Merge remote-tracking branch 'origin'

2025-03-22 18:50:08 +03:00 · 2013-03-08 16:08:09 +01:00 · 2013-03-08 16:08:09 +01:00 · f04d2803ae
commit f04d2803ae
parent e7f35bcb2b 2289b1d3f4
8 changed files with 51 additions and 6 deletions
--- a/src/authm_mad/remotes/x509/x509_auth.conf
+++ b/src/authm_mad/remotes/x509/x509_auth.conf
@ -2,3 +2,6 @@
 # the server, each CA certificate shoud be name CA_hash.0

 #:ca_dir: "/etc/one/auth/certificates"
+
+# Uncoment this line if you want to force crl checking
+#:check_crl: true
--- a/src/authm_mad/remotes/x509/x509_auth.rb
+++ b/src/authm_mad/remotes/x509/x509_auth.rb
@ -199,7 +199,6 @@ private
    ###########################################################################
    def validate
        now    = Time.now
-        failed = "Could not validate user credentials: "

        # Check start time and end time of certificates
        @cert_chain.each do |cert|
@ -213,6 +212,8 @@ private
            # Validate the proxy certifcates
            signee = @cert_chain[0]

+            check_crl(signee)
+
            @cert_chain[1..-1].each do |cert|
                if !((signee.issuer.to_s == cert.subject.to_s) &&
                     (signee.verify(cert.public_key)))
@ -247,4 +248,41 @@ private
            raise
        end
    end
+
+    def check_crl(signee)
+        failed = "Could not validate user credentials: "
+
+        ca_hash = signee.issuer.hash.to_s(16)
+        ca_path = @options[:ca_dir] + '/' + ca_hash + '.0'
+
+        crl_path = @options[:ca_dir] + '/' + ca_hash + '.r0'
+
+        if !File.exist?(crl_path)
+            if @options[:check_crl]
+                raise failed + "CRL file #{crl_path} does not exist"
+            else
+                return
+            end
+        end
+
+        ca_cert = OpenSSL::X509::Certificate.new( File.read(ca_path) )
+        crl_cert = OpenSSL::X509::CRL.new( File.read(crl_path) )
+
+        # First verify the CRL itself with its signer
+        unless crl_cert.verify( ca_cert.public_key ) then
+            raise failed + "CRL is not verified by its Signer"
+        end
+
+        # Extract the list of revoked certificates from the CRL
+        rc_array = crl_cert.revoked
+
+        # Loop over the list and compare with the target personal
+        # certificate
+        rc_array.each do |e|
+            if e.serial.eql?(signee.serial) then
+                raise failed + "#{signee.subject.to_s} is found in the "<<
+                    "CRL, i.e. it is revoked"
+            end
+        end
+    end
 end
--- a/src/sunstone/OpenNebulaVNC.rb
+++ b/src/sunstone/OpenNebulaVNC.rb
@ -63,7 +63,7 @@ class OpenNebulaVNC
        end

        if @proxy_path == nil || @proxy_path.empty?
-            @logger.error "VNC proxy not configured"
+            @logger.error "VNC proxy not configured. Try #{SHARE_LOCATION}/install_novnc.sh"
            return false
        end

--- a/src/sunstone/bin/novnc-server
+++ b/src/sunstone/bin/novnc-server
@ -23,12 +23,14 @@ if !ONE_LOCATION
    LOG_LOCATION = "/var/log/one"
    LOCK_LOCATION = "/var/lock/one"
    VAR_LOCATION = "/var/lib/one"
+    SHARE_LOCATION = "/usr/share/one"
    ETC_LOCATION = "/etc/one"
    RUBY_LIB_LOCATION = "/usr/lib/one/ruby"
 else
    VAR_LOCATION = ONE_LOCATION + "/var"
    LOCK_LOCATION = ONE_LOCATION + "/var"
    LOG_LOCATION = ONE_LOCATION + "/var"
+    SHARE_LOCATION = ONE_LOCATION + "/share"
    ETC_LOCATION = ONE_LOCATION + "/etc"
    RUBY_LIB_LOCATION = ONE_LOCATION+"/lib/ruby"
 end
--- a/src/sunstone/etc/sunstone-server.conf
+++ b/src/sunstone/etc/sunstone-server.conf
@ -34,6 +34,9 @@
 # Place where to store sessions, this value can be memory or memcache
 # Use memcache when starting multiple server processes, for example,
 # with passenger
+#
+# NOTE. memcache needs a separate memcached server to be configured. Refer
+# to memcached documentation to configure the server.
 :sessions: memory

 # Memcache configuration
--- a/src/sunstone/sunstone-server.rb
+++ b/src/sunstone/sunstone-server.rb
@ -81,7 +81,7 @@ set :bind, settings.config[:host]
 set :port, settings.config[:port]

 case settings.config[:sessions]
-when 'memory'
+when 'memory', nil
    use Rack::Session::Pool, :key => 'sunstone'
 when 'memcache'
    memcache_server=settings.config[:memcache_host]+':'<<
@ -92,7 +92,6 @@ when 'memcache'
    use Rack::Session::Memcache,
        :memcache_server => memcache_server,
        :namespace => settings.config[:memcache_namespace]
-
 else
    STDERR.puts "Wrong value for :sessions in configuration file"
    exit(-1)
--- a/src/vmm_mad/remotes/xen/attach_nic
+++ b/src/vmm_mad/remotes/xen/attach_nic
@ -16,7 +16,7 @@
 # limitations under the License.                                             #
 #--------------------------------------------------------------------------- #

-source $(dirname $0)/kvmrc
+source $(dirname $0)/xenrc
 source $(dirname $0)/../../scripts_common.sh

 DOMAIN=$1
--- a/src/vmm_mad/remotes/xen/detach_nic
+++ b/src/vmm_mad/remotes/xen/detach_nic
@ -16,7 +16,7 @@
 # limitations under the License.                                             #
 #--------------------------------------------------------------------------- #

-source $(dirname $0)/kvmrc
+source $(dirname $0)/xenrc
 source $(dirname $0)/../../scripts_common.sh

 DOMAIN=$1