diff --git a/src/authm_mad/remotes/server_x509/server_x509_auth.rb b/src/authm_mad/remotes/server_x509/server_x509_auth.rb index 44e31cb4d5..18d400c66c 100644 --- a/src/authm_mad/remotes/server_x509/server_x509_auth.rb +++ b/src/authm_mad/remotes/server_x509/server_x509_auth.rb @@ -21,7 +21,7 @@ require 'fileutils' require 'x509_auth' # Server authentication class. This authmethod can be used by opennebula services -# to let access authenticated users by other means. It is based on x509 server +# to let access authenticated users by other means. It is based on x509 server # certificates class ServerX509Auth < X509Auth ########################################################################### @@ -39,7 +39,7 @@ class ServerX509Auth < X509Auth def initialize() @options = SERVER_DEFAULTS - + load_options(SERVER_AUTH_CONF_PATH) begin @@ -52,7 +52,7 @@ class ServerX509Auth < X509Auth end if @options[:srv_user] == nil || @options[:srv_user].empty? - raise "User for x509 server not defined" + raise "User for x509 server not defined" end end @@ -61,10 +61,10 @@ class ServerX509Auth < X509Auth ########################################################################### # Creates a ServerCipher for client usage - alias :new_client :new + alias :new_client :initialize # Generates a login token in the form: - # - server_user:target_user:time_expires + # - server_user:target_user:time_expires def login_token(expire, target_user=nil) target_user ||= @options[:srv_user] token_txt = "#{@options[:srv_user]}:#{target_user}:#{expire}" 
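Review bot: `alias :new_client :initialize` in the class body aliases the instance method `initialize`, not the class method `new`, so `new_client` becomes an instance method (and presumably keeps initialize's private visibility) rather than the constructor that the comment "Creates a ServerCipher for client usage" describes; a caller writing `ServerX509Auth.new_client` would get NoMethodError, and the same applies to `alias :new_driver :initialize` in the next hunk of this file. If a constructor alias is the intent, define it on the singleton class: `class << self; alias new_client new; end`. Since `initialize()` takes no parameters, such an alias of `new` would be called without arguments. The enclosing class ServerX509Auth continues outside the hunk.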
@@ -78,20 +78,20 @@ class ServerX509Auth < X509Auth ########################################################################### # Server side ########################################################################### - + # Creates a ServerCipher for driver usage - alias :new_driver :new + alias :new_driver :initialize # auth method for auth_mad def authenticate(server_user, server_pass, signed_text) - begin + begin s_user, t_user, expires = decrypt(signed_text).split(':') - + return "Server password missmatch" if server_pass != password - return "User name missmatch" if ( s_user != server_user || + return "User name missmatch" if ( s_user != server_user || s_user != @options[:srv_user] ) - + return "login token expired" if Time.now.to_i >= expires.to_i return true diff --git a/src/cli/oneuser b/src/cli/oneuser index 24de6ecac1..4a7c8cd784 100755 --- a/src/cli/oneuser +++ b/src/cli/oneuser @@ -153,9 +153,9 @@ cmd=CommandParser::CmdParser.new(ARGV) do Examples: oneuser create my_user my_password oneuser create my_user -r /tmp/mypass - oneuser create my_user --ssh --key /tmp/id_rsa -d ssh - oneuser create my_user --ssh -r /tmp/public_key -d ssh - oneuser create my_user --x509 --cert /tmp/my_cert.pem -d x509 + oneuser create my_user --ssh --key /tmp/id_rsa + oneuser create my_user --ssh -r /tmp/public_key + oneuser create my_user --x509 --cert /tmp/my_cert.pem EOT command :create, create_desc, :username, [:password, nil], diff --git a/src/cloud/common/CloudAuth/X509CloudAuth.rb b/src/cloud/common/CloudAuth/X509CloudAuth.rb index 627cb6ac1a..dd0601469c 100644 --- a/src/cloud/common/CloudAuth/X509CloudAuth.rb +++ b/src/cloud/common/CloudAuth/X509CloudAuth.rb 
@@ -19,7 +19,8 @@ module X509CloudAuth # password:: _String_ the password # [return] _Hash_ with the username def get_username(password) - @oneadmin_client ||= OpenNebula::Client.new(nil, @conf[:one_xmlrpc]) + token = @server_auth.login_token(expiration_time) + @oneadmin_client ||= OpenNebula::Client.new(token, @conf[:one_xmlrpc]) if @user_pool.nil? @user_pool ||= OpenNebula::UserPool.new(@oneadmin_client) @@ -32,7 +33,7 @@ module X509CloudAuth username = @user_pool["USER[PASSWORD=\"#{password}\"]/NAME"] return username if (username != nil) - + # Check if the DN is part of a |-separted multi-DN password user_elts = Array.new @user_pool.each {|e| user_elts << e['PASSWORD']} @@ -98,11 +99,6 @@ module X509CloudAuth raise msg end - auth = ServerX509Auth.new - - @token = auth.login_token(username, subjectname, 300) - @client = Client.new(@token, @conf[:one_xmlrpc]) - - return nil + return username end end diff --git a/src/sunstone/sunstone-server.rb b/src/sunstone/sunstone-server.rb index 631c90fbb4..af4f9f36df 100755 --- a/src/sunstone/sunstone-server.rb +++ b/src/sunstone/sunstone-server.rb @@ -25,16 +25,15 @@ if !ONE_LOCATION RUBY_LIB_LOCATION = "/usr/lib/one/ruby" CONFIGURATION_FILE = "/etc/one/sunstone-server.conf" PLUGIN_CONFIGURATION_FILE = "/etc/one/sunstone-plugins.yaml" - SUNSTONE_AUTH = "/etc/one/auth/sunstone_auth" else VAR_LOCATION = ONE_LOCATION+"/var" LOG_LOCATION = ONE_LOCATION+"/var" RUBY_LIB_LOCATION = ONE_LOCATION+"/lib/ruby" CONFIGURATION_FILE = ONE_LOCATION+"/etc/sunstone-server.conf" PLUGIN_CONFIGURATION_FILE = ONE_LOCATION+"/etc/sunstone-plugins.yaml" - SUNSTONE_AUTH = ONE_LOCATION + "/etc/auth/sunstone_auth" end +SUNSTONE_AUTH = VAR_LOCATION + "/sunstone_auth" SUNSTONE_ROOT_DIR = File.dirname(__FILE__) $: << RUBY_LIB_LOCATION 
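Review bot: `token` is regenerated on every call to get_username, but the `||=` on the following line only consumes it the first time `@oneadmin_client` is created, so every later token is discarded and the memoized client keeps the first one; because login_token embeds an expiry (`login_token(expire, target_user=nil)` in server_x509_auth.rb), that cached client will stop authenticating against one_xmlrpc once the first token's expiry passes. Either build the client per call, `@oneadmin_client = OpenNebula::Client.new(token, @conf[:one_xmlrpc])`, or remember the expiry and rebuild the client when `Time.now.to_i >= expiry`. The `@user_pool ||=` below caches the same client inside the pool, so it would need the same treatment. `@server_auth` and `expiration_time` are not defined in this hunk and are presumably set elsewhere in the module. get_username continues outside the hunk.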
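Review bot: `SUNSTONE_AUTH = VAR_LOCATION + "/sunstone_auth"` moves the credential file that the server later exports as `ONE_CIPHER_AUTH` out of the etc/auth tree into the var directory, which in the else branch is the same directory as `LOG_LOCATION`; nothing in the hunk constrains who can read that file, so confirm the installer creates it readable only by the service user. A one-line comment would make the sensitivity obvious to the next maintainer: `# Cipher-auth credential handed to CloudAuth via ONE_CIPHER_AUTH; must stay readable only by the sunstone user`. `VAR_LOCATION` for the `!ONE_LOCATION` branch is assigned above this hunk, so the new constant is presumably resolvable on both paths; the if/else block starts outside the hunk.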
@@ -68,12 +67,12 @@ set :config, conf set :host, settings.config[:host] set :port, settings.config[:port] -begin +begin ENV["ONE_CIPHER_AUTH"] = SUNSTONE_AUTH cloud_auth = CloudAuth.new(settings.config) rescue => e puts "Error initializing authentication system" - puts e.message + puts e.message exit -1 end @@ -154,7 +153,7 @@ end ############################################################################## get '/' do if !authorized? - if settings.config[:auth] == "x509" + if settings.config[:auth] == "x509" templ = "login_x509.html" else templ = "login.html" @@ -181,7 +180,7 @@ end get '/login' do if !authorized? - if settings.config[:auth] == "x509" + if settings.config[:auth] == "x509" templ = "login_x509.html" else templ = "login.html"