mad/remotes/server/authenticate
@@ -39,8 +39,9 @@ secret = ARGV[2] # Base64 encoded secret as obtained from login_token
 
 begin
     server_auth = ServerAuth.new
+    dsecret     = Base64::decode64(secret)
 
-    rc = server_auth.authenticate(user, pass, secret)
+    rc = server_auth.authenticate(user, pass, dsecret)
 rescue => e
     OpenNebula.error_message e.message
     exit -1
diff --git a/src/authm_mad/remotes/server/server_auth.rb b/src/authm_mad/remotes/server/server_auth.rb
index 0f699bef2d..23bca5819c 100644
--- a/src/authm_mad/remotes/server/server_auth.rb
+++ b/src/authm_mad/remotes/server/server_auth.rb
@@ -18,18 +18,6 @@ require 'openssl'
 require 'base64'
 require 'fileutils'
 
-ONE_LOCATION=ENV["ONE_LOCATION"]
-
-if !ONE_LOCATION
-    RUBY_LIB_LOCATION="/usr/lib/one/ruby"
-    ETC_LOCATION="/etc/one/"
-else
-    RUBY_LIB_LOCATION=ONE_LOCATION+"/lib/ruby"
-    ETC_LOCATION=ONE_LOCATION+"/etc/"
-end
-
-$: << RUBY_LIB_LOCATION
-
 require 'x509_auth'
 
 # Server authentication class. This authmethod can be used by opennebula services
@@ -65,10 +53,8 @@ class ServerAuth < X509Auth
         end
         
         begin
-            certs    = Array.new
-            certs[0] = File.read(@options[:host_cert])
-
-            key = File.read(@options[:host_key])
+            certs = [ File.read(@options[:one_cert]) ]
+            key   =   File.read(@options[:one_key])
 
             super(:certs_pem => certs, 
                   :key_pem   => key,

From 1b1d4f900aecdffe0ae62233a6ad77337e58c041 Mon Sep 17 00:00:00 2001
From: "Ruben S. Montero" <rubensm@dacya.ucm.es>
Date: Fri, 26 Aug 2011 16:41:56 +0200
Subject: [PATCH 48/63] feature #754: Missing require

---
 src/authm_mad/remotes/server/server_auth.rb | 1 +
 1 file changed, 1 insertion(+)

diff --git a/src/authm_mad/remotes/server/server_auth.rb b/src/authm_mad/remotes/server/server_auth.rb
index 23bca5819c..441d2905e9 100644
--- a/src/authm_mad/remotes/server/server_auth.rb
+++ b/src/authm_mad/remotes/server/server_auth.rb
@@ -17,6 +17,7 @@
 require 'openssl'
 require 'base64'
 require 'fileutils'
+require 'yaml'
 
 require 'x509_auth'
 

From 4c9f95ad58d5e932636f807aaeeeb08f8e6e0de4 Mon Sep 17 00:00:00 2001
From: "Ruben S. Montero" <rubensm@dacya.ucm.es>
Date: Fri, 26 Aug 2011 16:51:13 +0200
Subject: [PATCH 49/63] Feature #754: Update configuration files

---
 install.sh                                    | 4 ++--
 src/authm_mad/auth.conf                       | 8 --------
 src/authm_mad/remotes/server/server_auth.conf | 8 ++++++++
 3 files changed, 10 insertions(+), 10 deletions(-)
 delete mode 100644 src/authm_mad/auth.conf
 create mode 100644 src/authm_mad/remotes/server/server_auth.conf

diff --git a/install.sh b/install.sh
index 9bde8267e5..685fbf2f20 100755
--- a/install.sh
+++ b/install.sh
@@ -703,10 +703,10 @@ TM_LVM_ETC_FILES="src/tm_mad/lvm/tm_lvm.conf \
 HM_ETC_FILES="src/hm_mad/hmrc"
 
 #-------------------------------------------------------------------------------
-# Hook Manager driver config. files, to be installed under $ETC_LOCATION/hm
+# Auth Manager drivers config. files, to be installed under $ETC_LOCATION/auth
 #-------------------------------------------------------------------------------
 
-AUTH_ETC_FILES="src/authm_mad/auth.conf"
+AUTH_ETC_FILES="src/authm_mad/remotes/server/server_auth.conf"
 
 #-------------------------------------------------------------------------------
 # Sample files, to be installed under $SHARE_LOCATION/examples
diff --git a/src/authm_mad/auth.conf b/src/authm_mad/auth.conf
deleted file mode 100644
index 8efb6a6678..0000000000
--- a/src/authm_mad/auth.conf
+++ /dev/null
@@ -1,8 +0,0 @@
-:database: sqlite://auth.db
-:authentication: simple
-:quota:
-  :enabled: false
-  :defaults:
-    :cpu: 10.0
-    :memory: 1048576
-    :num_vms: 10
\ No newline at end of file
diff --git a/src/authm_mad/remotes/server/server_auth.conf b/src/authm_mad/remotes/server/server_auth.conf
new file mode 100644
index 0000000000..2eb8e0dc92
--- /dev/null
+++ b/src/authm_mad/remotes/server/server_auth.conf
@@ -0,0 +1,8 @@
+# Path to the certificate used by the OpenNebula Services
+# Certificates must be in PEM format
+:one_cert: "/etc/one/auth/cert.pem"
+:one_key: "/etc/one/auth/pk.pem"
+
+# Path to the trusted CA directory. It should contain the trusted CA's for
+# the server, each CA certificate shoud be name CA_hash.0
+:ca_dir: 

From e38d385dc61313e4b209b985e07963cf133b597b Mon Sep 17 00:00:00 2001
From: Daniel Molina <danmolin@fdi.ucm.es>
Date: Fri, 26 Aug 2011 19:07:20 +0200
Subject: [PATCH 50/63] feature #754: Add user_id to the authorize parameters

---
 src/authm_mad/one_auth_mad.rb | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/src/authm_mad/one_auth_mad.rb b/src/authm_mad/one_auth_mad.rb
index 67bab4d7a1..c1b9d6cd06 100755
--- a/src/authm_mad/one_auth_mad.rb
+++ b/src/authm_mad/one_auth_mad.rb
@@ -44,6 +44,7 @@ class AuthDriver < OpenNebulaDriver
         :authZ => "AUTHORIZE"
     }
 
+
     # Initialize an AuthDriver
     #
     # @param [String] the authorization method to be used, nil to use the 
@@ -76,7 +77,6 @@ class AuthDriver < OpenNebulaDriver
     # @param [String] password of the user registered in OpenNebula "-" if none
     # @param [String] secret filed of the auth string
     def authN(request_id, user_id, user, password, secret)
-
         #OpenNebula.log_debug("authN: #{request_id} #{user_id} #{password} #{secret}")
 
         secret_attr = secret.split(':')
@@ -122,8 +122,8 @@ class AuthDriver < OpenNebulaDriver
 
             send_message(ACTION[:authZ],result,request_id,"-")
         else
-            command = @authZ_cmd
-            command << ' ' << requests.join(' ')
+            command = @authZ_cmd.clone
+            command << ' ' << user_id << ' ' << requests.join(' ')
             
             local_action(command, request_id, ACTION[:authZ])
         end

From c6e8767f3bdee64758200a73f12a155f39f230af Mon Sep 17 00:00:00 2001
From: Daniel Molina <danmolin@fdi.ucm.es>
Date: Fri, 26 Aug 2011 19:08:15 +0200
Subject: [PATCH 51/63] feature #754: Add quota functionality

