Class: OpenNebula::ServerX509Auth

Inherits:

X509Auth

Object
X509Auth
OpenNebula::ServerX509Auth

show all

Defined in:: lib/opennebula/server_x509_auth.rb

Overview

Server authentication class. This authmethod can be used by opennebula services to let access authenticated users by other means. It is based on x509 server certificates

Constant Summary collapse

SERVER_AUTH_CONF_PATH = Constants with paths to relevant files and defaults

ETC_LOCATION + "/auth/server_x509_auth.conf"

SERVER_DEFAULTS =

{
    :one_cert => ETC_LOCATION + "/auth/cert.pem",
    :one_key  => ETC_LOCATION + "/auth/key.pem"
}

Constants inherited from X509Auth

X509Auth::ETC_LOCATION, X509Auth::X509_AUTH_CONF_PATH, X509Auth::X509_DEFAULTS

Instance Method Summary collapse

#authenticate(server_user, server_pass, signed_text) ⇒ Object

auth method for auth_mad.
#initialize ⇒ ServerX509Auth constructor

A new instance of ServerX509Auth.
#login_token(expire, target_user = nil) ⇒ Object

Generates a login token in the form: - server_user:target_user:time_expires.

Methods inherited from X509Auth

escape_dn, #password, unescape_dn

Constructor Details

#initialize ⇒ `ServerX509Auth`

Returns a new instance of ServerX509Auth.

# File 'lib/opennebula/server_x509_auth.rb', line 42

def initialize()
    @options = SERVER_DEFAULTS

    load_options(SERVER_AUTH_CONF_PATH)

    begin
        certs = [ File.read(@options[:one_cert]) ]
        key   =   File.read(@options[:one_key])

        super(:certs_pem => certs, :key_pem => key)
    rescue
        raise
    end

    if @options[:srv_user] == nil || @options[:srv_user].empty?
       raise "User for x509 server not defined"
    end
end

Instance Method Details

#authenticate(server_user, server_pass, signed_text) ⇒ `Object`

auth method for auth_mad

# File 'lib/opennebula/server_x509_auth.rb', line 88

def authenticate(server_user, server_pass, signed_text)
    begin
        s_user, t_user, expires = decrypt(signed_text).split(':')

        return "Server password missmatch" if server_pass != password

        return "User name missmatch" if ( s_user != server_user ||
                                          s_user != @options[:srv_user] )

        return "login token expired" if Time.now.to_i >= expires.to_i

        return true
    rescue => e
        return e.message
    end
end

#login_token(expire, target_user = nil) ⇒ `Object`

Generates a login token in the form:

- server_user:target_user:time_expires

# File 'lib/opennebula/server_x509_auth.rb', line 73

def login_token(expire, target_user=nil)
    target_user ||= @options[:srv_user]
    token_txt   =   "#{@options[:srv_user]}:#{target_user}:#{expire}"

    token   = encrypt(token_txt)
    token64 = Base64::encode64(token).strip.delete("\n")

    return "#{@options[:srv_user]}:#{target_user}:#{token64}"
end