From 392a87cfa181a762bf4b3244aa3c6d065ef15253 Mon Sep 17 00:00:00 2001 From: Patrick J Cherry Date: Sat, 21 Apr 2012 10:46:37 +0100 Subject: Added SSL cert verification for Bytemark Authentication. Also tidied away error messages generated during login tests in the web_interface. --- lib/mauve/authentication.rb | 23 +++++++++++++++++++---- 1 file changed, 19 insertions(+), 4 deletions(-) (limited to 'lib/mauve/authentication.rb') diff --git a/lib/mauve/authentication.rb b/lib/mauve/authentication.rb index 54743f1..0fc6823 100644 --- a/lib/mauve/authentication.rb +++ b/lib/mauve/authentication.rb @@ -3,6 +3,11 @@ require 'sha1' require 'xmlrpc/client' require 'timeout' +# +# This allows poking of the SSL attributes of the http client. +# +module XMLRPC ; class Client ; attr_reader :http ; end ; end + module Mauve # @@ -131,15 +136,25 @@ module Mauve def authenticate(login, password) super - client = XMLRPC::Client.new(@srv,"/",@port,nil,nil,nil,nil,true,@timeout).proxy("bytemark.auth") + client = XMLRPC::Client.new(@srv,"/",@port,nil,nil,nil,nil,true,@timeout) + + # + # Make sure we verify our peer before attempting login. + # + if client.http.use_ssl? + client.http.ca_path = "/etc/ssl/certs/" + client.http.verify_mode = OpenSSL::SSL::VERIFY_PEER + end begin - challenge = client.getChallengeForUser(login) + proxy = client.proxy("bytemark.auth") + challenge = proxy.getChallengeForUser(login) response = Digest::SHA1.new.update(challenge).update(password).hexdigest - client.login(login, response) + proxy.login(login, response) return true rescue XMLRPC::FaultException => fault - logger.warn "#{self.class} for #{login} failed: #{fault.faultCode}: #{fault.faultString}" + logger.warn "#{self.class} for #{login} failed" + logger.debug "#{fault.faultCode}: #{fault.faultString}" return false rescue IOError => ex logger.warn "#{ex.class} during auth for #{login} (#{ex.to_s})" -- cgit v1.2.1 From 84b1abf30fe79032209cb0fcd0bfa9d6aaf37721 Mon Sep 17 00:00:00 2001 From: Patrick J Cherry Date: Sat, 21 Apr 2012 13:37:12 +0100 Subject: Overhaul of authentication. * Added new configuration options: ** bytemark_calendar_url ** bytemark_auth_url ** remote_https_verify_mode ** remote_http_timeout ** failed_login_delay * Added authentication tests * Removed remote auth tests in from the web interface tests. * If no bytemark_auth_url is set, then no remote auth takes place. * SSL peer cert validation now takes place by default. * Removed old logic tests * Tidied the way tests take place a little. --- lib/mauve/authentication.rb | 71 +++++++++++++++++---------------------------- 1 file changed, 26 insertions(+), 45 deletions(-) (limited to 'lib/mauve/authentication.rb') diff --git a/lib/mauve/authentication.rb b/lib/mauve/authentication.rb index 0fc6823..c467a1d 100644 --- a/lib/mauve/authentication.rb +++ b/lib/mauve/authentication.rb @@ -1,7 +1,6 @@ # encoding: UTF-8 require 'sha1' require 'xmlrpc/client' -require 'timeout' # # This allows poking of the SSL attributes of the http client. @@ -28,8 +27,6 @@ module Mauve raise ArgumentError.new("Password must be a string, not a #{password.class}") if String != password.class raise ArgumentError.new("Login or/and password is/are empty.") if login.empty? || password.empty? - return false unless Mauve::Configuration.current.people.has_key?(login) - false end @@ -73,7 +70,7 @@ module Mauve unless true == result logger.info "Authentication for #{login} failed" # Rate limit - sleep 5 + sleep Server.instance.failed_login_delay end result @@ -88,45 +85,6 @@ module Mauve Mauve::Authentication::ORDER << self - # Set up the Bytemark authenticator - # - # @todo allow configuration of where the server is. - # - # @param [String] srv Authentication server name - # @param [String] port Port overwhich authentication should take place - # - # @return [Mauve::AuthBytemark] - # - def initialize (srv='auth.bytemark.co.uk', port=443) - raise ArgumentError.new("Server must be a String, not a #{srv.class}") if String != srv.class - raise ArgumentError.new("Port must be a Fixnum, not a #{port.class}") if Fixnum != port.class - @srv = srv - @port = port - @timeout = 7 - - self - end - - # Tests to see if a server is alive, alive-o. - # - # @deprecated Not really needed. - # - # @return [Boolean] - def ping - begin - Timeout.timeout(@timeout) do - s = TCPSocket.open(@srv, @port) - s.close() - return true - end - rescue Timeout::Error => ex - return false - rescue => ex - return false - end - return false - end - # Authenticate against the Bytemark server # # @param [String] login @@ -136,14 +94,27 @@ module Mauve def authenticate(login, password) super - client = XMLRPC::Client.new(@srv,"/",@port,nil,nil,nil,nil,true,@timeout) + # + # Don't bother checking if no auth_url has been set. + # + return false unless Server.instance.bytemark_auth_url.is_a?(URI) + + # + # Don't bother checking if the person doesn't exist. + # + return false unless Mauve::Configuration.current.people.has_key?(login) + + uri = Server.instance.bytemark_auth_url + timeout = Server.instance.remote_http_timeout + # host=nil, path=nil, port=nil, proxy_host=nil, proxy_port=nil, user=nil, password=nil, use_ssl=nil, timeout=nil) + client = XMLRPC::Client.new(uri.host, uri.path, uri.port, nil, nil, uri.user, uri.password, uri.scheme == "https", timeout) # # Make sure we verify our peer before attempting login. # if client.http.use_ssl? client.http.ca_path = "/etc/ssl/certs/" - client.http.verify_mode = OpenSSL::SSL::VERIFY_PEER + client.http.verify_mode = Server.instance.remote_https_verify_mode end begin @@ -179,6 +150,16 @@ module Mauve # @return [Boolean] def authenticate(login,password) super + # + # Don't bother checking if the person doesn't exist. + # + return false unless Mauve::Configuration.current.people.has_key?(login) + + # + # Don't bother checking if no password has been set. + # + return false if Mauve::Configuration.current.people[login].password.nil? + if ( Digest::SHA1.hexdigest(password) == Mauve::Configuration.current.people[login].password ) return true else -- cgit v1.2.1