---
 src/authm_mad/remotes/quota/authorize    | 165 ++++++-----------------
 src/authm_mad/remotes/quota/one_usage.rb | 113 ++++++++++++++++
 src/authm_mad/remotes/quota/quota.rb     | 155 +++++++++++++++++++++
 3 files changed, 311 insertions(+), 122 deletions(-)
 mode change 100644 => 100755 src/authm_mad/remotes/quota/authorize
 create mode 100644 src/authm_mad/remotes/quota/one_usage.rb
 create mode 100644 src/authm_mad/remotes/quota/quota.rb

diff --git a/src/authm_mad/remotes/quota/authorize b/src/authm_mad/remotes/quota/authorize
old mode 100644
new mode 100755
index ee6047ebbc..19c0ca02f4
--- a/src/authm_mad/remotes/quota/authorize
+++ b/src/authm_mad/remotes/quota/authorize
@@ -1,3 +1,5 @@
+#!/usr/bin/env ruby
+
 # -------------------------------------------------------------------------- #
 # Copyright 2002-2011, OpenNebula Project Leads (OpenNebula.org)             #
 #                                                                            #
@@ -14,128 +16,47 @@
 # limitations under the License.                                             #
 #--------------------------------------------------------------------------- #
 
-require 'one_usage'
+ONE_LOCATION=ENV["ONE_LOCATION"]
 
-# Quota functionality for auth driver. Stores in database limits for each
-# user and using OneUsage is able to retrieve resource usage from
-# OpenNebula daemon and check if it is below limits
-class Quota
-    attr_accessor :defaults
-    
-    TABLE_NAME=:quotas
-    
-    # 'db' is a Sequel database where to store user limits and client
-    # is OpenNebula::Client used to connect to OpenNebula daemon
-    def initialize(db, client, conf={})
-        @db=db
-        @client=client
-        @conf={
-            :defaults => {
-                :cpu => nil,
-                :memory => nil,
-                :num_vms => nil
-            }
-        }.merge(conf)
-        
-        @defaults=@conf[:defaults]
-        
-        @usage=OneUsage.new(@client)
-        
-        create_table
-        @table=@db[TABLE_NAME]
-    end
-    
-    # Creates database quota table if it does not exist
-    def create_table
-        @db.create_table?(TABLE_NAME) do
-            primary_key :id
-            Integer     :uid
-            Float       :cpu
-            Integer     :memory
-            Integer     :num_vms
-            index       :uid
-        end
-    end
-    
-    # Adds new user limits
-    def set(uid, cpu, memory, num_vms)
-        data={
-            :cpu        => cpu,
-            :memory     => memory,
-            :num_vms    => num_vms
-        }
-
-        quotas=@table.filter(:uid => uid)
-        
-        if quotas.first
-            #STDERR.puts "updating"
-            quotas.update(data)
-        else
-            #STDERR.puts "inserting"
-            @table.insert(data.merge!(:uid => uid))
-        end
-    end
-    
-    # Gets user limits
-    def get(uid)
-        limit=@table.filter(:uid => uid).first
-        if limit
-            limit
-        else
-            @defaults
-        end
-    end
-    
-    # Checks if the user is below resource limits. If new_vm is defined
-    # checks if its requirements fit in limits
-    def check(user, new_vm=nil)
-        use=@usage.total(user)
-        use_after=use.clone
-        user_quota=get(user)
-        if new_vm
-            use_after.cpu+=new_vm.cpu.to_f
-            use_after.memory+=new_vm.memory.to_i
-            use_after.num_vms+=1
-        end
-
-        STDERR.puts [user_quota, use_after, new_vm].inspect
-
-        error_message=""
-
-        if !(!user_quota[:cpu] || use_after.cpu<=user_quota[:cpu])
-            error_message<<"Cpu quota exceeded (Quota: #{user_quota[:cpu]}, "+
-                "Used: #{use.cpu}"
-            error_message<<", asked: #{new_vm.cpu.to_f}" if new_vm
-            error_message<<")."
-        end
-
-        if !(!user_quota[:memory] || use_after.memory<=user_quota[:memory])
-            error_message<<" Memory quota exceeded (Quota: "+
-                "#{user_quota[:memory]}, Used: #{use.memory}"
-            error_message<<", asked: #{new_vm.memory.to_i}" if new_vm
-            error_message<<")."
-        end
-
-        if !(!user_quota[:num_vms] || use_after.num_vms<=user_quota[:num_vms])
-            error_message<<" Num VMS quota exceeded (Quota: "+
-                "#{user_quota[:memory]}, Used: #{use.num_vms})."
-        end
-
-        if error_message==""
-            false
-        else
-            error_message.strip
-        end
-    end
-    
-    # Updates user resource consuption
-    def update(user)
-        @usage.update_user(user)
-    end
-    
-    # Get cache for the user
-    def get_user(user)
-        @usage.vms(user)
-    end
+if !ONE_LOCATION
+    RUBY_LIB_LOCATION="/usr/lib/one/ruby"
+    ETC_LOCATION="/etc/one/"
+else
+    RUBY_LIB_LOCATION=ONE_LOCATION+"/lib/ruby"
+    ETC_LOCATION=ONE_LOCATION+"/etc/"
 end
 
