1
0
mirror of https://github.com/OpenNebula/one.git synced 2024-12-23 17:33:56 +03:00

bug #847: Tokens are never sha1_digested. Core authentication mechanism stores the passwords digested, client sends plain passwords. Includes OCA (Ruby), CloudAuth and CLI updates. Ozones needs redesign its password storafe strategy.

This commit is contained in:
Ruben S. Montero 2011-10-12 00:27:03 +02:00
parent cbf64ecf1b
commit fcb352d09d
13 changed files with 39 additions and 55 deletions

View File

@ -21,6 +21,7 @@
#include "MadManager.h"
#include "ActionManager.h"
#include "SSLTools.h"
#include "AuthManagerDriver.h"
@ -435,7 +436,9 @@ public:
bool core_authenticate()
{
return (password == session);
string sha1_session = SSLTools::sha1_digest(session);
return (password == sha1_session);
}
/**

View File

@ -64,9 +64,9 @@ EOT
OPTIONS = XML, NUMERIC, KILOBYTES
class OneHelper
def initialize(secret=nil, endpoint=nil, hash=true)
def initialize(secret=nil, endpoint=nil)
begin
@client = OpenNebula::Client.new(secret,endpoint,hash)
@client = OpenNebula::Client.new(secret,endpoint)
rescue Exception => e
puts e.message
exit -1

View File

@ -37,12 +37,10 @@ class OneUserHelper < OpenNebulaHelper::OneHelper
return -1, "Can not read file: #{arg}"
end
else
if options[:plain] || options[:ssh]
password = arg
elsif options[:x509]
if options[:x509]
password = arg.delete("\s")
else
password = Digest::SHA1.hexdigest(arg)
password = arg
end
end

View File

@ -50,13 +50,6 @@ cmd=CommandParser::CmdParser.new(ARGV) do
:description => "Read password from file"
}
PLAIN={
:name => "plain",
:short => "-p",
:large => "--plain",
:description => "Store plain password"
}
SSH={
:name => "ssh",
:large => "--ssh",
@ -113,7 +106,7 @@ cmd=CommandParser::CmdParser.new(ARGV) do
:description => "Authentication driver to be used with this user"
}
create_options = [READ_FILE, PLAIN, SSH, X509, KEY, CERT, DRIVER]
create_options = [READ_FILE, SSH, X509, KEY, CERT, DRIVER]
login_options = [SSH, X509, X509_PROXY, KEY, CERT, PROXY, TIME]
########################################################################

View File

@ -21,14 +21,11 @@ module BasicCloudAuth
if auth.provided? && auth.basic?
username, password = auth.credentials
if @conf[:hash_passwords]
password = Digest::SHA1.hexdigest(password)
end
one_pass = get_password(username)
if one_pass && one_pass == password
if one_pass && one_pass == Digest::SHA1.hexdigest(password)
@token = "#{username}:#{password}"
@client = Client.new(@token, @conf[:one_xmlrpc], false)
@client = Client.new(@token, @conf[:one_xmlrpc])
return nil
else
return "Authentication failure"

View File

@ -37,7 +37,7 @@ module EC2CloudAuth
end
@token = "#{username}:#{one_pass}"
@client = Client.new(@token, @conf[:one_xmlrpc], false)
@client = Client.new(@token, @conf[:one_xmlrpc])
return nil
end

View File

@ -101,7 +101,7 @@ module X509CloudAuth
auth = ServerAuth.new
@token = auth.login_token(username, subjectname, 300)
@client = Client.new(@token, @conf[:one_xmlrpc], false)
@client = Client.new(@token, @conf[:one_xmlrpc])
return nil
end

