From e338fc2e3eab278aa012f058472ba34b98ae80a3 Mon Sep 17 00:00:00 2001
From: Tomas Jelinek <tojeline@redhat.com>
Date: Fri, 31 Jul 2015 17:34:46 +0200
Subject: [PATCH] fixed session and cookies processing
|
---
pcsd/auth.rb | 24 +++++++++++-------------
pcsd/pcs.rb | 8 ++++----
pcsd/pcsd.rb | 14 ++++++++++----
pcsd/remote.rb | 2 +-
4 files changed, 26 insertions(+), 22 deletions(-)
|
diff --git a/pcsd/auth.rb b/pcsd/auth.rb
index 8953d60..05bfadf 100644
--- a/pcsd/auth.rb
+++ b/pcsd/auth.rb
@@ -3,9 +3,8 @@ require 'pp'
require 'securerandom'
require 'rpam'
|
-class PCSAuth
# Ruby 1.8.7 doesn't implement SecureRandom.uuid
- def self.uuid
+ def pcsauth_uuid
if defined? SecureRandom.uuid
return SecureRandom.uuid
else
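Review bot: Turning `class PCSAuth` with `def self.uuid` into a top-level `def pcsauth_uuid` is left unexplained, and a later cleanup is likely to wrap these functions back into a class. Top-level `def`s become private methods on `Object`, so when a route handler calls them `self` is still the Sinatra app instance and the request-scoped `session`/`cookies` helpers remain reachable, which appears to be why the class had to go; a class method would have lost that access. I would add a header comment above `pcsauth_uuid`: `# Deliberately top-level rather than class methods: these are called from route handlers and rely on the caller's request-scoped session/cookies (see pcsauth_isLoggedIn).` The `else` branch of `pcsauth_uuid` continues outside the hunk.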
@@ -16,7 +15,7 @@ class PCSAuth
end
end
|
- def self.validUser(username, password, generate_token = false, request = nil)
+ def pcsauth_validUser(username, password, generate_token = false, request = nil)
$logger.info("Attempting login by '#{username}'")
if not Rpam.auth(username,password, :service => "pcsd")
$logger.info("Failed login by '#{username}' (bad username or password)")
@@ -37,7 +36,7 @@ class PCSAuth
$logger.info("Successful login by '#{username}'")
|
if generate_token
- token = PCSAuth.uuid
+ token = pcsauth_uuid
begin
password_file = File.open($user_pass_file, File::RDWR|File::CREAT)
password_file.flock(File::LOCK_EX)
@@ -57,7 +56,7 @@ class PCSAuth
return true
end
|
- def self.validToken(token)
+ def pcsauth_validToken(token)
begin
json = File.read($user_pass_file)
users = JSON.parse(json)
@@ -73,10 +72,10 @@ class PCSAuth
return false
end
|
- def self.isLoggedIn(session, cookies)
- if username = validToken(cookies["token"])
- if username == "hacluster" and $cookies.key?(:CIB_user) and $cookies.key?(:CIB_user) != ""
- $session[:username] = $cookies[:CIB_user]
+ def pcsauth_isLoggedIn(session, cookies)
+ if username = pcsauth_validToken(cookies["token"])
+ if username == "hacluster" and cookies.key?('CIB_user') and cookies['CIB_user'] != ""
+ session[:username] = cookies['CIB_user']
end
return true
else
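Review bot: `session[:username] = cookies['CIB_user']` still accepts the impersonated user straight from a client-supplied cookie, checked only for non-emptiness, so any caller presenting the hacluster token can choose an arbitrary username that later reaches `ENV['CIB_user']` in `run_cmd`. If this path exists for node-to-node forwarding, as the `CIB_user` cookie set in `send_request_with_token` suggests, it would be safer to at least log the substitution and reject values that do not look like a user name, e.g. `cib_user = cookies['CIB_user'].to_s` followed by `session[:username] = cib_user if cib_user =~ /\A[\w.-]+\z/` — the exact character set should be confirmed against what pacemaker accepts. Whether a stricter check (a lookup in the users file) is feasible depends on how CIB_user is used elsewhere, which is not visible here. The rest of `pcsauth_isLoggedIn` continues outside the hunk.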
@@ -85,11 +84,11 @@ class PCSAuth
end
|
# Always an admin until we implement groups
- def self.isAdmin(session)
+ def pcsauth_isAdmin(session)
true
end
|
- def self.createUser(username, password)
+ def pcsauth_createUser(username, password)
begin
json = File.read($user_pass_file)
users = JSON.parse(json)
@@ -97,7 +96,7 @@ class PCSAuth
users = []
end
|
- token = PCSAuth.uuid
+ token = pcsauth_uuid
|
users.delete_if{|u| u["username"] == username}
users << {"username" => username, "password" => password, "token" => token}
@@ -105,5 +104,4 @@ class PCSAuth
f.write(JSON.pretty_generate(users))
end
end
-end
|
diff --git a/pcsd/pcs.rb b/pcsd/pcs.rb
index 3fad833..d8e27b3 100644
--- a/pcsd/pcs.rb
+++ b/pcsd/pcs.rb
@@ -306,7 +306,7 @@ def send_request_with_token(node, request, post=false, data={}, remote=true, raw
req.set_form_data(data)
end
cookies_to_send = [CGI::Cookie.new("name" => 'token', "value" => token).to_s]
- cookies_to_send << CGI::Cookie.new("name" => "CIB_user", "value" => $session[:username].to_s).to_s
+ cookies_to_send << CGI::Cookie.new("name" => "CIB_user", "value" => get_session()[:username].to_s).to_s
req.add_field("Cookie",cookies_to_send.join(";"))
myhttp = Net::HTTP.new(uri.host, uri.port)
myhttp.use_ssl = true
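Review bot: `get_session()` on the CIB_user cookie line is a helper defined in pcsd.rb's `helpers do` block, so this function now only works when `self` is the Sinatra app instance handling a request; called from a class method, a thread started outside a request, or a standalone script it raises NoMethodError, whereas the old global silently returned whatever the last request left behind. That hidden requirement is why the PCSAuth class is flattened in the same commit, but nothing at this call site says so. A comment above the cookie line would prevent the next regression: `# get_session is a Sinatra helper: this must run in request context (self == app instance).` Passing the forwarding user in as an explicit argument would remove the dependency entirely, but the signature line is cut off at the hunk header, and `send_request_with_token` starts and ends outside the hunk.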
@@ -623,10 +623,10 @@ def run_cmd(*args)
start = Time.now
out = ""
errout = ""
- if $session[:username] == "hacluster"
- ENV['CIB_user'] = $cookies[:CIB_user]
+ if get_session()[:username] == "hacluster"
+ ENV['CIB_user'] = get_cookies()[:CIB_user]
else
- ENV['CIB_user'] = $session[:username]
+ ENV['CIB_user'] = get_session()[:username]
end
$logger.debug("CIB USER: #{ENV['CIB_user'].to_s}")
status = Open4::popen4(*args) do |pid, stdin, stdout, stderr|
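Review bot: `ENV['CIB_user'] = ...` still writes a process-wide variable per request, which is the same shared-state hazard this commit removes with `$session`/`$cookies`: if two requests reach `run_cmd` concurrently (pcsd's threading model is not visible here), one command can execute as the other request's user. Since Open4 is given an argument list rather than a shell string, the value can be scoped to the child instead, e.g. `cib_user = get_session()[:username] == "hacluster" ? get_cookies()[:CIB_user] : get_session()[:username]` and then `Open4::popen4('env', "CIB_user=#{cib_user}", *args)`, keeping the `$logger.debug` line on `cib_user`; the nil case needs a guard because `ENV[...] = nil` currently unsets the variable while `env CIB_user=` would set it empty. Separately, this branch reads `get_cookies()[:CIB_user]` with a symbol key while `pcsauth_isLoggedIn` reads `request.cookies['CIB_user']` with a string key; whether both resolve depends on the cookie jar's key handling, so one accessor and key style for CIB_user would be safer. `run_cmd` continues outside the hunk.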
diff --git a/pcsd/pcsd.rb b/pcsd/pcsd.rb
index 5a0928a..2633360 100644
--- a/pcsd/pcsd.rb
+++ b/pcsd/pcsd.rb
@@ -49,8 +49,6 @@ also_reload 'auth.rb'
also_reload 'wizard.rb'
|
before do
- $session = session
- $cookies = cookies
if request.path != '/login' and not request.path == "/logout" and not request.path == '/remote/auth'
protected!
end
@@ -117,7 +115,7 @@ set :run, false
|
helpers do
def protected!
- if not PCSAuth.isLoggedIn(session, request.cookies)
+ if not pcsauth_isLoggedIn(session, request.cookies)
# If we're on /managec/<cluster_name>/main we redirect
match_expr = "/managec/(.*)/(.*)"
mymatch = request.path.match(match_expr)
@@ -198,7 +196,7 @@ if not DISABLE_GUI
end
|
post '/login' do
- if PCSAuth.validUser(params['username'],params['password'])
+ if pcsauth_validUser(params['username'],params['password'])
session["username"] = params['username']
# Temporarily ignore pre_login_path until we come up with a list of valid
# paths to redirect to (to prevent status_all issues)
@@ -741,4 +739,12 @@ helpers do
def h(text)
Rack::Utils.escape_html(text)
end
+
+ def get_session
+ session
+ end
+
+ def get_cookies
+ return cookies
+ end
end
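Review bot: `get_session` and `get_cookies` have no comment, and their purpose — handing the request-scoped `session`/`cookies` helpers to the top-level functions in pcs.rb that previously read `$session`/`$cookies` — is not obvious from two one-line wrappers. I would add above them: `# Request-scoped accessors for the top-level helpers in pcs.rb; only valid while self is the app instance handling a request, with intentionally no global fallback.` The two bodies are also written differently (`session` vs `return cookies`); the bare expression matches the neighbouring `h` helper, so drop the `return`.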
diff --git a/pcsd/remote.rb b/pcsd/remote.rb
index b98e9a9..69142e4 100644
--- a/pcsd/remote.rb
+++ b/pcsd/remote.rb
@@ -628,7 +628,7 @@ def status_all(params, nodes = [])
end
|
def auth(params,request)
- token = PCSAuth.validUser(params['username'],params['password'], true, request)
+ token = pcsauth_validUser(params['username'],params['password'], true, request)
# If we authorized to this machine, attempt to authorize everywhere
node_list = []
if token and params["bidirectional"]
--
1.9.1
|