+$: << RUBY_LIB_LOCATION
+
+require 'scripts_common'
+require 'quota'
+
+user_id = ARGV.shift
+
+overall_evalutation = ARGV.pop
+exit -1 if overall_evalutation == 0
+
+quota = Quota.new
+
+#q = {
+#    :cpu => 10,
+#    :memory => 2048,
+#    :storage => 100000,
+#    :num_vms => 5
+#}
+#
+#quota.set(1, q)
+#OpenNebula.log_debug("quotas: #{quota.get(1)}")
+
+ARGV.each {|request|
+    rc = quota.check_request(user_id, request)
+    
+    if rc
+        OpenNebula.error_message rc
+        exit -1
+    end
+}
+
+#OpenNebula.log_debug("AUTHORIZE ARGS: #{ARGV.join(' ')}")
+
+exit 0
\ No newline at end of file
diff --git a/src/authm_mad/remotes/quota/one_usage.rb b/src/authm_mad/remotes/quota/one_usage.rb
new file mode 100644
index 0000000000..8a52a84121
--- /dev/null
+++ b/src/authm_mad/remotes/quota/one_usage.rb
@@ -0,0 +1,113 @@
+# -------------------------------------------------------------------------- #
+# Copyright 2002-2011, OpenNebula Project Leads (OpenNebula.org)             #
+#                                                                            #
+# Licensed under the Apache License, Version 2.0 (the "License"); you may    #
+# not use this file except in compliance with the License. You may obtain    #
+# a copy of the License at                                                   #
+#                                                                            #
+# http://www.apache.org/licenses/LICENSE-2.0                                 #
+#                                                                            #
+# Unless required by applicable law or agreed to in writing, software        #
+# distributed under the License is distributed on an "AS IS" BASIS,          #
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.   #
+# See the License for the specific language governing permissions and        #
+# limitations under the License.                                             #
+#--------------------------------------------------------------------------- #
+
+require 'OpenNebula'
+
+# This class retrieves and caches vms and its consuption grouped
+# by users. 'update_user' method should be called to fill data for
+# a user before any calculation is made
+class OneUsage
+    VM_USAGE = {
+        :cpu => {
+            :proc_info  => lambda {|template| template['CPU']},
+            :proc_total => lambda {|resource| resource['TEMPLATE']['CPU']}
+        },
+        :memory => {
+            :proc_info  => lambda {|template| template['MEMORY']},
+            :proc_total => lambda {|resource| resource['TEMPLATE']['MEMORY']}
+        },
+        :num_vms => {
+            :proc_info  => lambda {|template| 1 },
+            :proc_total => lambda {|resource| 1 }
+        }
+    }
+
+    IMAGE_USAGE = {
+        :storage => {
+            :proc_info  => lambda {|template| File.size(template['PATH']) },
+            :proc_total => lambda {|resource| File.size(resource['TEMPLATE']['SOURCE']) }
+        }
+    }
+
+    def initialize()
+        @client = OpenNebula::Client.new
+
+        @usage =  Hash.new
+
+        keys = VM_USAGE.keys + IMAGE_USAGE.keys
+        keys.each { |key|
+            @usage[key] = 0
+        }
+
+    end
+
+
+    def total(resource, user_id)
+        pool_array = pool_to_array(resource, user_id)
+
+        usage = Hash.new
+        pool_array.each { |elem|
+            OneUsage.const_get("#{resource}_USAGE".to_sym).each { |key, params|
+                usage[key] ||= 0
+                usage[key] += params[:proc_total].call(elem).to_i
+            }
+        }
+
+        usage
+    end
+
+    # Retrieve the useful information of the template for the specified
+    # kind of resource
+    def get_info(resource, xml_template)
+        template = OpenNebula::XMLElement.new
+        template.initialize_xml(xml_template, 'TEMPLATE')
+
+        info = Hash.new
+
+        self.class.const_get("#{resource}_USAGE").each { |key, params|
+            info[key] = params[:proc_info].call(template).to_i
+        }
+
+        info
+    end
+
+    private
+
+    # Returns a an Array than contains the elements of the resource Pool
+    def pool_to_array(resource, user_id)
+        pool = case resource
+        when "VM"    then OpenNebula::VirtualMachinePool.new(@client, user_id)
+        when "IMAGE" then OpenNebula::ImagePool.new(@client, user_id)
+        end
+
+        rc = pool.info
+
+        phash = pool.to_hash
+
+        if phash["#{resource}_POOL"] &&
+                phash["#{resource}_POOL"]["#{resource}"]
+            if phash["#{resource}_POOL"]["#{resource}"].instance_of?(Array)
+                parray = phash["#{resource}_POOL"]["#{resource}"]
+            else
+                parray = [phash["#{resource}_POOL"]["#{resource}"]]
+            end
+        else
+            parray = Array.new
+        end
+
+        return parray
+    end
+end
diff --git a/src/authm_mad/remotes/quota/quota.rb b/src/authm_mad/remotes/quota/quota.rb
new file mode 100644
index 0000000000..69977c60b4
--- /dev/null
+++ b/src/authm_mad/remotes/quota/quota.rb
@@ -0,0 +1,155 @@
+# -------------------------------------------------------------------------- #
+# Copyright 2002-2011, OpenNebula Project Leads (OpenNebula.org)             #
+#                                                                            #
+# Licensed under the Apache License, Version 2.0 (the "License"); you may    #
+# not use this file except in compliance with the License. You may obtain    #
+# a copy of the License at                                                   #
+#                                                                            #
+# http://www.apache.org/licenses/LICENSE-2.0                                 #
+#                                                                            #
+# Unless required by applicable law or agreed to in writing, software        #
+# distributed under the License is distributed on an "AS IS" BASIS,          #
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.   #
+# See the License for the specific language governing permissions and        #
+# limitations under the License.                                             #
+#--------------------------------------------------------------------------- #
+
+require 'one_usage'
+require 'sequel'
+require 'base64'
+
+# Quota functionality for auth driver. Stores in database limits for each
+# user and using OneUsage is able to retrieve resource usage from
+# OpenNebula daemon and check if it is below limits
+class Quota
+    attr_accessor :defaults
+
+    TABLE_NAME = :quotas
+
+    DB_QUOTA_SCHEMA = {
+        :cpu     => Float,
+        :memory  => Integer,
+        :num_vms => Integer,
+        :storage => Integer
+    }
+
+    CONF = {
+        :db => "sqlite:///tmp/onequota.db",
+        :defaults => {
+            :cpu     => nil,
+            :memory  => nil,
+            :num_vms => nil,
+            :storage => nil
+        }
+    }
+
+    # 'db' is a Sequel database where to store user limits and client
+    # is OpenNebula::Client used to connect to OpenNebula daemon
+    def initialize(conf={})
+        # TBD merge with the conf file
+        @conf=CONF
+
+        @defaults=@conf[:defaults]
+
+        @db=Sequel.connect(@conf[:db])
+
+        create_table
+        @table=@db[TABLE_NAME]
+
+        @one_usage=OneUsage.new
+    end
+
+    ###########################################################################
+    # DB handling
+    ###########################################################################
+
+    # Creates database quota table if it does not exist
+    def create_table
+        @db.create_table?(TABLE_NAME) do
+            Integer     :uid
+
+            DB_QUOTA_SCHEMA.each { |key,value|
+                column key, value
+            }
+
+            primary_key :uid
+            index       :uid
+        end
+    end
+
+    # Adds new user limits
+    def set(uid, quota={})
+        data=quota.delete_if{|key,value| !DB_QUOTA_SCHEMA.keys.include?(key)}
+
+        quotas=@table.filter(:uid => uid)
+
+        if quotas.first
+            quotas.update(data)
+        else
+            @table.insert(data.merge!(:uid => uid))
+        end
+    end
+
+    # Gets user limits
+    def get(uid)
+        limit=@table.filter(:uid => uid).first
+        if limit
+            limit
+        else
+            @conf[:defaults]
+        end
+    end
+
+
+    ###########################################################################
+    # Authorization
+    ###########################################################################
+
+    def check_request(user_id, request)
+        obj, template_or_id, op, owner, pub, acl_eval = request.split(':')
+
+        if acl_eval == 0
+            return "ACL evaluation denied"
+        end
+
+        # Check if this op needs to check the quota
+        return false unless with_quota?(obj, op)
+
+        # If the object is a template the info should be retrived from the
+        # VM pool.
+        obj = "VM" if obj == "TEMPLATE"
+        template = Base64::decode64(template_or_id)
+
+        check_quotas(user_id.to_i, obj, template)
+    end
+
+    def check_quotas(user_id, obj, template)
+        info  = @one_usage.get_info(obj, template)
+        total = @one_usage.total(obj, user_id)
+        quota = get(user_id)
+
+        msg = ""
+        info.each { |quota_name, quota_requested|
+            spent = total[quota_name].to_i + quota_requested.to_i
+            if spent > quota[quota_name].to_i
+                msg << " #{quota_name.to_s.upcase} quota exceeded "
+                msg << "(Quota: #{quota[quota_name].to_i}, "
+                msg << "Used: #{spent.to_i}, "
+                msg << "Asked: #{quota_requested.to_i})."
+            end
+        }
+
+        if msg==""
+            return false
+        else
+            return msg.strip
+        end
+    end
+
+    def with_quota?(obj, op)
+        return (obj == "VM"       && op == "CREATE") ||
+               (obj == "IMAGE"    && op == "CREATE") ||
+               (obj == "TEMPLATE" && op == "INSTANTIATE")
+    end
+end
+

From ea51d0b9b90bdf05fa1875d39b3eaeb4c1ec41f4 Mon Sep 17 00:00:00 2001
From: Ted <tdh@camp5.townhouse>
Date: Fri, 26 Aug 2011 11:25:39 -0500
Subject: [PATCH 52/63] Remove validate call, as admin-installed host certs are
 assumed trustworthy. (cherry picked from commit
 6904317c68da51aa3df3be9ee98aa8a8478fc59d)

---
 src/authm_mad/remotes/server/server_auth.rb | 10 ++++------
 1 file changed, 4 insertions(+), 6 deletions(-)

diff --git a/src/authm_mad/remotes/server/server_auth.rb b/src/authm_mad/remotes/server/server_auth.rb
index 441d2905e9..5fccf4eda5 100644
--- a/src/authm_mad/remotes/server/server_auth.rb
+++ b/src/authm_mad/remotes/server/server_auth.rb
@@ -75,7 +75,7 @@ class ServerAuth < X509Auth
         token_txt = "#{user}:#{user_pass}:#{expires}"
 
         token     = encrypt(token_txt)
-	    token64   = Base64::encode64(token).strip.delete("\n")
+	token64   = Base64::encode64(token).strip.delete("\n")
 
         login_out = "#{user}:server:#{token64}"
         
@@ -88,20 +88,18 @@ class ServerAuth < X509Auth
     # auth method for auth_mad
     def authenticate(user, pass, signed_text)
         begin            
-	        # Decryption demonstrates that the user posessed the private key.
+	    # Decryption demonstrates that the user posessed the private key.
             _user, user_pass, expires = decrypt(signed_text).split(':')
 
             return "User name missmatch" if user != _user
 
             return "login token expired" if Time.now.to_i >= expires.to_i
 
-            # Check an explicitly-specified DN such as for a host-signed login 
+            # Check that the signed password matches one for the user.
             if !pass.split('|').include?(user_pass)
-	            return "User password missmatch"
+	        return "User password missmatch"
             end
 
-	        validate
-
             return true
         rescue => e
             return e.message

