Merge branch 'feature-754' of git.opennebula.org:one into feature-754

2025-03-21 14:50:08 +03:00 · 2011-08-30 13:02:52 +02:00 · 2011-08-30 13:02:52 +02:00 · 961ff912df
commit 961ff912df
parent 719b509d05 aaddf58d96
4 changed files with 30 additions and 33 deletions
--- a/src/authm_mad/remotes/server/server_auth.rb
+++ b/src/authm_mad/remotes/server/server_auth.rb
@ -75,7 +75,7 @@ class ServerAuth < X509Auth
        token_txt = "#{user}:#{user_pass}:#{expires}"

        token     = encrypt(token_txt)
-	    token64   = Base64::encode64(token).strip.delete("\n")
+	token64   = Base64::encode64(token).strip.delete("\n")

        login_out = "#{user}:server:#{token64}"
        
@ -88,20 +88,18 @@ class ServerAuth < X509Auth
    # auth method for auth_mad
    def authenticate(user, pass, signed_text)
        begin            
-	        # Decryption demonstrates that the user posessed the private key.
+	    # Decryption demonstrates that the user posessed the private key.
            _user, user_pass, expires = decrypt(signed_text).split(':')

            return "User name missmatch" if user != _user

            return "login token expired" if Time.now.to_i >= expires.to_i

-            # Check an explicitly-specified DN such as for a host-signed login 
+            # Check that the signed password matches one for the user.
            if !pass.split('|').include?(user_pass)
-	            return "User password missmatch"
+	        return "User password missmatch"
            end

-	        validate
-
            return true
        rescue => e
            return e.message
--- a/src/authm_mad/remotes/x509/x509_auth.rb
+++ b/src/authm_mad/remotes/x509/x509_auth.rb
@ -55,7 +55,7 @@ class X509Auth

    # Creates the login file for x509 authentication at ~/.one/one_x509.
    # By default it is valid as long as the certificate is valid. It can 
-    # be change to any number of seconds with expire parameter (sec.)
+    # be changed to any number of seconds with expire parameter (sec.)
    def login(user, expire=0)
        write_login(login_token(user,expire))
    end
@ -95,23 +95,23 @@ class X509Auth
    # auth method for auth_mad
    def authenticate(user, pass, signed_text)
        begin            
-	        # Decryption demonstrates that the user posessed the private key.
+	    # Decryption demonstrates that the user posessed the private key.
            _user, expires = decrypt(signed_text).split(':')

            return "User name missmatch" if user != _user

            return "x509 proxy expired"  if Time.now.to_i >= expires.to_i

-	        # Some DN in the chain must match a DN in the password	    
-	        dn_ok = @cert_chain.each do |cert|
+	    # Some DN in the chain must match a DN in the password	    
+	    dn_ok = @cert_chain.each do |cert|
                break true if pass.split('|').include?(cert.subject.to_s.delete("\s"))
            end
 	    
-	        unless dn_ok == true
-	            return "Certificate subject missmatch"
+	    unless dn_ok == true
+	        return "Certificate subject missmatch"
            end
 	    
-	        validate
+	    validate

            return true
        rescue => e
@ -156,10 +156,10 @@ private
    # Validate the user certificate
    ###########################################################################
    def validate
- 	    now    = Time.now
+ 	now    = Time.now
        failed = "Could not validate user credentials: "

-        # Check start time and end time of certificate
+        # Check start time and end time of certificates
        @cert_chain.each do |cert|		
            if cert.not_before > now || cert.not_after < now
                raise failed +  "Certificate not valid. Current time is " + 
@ -168,10 +168,10 @@ private
        end 

        begin
-	        # Validate the proxy certifcates
+	    # Validate the proxy certifcates
            signee = @cert_chain[0]

-	        @cert_chain[1..-1].each do |cert|
+	    @cert_chain[1..-1].each do |cert|
                if !((signee.issuer.to_s == cert.subject.to_s) &&
                     (signee.verify(cert.public_key)))
                    raise  failed + signee.subject.to_s + " with issuer " +
--- a/src/cli/oneuser
+++ b/src/cli/oneuser
@ -189,9 +189,21 @@ cmd=CommandParser::CmdParser.new(ARGV) do
        Changes the given User's password
    EOT

-    command :passwd, passwd_desc, :userid, :password do
+    command :passwd, passwd_desc, :userid, :password,
+            :options=>create_options do
+        if options[:ssh] or options[:x509]
+            rc = helper.password(options)
+            if rc.first == 0
+                pass = rc[1]
+            else
+                exit_with_code *rc
+            end
+        else
+            pass = args[1]
+        end
+
        helper.perform_action(args[0],options,"Password changed") do |user|
-            user.passwd(args[1])
+            user.passwd(pass)
        end
    end

--- a/src/um/UserPool.cc
+++ b/src/um/UserPool.cc
@ -253,20 +253,7 @@ bool UserPool::authenticate(const string& session,

    ar.add_authenticate(username,u_pass,secret);

-    if ( uid == 0 ) //oneadmin
-    {
-        if (ar.plain_authenticate())
-        {
-            user_id  = uid;
-            group_id = gid;
-
-            uname = tuname;
-            gname = tgname;
-
-            result   = true;
-        }
-    }
-    else if (authm == 0) //plain auth
+    if (authm == 0) //plain auth
    {
        if ( user != 0 && ar.plain_authenticate()) //no plain for external users
        {