diff --git a/src/authm_mad/remotes/server/server_auth.rb b/src/authm_mad/remotes/server/server_auth.rb index 441d2905e9..5fccf4eda5 100644 --- a/src/authm_mad/remotes/server/server_auth.rb +++ b/src/authm_mad/remotes/server/server_auth.rb @@ -75,7 +75,7 @@ class ServerAuth < X509Auth token_txt = "#{user}:#{user_pass}:#{expires}" token = encrypt(token_txt) - token64 = Base64::encode64(token).strip.delete("\n") + token64 = Base64::encode64(token).strip.delete("\n") login_out = "#{user}:server:#{token64}" @@ -88,20 +88,18 @@ class ServerAuth < X509Auth # auth method for auth_mad def authenticate(user, pass, signed_text) begin - # Decryption demonstrates that the user posessed the private key. + # Decryption demonstrates that the user posessed the private key. _user, user_pass, expires = decrypt(signed_text).split(':') return "User name missmatch" if user != _user return "login token expired" if Time.now.to_i >= expires.to_i - # Check an explicitly-specified DN such as for a host-signed login + # Check that the signed password matches one for the user. if !pass.split('|').include?(user_pass) - return "User password missmatch" + return "User password missmatch" end - validate - return true rescue => e return e.message diff --git a/src/authm_mad/remotes/x509/x509_auth.rb b/src/authm_mad/remotes/x509/x509_auth.rb index 4fba744a26..48fe58193f 100644 --- a/src/authm_mad/remotes/x509/x509_auth.rb +++ b/src/authm_mad/remotes/x509/x509_auth.rb @@ -55,7 +55,7 @@ class X509Auth # Creates the login file for x509 authentication at ~/.one/one_x509. # By default it is valid as long as the certificate is valid. It can - # be change to any number of seconds with expire parameter (sec.) + # be changed to any number of seconds with expire parameter (sec.) def login(user, expire=0) write_login(login_token(user,expire)) end 
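Review bot: With `validate` removed from `ServerAuth#authenticate`, nothing left in this method checks that the certificate whose key decrypts `signed_text` is still inside its `not_before`/`not_after` window or that its chain is correctly signed; only the token's own `expires` field is still compared against `Time.now`. If that is intended because the server certificate is a locally configured signer rather than a user-supplied proxy, the method should say so, e.g. `# No chain validation here: the server certificate is the locally configured signer, so only the token's own expiry is enforced.`; otherwise the date check from `validate` (or a cheaper equivalent on the signing certificate) should stay. Note also that `split(':')` on the decrypted text silently mis-parses a `user_pass` containing ':' (the token at line 75 is built with ':' separators), which fails closed via the expiry/password checks but is worth a comment. Whether `decrypt` depends on `@cert_chain` is inferred from the `X509Auth` parent, and the method's closing `end` lies outside this hunk.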
@@ -95,23 +95,23 @@ class X509Auth # auth method for auth_mad def authenticate(user, pass, signed_text) begin - # Decryption demonstrates that the user posessed the private key. + # Decryption demonstrates that the user posessed the private key. _user, expires = decrypt(signed_text).split(':') return "User name missmatch" if user != _user return "x509 proxy expired" if Time.now.to_i >= expires.to_i - # Some DN in the chain must match a DN in the password - dn_ok = @cert_chain.each do |cert| + # Some DN in the chain must match a DN in the password + dn_ok = @cert_chain.each do |cert| break true if pass.split('|').include?(cert.subject.to_s.delete("\s")) end - unless dn_ok == true - return "Certificate subject missmatch" + unless dn_ok == true + return "Certificate subject missmatch" end - validate + validate return true rescue => e @@ -156,10 +156,10 @@ private # Validate the user certificate ########################################################################### def validate - now = Time.now + now = Time.now failed = "Could not validate user credentials: " - # Check start time and end time of certificate + # Check start time and end time of certificates @cert_chain.each do |cert| if cert.not_before > now || cert.not_after < now raise failed + "Certificate not valid. Current time is " + @@ -168,10 +168,10 @@ private end begin - # Validate the proxy certifcates + # Validate the proxy certifcates signee = @cert_chain[0] - @cert_chain[1..-1].each do |cert| + @cert_chain[1..-1].each do |cert| if !((signee.issuer.to_s == cert.subject.to_s) && (signee.verify(cert.public_key))) raise failed + signee.subject.to_s + " with issuer " + diff --git a/src/um/UserPool.cc b/src/um/UserPool.cc index 746e898346..60933f7a45 100644 --- a/src/um/UserPool.cc +++ b/src/um/UserPool.cc 
@@ -253,20 +253,7 @@ bool UserPool::authenticate(const string& session, ar.add_authenticate(username,u_pass,secret); - if ( uid == 0 ) //oneadmin - { - if (ar.plain_authenticate()) - { - user_id = uid; - group_id = gid; - - uname = tuname; - gname = tgname; - - result = true; - } - } - else if (authm == 0) //plain auth + if (authm == 0) //plain auth { if ( user != 0 && ar.plain_authenticate()) //no plain for external users {
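Review bot: Removing the `uid == 0` shortcut means oneadmin now takes the same `authm` dispatch as every other user, so an oneadmin account whose driver is not plain (`authm != 0`) will be sent to the external path instead of always being checked locally; that is a behavior change in the privileged account's login and deserves an explicit comment on the remaining branch, e.g. `// oneadmin (uid 0) is no longer special-cased: it authenticates through its configured driver like any other user`. The removed branch also assigned `user_id`, `group_id`, `uname` and `gname` and set `result`; the plain branch presumably does the same in the lines that follow, but they are outside the hunk, so please confirm nothing later in `UserPool::authenticate` still relies on the `uid == 0` exemption. The function starts before and ends after this hunk.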