From ac1338c737a99af573ce8ab3eb41ec9f72ed1eeb Mon Sep 17 00:00:00 2001
From: Ted <tdh@camp5.townhouse>
Date: Fri, 26 Aug 2011 11:28:13 -0500
Subject: [PATCH 53/63] Raise exception if there is no ca_dir. Fix
 indentations. (cherry picked from commit
 ecbde5f8798168d58520ec30a6cecb46d97ef671)

---
 src/authm_mad/remotes/x509/x509_auth.rb | 26 ++++++++++++-------------
 1 file changed, 13 insertions(+), 13 deletions(-)

diff --git a/src/authm_mad/remotes/x509/x509_auth.rb b/src/authm_mad/remotes/x509/x509_auth.rb
index 4fba744a26..c6906ec920 100644
--- a/src/authm_mad/remotes/x509/x509_auth.rb
+++ b/src/authm_mad/remotes/x509/x509_auth.rb
@@ -55,7 +55,7 @@ class X509Auth
 
     # Creates the login file for x509 authentication at ~/.one/one_x509.
     # By default it is valid as long as the certificate is valid. It can 
-    # be change to any number of seconds with expire parameter (sec.)
+    # be changed to any number of seconds with expire parameter (sec.)
     def login(user, expire=0)
         write_login(login_token(user,expire))
     end
@@ -95,23 +95,23 @@ class X509Auth
     # auth method for auth_mad
     def authenticate(user, pass, signed_text)
         begin            
-	        # Decryption demonstrates that the user posessed the private key.
+	    # Decryption demonstrates that the user posessed the private key.
             _user, expires = decrypt(signed_text).split(':')
 
             return "User name missmatch" if user != _user
 
             return "x509 proxy expired"  if Time.now.to_i >= expires.to_i
 
-	        # Some DN in the chain must match a DN in the password	    
-	        dn_ok = @cert_chain.each do |cert|
+	    # Some DN in the chain must match a DN in the password	    
+	    dn_ok = @cert_chain.each do |cert|
                 break true if pass.split('|').include?(cert.subject.to_s.delete("\s"))
             end
 	    
-	        unless dn_ok == true
-	            return "Certificate subject missmatch"
+	    unless dn_ok == true
+	        return "Certificate subject missmatch"
             end
 	    
-	        validate
+	    validate
 
             return true
         rescue => e
@@ -156,10 +156,10 @@ private
     # Validate the user certificate
     ###########################################################################
     def validate
- 	    now    = Time.now
+ 	now    = Time.now
         failed = "Could not validate user credentials: "
 
-        # Check start time and end time of certificate
+        # Check start time and end time of certificates
         @cert_chain.each do |cert|		
             if cert.not_before > now || cert.not_after < now
                 raise failed +  "Certificate not valid. Current time is " + 
@@ -168,10 +168,10 @@ private
         end 
 
         begin
-	        # Validate the proxy certifcates
+	    # Validate the proxy certifcates
             signee = @cert_chain[0]
 
-	        @cert_chain[1..-1].each do |cert|
+	    @cert_chain[1..-1].each do |cert|
                 if !((signee.issuer.to_s == cert.subject.to_s) &&
                      (signee.verify(cert.public_key)))
                     raise  failed + signee.subject.to_s + " with issuer " +
@@ -182,8 +182,8 @@ private
             end
 
             # Validate the End Entity certificate
-	        if !@options[:ca_dir]
-                return
+	    if !@options[:ca_dir]
+                raise failed + "No certifcate authority directory was specified."
             end
 
             begin

From daab17b4e0524bf21a114f309518eb1616730a78 Mon Sep 17 00:00:00 2001
From: "Ruben S. Montero" <rubensm@dacya.ucm.es>
Date: Tue, 30 Aug 2011 00:22:51 +0200
Subject: [PATCH 54/63] feature #754: If CA path is not defined, CAs will not
 be checked instead of raising an exception

---
 src/authm_mad/remotes/x509/x509_auth.rb | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/authm_mad/remotes/x509/x509_auth.rb b/src/authm_mad/remotes/x509/x509_auth.rb
index c6906ec920..48fe58193f 100644
--- a/src/authm_mad/remotes/x509/x509_auth.rb
+++ b/src/authm_mad/remotes/x509/x509_auth.rb
@@ -182,8 +182,8 @@ private
             end
 
             # Validate the End Entity certificate
-	    if !@options[:ca_dir]
-                raise failed + "No certifcate authority directory was specified."
+	        if !@options[:ca_dir]
+                return
             end
 
             begin

From 02bd5ec4efeda92b90d1a61adefa6e1fb4ffc93e Mon Sep 17 00:00:00 2001
From: Ted <tdh@camp5.townhouse>
Date: Mon, 29 Aug 2011 16:32:04 -0500
Subject: [PATCH 55/63] Remove restriction for plain auth for oneadmin. (cherry
 picked from commit ff05d07af0231ae4a2e8a0915973c05f9b533409)

---
 src/um/UserPool.cc | 17 +++--------------
 1 file changed, 3 insertions(+), 14 deletions(-)

diff --git a/src/um/UserPool.cc b/src/um/UserPool.cc
index 746e898346..2ab1618f42 100644
--- a/src/um/UserPool.cc
+++ b/src/um/UserPool.cc
@@ -250,23 +250,12 @@ bool UserPool::authenticate(const string& session,
     }
 
     AuthRequest ar(uid, gid);
+    
+    NebulaLog::log("UserPool",Log::ERROR, "Authenticating " + username);
 
     ar.add_authenticate(username,u_pass,secret);
 
-    if ( uid == 0 ) //oneadmin
-    {
-        if (ar.plain_authenticate())
-        {
-            user_id  = uid;
-            group_id = gid;
-
-            uname = tuname;
-            gname = tgname;
-
-            result   = true;
-        }
-    }
-    else if (authm == 0) //plain auth
+    if (authm == 0) //plain auth
     {
         if ( user != 0 && ar.plain_authenticate()) //no plain for external users
         {

From 5e67ef24b975e5110ef646709ca322731a0f7fdb Mon Sep 17 00:00:00 2001
From: "Ruben S. Montero" <rubensm@dacya.ucm.es>
Date: Tue, 30 Aug 2011 01:00:45 +0200
Subject: [PATCH 56/63] feature #754: Removed comment

---
 src/um/UserPool.cc | 2 --
 1 file changed, 2 deletions(-)

diff --git a/src/um/UserPool.cc b/src/um/UserPool.cc
index 2ab1618f42..60933f7a45 100644
--- a/src/um/UserPool.cc
+++ b/src/um/UserPool.cc
@@ -250,8 +250,6 @@ bool UserPool::authenticate(const string& session,
     }
 
     AuthRequest ar(uid, gid);
-    
-    NebulaLog::log("UserPool",Log::ERROR, "Authenticating " + username);
 
     ar.add_authenticate(username,u_pass,secret);
 

From 93c133b1814a6b3d85ae874f2ac3ca9df9e8aaac Mon Sep 17 00:00:00 2001
From: Daniel Molina <danmolin@fdi.ucm.es>
Date: Tue, 30 Aug 2011 12:33:54 +0200
Subject: [PATCH 57/63] Generate password from options for the passwd command

---
 src/cli/oneuser | 16 ++++++++++++++--
 1 file changed, 14 insertions(+), 2 deletions(-)

diff --git a/src/cli/oneuser b/src/cli/oneuser
index 753d3bb388..856a99d1af 100755
--- a/src/cli/oneuser
+++ b/src/cli/oneuser
@@ -189,9 +189,21 @@ cmd=CommandParser::CmdParser.new(ARGV) do
         Changes the given User's password
     EOT
 
-    command :passwd, passwd_desc, :userid, :password do
+    command :passwd, passwd_desc, :userid, :password,
+            :options=>create_options do
+        if options[:ssh] or options[:x509]
+            rc = helper.password(options)
+            if rc.first == 0
+                pass = rc[1]
+            else
+                exit_with_code *rc
+            end
+        else
+            pass = args[1]
+        end
+
         helper.perform_action(args[0],options,"Password changed") do |user|
-            user.passwd(args[1])
+            user.passwd(pass)
         end
     end
 

