Class: OpenShift::KerberosAuthService

Inherits:
AuthService
  • Object
show all
Defined in:
lib/openshift/kerberos_auth_service.rb

Instance Method Summary collapse

Constructor Details

#initialize(auth_info = nil) ⇒ KerberosAuthService

Returns a new instance of KerberosAuthService.



12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
 
# File 'lib/openshift/kerberos_auth_service.rb', line 12

def initialize(auth_info = nil)
  Rails.logger.debug "Initializing KerberosAuthService"
  if auth_info != nil
    # no-op
  elsif defined? Rails
    auth_info = Rails.application.config.auth
  else
    raise Exception.new("Error initilizing KerberosAuthService")
  end

  @salt         = auth_info[:salt]
  @privkeyfile  = auth_info[:privkeyfile]
  @privkeypass  = auth_info[:privkeypass]
  @pubkeyfile   = auth_info[:pubkeyfile]
end

Instance Method Details

#authenticate(request, login, password) ⇒ Object 



79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
 
# File 'lib/openshift/kerberos_auth_service.rb', line 79

def authenticate(request, , password)
  params = request.request_parameters()
  if params['broker_auth_key'] && params['broker_auth_iv']
    validate_broker_key(params['broker_auth_iv'], params['broker_auth_key'])
  else
    raise OpenShift::AccessDeniedException if .nil? || .empty? || password.nil? || password.empty?
    krb5 = Krb5.new

    # get the default realm
    default_realm = krb5.get_default_realm
    Rails.logger.debug "Default realm is: " + default_realm
    # try to cache non-existant data (this should fail and throw an exception)
    begin
      krb5.cache
      rescue Krb5Auth::Krb5::Exception
        Rails.logger.debug "Failed caching credentials before obtaining them. Continuing..."
    end

    if krb5.get_init_creds_password(,password)
      krb5.close
      return {:username => , :auth_method => :login}
    else
      krb5.close
      raise OpenShift::AccessDeniedException
    end

  end
end

#generate_broker_key(app) ⇒ Object 



28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
 
# File 'lib/openshift/kerberos_auth_service.rb', line 28

def generate_broker_key(app)
  cipher = OpenSSL::Cipher::Cipher.new("aes-256-cbc")
  cipher.encrypt
  cipher.key = OpenSSL::Digest::SHA512.new(@salt).digest
  cipher.iv = iv = cipher.random_iv
  token = {:app_name => app.name,
           :login => app.user.,
           :creation_time => app.creation_time}
  encrypted_token = cipher.update(token.to_json)
  encrypted_token << cipher.final

  public_key = OpenSSL::PKey::RSA.new(File.read(@pubkeyfile), @privkeypass)
  encrypted_iv = public_key.public_encrypt(iv)

  # Base64 encode the iv and token
  encoded_iv = Base64::encode64(encrypted_iv)
  encoded_token = Base64::encode64(encrypted_token)

  [encoded_iv, encoded_token]
end

#login(request, params, cookies) ⇒ Object 



108
109
110
111
112
113
114
115
 
# File 'lib/openshift/kerberos_auth_service.rb', line 108

def (request, params, cookies)
  if params['broker_auth_key'] && params['broker_auth_iv']
    validate_broker_key(params['broker_auth_iv'], params['broker_auth_key'])
  else
    data = JSON.parse(params['json_data'])
    return authenticate(request, data['rhlogin'], params['password'])
  end
end

#validate_broker_key(iv, key) ⇒ Object

Raises:

  • (OpenShift::AccessDeniedException) 


49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
 
# File 'lib/openshift/kerberos_auth_service.rb', line 49

def validate_broker_key(iv, key)
  key = key.gsub(" ", "+")
  iv = iv.gsub(" ", "+")
  begin
    encrypted_token = Base64::decode64(key)
    cipher = OpenSSL::Cipher::Cipher.new("aes-256-cbc")
    cipher.decrypt
    cipher.key = OpenSSL::Digest::SHA512.new(@salt).digest
    private_key = OpenSSL::PKey::RSA.new(File.read(@privkeyfile), @privkeypass)
    cipher.iv =  private_key.private_decrypt(Base64::decode64(iv))
    json_token = cipher.update(encrypted_token)
    json_token << cipher.final
  rescue => e
    Rails.logger.debug "Broker key authentication failed. #{e.backtrace.inspect}"
    raise OpenShift::AccessDeniedException.new
  end

  token = JSON.parse(json_token)
  username = token['login']
  app_name = token['app_name']
  creation_time = token['creation_time']

  user = CloudUser.find(username)
  raise OpenShift::AccessDeniedException.new if user.nil?
  app = Application.find(user, app_name)

  raise OpenShift::AccessDeniedException.new if app.nil? or creation_time != app.creation_time
  return {:username => username, :auth_method => :broker_auth}
end