mirror of
https://github.com/OpenNebula/one.git
synced 2024-12-23 17:33:56 +03:00
bug #847: Tokens are never sha1_digested. Core authentication mechanism stores the passwords digested, client sends plain passwords. Includes OCA (Ruby), CloudAuth and CLI updates. Ozones needs redesign its password storafe strategy.
This commit is contained in:
parent
cbf64ecf1b
commit
fcb352d09d
@ -21,6 +21,7 @@
|
||||
|
||||
#include "MadManager.h"
|
||||
#include "ActionManager.h"
|
||||
#include "SSLTools.h"
|
||||
|
||||
#include "AuthManagerDriver.h"
|
||||
|
||||
@ -435,7 +436,9 @@ public:
|
||||
|
||||
bool core_authenticate()
|
||||
{
|
||||
return (password == session);
|
||||
string sha1_session = SSLTools::sha1_digest(session);
|
||||
|
||||
return (password == sha1_session);
|
||||
}
|
||||
|
||||
/**
|
||||
|
@ -64,9 +64,9 @@ EOT
|
||||
OPTIONS = XML, NUMERIC, KILOBYTES
|
||||
|
||||
class OneHelper
|
||||
def initialize(secret=nil, endpoint=nil, hash=true)
|
||||
def initialize(secret=nil, endpoint=nil)
|
||||
begin
|
||||
@client = OpenNebula::Client.new(secret,endpoint,hash)
|
||||
@client = OpenNebula::Client.new(secret,endpoint)
|
||||
rescue Exception => e
|
||||
puts e.message
|
||||
exit -1
|
||||
|
@ -37,12 +37,10 @@ class OneUserHelper < OpenNebulaHelper::OneHelper
|
||||
return -1, "Can not read file: #{arg}"
|
||||
end
|
||||
else
|
||||
if options[:plain] || options[:ssh]
|
||||
password = arg
|
||||
elsif options[:x509]
|
||||
if options[:x509]
|
||||
password = arg.delete("\s")
|
||||
else
|
||||
password = Digest::SHA1.hexdigest(arg)
|
||||
password = arg
|
||||
end
|
||||
end
|
||||
|
||||
|
@ -50,13 +50,6 @@ cmd=CommandParser::CmdParser.new(ARGV) do
|
||||
:description => "Read password from file"
|
||||
}
|
||||
|
||||
PLAIN={
|
||||
:name => "plain",
|
||||
:short => "-p",
|
||||
:large => "--plain",
|
||||
:description => "Store plain password"
|
||||
}
|
||||
|
||||
SSH={
|
||||
:name => "ssh",
|
||||
:large => "--ssh",
|
||||
@ -113,7 +106,7 @@ cmd=CommandParser::CmdParser.new(ARGV) do
|
||||
:description => "Authentication driver to be used with this user"
|
||||
}
|
||||
|
||||
create_options = [READ_FILE, PLAIN, SSH, X509, KEY, CERT, DRIVER]
|
||||
create_options = [READ_FILE, SSH, X509, KEY, CERT, DRIVER]
|
||||
login_options = [SSH, X509, X509_PROXY, KEY, CERT, PROXY, TIME]
|
||||
|
||||
########################################################################
|
||||
|
@ -21,14 +21,11 @@ module BasicCloudAuth
|
||||
if auth.provided? && auth.basic?
|
||||
username, password = auth.credentials
|
||||
|
||||
if @conf[:hash_passwords]
|
||||
password = Digest::SHA1.hexdigest(password)
|
||||
end
|
||||
|
||||
one_pass = get_password(username)
|
||||
if one_pass && one_pass == password
|
||||
|
||||
if one_pass && one_pass == Digest::SHA1.hexdigest(password)
|
||||
@token = "#{username}:#{password}"
|
||||
@client = Client.new(@token, @conf[:one_xmlrpc], false)
|
||||
@client = Client.new(@token, @conf[:one_xmlrpc])
|
||||
return nil
|
||||
else
|
||||
return "Authentication failure"
|
||||
|
@ -37,7 +37,7 @@ module EC2CloudAuth
|
||||
end
|
||||
|
||||
@token = "#{username}:#{one_pass}"
|
||||
@client = Client.new(@token, @conf[:one_xmlrpc], false)
|
||||
@client = Client.new(@token, @conf[:one_xmlrpc])
|
||||
return nil
|
||||
end
|
||||
|
||||
|
@ -101,7 +101,7 @@ module X509CloudAuth
|
||||
auth = ServerAuth.new
|
||||
|
||||
@token = auth.login_token(username, subjectname, 300)
|
||||
@client = Client.new(@token, @conf[:one_xmlrpc], false)
|
||||
@client = Client.new(@token, @conf[:one_xmlrpc])
|
||||
|
||||
return nil
|
||||
end
|
||||
|
@ -80,41 +80,28 @@ module OpenNebula
|
||||
XMLPARSER=false
|
||||
end
|
||||
|
||||
def initialize(secret=nil, endpoint=nil, hash=true)
|
||||
def initialize(secret=nil, endpoint=nil)
|
||||
if secret
|
||||
one_secret = secret
|
||||
@one_auth = secret
|
||||
elsif ENV["ONE_AUTH"] and !ENV["ONE_AUTH"].empty? and File.file?(ENV["ONE_AUTH"])
|
||||
one_secret=File.read(ENV["ONE_AUTH"])
|
||||
@one_auth = File.read(ENV["ONE_AUTH"])
|
||||
elsif File.file?(ENV["HOME"]+"/.one/one_auth")
|
||||
one_secret=File.read(ENV["HOME"]+"/.one/one_auth")
|
||||
@one_auth = File.read(ENV["HOME"]+"/.one/one_auth")
|
||||
else
|
||||
raise "ONE_AUTH file not present"
|
||||
end
|
||||
|
||||
tokens = one_secret.chomp.split(':')
|
||||
|
||||
if tokens.length > 2
|
||||
@one_auth = one_secret
|
||||
elsif tokens.length == 2
|
||||
if hash
|
||||
pass = Digest::SHA1.hexdigest(tokens[1])
|
||||
else
|
||||
pass = tokens[1]
|
||||
end
|
||||
@one_auth = "#{tokens[0]}:#{pass}"
|
||||
else
|
||||
raise "Authorization file malformed"
|
||||
end
|
||||
@one_auth.rstrip!
