From ea51d0b9b90bdf05fa1875d39b3eaeb4c1ec41f4 Mon Sep 17 00:00:00 2001 From: Ted Date: Fri, 26 Aug 2011 11:25:39 -0500 Subject: [PATCH 1/5] Remove validate call, as admin-installed host certs are assumed trustworthy. (cherry picked from commit 6904317c68da51aa3df3be9ee98aa8a8478fc59d) --- src/authm_mad/remotes/server/server_auth.rb | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/src/authm_mad/remotes/server/server_auth.rb b/src/authm_mad/remotes/server/server_auth.rb index 441d2905e9..5fccf4eda5 100644 --- a/src/authm_mad/remotes/server/server_auth.rb +++ b/src/authm_mad/remotes/server/server_auth.rb @@ -75,7 +75,7 @@ class ServerAuth < X509Auth token_txt = "#{user}:#{user_pass}:#{expires}" token = encrypt(token_txt) - token64 = Base64::encode64(token).strip.delete("\n") + token64 = Base64::encode64(token).strip.delete("\n") login_out = "#{user}:server:#{token64}" @@ -88,20 +88,18 @@ class ServerAuth < X509Auth # auth method for auth_mad def authenticate(user, pass, signed_text) begin - # Decryption demonstrates that the user posessed the private key. + # Decryption demonstrates that the user posessed the private key. _user, user_pass, expires = decrypt(signed_text).split(':') return "User name missmatch" if user != _user return "login token expired" if Time.now.to_i >= expires.to_i - # Check an explicitly-specified DN such as for a host-signed login + # Check that the signed password matches one for the user. if !pass.split('|').include?(user_pass) - return "User password missmatch" + return "User password missmatch" end - validate - return true rescue => e return e.message From ac1338c737a99af573ce8ab3eb41ec9f72ed1eeb Mon Sep 17 00:00:00 2001 
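Review bot: With the `validate` call removed at the end of `authenticate`, nothing left in this method checks the validity period, issuer chain or CA trust of the certificate whose key decrypts `signed_text`; the binding to an admin-installed certificate now rests entirely on how `decrypt` obtains that certificate, which is outside the hunk. If that certificate were ever taken from client-supplied login data rather than the server's own configuration, possession of any matching private key would pass this check, so the assumption deserves to be recorded where the call used to be, e.g. `# validate is intentionally not called: the server certificate is admin-installed and trusted as-is; expiry is enforced only by the token's 'expires' field.` The retained comment also keeps the typo `posessed` (should be `possessed`), and the error strings still read `missmatch`. The method's `end` lies past the end of the hunk.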
From: Ted Date: Fri, 26 Aug 2011 11:28:13 -0500 Subject: [PATCH 2/5] Raise exception if there is no ca_dir. Fix indentations. (cherry picked from commit ecbde5f8798168d58520ec30a6cecb46d97ef671) --- src/authm_mad/remotes/x509/x509_auth.rb | 26 ++++++++++++------------- 1 file changed, 13 insertions(+), 13 deletions(-) diff --git a/src/authm_mad/remotes/x509/x509_auth.rb b/src/authm_mad/remotes/x509/x509_auth.rb index 4fba744a26..c6906ec920 100644 --- a/src/authm_mad/remotes/x509/x509_auth.rb +++ b/src/authm_mad/remotes/x509/x509_auth.rb @@ -55,7 +55,7 @@ class X509Auth # Creates the login file for x509 authentication at ~/.one/one_x509. # By default it is valid as long as the certificate is valid. It can - # be change to any number of seconds with expire parameter (sec.) + # be changed to any number of seconds with expire parameter (sec.) def login(user, expire=0) write_login(login_token(user,expire)) end @@ -95,23 +95,23 @@ class X509Auth # auth method for auth_mad def authenticate(user, pass, signed_text) begin - # Decryption demonstrates that the user posessed the private key. + # Decryption demonstrates that the user posessed the private key. _user, expires = decrypt(signed_text).split(':') return "User name missmatch" if user != _user return "x509 proxy expired" if Time.now.to_i >= expires.to_i - # Some DN in the chain must match a DN in the password - dn_ok = @cert_chain.each do |cert| + # Some DN in the chain must match a DN in the password + dn_ok = @cert_chain.each do |cert| break true if pass.split('|').include?(cert.subject.to_s.delete("\s")) end - unless dn_ok == true - return "Certificate subject missmatch" + unless dn_ok == true + return "Certificate subject missmatch" end - validate + validate return true rescue => e 
@@ -156,10 +156,10 @@ private # Validate the user certificate ########################################################################### def validate - now = Time.now + now = Time.now failed = "Could not validate user credentials: " - # Check start time and end time of certificate + # Check start time and end time of certificates @cert_chain.each do |cert| if cert.not_before > now || cert.not_after < now raise failed + "Certificate not valid. Current time is " + @@ -168,10 +168,10 @@ private end begin - # Validate the proxy certifcates + # Validate the proxy certifcates signee = @cert_chain[0] - @cert_chain[1..-1].each do |cert| + @cert_chain[1..-1].each do |cert| if !((signee.issuer.to_s == cert.subject.to_s) && (signee.verify(cert.public_key))) raise failed + signee.subject.to_s + " with issuer " + @@ -182,8 +182,8 @@ private end # Validate the End Entity certificate - if !@options[:ca_dir] - return + if !@options[:ca_dir] + raise failed + "No certifcate authority directory was specified." end begin From daab17b4e0524bf21a114f309518eb1616730a78 Mon Sep 17 00:00:00 2001 From: "Ruben S. Montero" Date: Tue, 30 Aug 2011 00:22:51 +0200 Subject: [PATCH 3/5] feature #754: If CA path is not defined, CAs will not be checked instead of raising an exception --- src/authm_mad/remotes/x509/x509_auth.rb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/authm_mad/remotes/x509/x509_auth.rb b/src/authm_mad/remotes/x509/x509_auth.rb index c6906ec920..48fe58193f 100644 --- a/src/authm_mad/remotes/x509/x509_auth.rb +++ b/src/authm_mad/remotes/x509/x509_auth.rb @@ -182,8 +182,8 @@ private end # Validate the End Entity certificate - if !@options[:ca_dir] - raise failed + "No certifcate authority directory was specified." + if !@options[:ca_dir] + return end begin From 02bd5ec4efeda92b90d1a61adefa6e1fb4ffc93e Mon Sep 17 00:00:00 2001 
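Review bot: Reverting to a bare `return` when `@options[:ca_dir]` is unset makes `validate` succeed without checking the end-entity certificate against any trust anchor, so the date check and the signee/issuer chain check earlier in this method are the only verification left and, as far as this file shows, a self-signed chain whose subject DN matches the stored password would be accepted by `authenticate`. The commit message frames this as intentional (feature #754), but the code gives no hint of it at the call site; I would make the weakened guarantee explicit, e.g. `# No CA directory configured: the end-entity certificate's issuer is NOT verified here; only the DN match in authenticate and the validity dates above protect this login.` If the driver has a logging facility, a one-time warning when `:ca_dir` is missing would also help operators notice the degraded mode. The remainder of `validate`, including the CA lookup in the following `begin` block, continues outside the hunk.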
From: Ted Date: Mon, 29 Aug 2011 16:32:04 -0500 Subject: [PATCH 4/5] Remove restriction for plain auth for oneadmin. (cherry picked from commit ff05d07af0231ae4a2e8a0915973c05f9b533409) --- src/um/UserPool.cc | 17 +++-------------- 1 file changed, 3 insertions(+), 14 deletions(-) diff --git a/src/um/UserPool.cc b/src/um/UserPool.cc index 746e898346..2ab1618f42 100644 --- a/src/um/UserPool.cc +++ b/src/um/UserPool.cc @@ -250,23 +250,12 @@ bool UserPool::authenticate(const string& session, } AuthRequest ar(uid, gid); + + NebulaLog::log("UserPool",Log::ERROR, "Authenticating " + username); ar.add_authenticate(username,u_pass,secret); - if ( uid == 0 ) //oneadmin - { - if (ar.plain_authenticate()) - { - user_id = uid; - group_id = gid; - - uname = tuname; - gname = tgname; - - result = true; - } - } - else if (authm == 0) //plain auth + if (authm == 0) //plain auth { if ( user != 0 && ar.plain_authenticate()) //no plain for external users { From 5e67ef24b975e5110ef646709ca322731a0f7fdb Mon Sep 17 00:00:00 2001 From: "Ruben S. Montero" Date: Tue, 30 Aug 2011 01:00:45 +0200 Subject: [PATCH 5/5] feature #754: Removed comment --- src/um/UserPool.cc | 2 -- 1 file changed, 2 deletions(-) diff --git a/src/um/UserPool.cc b/src/um/UserPool.cc index 2ab1618f42..60933f7a45 100644 --- a/src/um/UserPool.cc +++ b/src/um/UserPool.cc @@ -250,8 +250,6 @@ bool UserPool::authenticate(const string& session, } AuthRequest ar(uid, gid); - - NebulaLog::log("UserPool",Log::ERROR, "Authenticating " + username); ar.add_authenticate(username,u_pass,secret);
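Review bot: Dropping the `uid == 0` branch means oneadmin now follows the configured driver like every other user: with `authm == 0` it still uses `plain_authenticate`, but otherwise it falls through to what is presumably the external-driver path continuing outside the hunk, so a broken or unreachable auth driver can lock out the administrative account that would be needed to repair it. That may well be the intent, but it is a recovery-path trade-off worth stating at the branch, e.g. `// oneadmin (uid 0) is no longer forced to plain auth; an unavailable external driver also blocks the admin account`. The guard `user != 0 && ar.plain_authenticate()` is unchanged and still protects the plain path. `UserPool::authenticate` begins and ends outside the hunk.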