diff --git a/src/authm_mad/remotes/server_cipher/server_cipher_auth.rb b/src/authm_mad/remotes/server_cipher/server_cipher_auth.rb
index ff07f453c0..c3dc0c78c1 100644
--- a/src/authm_mad/remotes/server_cipher/server_cipher_auth.rb
+++ b/src/authm_mad/remotes/server_cipher/server_cipher_auth.rb
@@ -108,12 +108,15 @@ class OpenNebula::ServerCipherAuth
 end
 # auth method for auth_mad
- def authenticate(srv_user,srv_pass, signed_text)
+ def authenticate(srv_user, srv_pass, signed_text)
 begin
 # truncate token to 32-bytes for Ruby >= 2.4
 @key = srv_pass[0..31]
- s_user, t_user, expires = decrypt(signed_text).split(':')
+ token_array = decrypt(signed_text).split(':')
+
+ s_user = token_array[0]
+ expires = token_array[-1]
 return "User name missmatch" if s_user != srv_user
diff --git a/src/authm_mad/remotes/server_x509/server_x509_auth.rb b/src/authm_mad/remotes/server_x509/server_x509_auth.rb
index 66e5048d19..43763b6843 100644
--- a/src/authm_mad/remotes/server_x509/server_x509_auth.rb
+++ b/src/authm_mad/remotes/server_x509/server_x509_auth.rb
@@ -87,7 +87,10 @@ class OpenNebula::ServerX509Auth < OpenNebula::X509Auth
 # auth method for auth_mad
 def authenticate(server_user, server_pass, signed_text)
 begin
- s_user, t_user, expires = decrypt(signed_text).split(':')
+ token_array = decrypt(signed_text).split(':')
+
+ s_user = token_array[0]
+ expires = token_array[-1]
 return "Server password missmatch" if server_pass != password
diff --git a/src/cloud/common/CloudAuth/OpenNebulaCloudAuth.rb b/src/cloud/common/CloudAuth/OpenNebulaCloudAuth.rb
index 92433c44eb..0fd5114a0e 100644
--- a/src/cloud/common/CloudAuth/OpenNebulaCloudAuth.rb
+++ b/src/cloud/common/CloudAuth/OpenNebulaCloudAuth.rb
@@ -31,6 +31,7 @@ module OpenNebulaCloudAuth
 #
 def do_auth(env, params={})
 auth = Rack::Auth::Basic::Request.new(env)
+
 if auth.provided? && auth.basic?
 username, password = auth.credentials
 authenticated = false
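Review bot: `s_user = token_array[0]` and `expires = token_array[-1]` accept a decrypted token with any number of fields, so a text without a ':' makes `expires` equal to `s_user`, and the middle field(s) are dropped without the expected layout being stated anywhere; the server_x509_auth.rb hunk has the same pattern. A minimum-field check would make the parse explicit, `return "Invalid token" if token_array.size < 3`, and a comment above the split naming the layout would help, e.g. `# token = server_user:target_user[:egid]:expires, only the first and last fields are used here` — the optional egid field is inferred from the UserPool.cc hunk in this commit, confirm before documenting it. The body of authenticate continues past the hunk, so the expires comparison that consumes `expires` is outside it.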
@@ -63,11 +64,14 @@ module OpenNebulaCloudAuth
 end
 username = parser.escape(username)
- password = parser.escape(password)
- client = OpenNebula::Client.new("#{username}:#{password}", @conf[:one_xmlrpc])
+ epassword = parser.escape(password)
+
+ client = OpenNebula::Client.new("#{username}:#{epassword}", @conf[:one_xmlrpc])
 user = OpenNebula::User.new_with_id(OpenNebula::User::SELF, client)
+
 rc = user.info
 end
+
 if OpenNebula.is_error?(rc)
 if logger
 logger.error{ "User #{username} could not be authenticated"}
@@ -77,7 +81,14 @@ module OpenNebulaCloudAuth
 return nil
 end
- return user.name
+ # Check if the user authenticated with a scoped token. In this case
+ # encode the EGID in the username as "user:egid"
+ egid = user["//LOGIN_TOKEN [ TOKEN = \"#{password}\" ]/EGID"]
+
+ auth_name = user.name
+ auth_name = "#{auth_name}:#{egid}" if egid
+
+ return auth_name
 end
 return nil
diff --git a/src/sunstone/sunstone-server.rb b/src/sunstone/sunstone-server.rb
index d8ecd1a328..bbc07edbcc 100755
--- a/src/sunstone/sunstone-server.rb
+++ b/src/sunstone/sunstone-server.rb
@@ -283,7 +283,7 @@ helpers do
 csrftoken_plain = Time.now.to_f.to_s + SecureRandom.base64
 session[:csrftoken] = Digest::MD5.hexdigest(csrftoken_plain)
- group = OpenNebula::Group.new_with_id(user['GID'], client)
+ group = OpenNebula::Group.new_with_id(OpenNebula::Group::SELF, client)
 rc = group.info
 if OpenNebula.is_error?(rc)
 logger.error { rc.message }
diff --git a/src/um/UserPool.cc b/src/um/UserPool.cc
index e35862b398..960efc5b28 100644
--- a/src/um/UserPool.cc
+++ b/src/um/UserPool.cc
@@ -871,16 +871,16 @@ auth_failure_driver:
 NebulaLog::log("AuM",Log::ERROR,oss);
 goto auth_failure;
-
+
 auth_failure_token:
 NebulaLog::log("AuM", Log::ERROR, "Token has expired.");
 goto auth_failure;
-
+
 auth_failure_nodriver:
 NebulaLog::log("AuM",Log::ERROR, "Auth Error: Authentication driver not enabled. " "Check AUTH_MAD in oned.conf");
-
+
 auth_failure:
 user_id = -1;
 group_id = -1;
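Review bot: the raw Basic-auth password is interpolated into an XPath expression in `egid = user["//LOGIN_TOKEN [ TOKEN = \"#{password}\" ]/EGID"]`; XPath 1.0 string literals have no escape sequence, so a password containing a double quote terminates the literal early and breaks the query, which for a user who just authenticated correctly means a lookup error or a lost EGID. The -63 hunk deliberately keeps `password` unescaped for this use, so the safer form is to walk the LOGIN_TOKEN elements and compare the token value in Ruby, as below (the `each` XPath helper on the XML element wrapper is assumed here — confirm the helper name). The rest of do_auth is outside the hunk.
```ruby
# Check if the user authenticated with a scoped token. In this case
# encode the EGID in the username as "user:egid". The token value is
# compared in Ruby and never interpolated into an XPath expression.
egid = nil
user.each('LOGIN_TOKEN') do |token|
  egid = token['EGID'] if token['TOKEN'] == password
end
# … unchanged: auth_name construction and return …
```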
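Review bot: the switch from `user['GID']` to `OpenNebula::Group::SELF` in `group = OpenNebula::Group.new_with_id(OpenNebula::Group::SELF, client)` is not explained in code, so a reader will not know why the user's primary GID is no longer queried; presumably it is so that a session opened with a scoped login token resolves to that token's effective group rather than the primary one — confirm. A one-line comment above the call would capture it: `# SELF resolves to the effective group of this session (the EGID of a scoped token), not the user's primary GID`. The enclosing helper starts before and ends after the hunk.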
@@ -920,9 +920,15 @@ bool UserPool::authenticate_server(User * user,
 string target_username;
 string second_token;
+ string egid;
+
+ istringstream iss;
+
+ int egid_i = -1;
 Nebula& nd = Nebula::instance();
 AuthManager* authm = nd.get_authm();
+ GroupPool* gpool = nd.get_gpool();
 server_username = user->name;
 server_password = user->password;
@@ -934,13 +940,34 @@ bool UserPool::authenticate_server(User * user,
 user->unlock();
 // token = target_username:second_token
- int rc = User::split_secret(token,target_username,second_token);
+ int rc = User::split_secret(token, target_username, second_token);
 if ( rc != 0 )
 {
 goto wrong_server_token;
 }
+ // Look for a EGID in the user token. The second token can be:
+ // second_token = egid:server_admin_auth
+ // second_token = server_admin_auth
+ rc = User::split_secret(second_token, egid, second_token);
+
+ if ( rc == -1 ) //No EGID found
+ {
+ egid_i = -1;
+ }
+ else
+ {
+ iss.str(egid);
+
+ iss >> egid_i;
+
+ if (iss.fail() || !iss.eof())
+ {
+ goto wrong_server_token;
+ }
+ }
+
 user = get_ro(target_username);
 if ( user == 0 )
@@ -964,6 +991,16 @@ bool UserPool::authenticate_server(User * user,
 user->unlock();
+ //server_admin token set a EGID, update auth info
+ if ( egid_i != - 1 )
+ {
+ group_id = egid_i;
+ gname = gpool->get_name(egid_i);
+
+ group_ids.clear();
+ group_ids.insert(egid_i);
+ }
+
 if (result)
 {
 return true;
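Review bot: the EGID parse guarded by `if (iss.fail() || !iss.eof())` accepts any integer, so a second token starting with a negative number other than -1 passes and is later assigned straight to the session's group (`group_id = egid_i; gname = gpool->get_name(egid_i);` in the following hunk) with no check that such a group exists; the guard should at least be `if (iss.fail() || !iss.eof() || egid_i < 0)`, and the consumer should treat an empty `gname` as a bad token. `rc = User::split_secret(second_token, egid, second_token);` also passes `second_token` as both the input and an output argument; if split_secret assigns its outputs before it has finished reading the secret, that aliasing corrupts the parse — confirm against its implementation or parse into a temporary first. Because `egid_i` is only ever compared with -1, an explicit "-1" field is indistinguishable from no EGID at all, which the `//No EGID found` comment does not mention. authenticate_server starts before and ends after this hunk.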