bug #847: Update server_x509_auth to the new token system

src/authm_mad/remotes/server_x509/server_x509_auth.rb

@@ -21,7 +21,7 @@ require 'fileutils'
 require 'x509_auth'
 
 # Server authentication class. This authmethod can be used by opennebula services
-# to let access authenticated users by other means. It is based on x509 server 
+# to let access authenticated users by other means. It is based on x509 server
 # certificates
 class ServerX509Auth < X509Auth
     ###########################################################################
@@ -39,7 +39,7 @@ class ServerX509Auth < X509Auth
 
     def initialize()
         @options = SERVER_DEFAULTS
-       
+
         load_options(SERVER_AUTH_CONF_PATH)
 
         begin
@@ -52,7 +52,7 @@ class ServerX509Auth < X509Auth
         end
 
         if @options[:srv_user] == nil || @options[:srv_user].empty?
-           raise "User for x509 server not defined"  
+           raise "User for x509 server not defined"
         end
     end
 
@@ -61,10 +61,10 @@ class ServerX509Auth < X509Auth
     ###########################################################################
 
     # Creates a ServerCipher for client usage
-    alias :new_client :new
+    alias :new_client :initialize
 
     # Generates a login token in the form:
-    #   - server_user:target_user:time_expires 
+    #   - server_user:target_user:time_expires
     def login_token(expire, target_user=nil)
         target_user ||= @options[:srv_user]
         token_txt   =   "#{@options[:srv_user]}:#{target_user}:#{expire}"
@@ -78,20 +78,20 @@ class ServerX509Auth < X509Auth
     ###########################################################################
     # Server side
     ###########################################################################
-    
+
     # Creates a ServerCipher for driver usage
-    alias :new_driver :new
+    alias :new_driver :initialize
 
     # auth method for auth_mad
     def authenticate(server_user, server_pass, signed_text)
-        begin           
+        begin
             s_user, t_user, expires = decrypt(signed_text).split(':')
-   
+
             return "Server password missmatch" if server_pass != password
 
-            return "User name missmatch" if ( s_user != server_user || 
+            return "User name missmatch" if ( s_user != server_user ||
                                               s_user != @options[:srv_user] )
-           
+
             return "login token expired" if Time.now.to_i >= expires.to_i
 
             return true

src/cli/oneuser

@@ -153,9 +153,9 @@ cmd=CommandParser::CmdParser.new(ARGV) do
         Examples:
           oneuser create my_user my_password
           oneuser create my_user -r /tmp/mypass
-          oneuser create my_user --ssh --key /tmp/id_rsa -d ssh
-          oneuser create my_user --ssh -r /tmp/public_key -d ssh
-          oneuser create my_user --x509 --cert /tmp/my_cert.pem -d x509
+          oneuser create my_user --ssh --key /tmp/id_rsa
+          oneuser create my_user --ssh -r /tmp/public_key
+          oneuser create my_user --x509 --cert /tmp/my_cert.pem
     EOT
 
     command :create, create_desc, :username, [:password, nil],

src/cloud/common/CloudAuth/X509CloudAuth.rb

@@ -19,7 +19,8 @@ module X509CloudAuth
     # password:: _String_ the password
     # [return] _Hash_ with the username
     def get_username(password)
-        @oneadmin_client ||= OpenNebula::Client.new(nil, @conf[:one_xmlrpc])
+        token = @server_auth.login_token(expiration_time)
+        @oneadmin_client ||= OpenNebula::Client.new(token, @conf[:one_xmlrpc])
 
         if @user_pool.nil?
             @user_pool ||= OpenNebula::UserPool.new(@oneadmin_client)
@@ -32,7 +33,7 @@ module X509CloudAuth
 
         username = @user_pool["USER[PASSWORD=\"#{password}\"]/NAME"]
         return username if (username != nil)
-     
+
         # Check if the DN is part of a |-separted multi-DN password
         user_elts = Array.new
         @user_pool.each {|e| user_elts << e['PASSWORD']}
@@ -98,11 +99,6 @@ module X509CloudAuth
             raise msg
         end
 
-        auth = ServerX509Auth.new
-
-        @token = auth.login_token(username, subjectname, 300)
-        @client = Client.new(@token, @conf[:one_xmlrpc])
-
-        return nil
+        return username
     end
 end

src/sunstone/sunstone-server.rb

@@ -25,16 +25,15 @@ if !ONE_LOCATION
     RUBY_LIB_LOCATION = "/usr/lib/one/ruby"
     CONFIGURATION_FILE = "/etc/one/sunstone-server.conf"
     PLUGIN_CONFIGURATION_FILE = "/etc/one/sunstone-plugins.yaml"
-    SUNSTONE_AUTH = "/etc/one/auth/sunstone_auth"
 else
     VAR_LOCATION = ONE_LOCATION+"/var"
     LOG_LOCATION = ONE_LOCATION+"/var"
     RUBY_LIB_LOCATION = ONE_LOCATION+"/lib/ruby"
     CONFIGURATION_FILE = ONE_LOCATION+"/etc/sunstone-server.conf"
     PLUGIN_CONFIGURATION_FILE = ONE_LOCATION+"/etc/sunstone-plugins.yaml"
-    SUNSTONE_AUTH = ONE_LOCATION + "/etc/auth/sunstone_auth"
 end
 
+SUNSTONE_AUTH = VAR_LOCATION + "/sunstone_auth"
 SUNSTONE_ROOT_DIR = File.dirname(__FILE__)
 
 $: << RUBY_LIB_LOCATION
@@ -68,12 +67,12 @@ set :config, conf
 set :host, settings.config[:host]
 set :port, settings.config[:port]
 
-begin    
+begin
     ENV["ONE_CIPHER_AUTH"] = SUNSTONE_AUTH
     cloud_auth = CloudAuth.new(settings.config)
 rescue => e
     puts "Error initializing authentication system"
-    puts e.message 
+    puts e.message
     exit -1
 end
 
@@ -154,7 +153,7 @@ end
 ##############################################################################
 get '/' do
     if !authorized?
-        if settings.config[:auth] == "x509" 
+        if settings.config[:auth] == "x509"
             templ = "login_x509.html"
         else
             templ = "login.html"
@@ -181,7 +180,7 @@ end
 
 get '/login' do
     if !authorized?
-        if settings.config[:auth] == "x509" 
+        if settings.config[:auth] == "x509"
             templ = "login_x509.html"
         else
             templ = "login.html"