|
||||
|
||||
if endpoint
|
||||
@one_endpoint=endpoint
|
||||
@one_endpoint = endpoint
|
||||
elsif ENV["ONE_XMLRPC"]
|
||||
@one_endpoint=ENV["ONE_XMLRPC"]
|
||||
@one_endpoint = ENV["ONE_XMLRPC"]
|
||||
else
|
||||
@one_endpoint="http://localhost:2633/RPC2"
|
||||
@one_endpoint = "http://localhost:2633/RPC2"
|
||||
end
|
||||
|
||||
@server=XMLRPC::Client.new2(@one_endpoint)
|
||||
@server = XMLRPC::Client.new2(@one_endpoint)
|
||||
end
|
||||
|
||||
def call(action, *args)
|
||||
|
@ -36,8 +36,7 @@ module OZones
|
||||
|
||||
client = OpenNebula::Client.new(
|
||||
zone.onename + ":" + zone.onepass,
|
||||
zone.endpoint,
|
||||
false)
|
||||
zone.endpoint)
|
||||
|
||||
pool = factory(client)
|
||||
|
||||
|
@ -125,8 +125,7 @@ module OZones
|
||||
|
||||
@client = OpenNebula::Client.new(
|
||||
"#{@zone.onename}:#{@zone.onepass}",
|
||||
@zone.endpoint,
|
||||
false)
|
||||
@zone.endpoint)
|
||||
end
|
||||
|
||||
def pool_to_json(pool_kind)
|
||||
@ -180,7 +179,7 @@ module OZones
|
||||
|
||||
def self.check_oneadmin(name, pass, endpoint)
|
||||
# Create a new client to interact with the zone
|
||||
client = OpenNebula::Client.new("#{name}:#{pass}",endpoint,false)
|
||||
client = OpenNebula::Client.new("#{name}:#{pass}",endpoint)
|
||||
hostpool = OpenNebula::HostPool.new(client)
|
||||
|
||||
return hostpool.info
|
||||
|
@ -24,7 +24,7 @@ class SunstoneServer
|
||||
POOL_FILTER = Pool::INFO_GROUP
|
||||
|
||||
def initialize(token, xmlrpc)
|
||||
@client = Client.new(token, xmlrpc, false)
|
||||
@client = Client.new(token, xmlrpc)
|
||||
end
|
||||
|
||||
############################################################################
|
||||
|
@ -53,7 +53,7 @@ require 'SunstonePlugins'
|
||||
|
||||
begin
|
||||
conf = YAML.load_file(CONFIGURATION_FILE)
|
||||
conf[:hash_passwords] = true
|
||||
conf[:hash_passwords] = false
|
||||
rescue Exception => e
|
||||
puts "Error parsing config file #{CONFIGURATION_FILE}: #{e.message}"
|
||||
exit 1
|
||||
|
@ -88,13 +88,12 @@ UserPool::UserPool(SqlDB * db):PoolSQL(db,User::table)
|
||||
if (User::split_secret(one_token,one_name,one_pass) == 0)
|
||||
{
|
||||
string error_str;
|
||||
string sha1_pass = SSLTools::sha1_digest(one_pass);
|
||||
|
||||
allocate(&one_uid,
|
||||
GroupPool::ONEADMIN_ID,
|
||||
one_name,
|
||||
GroupPool::ONEADMIN_NAME,
|
||||
sha1_pass,
|
||||
one_pass,
|
||||
UserPool::CORE_AUTH,
|
||||
true,
|
||||
error_str);
|
||||
@ -139,9 +138,11 @@ int UserPool::allocate (
|
||||
Group * group;
|
||||
|
||||
string auth_driver = auth;
|
||||
string upass = password;
|
||||
|
||||
ostringstream oss;
|
||||
|
||||
// Check username and password
|
||||
if ( !User::is_valid(password, error_str) )
|
||||
{
|
||||
goto error_pass;
|
||||
@ -152,6 +153,7 @@ int UserPool::allocate (
|
||||
goto error_name;
|
||||
}
|
||||
|
||||
// Check for duplicates
|
||||
user = get(uname,false);
|
||||
|
||||
if ( user !=0 )
|
||||
@ -159,13 +161,19 @@ int UserPool::allocate (
|
||||
goto error_duplicated;
|
||||
}
|
||||
|
||||
// Set auth driver and hash password for CORE_AUTH
|
||||
if (auth_driver.empty())
|
||||
{
|
||||
auth_driver = UserPool::CORE_AUTH;
|
||||
}
|
||||
|
||||
if (auth_driver == UserPool::CORE_AUTH)
|
||||
{
|
||||
upass = SSLTools::sha1_digest(password);
|
||||
}
|
||||
|
||||
// Build a new User object
|
||||
user = new User(-1, gid, uname, gname, password, auth_driver, enabled);
|
||||
user = new User(-1, gid, uname, gname, upass, auth_driver, enabled);
|
||||
|
||||
// Insert the Object in the pool
|
||||
*oid = PoolSQL::allocate(user, error_str);
|
||||
|
Loading…
Reference in New Issue
Block a user