View File

@ -80,41 +80,28 @@ module OpenNebula
XMLPARSER=false
end
def initialize(secret=nil, endpoint=nil, hash=true)
def initialize(secret=nil, endpoint=nil)
if secret
one_secret = secret
@one_auth = secret
elsif ENV["ONE_AUTH"] and !ENV["ONE_AUTH"].empty? and File.file?(ENV["ONE_AUTH"])
one_secret=File.read(ENV["ONE_AUTH"])
@one_auth = File.read(ENV["ONE_AUTH"])
elsif File.file?(ENV["HOME"]+"/.one/one_auth")
one_secret=File.read(ENV["HOME"]+"/.one/one_auth")
@one_auth = File.read(ENV["HOME"]+"/.one/one_auth")
else
raise "ONE_AUTH file not present"
end
tokens = one_secret.chomp.split(':')
if tokens.length > 2
@one_auth = one_secret
elsif tokens.length == 2
if hash
pass = Digest::SHA1.hexdigest(tokens[1])
else
pass = tokens[1]
end
@one_auth = "#{tokens[0]}:#{pass}"
else
raise "Authorization file malformed"
end
@one_auth.rstrip!
if endpoint
@one_endpoint=endpoint
@one_endpoint = endpoint
elsif ENV["ONE_XMLRPC"]
@one_endpoint=ENV["ONE_XMLRPC"]
@one_endpoint = ENV["ONE_XMLRPC"]
else
@one_endpoint="http://localhost:2633/RPC2"
@one_endpoint = "http://localhost:2633/RPC2"
end
@server=XMLRPC::Client.new2(@one_endpoint)
@server = XMLRPC::Client.new2(@one_endpoint)
end
def call(action, *args)

View File

@ -36,8 +36,7 @@ module OZones
client = OpenNebula::Client.new(
zone.onename + ":" + zone.onepass,
zone.endpoint,
false)
zone.endpoint)
pool = factory(client)

View File

@ -125,8 +125,7 @@ module OZones
@client = OpenNebula::Client.new(
"#{@zone.onename}:#{@zone.onepass}",
@zone.endpoint,
false)
@zone.endpoint)
end
def pool_to_json(pool_kind)
@ -180,7 +179,7 @@ module OZones
def self.check_oneadmin(name, pass, endpoint)
# Create a new client to interact with the zone
client = OpenNebula::Client.new("#{name}:#{pass}",endpoint,false)
client = OpenNebula::Client.new("#{name}:#{pass}",endpoint)
hostpool = OpenNebula::HostPool.new(client)
return hostpool.info

View File

@ -24,7 +24,7 @@ class SunstoneServer
POOL_FILTER = Pool::INFO_GROUP
def initialize(token, xmlrpc)
@client = Client.new(token, xmlrpc, false)
@client = Client.new(token, xmlrpc)
end
############################################################################

View File

@ -53,7 +53,7 @@ require 'SunstonePlugins'
begin
conf = YAML.load_file(CONFIGURATION_FILE)
conf[:hash_passwords] = true
conf[:hash_passwords] = false
rescue Exception => e
puts "Error parsing config file #{CONFIGURATION_FILE}: #{e.message}"
exit 1

View File

@ -88,13 +88,12 @@ UserPool::UserPool(SqlDB * db):PoolSQL(db,User::table)
if (User::split_secret(one_token,one_name,one_pass) == 0)
{
string error_str;
string sha1_pass = SSLTools::sha1_digest(one_pass);
allocate(&one_uid,
GroupPool::ONEADMIN_ID,
one_name,
GroupPool::ONEADMIN_NAME,
sha1_pass,
one_pass,
UserPool::CORE_AUTH,
true,
error_str);
@ -139,9 +138,11 @@ int UserPool::allocate (
Group * group;
string auth_driver = auth;
string upass = password;
ostringstream oss;
// Check username and password
if ( !User::is_valid(password, error_str) )
{
goto error_pass;
@ -152,6 +153,7 @@ int UserPool::allocate (
goto error_name;
}
// Check for duplicates
user = get(uname,false);
if ( user !=0 )
@ -159,13 +161,19 @@ int UserPool::allocate (
goto error_duplicated;
}
// Set auth driver and hash password for CORE_AUTH
if (auth_driver.empty())
{
auth_driver = UserPool::CORE_AUTH;
}
if (auth_driver == UserPool::CORE_AUTH)
{
upass = SSLTools::sha1_digest(password);
}
// Build a new User object
user = new User(-1, gid, uname, gname, password, auth_driver, enabled);
user = new User(-1, gid, uname, gname, upass, auth_driver, enabled);
// Insert the Object in the pool
*oid = PoolSQL::allocate(user, error_str);