From 719b509d05fb59b26d29477a86e373a70080da5e Mon Sep 17 00:00:00 2001
From: Daniel Molina <danmolin@fdi.ucm.es>
Date: Tue, 30 Aug 2011 13:02:30 +0200
Subject: [PATCH 58/63] feature #754: Improve get_usage method

---
 src/authm_mad/remotes/quota/one_usage.rb | 85 +++++++++++++-----------
 src/authm_mad/remotes/quota/quota.rb     |  4 +-
 src/oca/ruby/OpenNebula/XMLUtils.rb      | 26 ++++++--
 3 files changed, 69 insertions(+), 46 deletions(-)

diff --git a/src/authm_mad/remotes/quota/one_usage.rb b/src/authm_mad/remotes/quota/one_usage.rb
index 8a52a84121..0d83e684d2 100644
--- a/src/authm_mad/remotes/quota/one_usage.rb
+++ b/src/authm_mad/remotes/quota/one_usage.rb
@@ -23,55 +23,63 @@ class OneUsage
     VM_USAGE = {
         :cpu => {
             :proc_info  => lambda {|template| template['CPU']},
-            :proc_total => lambda {|resource| resource['TEMPLATE']['CPU']}
+            :xpath => 'TEMPLATE/CPU'
         },
         :memory => {
             :proc_info  => lambda {|template| template['MEMORY']},
-            :proc_total => lambda {|resource| resource['TEMPLATE']['MEMORY']}
+            :xpath => 'TEMPLATE/MEMORY'
         },
         :num_vms => {
             :proc_info  => lambda {|template| 1 },
-            :proc_total => lambda {|resource| 1 }
+            :xpath => 'ID',
+            :count => true
         }
     }
 
     IMAGE_USAGE = {
         :storage => {
             :proc_info  => lambda {|template| File.size(template['PATH']) },
-            :proc_total => lambda {|resource| File.size(resource['TEMPLATE']['SOURCE']) }
+            :proc_total => 'TEMPLATE/SIZE'
         }
     }
 
+    RESOURCES = ["VM", "IMAGE"]
+
     def initialize()
         @client = OpenNebula::Client.new
-
         @usage =  Hash.new
-
-        keys = VM_USAGE.keys + IMAGE_USAGE.keys
-        keys.each { |key|
-            @usage[key] = 0
-        }
-
     end
 
-
-    def total(resource, user_id)
-        pool_array = pool_to_array(resource, user_id)
-
+    def total(user_id, resource=nil, force=false)
         usage = Hash.new
-        pool_array.each { |elem|
-            OneUsage.const_get("#{resource}_USAGE".to_sym).each { |key, params|
-                usage[key] ||= 0
-                usage[key] += params[:proc_total].call(elem).to_i
+
+        if force
+            resources = [resource] if RESOURCES.include?(resource)
+
+            resources.each{ |res|
+                pool = get_pool(res, user_id)
+
+                base_xpath = "/#{res}_POOL/#{resource}"
+                OneUsage.const_get("#{res}_USAGE".to_sym).each { |key, params|
+                    usage[key] ||= 0
+                    pool.each_xpath("#{base_xpath}/#{params[:xpath]}") { |elem|
+                        usage[key] += params[:count] ? 1 : elem.to_i
+                    }
+                }
+
+                @usage[:user_id] ||= Hash.new
+                @usage[:user_id].merge!(usage)
             }
-        }
+        else
+            usage = get_usage(user_id)
+        end
 
         usage
     end
 
     # Retrieve the useful information of the template for the specified
     # kind of resource
-    def get_info(resource, xml_template)
+    def get_resources(resource, xml_template)
         template = OpenNebula::XMLElement.new
         template.initialize_xml(xml_template, 'TEMPLATE')
 
@@ -86,28 +94,31 @@ class OneUsage
 
     private
 
+    def get_usage(user_id)
+        usage = @usage[:user_id]
+
+        unless usage
+            usage = Hash.new
+
+            keys = VM_USAGE.keys + IMAGE_USAGE.keys
+            keys.each { |key|
+                usage[key] = 0
+            }
+
+            @usage[:user_id] = usage
+        end
+
+        usage
+    end
+
     # Returns a an Array than contains the elements of the resource Pool
-    def pool_to_array(resource, user_id)
+    def get_pool(resource, user_id)
         pool = case resource
         when "VM"    then OpenNebula::VirtualMachinePool.new(@client, user_id)
         when "IMAGE" then OpenNebula::ImagePool.new(@client, user_id)
         end
 
         rc = pool.info
-
-        phash = pool.to_hash
-
-        if phash["#{resource}_POOL"] &&
-                phash["#{resource}_POOL"]["#{resource}"]
-            if phash["#{resource}_POOL"]["#{resource}"].instance_of?(Array)
-                parray = phash["#{resource}_POOL"]["#{resource}"]
-            else
-                parray = [phash["#{resource}_POOL"]["#{resource}"]]
-            end
-        else
-            parray = Array.new
-        end
-
-        return parray
+        return pool
     end
 end
diff --git a/src/authm_mad/remotes/quota/quota.rb b/src/authm_mad/remotes/quota/quota.rb
index 69977c60b4..e46a7eb7f9 100644
--- a/src/authm_mad/remotes/quota/quota.rb
+++ b/src/authm_mad/remotes/quota/quota.rb
@@ -124,14 +124,14 @@ class Quota
     end
 
     def check_quotas(user_id, obj, template)
-        info  = @one_usage.get_info(obj, template)
+        info  = @one_usage.get_resources(obj, template)
         total = @one_usage.total(obj, user_id)
         quota = get(user_id)
 
         msg = ""
         info.each { |quota_name, quota_requested|
             spent = total[quota_name].to_i + quota_requested.to_i
-            if spent > quota[quota_name].to_i
+            if quota[quota_name] && spent > quota[quota_name].to_i
                 msg << " #{quota_name.to_s.upcase} quota exceeded "
                 msg << "(Quota: #{quota[quota_name].to_i}, "
                 msg << "Used: #{spent.to_i}, "
diff --git a/src/oca/ruby/OpenNebula/XMLUtils.rb b/src/oca/ruby/OpenNebula/XMLUtils.rb
index 912c2e4561..c71dece114 100644
--- a/src/oca/ruby/OpenNebula/XMLUtils.rb
+++ b/src/oca/ruby/OpenNebula/XMLUtils.rb
@@ -101,11 +101,11 @@ module OpenNebula
                 element.text
             end
         end
-        
-        # Gets an array of text from elemenets extracted 
+
+        # Gets an array of text from elemenets extracted
         # using  the XPATH  expression passed as filter
         def retrieve_elements(filter)
-            elements_array = Array.new            
+            elements_array = Array.new
 
             if NOKOGIRI
                 @xml.xpath(filter.to_s).each { |pelem|
@@ -116,13 +116,13 @@ module OpenNebula
                     elements_array << pelem.text if pelem.text
                 }
             end
-            
-            if elements_array.size == 0 
+
+            if elements_array.size == 0
                 return nil
             else
                 return elements_array
             end
-            
+
         end
 
         # Gets an attribute from an elemenT
@@ -164,6 +164,18 @@ module OpenNebula
             end
         end
 
+        def each_xpath(xpath_str,&block)
+            if NOKOGIRI
+                @xml.xpath(xpath_str).each { |pelem|
+                    block.call pelem.text
+                }
+            else
+                @xml.elements.each(xpath_str) { |pelem|
+                    block.call pelem.text
+                }
+            end
+        end
+
         def name
             @xml.name
         end
@@ -285,7 +297,7 @@ module OpenNebula
 
             hash
         end
-    
+
     private
         def attr_to_str(attr)
             attr.gsub!('"',"\\\"")

From 304b82f0244e74f67cea6d3036b905858ca35a0e Mon Sep 17 00:00:00 2001
From: "Ruben S. Montero" <rubensm@dacya.ucm.es>
Date: Tue, 30 Aug 2011 17:14:39 +0200
Subject: [PATCH 59/63] feature #754: Revert CA check
 c1338c737a99af573ce8ab3eb41ec9f72ed1ee

