feature #754: Include also the username in the security token

2025-03-22 18:50:08 +03:00 · 2011-08-19 18:17:06 +02:00 · 2011-08-19 18:17:06 +02:00 · cc36e3858c
commit cc36e3858c
parent b4b5fc97aa
2 changed files with 8 additions and 6 deletions
--- a/src/authm_mad/remotes/x509/authenticate
+++ b/src/authm_mad/remotes/x509/authenticate
@ -44,7 +44,7 @@ proxy, cert = dsecret.split(':')

 x509_auth   = X509Auth.new(:cert=>cert)

-rc = x509_auth.authenticate(pass,proxy)
+rc = x509_auth.authenticate(user, pass,proxy)

 if rc == true
    exit 0
--- a/src/authm_mad/remotes/x509/x509_auth.rb
+++ b/src/authm_mad/remotes/x509/x509_auth.rb
@ -64,7 +64,7 @@ class X509Auth
        #Create the x509 proxy
        time = Time.now.to_i+expire
        
-        text_to_sign = "#{@dn}:#{time}"
+        text_to_sign = "#{user}:#{@dn}:#{time}"
        signed_text  = encrypt(text_to_sign)

 	    token   = "#{signed_text}:#{@cert.to_pem}"	
@ -88,13 +88,15 @@ class X509Auth
    # Server side
    ###########################################################################
    # auth method for auth_mad
-    def authenticate(pass, token)        
+    def authenticate(user, pass, token)        
        begin
            plain = decrypt(token)
        
-            subject, time_expire = plain.split(':')
-            
-            if ((subject != @dn) || (subject != pass))
+            _user, subject, time_expire = plain.split(':')
+
+            if (user != _user)
+                return "User name missmatch"
+            elsif ((subject != @dn) || (subject != pass))
                return "Certificate subject missmatch"
            elsif Time.now.to_i >= time_expire.to_i
                return "x509 proxy expired, login again to renew it"