From aedb8239e76307d20eb36b5abecff1f1700dfa60 Mon Sep 17 00:00:00 2001 From: Javi Fontan <jfontan@opennebula.org> Date: Wed, 6 Mar 2013 18:44:55 +0100 Subject: [PATCH 1/4] feature #1790: check crl for x509 auth This patch is based on the work done by Hyunwoo Kim from FermiLab. More info at http://dev.opennebula.org/issues/1790 --- src/authm_mad/remotes/x509/x509_auth.conf | 3 ++ src/authm_mad/remotes/x509/x509_auth.rb | 37 +++++++++++++++++++++++ 2 files changed, 40 insertions(+) diff --git a/src/authm_mad/remotes/x509/x509_auth.conf b/src/authm_mad/remotes/x509/x509_auth.conf index b841529176..570843835a 100644 --- a/src/authm_mad/remotes/x509/x509_auth.conf +++ b/src/authm_mad/remotes/x509/x509_auth.conf @@ -2,3 +2,6 @@ # the server, each CA certificate shoud be name CA_hash.0 #:ca_dir: "/etc/one/auth/certificates" + +# Uncoment this line if you want to force crl checking +#:check_crl: true diff --git a/src/authm_mad/remotes/x509/x509_auth.rb b/src/authm_mad/remotes/x509/x509_auth.rb index 4cdb0c7890..34afa5c20a 100644 --- a/src/authm_mad/remotes/x509/x509_auth.rb +++ b/src/authm_mad/remotes/x509/x509_auth.rb @@ -213,6 +213,8 @@ private # Validate the proxy certifcates signee = @cert_chain[0] + check_crl(signee) + @cert_chain[1..-1].each do |cert| if !((signee.issuer.to_s == cert.subject.to_s) && (signee.verify(cert.public_key))) 
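Review bot: The new `:check_crl` comment in x509_auth.conf leaves out the security-relevant default: while the option stays commented out, a missing `CA_hash.r0` file is accepted silently and no revocation check runs at all for that CA (that is what the new `check_crl` code does when the file is absent). I'd state that explicitly, and fix the typo, as `# Uncomment to make a missing CRL a hard failure. When unset, a CA without a` / `# CA_hash.r0 file in :ca_dir gets no revocation checking at all.` The `.r0` naming convention next to `CA_hash.0` is only discoverable in the code, so naming it here would save operators a trip to the source.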
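Review bot: `check_crl(signee)` is applied only to `@cert_chain[0]`, so a revoked intermediate or proxy-issuer certificate further up the chain is never checked against its issuer's CRL; the `@cert_chain[1..-1].each` loop that follows verifies signatures only. Unless a later step covers it, the revocation check should run for each certificate that has an issuer in `ca_dir`, e.g. `@cert_chain.each { |cert| check_crl(cert) }` after the signature loop has passed rather than a single call on the leaf before it. The enclosing `validate` method starts and ends outside this hunk, so I can't confirm from here whether the remainder already handles the rest of the chain.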
@@ -247,4 +249,39 @@ private raise end end + + def check_crl(signee) + ca_hash = signee.issuer.hash.to_s(16) + ca_path = @options[:ca_dir] + '/' + ca_hash + '.0' + + crl_path = @options[:ca_dir] + '/' + ca_hash + '.r0' + + if !File.exist?(crl_path) + if @options[:check_crl] + raise failed + "CRL file #{crl_path} does not exist" + else + return + end + end + + ca_cert = OpenSSL::X509::Certificate.new( File.read(ca_path) ) + crl_cert = OpenSSL::X509::CRL.new( File.read(crl_path) ) + + # First verify the CRL itself with its signer + unless crl_cert.verify( ca_cert.public_key ) then + raise failed + "CRL is not verified by its Signer" + end + + # Extract the list of revoked certificates from the CRL + rc_array = crl_cert.revoked + + # Loop over the list and compare with the target personal + # certificate + rc_array.each do |e| + if e.serial.eql?(signee.serial) then + raise failed + "#{signee.subject.to_s} is found in the "<< + "CRL, i.e. it is revoked" + end + end + end end From ca1b6ab41f8a3501d107d93f899da5278e1fc7e4 Mon Sep 17 00:00:00 2001 From: Javi Fontan <jfontan@opennebula.org> Date: Thu, 7 Mar 2013 12:45:04 +0100 Subject: [PATCH 2/4] feature #1790: bug in crl check function --- src/authm_mad/remotes/x509/x509_auth.rb | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/authm_mad/remotes/x509/x509_auth.rb b/src/authm_mad/remotes/x509/x509_auth.rb index 34afa5c20a..24ff82d63f 100644 --- a/src/authm_mad/remotes/x509/x509_auth.rb +++ b/src/authm_mad/remotes/x509/x509_auth.rb @@ -199,7 +199,6 @@ private ########################################################################### def validate now = Time.now - failed = "Could not validate user credentials: " # Check start time and end time of certificates @cert_chain.each do |cert| @@ -251,6 +250,8 @@ private end def check_crl(signee) + failed = "Could not validate user credentials: " + ca_hash = signee.issuer.hash.to_s(16) ca_path = @options[:ca_dir] + '/' + ca_hash + '.0' 
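Review bot: `check_crl` never looks at the CRL's validity period, so a stale `CA_hash.r0` that has passed its `next_update` keeps being honoured indefinitely, which is precisely the window the holder of a revoked certificate would exploit, and nothing prompts the operator to refresh it. After the signature check I'd add `if crl_cert.next_update && crl_cert.next_update < Time.now` / `raise failed + "CRL #{crl_path} has expired"` / `end` (the `nil` guard matters because `next_update` is optional in a CRL). Separately, `File.read(ca_path)` raises a bare `Errno::ENOENT` rather than a `failed`-prefixed message when the `.0` file is missing while the `.r0` exists, so that case deserves the same `File.exist?` treatment. The revocation loop also reads more idiomatically as `if rc_array.any? { |e| e.serial == signee.serial }` instead of `each` with an inner `if`.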
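Review bot: Deleting `failed = "Could not validate user credentials: "` from `validate` looks unsafe: the `raise failed + ...` calls in the rest of `validate` (the certificate time and chain checks, which lie outside this hunk) would then reference an undefined local and surface as a `NameError` rather than the intended message. If the goal was to share the prefix with `check_crl`, keep the local in `validate` and hoist the string to a constant, e.g. `FAILED = "Could not validate user credentials: "`, used by both methods. The `validate` body starts and ends outside this hunk, so please confirm against the full method before merging.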
From 987f833b1630406e7767e2fcbe95efb503a57e3d Mon Sep 17 00:00:00 2001 From: Javi Fontan <jfontan@opennebula.org> Date: Thu, 7 Mar 2013 19:13:30 +0100 Subject: [PATCH 3/4] feature #1691: bug reading xen driver configuration (cherry picked from commit 902c594b2e0c8e0e725627b1529c55de215549f3) --- src/vmm_mad/remotes/xen/attach_nic | 2 +- src/vmm_mad/remotes/xen/detach_nic | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/src/vmm_mad/remotes/xen/attach_nic b/src/vmm_mad/remotes/xen/attach_nic index 58c7d809b6..40592ebc51 100755 --- a/src/vmm_mad/remotes/xen/attach_nic +++ b/src/vmm_mad/remotes/xen/attach_nic @@ -16,7 +16,7 @@ # limitations under the License. # #--------------------------------------------------------------------------- # -source $(dirname $0)/kvmrc +source $(dirname $0)/xenrc source $(dirname $0)/../../scripts_common.sh DOMAIN=$1 diff --git a/src/vmm_mad/remotes/xen/detach_nic b/src/vmm_mad/remotes/xen/detach_nic index 5ae5221596..e8a68f4682 100755 --- a/src/vmm_mad/remotes/xen/detach_nic +++ b/src/vmm_mad/remotes/xen/detach_nic @@ -16,7 +16,7 @@ # limitations under the License. # #--------------------------------------------------------------------------- # -source $(dirname $0)/kvmrc +source $(dirname $0)/xenrc source $(dirname $0)/../../scripts_common.sh DOMAIN=$1 From 2289b1d3f427a57f90ff6a3c14e877ae7aacf681 Mon Sep 17 00:00:00 2001 From: "Ruben S. Montero" <rsmontero@opennebula.org> Date: Fri, 8 Mar 2013 00:18:52 +0100 Subject: [PATCH 4/4] feature #1369. Add information to Sunstone conf file and VNC log. Default value for session is memory. --- src/sunstone/OpenNebulaVNC.rb | 2 +- src/sunstone/bin/novnc-server | 2 ++ src/sunstone/etc/sunstone-server.conf | 3 +++ src/sunstone/sunstone-server.rb | 3 +-- 4 files changed, 7 insertions(+), 3 deletions(-) diff --git a/src/sunstone/OpenNebulaVNC.rb b/src/sunstone/OpenNebulaVNC.rb index 9ac0cd4b92..15ea9e292c 100644 --- a/src/sunstone/OpenNebulaVNC.rb 
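Review bot: The corrected `source $(dirname $0)/xenrc` line still leaves the command substitution and `$0` unquoted, so a driver installed under a path containing whitespace is word-split and the wrong file is sourced, or the source fails outright. `source "$(dirname "$0")/xenrc"` avoids that, and the same applies to the `scripts_common.sh` line below it and to the identical hunk in `detach_nic`. A one-line comment such as `# xenrc: Xen driver settings, expected next to this script` would also make the dependency on the sibling file explicit.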
+++ b/src/sunstone/OpenNebulaVNC.rb @@ -63,7 +63,7 @@ class OpenNebulaVNC end if @proxy_path == nil || @proxy_path.empty? - @logger.error "VNC proxy not configured" + @logger.error "VNC proxy not configured. Try #{SHARE_LOCATION}/install_novnc.sh" return false end diff --git a/src/sunstone/bin/novnc-server b/src/sunstone/bin/novnc-server index e203ff4bf6..20d2772a50 100755 --- a/src/sunstone/bin/novnc-server +++ b/src/sunstone/bin/novnc-server @@ -23,12 +23,14 @@ if !ONE_LOCATION LOG_LOCATION = "/var/log/one" LOCK_LOCATION = "/var/lock/one" VAR_LOCATION = "/var/lib/one" + SHARE_LOCATION = "/usr/share/one" ETC_LOCATION = "/etc/one" RUBY_LIB_LOCATION = "/usr/lib/one/ruby" else VAR_LOCATION = ONE_LOCATION + "/var" LOCK_LOCATION = ONE_LOCATION + "/var" LOG_LOCATION = ONE_LOCATION + "/var" + SHARE_LOCATION = ONE_LOCATION + "/share" ETC_LOCATION = ONE_LOCATION + "/etc" RUBY_LIB_LOCATION = ONE_LOCATION+"/lib/ruby" end diff --git a/src/sunstone/etc/sunstone-server.conf b/src/sunstone/etc/sunstone-server.conf index 0104ff5e17..de5da49729 100644 --- a/src/sunstone/etc/sunstone-server.conf +++ b/src/sunstone/etc/sunstone-server.conf @@ -34,6 +34,9 @@ # Place where to store sessions, this value can be memory or memcache # Use memcache when starting multiple server processes, for example, # with passenger +# +# NOTE. memcache needs a separate memcached server to be configured. Refer +# to memcached documentation to configure the server. :sessions: memory # Memcache configuration diff --git a/src/sunstone/sunstone-server.rb b/src/sunstone/sunstone-server.rb index 35eac27f14..ac64ad5f49 100755 --- a/src/sunstone/sunstone-server.rb +++ b/src/sunstone/sunstone-server.rb @@ -81,7 +81,7 @@ set :bind, settings.config[:host] set :port, settings.config[:port] case settings.config[:sessions] -when 'memory' +when 'memory', nil use Rack::Session::Pool, :key => 'sunstone' when 'memcache' memcache_server=settings.config[:memcache_host]+':'<< 
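Review bot: The new error message interpolates `SHARE_LOCATION`, a constant `OpenNebulaVNC` does not define itself, so on the very path that reports a missing proxy the log call raises `NameError` in any process that loads this file without defining it first. This commit adds the constant to `novnc-server` only; please check that `sunstone-server.rb` and any other loader of `OpenNebulaVNC.rb` define it too, or guard the interpolation, e.g. `hint = defined?(SHARE_LOCATION) ? " Try #{SHARE_LOCATION}/install_novnc.sh" : ""` and `@logger.error "VNC proxy not configured.#{hint}"`. The enclosing method starts outside this hunk.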
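Review bot: `when 'memory', nil` quietly selects in-process `Rack::Session::Pool` whenever `:sessions` is absent from the conf file, but nothing in the code says so, and a reader of the `case` will assume the key is mandatory. A comment on the changed line, `when 'memory', nil # :sessions missing from sunstone-server.conf: default to in-process sessions`, would record the default this commit introduces. Since the conf comment already warns that `memcache` is needed for multiple server processes, it is worth noting there as well that the absent-key default is the single-process `memory` mode.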
@@ -92,7 +92,6 @@ when 'memcache' use Rack::Session::Memcache, :memcache_server => memcache_server, :namespace => settings.config[:memcache_namespace] - else STDERR.puts "Wrong value for :sessions in configuration file" exit(-1)