---
 src/authm_mad/remotes/x509/x509_auth.rb | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/authm_mad/remotes/x509/x509_auth.rb b/src/authm_mad/remotes/x509/x509_auth.rb
index 48fe58193f..dfd76a5ae6 100644
--- a/src/authm_mad/remotes/x509/x509_auth.rb
+++ b/src/authm_mad/remotes/x509/x509_auth.rb
@@ -171,7 +171,7 @@ private
 	    # Validate the proxy certifcates
             signee = @cert_chain[0]
 
-	    @cert_chain[1..-1].each do |cert|
+	        @cert_chain[1..-1].each do |cert|
                 if !((signee.issuer.to_s == cert.subject.to_s) &&
                      (signee.verify(cert.public_key)))
                     raise  failed + signee.subject.to_s + " with issuer " +
@@ -183,7 +183,7 @@ private
 
             # Validate the End Entity certificate
 	        if !@options[:ca_dir]
-                return
+                raise failed + "No certifcate authority directory was specified." 
             end
 
             begin

From 43b79a3e3a058ef9f19e3266f98206de4e1f2d48 Mon Sep 17 00:00:00 2001
From: "Ruben S. Montero" <rubensm@dacya.ucm.es>
Date: Tue, 30 Aug 2011 18:04:53 +0200
Subject: [PATCH 60/63] feature #754: Fix problem parsing cert chains. Includes
 conf files for server and x509 authN methods

---
 install.sh                                    |  3 +-
 src/authm_mad/remotes/server/server_auth.conf |  4 ---
 src/authm_mad/remotes/server/server_auth.rb   | 28 +++++------------
 src/authm_mad/remotes/x509/x509_auth.conf     |  3 ++
 src/authm_mad/remotes/x509/x509_auth.rb       | 30 ++++++++++++++++++-
 src/cli/one_helper/oneuser_helper.rb          |  4 +--
 6 files changed, 44 insertions(+), 28 deletions(-)
 create mode 100644 src/authm_mad/remotes/x509/x509_auth.conf

diff --git a/install.sh b/install.sh
index d979b08cc7..81f19d63f9 100755
--- a/install.sh
+++ b/install.sh
@@ -706,7 +706,8 @@ HM_ETC_FILES="src/hm_mad/hmrc"
 # Auth Manager drivers config. files, to be installed under $ETC_LOCATION/auth
 #-------------------------------------------------------------------------------
 
-AUTH_ETC_FILES="src/authm_mad/remotes/server/server_auth.conf"
+AUTH_ETC_FILES="src/authm_mad/remotes/server/server_auth.conf \
+                src/authm_mad/remotes/x509/x509_auth.conf"
 
 #-------------------------------------------------------------------------------
 # Sample files, to be installed under $SHARE_LOCATION/examples
diff --git a/src/authm_mad/remotes/server/server_auth.conf b/src/authm_mad/remotes/server/server_auth.conf
index 2eb8e0dc92..2d48125dcd 100644
--- a/src/authm_mad/remotes/server/server_auth.conf
+++ b/src/authm_mad/remotes/server/server_auth.conf
@@ -2,7 +2,3 @@
 # Certificates must be in PEM format
 :one_cert: "/etc/one/auth/cert.pem"
 :one_key: "/etc/one/auth/pk.pem"
-
-# Path to the trusted CA directory. It should contain the trusted CA's for
-# the server, each CA certificate shoud be name CA_hash.0
-:ca_dir: 
diff --git a/src/authm_mad/remotes/server/server_auth.rb b/src/authm_mad/remotes/server/server_auth.rb
index 5fccf4eda5..e4003f3289 100644
--- a/src/authm_mad/remotes/server/server_auth.rb
+++ b/src/authm_mad/remotes/server/server_auth.rb
@@ -17,7 +17,6 @@
 require 'openssl'
 require 'base64'
 require 'fileutils'
-require 'yaml'
 
 require 'x509_auth'
 
@@ -28,38 +27,27 @@ class ServerAuth < X509Auth
     ###########################################################################
     #Constants with paths to relevant files and defaults
     ###########################################################################
-    if !ENV["ONE_LOCATION"]
-        ETC_LOCATION      = "/etc/one"
-    else
-        ETC_LOCATION      = ONE_LOCATION + "/etc"
-    end
 
     SERVER_AUTH_CONF_PATH = ETC_LOCATION + "/auth/server_auth.conf"
 
-    DEFAULT_CERTS_PATH = {
+    SERVER_DEFAULTS = {
         :one_cert => ETC_LOCATION + "/auth/cert.pem",
-        :one_key  => ETC_LOCATION + "/auth/key.pem",
-        :ca_dir   => ETC_LOCATION + "/auth/certificates",
+        :one_key  => ETC_LOCATION + "/auth/key.pem"
     }
 
     ###########################################################################
 
     def initialize()
-        @options = DEFAULT_CERTS_PATH
+        @options = SERVER_DEFAULTS
+       
+        load_options(SERVER_AUTH_CONF_PATH)
 
-        if File.readable?(SERVER_AUTH_CONF_PATH)
-            config = File.read(SERVER_AUTH_CONF_PATH)
-             
-            @options.merge!(YAML::load(config))
-        end
-        
         begin
             certs = [ File.read(@options[:one_cert]) ]
             key   =   File.read(@options[:one_key])
 
             super(:certs_pem => certs, 
-                  :key_pem   => key,
-                  :ca_dir    => @options[:ca_dir])
+                  :key_pem   => key)
         rescue
             raise
         end  
@@ -75,7 +63,7 @@ class ServerAuth < X509Auth
         token_txt = "#{user}:#{user_pass}:#{expires}"
 
         token     = encrypt(token_txt)
-	token64   = Base64::encode64(token).strip.delete("\n")
+	    token64   = Base64::encode64(token).strip.delete("\n")
 
         login_out = "#{user}:server:#{token64}"
         
@@ -97,7 +85,7 @@ class ServerAuth < X509Auth
 
             # Check that the signed password matches one for the user.
             if !pass.split('|').include?(user_pass)
-	        return "User password missmatch"
+	            return "User password missmatch"
             end
 
             return true
diff --git a/src/authm_mad/remotes/x509/x509_auth.conf b/src/authm_mad/remotes/x509/x509_auth.conf
new file mode 100644
index 0000000000..679610ba0c
--- /dev/null
+++ b/src/authm_mad/remotes/x509/x509_auth.conf
@@ -0,0 +1,3 @@
+# Path to the trusted CA directory. It should contain the trusted CA's for
+# the server, each CA certificate shoud be name CA_hash.0
+:ca_dir: "/etc/one/auth/certificates"
diff --git a/src/authm_mad/remotes/x509/x509_auth.rb b/src/authm_mad/remotes/x509/x509_auth.rb
index dfd76a5ae6..d54ba9b9a3 100644
--- a/src/authm_mad/remotes/x509/x509_auth.rb
+++ b/src/authm_mad/remotes/x509/x509_auth.rb
@@ -17,13 +17,30 @@
 require 'openssl'
 require 'base64'
 require 'fileutils'
+require 'yaml'
 
 # X509 authentication class. It can be used as a driver for auth_mad
 # as auth method is defined. It also holds some helper methods to be used
 # by oneauth command
 class X509Auth
+    ###########################################################################
+    #Constants with paths to relevant files and defaults
+    ###########################################################################
+    if !ENV["ONE_LOCATION"]
+        ETC_LOCATION      = "/etc/one"
+    else
+        ETC_LOCATION      = ONE_LOCATION + "/etc"
+    end
+
     LOGIN_PATH = ENV['HOME']+'/.one/one_x509'
 
+    X509_AUTH_CONF_PATH = ETC_LOCATION + "/auth/x509_auth.conf"
+
+    X509_DEFAULTS = {
+        :ca_dir   => ETC_LOCATION + "/auth/certificates"
+    }
+
+    ###########################################################################
     # Initialize x509Auth object
     #
     # @param [Hash] default options for path
@@ -37,9 +54,11 @@ class X509Auth
         @options={
             :certs_pem => nil,
             :key_pem   => nil,
-            :ca_dir    => nil
+            :ca_dir    => X509_DEFAULTS[:ca_dir]
         }.merge!(options)
 
