B #2575: encode the EGID in the authentication token when a user (#2893)

* B #2575: encode the EGID in the authentication token when a user authenticates with a scoped user token * Update OpenNebulaCloudAuth.rb * Update OpenNebulaCloudAuth.rb
2025-03-16 22:50:10 +03:00 · 2019-02-05 15:32:17 +01:00 · 2019-02-05 15:32:17 +01:00 · a48d00d6eb
commit a48d00d6eb
parent c419db5664
5 changed files with 65 additions and 11 deletions
--- a/src/authm_mad/remotes/server_cipher/server_cipher_auth.rb
+++ b/src/authm_mad/remotes/server_cipher/server_cipher_auth.rb
@ -108,12 +108,15 @@ class OpenNebula::ServerCipherAuth
    end

    # auth method for auth_mad
-    def authenticate(srv_user,srv_pass, signed_text)
+    def authenticate(srv_user, srv_pass, signed_text)
        begin
            # truncate token to 32-bytes for Ruby >= 2.4
            @key = srv_pass[0..31]

-            s_user, t_user, expires = decrypt(signed_text).split(':')
+            token_array = decrypt(signed_text).split(':')
+
+            s_user  = token_array[0]
+            expires = token_array[-1]

            return "User name missmatch" if s_user != srv_user

--- a/src/authm_mad/remotes/server_x509/server_x509_auth.rb
+++ b/src/authm_mad/remotes/server_x509/server_x509_auth.rb
@ -87,7 +87,10 @@ class OpenNebula::ServerX509Auth < OpenNebula::X509Auth
    # auth method for auth_mad
    def authenticate(server_user, server_pass, signed_text)
        begin
-            s_user, t_user, expires = decrypt(signed_text).split(':')
+            token_array = decrypt(signed_text).split(':')
+
+            s_user  = token_array[0]
+            expires = token_array[-1]

            return "Server password missmatch" if server_pass != password

--- a/src/cloud/common/CloudAuth/OpenNebulaCloudAuth.rb
+++ b/src/cloud/common/CloudAuth/OpenNebulaCloudAuth.rb
@ -31,6 +31,7 @@ module OpenNebulaCloudAuth
    #
    def do_auth(env, params={})
        auth = Rack::Auth::Basic::Request.new(env)
+
        if auth.provided? && auth.basic?
            username, password = auth.credentials
            authenticated = false
@ -63,11 +64,14 @@ module OpenNebulaCloudAuth
                end

                username = parser.escape(username)
-                password = parser.escape(password)
-                client = OpenNebula::Client.new("#{username}:#{password}", @conf[:one_xmlrpc])
+                epassword = parser.escape(password)
+
+                client = OpenNebula::Client.new("#{username}:#{epassword}", @conf[:one_xmlrpc])
                user   = OpenNebula::User.new_with_id(OpenNebula::User::SELF, client)
+
                rc = user.info
            end
+
            if OpenNebula.is_error?(rc)
                if logger
                    logger.error{ "User #{username} could not be authenticated"}
@ -77,7 +81,14 @@ module OpenNebulaCloudAuth
                return nil
            end

-            return user.name
+            # Check if the user authenticated with a scoped token. In this case
+            # encode the EGID in the username as "user:egid"
+            egid = user["//LOGIN_TOKEN [ TOKEN = \"#{password}\" ]/EGID"]
+
+            auth_name = user.name
+            auth_name = "#{auth_name}:#{egid}" if egid
+
+            return auth_name
        end

        return nil
--- a/src/sunstone/sunstone-server.rb
+++ b/src/sunstone/sunstone-server.rb
@ -283,7 +283,7 @@ helpers do
            csrftoken_plain = Time.now.to_f.to_s + SecureRandom.base64
            session[:csrftoken] = Digest::MD5.hexdigest(csrftoken_plain)

-            group = OpenNebula::Group.new_with_id(user['GID'], client)
+            group = OpenNebula::Group.new_with_id(OpenNebula::Group::SELF, client)
            rc = group.info
            if OpenNebula.is_error?(rc)
                logger.error { rc.message }
--- a/src/um/UserPool.cc
+++ b/src/um/UserPool.cc
@ -871,16 +871,16 @@ auth_failure_driver:
    NebulaLog::log("AuM",Log::ERROR,oss);

    goto auth_failure;
-	
+
 auth_failure_token:
    NebulaLog::log("AuM", Log::ERROR, "Token has expired.");
    goto auth_failure;
-	
+
 auth_failure_nodriver:
    NebulaLog::log("AuM",Log::ERROR,
        "Auth Error: Authentication driver not enabled. "
        "Check AUTH_MAD in oned.conf");
-	
+
 auth_failure:
    user_id  = -1;
    group_id = -1;
@ -920,9 +920,15 @@ bool UserPool::authenticate_server(User *        user,

    string target_username;
    string second_token;
+    string egid;
+
+    istringstream iss;
+
+    int egid_i = -1;

    Nebula& nd         = Nebula::instance();
    AuthManager* authm = nd.get_authm();
+    GroupPool* gpool   = nd.get_gpool();

    server_username = user->name;
    server_password = user->password;
@ -934,13 +940,34 @@ bool UserPool::authenticate_server(User *        user,
    user->unlock();

    // token = target_username:second_token
-    int rc = User::split_secret(token,target_username,second_token);
+    int rc = User::split_secret(token, target_username, second_token);

    if ( rc != 0 )
    {
        goto wrong_server_token;
    }

+    // Look for a EGID in the user token. The second token can be:
+    // second_token = egid:server_admin_auth
+    // second_token = server_admin_auth
+    rc = User::split_secret(second_token, egid, second_token);
+
+    if ( rc == -1 ) //No EGID found
+    {
+        egid_i = -1;
+    }
+    else
+    {
+        iss.str(egid);
+
+        iss >> egid_i;
+
+        if (iss.fail() || !iss.eof())
+        {
+            goto wrong_server_token;
+        }
+    }
+
    user = get_ro(target_username);

    if ( user == 0 )
@ -964,6 +991,16 @@ bool UserPool::authenticate_server(User *        user,

    user->unlock();

+    //server_admin token set a EGID, update auth info
+    if ( egid_i != - 1 )
+    {
+        group_id = egid_i;
+        gname    = gpool->get_name(egid_i);
+
+        group_ids.clear();
+        group_ids.insert(egid_i);
+    }
+
    if (result)
    {
        return true;