+        load_options(X509_AUTH_CONF_PATH)
+
         @cert_chain = @options[:certs_pem].collect do |cert_pem|
             OpenSSL::X509::Certificate.new(cert_pem)
         end
@@ -137,6 +156,15 @@ private
         file.close
     end
 
+    # Load class options form a configuration file (yaml syntax)
+    def load_options(conf_file)
+        if File.readable?(conf_file)
+            config = File.read(conf_file)
+             
+            @options.merge!(YAML::load(config))
+        end
+    end
+
     ###########################################################################
     #                       Methods to encrpyt/decrypt keys
     ###########################################################################
diff --git a/src/cli/one_helper/oneuser_helper.rb b/src/cli/one_helper/oneuser_helper.rb
index 06d86bbff5..7ce551f4ca 100644
--- a/src/cli/one_helper/oneuser_helper.rb
+++ b/src/cli/one_helper/oneuser_helper.rb
@@ -111,10 +111,10 @@ class OneUserHelper < OpenNebulaHelper::OneHelper
             begin  
                 proxy = File.read(options[:proxy])
 
-                rc = proxy.scan(/-+BEGIN CERTIFICATE-+\n([^-]*)\n-+END CERTIFICATE-+/)
+                rc = proxy.scan(/(-+BEGIN CERTIFICATE-+\n[^-]*\n-+END CERTIFICATE-+)/)
                 certs = rc.flatten!
 
-                rc = proxy.match(/-+BEGIN RSA PRIVATE KEY-+\n([^-]*)\n-+END RSA PRIVATE KEY-+/)
+                rc = proxy.match(/(-+BEGIN RSA PRIVATE KEY-+\n[^-]*\n-+END RSA PRIVATE KEY-+)/)
 
                 key  = rc[1]
 

From 9155e7fc53e6f8f00df340c8ee4a9c1394e7c927 Mon Sep 17 00:00:00 2001
From: Ted <tdh@camp5.townhouse>
Date: Tue, 30 Aug 2011 13:57:30 -0500
Subject: [PATCH 61/63] Fixed typo in X509 instantiation.

---
 src/cli/one_helper/oneuser_helper.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/cli/one_helper/oneuser_helper.rb b/src/cli/one_helper/oneuser_helper.rb
index 7ce551f4ca..b481f9291b 100644
--- a/src/cli/one_helper/oneuser_helper.rb
+++ b/src/cli/one_helper/oneuser_helper.rb
@@ -118,7 +118,7 @@ class OneUserHelper < OpenNebulaHelper::OneHelper
 
                 key  = rc[1]
 
-                auth = X509Auth.new(:cert=>certs, :key=>key)
+                auth = X509Auth.new(:certs_pem=>certs, :key_pem=>key)
             rescue => e
                 return -1, e.message
             end

From 40efd2ea46ee48dceb28d960c7baa0db0b0a7f8f Mon Sep 17 00:00:00 2001
From: "Ruben S. Montero" <rubensm@dacya.ucm.es>
Date: Wed, 31 Aug 2011 00:38:37 +0200
Subject: [PATCH 62/63] feature #754: Fix typo in constant

---
 src/authm_mad/remotes/x509/x509_auth.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/authm_mad/remotes/x509/x509_auth.rb b/src/authm_mad/remotes/x509/x509_auth.rb
index d54ba9b9a3..dbb69746d7 100644
--- a/src/authm_mad/remotes/x509/x509_auth.rb
+++ b/src/authm_mad/remotes/x509/x509_auth.rb
@@ -29,7 +29,7 @@ class X509Auth
     if !ENV["ONE_LOCATION"]
         ETC_LOCATION      = "/etc/one"
     else
-        ETC_LOCATION      = ONE_LOCATION + "/etc"
+        ETC_LOCATION      = ENV["ONE_LOCATION"] + "/etc"
     end
 
     LOGIN_PATH = ENV['HOME']+'/.one/one_x509'

From a94219ee0679276aff9b772cf01a8bc6036cdbbe Mon Sep 17 00:00:00 2001
From: "Ruben S. Montero" <rubensm@dacya.ucm.es>
Date: Wed, 31 Aug 2011 00:38:58 +0200
Subject: [PATCH 63/63] feature #754: Removed quota from 754 branch to moved
 its development to another branch

---
 src/authm_mad/remotes/quota/authorize    |  62 ---------
 src/authm_mad/remotes/quota/one_usage.rb | 124 ------------------
 src/authm_mad/remotes/quota/quota.rb     | 155 -----------------------
 3 files changed, 341 deletions(-)
 delete mode 100755 src/authm_mad/remotes/quota/authorize
 delete mode 100644 src/authm_mad/remotes/quota/one_usage.rb
 delete mode 100644 src/authm_mad/remotes/quota/quota.rb

diff --git a/src/authm_mad/remotes/quota/authorize b/src/authm_mad/remotes/quota/authorize
deleted file mode 100755
index 19c0ca02f4..0000000000
--- a/src/authm_mad/remotes/quota/authorize
+++ /dev/null
@@ -1,62 +0,0 @@
-#!/usr/bin/env ruby
-
-# -------------------------------------------------------------------------- #
-# Copyright 2002-2011, OpenNebula Project Leads (OpenNebula.org)             #
-#                                                                            #
-# Licensed under the Apache License, Version 2.0 (the "License"); you may    #
-# not use this file except in compliance with the License. You may obtain    #
-# a copy of the License at                                                   #
-#                                                                            #
-# http://www.apache.org/licenses/LICENSE-2.0                                 #
-#                                                                            #
-# Unless required by applicable law or agreed to in writing, software        #
-# distributed under the License is distributed on an "AS IS" BASIS,          #
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.   #
-# See the License for the specific language governing permissions and        #
-# limitations under the License.                                             #
-#--------------------------------------------------------------------------- #
-
-ONE_LOCATION=ENV["ONE_LOCATION"]
-
-if !ONE_LOCATION
-    RUBY_LIB_LOCATION="/usr/lib/one/ruby"
-    ETC_LOCATION="/etc/one/"
-else
-    RUBY_LIB_LOCATION=ONE_LOCATION+"/lib/ruby"
-    ETC_LOCATION=ONE_LOCATION+"/etc/"
-end
-
-$: << RUBY_LIB_LOCATION
-
-require 'scripts_common'
-require 'quota'
-
-user_id = ARGV.shift
-
-overall_evalutation = ARGV.pop
-exit -1 if overall_evalutation == 0
-
-quota = Quota.new
-
-#q = {
-#    :cpu => 10,
-#    :memory => 2048,
-#    :storage => 100000,
-#    :num_vms => 5
-#}
-#
-#quota.set(1, q)
-#OpenNebula.log_debug("quotas: #{quota.get(1)}")
-
-ARGV.each {|request|
-    rc = quota.check_request(user_id, request)
-    
-    if rc
-        OpenNebula.error_message rc
-        exit -1
-    end
-}
-
-#OpenNebula.log_debug("AUTHORIZE ARGS: #{ARGV.join(' ')}")
-
-exit 0
\ No newline at end of file
diff --git a/src/authm_mad/remotes/quota/one_usage.rb b/src/authm_mad/remotes/quota/one_usage.rb
deleted file mode 100644
index 0d83e684d2..0000000000
--- a/src/authm_mad/remotes/quota/one_usage.rb
+++ /dev/null
@@ -1,124 +0,0 @@
-# -------------------------------------------------------------------------- #
-# Copyright 2002-2011, OpenNebula Project Leads (OpenNebula.org)             #
-#                                                                            #
-# Licensed under the Apache License, Version 2.0 (the "License"); you may    #
-# not use this file except in compliance with the License. You may obtain    #
-# a copy of the License at                                                   #
-#                                                                            #
-# http://www.apache.org/licenses/LICENSE-2.0                                 #
-#                                                                            #
-# Unless required by applicable law or agreed to in writing, software        #
-# distributed under the License is distributed on an "AS IS" BASIS,          #
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.   #
-# See the License for the specific language governing permissions and        #
-# limitations under the License.                                             #
-#--------------------------------------------------------------------------- #
-
-require 'OpenNebula'
-
-# This class retrieves and caches vms and its consuption grouped
-# by users. 'update_user' method should be called to fill data for
-# a user before any calculation is made
-class OneUsage
-    VM_USAGE = {
-        :cpu => {
-            :proc_info  => lambda {|template| template['CPU']},
-            :xpath => 'TEMPLATE/CPU'
-        },
-        :memory => {
-            :proc_info  => lambda {|template| template['MEMORY']},
-            :xpath => 'TEMPLATE/MEMORY'
-        },
-        :num_vms => {
-            :proc_info  => lambda {|template| 1 },
-            :xpath => 'ID',
-            :count => true
-        }
-    }
-
-    IMAGE_USAGE = {
-        :storage => {
-            :proc_info  => lambda {|template| File.size(template['PATH']) },
-            :proc_total => 'TEMPLATE/SIZE'
-        }
-    }
-
-    RESOURCES = ["VM", "IMAGE"]
-
-    def initialize()
-        @client = OpenNebula::Client.new
-        @usage =  Hash.new
-    end
-
-    def total(user_id, resource=nil, force=false)
-        usage = Hash.new
-
-        if force
-            resources = [resource] if RESOURCES.include?(resource)
-
-            resources.each{ |res|
-                pool = get_pool(res, user_id)
-
-                base_xpath = "/#{res}_POOL/#{resource}"
-                OneUsage.const_get("#{res}_USAGE".to_sym).each { |key, params|
-                    usage[key] ||= 0
-                    pool.each_xpath("#{base_xpath}/#{params[:xpath]}") { |elem|
-                        usage[key] += params[:count] ? 1 : elem.to_i
-                    }
-                }
-
-                @usage[:user_id] ||= Hash.new
-                @usage[:user_id].merge!(usage)
-            }
-        else
-            usage = get_usage(user_id)
-        end
-
-        usage
-    end
-
-    # Retrieve the useful information of the template for the specified
-    # kind of resource
-    def get_resources(resource, xml_template)
-        template = OpenNebula::XMLElement.new
-        template.initialize_xml(xml_template, 'TEMPLATE')
-
-        info = Hash.new
-
-        self.class.const_get("#{resource}_USAGE").each { |key, params|
-            info[key] = params[:proc_info].call(template).to_i
-        }
-
-        info
-    end
-
-    private
-
-    def get_usage(user_id)
-        usage = @usage[:user_id]
-
-        unless usage
-            usage = Hash.new
-
-            keys = VM_USAGE.keys + IMAGE_USAGE.keys
-            keys.each { |key|
-                usage[key] = 0
-            }
-
-            @usage[:user_id] = usage
-        end
-
-        usage
-    end
-
-    # Returns a an Array than contains the elements of the resource Pool
-    def get_pool(resource, user_id)
-        pool = case resource
-        when "VM"    then OpenNebula::VirtualMachinePool.new(@client, user_id)
-        when "IMAGE" then OpenNebula::ImagePool.new(@client, user_id)
-        end
-
-        rc = pool.info
-        return pool
-    end
-end
diff --git a/src/authm_mad/remotes/quota/quota.rb b/src/authm_mad/remotes/quota/quota.rb
deleted file mode 100644
index e46a7eb7f9..0000000000
--- a/src/authm_mad/remotes/quota/quota.rb
+++ /dev/null
@@ -1,155 +0,0 @@
-# -------------------------------------------------------------------------- #
-# Copyright 2002-2011, OpenNebula Project Leads (OpenNebula.org)             #
-#                                                                            #
-# Licensed under the Apache License, Version 2.0 (the "License"); you may    #
-# not use this file except in compliance with the License. You may obtain    #
-# a copy of the License at                                                   #
-#                                                                            #
-# http://www.apache.org/licenses/LICENSE-2.0                                 #
-#                                                                            #
-# Unless required by applicable law or agreed to in writing, software        #
-# distributed under the License is distributed on an "AS IS" BASIS,          #
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.   #
-# See the License for the specific language governing permissions and        #
-# limitations under the License.                                             #
-#--------------------------------------------------------------------------- #
-
-require 'one_usage'
-require 'sequel'
-require 'base64'
-
-# Quota functionality for auth driver. Stores in database limits for each
-# user and using OneUsage is able to retrieve resource usage from
-# OpenNebula daemon and check if it is below limits
-class Quota
-    attr_accessor :defaults
-
-    TABLE_NAME = :quotas
-
-    DB_QUOTA_SCHEMA = {
-        :cpu     => Float,
-        :memory  => Integer,
-        :num_vms => Integer,
-        :storage => Integer
-    }
-
-    CONF = {
-        :db => "sqlite:///tmp/onequota.db",
-        :defaults => {
-            :cpu     => nil,
-            :memory  => nil,
-            :num_vms => nil,
-            :storage => nil
-        }
-    }
-
-    # 'db' is a Sequel database where to store user limits and client
-    # is OpenNebula::Client used to connect to OpenNebula daemon
-    def initialize(conf={})
-        # TBD merge with the conf file
-        @conf=CONF
-
-        @defaults=@conf[:defaults]
-
-        @db=Sequel.connect(@conf[:db])
-
-        create_table
-        @table=@db[TABLE_NAME]
-
-        @one_usage=OneUsage.new
-    end
-
-    ###########################################################################
-    # DB handling
-    ###########################################################################
-
-    # Creates database quota table if it does not exist
-    def create_table
-        @db.create_table?(TABLE_NAME) do
-            Integer     :uid
-
-            DB_QUOTA_SCHEMA.each { |key,value|
-                column key, value
-            }
-
-            primary_key :uid
-            index       :uid
-        end
-    end
-
-    # Adds new user limits
-    def set(uid, quota={})
-        data=quota.delete_if{|key,value| !DB_QUOTA_SCHEMA.keys.include?(key)}
-
-        quotas=@table.filter(:uid => uid)
-
-        if quotas.first
-            quotas.update(data)
-        else
-            @table.insert(data.merge!(:uid => uid))
-        end
-    end
-
-    # Gets user limits
-    def get(uid)
-        limit=@table.filter(:uid => uid).first
-        if limit
-            limit
-        else
-            @conf[:defaults]
-        end
-    end
-
-
-    ###########################################################################
-    # Authorization
-    ###########################################################################
-
-    def check_request(user_id, request)
-        obj, template_or_id, op, owner, pub, acl_eval = request.split(':')
-
-        if acl_eval == 0
-            return "ACL evaluation denied"
-        end
-
-        # Check if this op needs to check the quota
-        return false unless with_quota?(obj, op)
-
-        # If the object is a template the info should be retrived from the
-        # VM pool.
-        obj = "VM" if obj == "TEMPLATE"
-        template = Base64::decode64(template_or_id)
-
-        check_quotas(user_id.to_i, obj, template)
-    end
-
-    def check_quotas(user_id, obj, template)
-        info  = @one_usage.get_resources(obj, template)
-        total = @one_usage.total(obj, user_id)
-        quota = get(user_id)
-
-        msg = ""
-        info.each { |quota_name, quota_requested|
-            spent = total[quota_name].to_i + quota_requested.to_i
-            if quota[quota_name] && spent > quota[quota_name].to_i
-                msg << " #{quota_name.to_s.upcase} quota exceeded "
-                msg << "(Quota: #{quota[quota_name].to_i}, "
-                msg << "Used: #{spent.to_i}, "
-                msg << "Asked: #{quota_requested.to_i})."
-            end
-        }
-
-        if msg==""
-            return false
-        else
-            return msg.strip
-        end
-    end
-
-    def with_quota?(obj, op)
-        return (obj == "VM"       && op == "CREATE") ||
-               (obj == "IMAGE"    && op == "CREATE") ||
-               (obj == "TEMPLATE" && op == "INSTANTIATE")
-    end
-end
-