The branch, master has been updated via 412348110510de7c77fda9f76b039ddfd7a1b7f2 (commit) from 9176b71273c66f2e949f3229e498705ab1f84a6a (commit) Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below. - Log ----------------------------------------------------------------- commit 412348110510de7c77fda9f76b039ddfd7a1b7f2 Author: Mike Gabriel <mike.gabriel@das-netzwerkteam.de> Date: Sun Aug 18 21:53:09 2013 +0200 Get the cookie based extra-authentication working. ----------------------------------------------------------------------- Summary of changes: debian/changelog | 1 + x2gobroker/brokers/base_broker.py | 13 +++-- x2gobroker/client/plain.py | 113 +++++++++++++++++++------------------ 3 files changed, 69 insertions(+), 58 deletions(-) The diff of changes is: diff --git a/debian/changelog b/debian/changelog index 94431cc..64ee398 100644 --- a/debian/changelog +++ b/debian/changelog @@ -7,6 +7,7 @@ x2gobroker (0.0.3.0-0~x2go1) UNRELEASED; urgency=low - SSH broker: Only allow context change to another user for the magic user (default: x2gobroker). - Fix logrotate script: x2gobroker-wsgi. (Fixes: #275). + - Get the cookie based extra-authentication working. * /debian/control: + Replace LDAP support with session brokerage support in LONG_DESCRIPTION. diff --git a/x2gobroker/brokers/base_broker.py b/x2gobroker/brokers/base_broker.py index 5431a99..3a7aa7a 100644 --- a/x2gobroker/brokers/base_broker.py +++ b/x2gobroker/brokers/base_broker.py @@ -706,7 +706,7 @@ class X2GoBroker(object): else: return [] - def check_access(self, username='', password='', cookie=None, ): + def check_access(self, username='', password='', cookie=None, cookie_only=False): """\ Check if a given user with a given password may gain access to the X2Go session broker. 
@@ -717,6 +717,8 @@ class X2GoBroker(object): @type password: C{unicode} @param cookie: an extra (static or dynamic) authentication token @type cookie: C{unicode} + @param cookie_only: do only check the auth_cookie, not username/password + @type cookie_only: C{bool} @return: returns C{True} if the authentication has been successful @rtype: C{bool} @@ -733,13 +735,16 @@ class X2GoBroker(object): ### when inheriting from the base.X2GoBroker class. access = False - access = self._do_authenticate(username=username, password=password) - logger_broker.debug('base_broker.X2GoBroker.check_access(): result of authentication check is: {access}'.format(access=access)) + if cookie_only is False: + access = self._do_authenticate(username=username, password=password) + logger_broker.debug('base_broker.X2GoBroker.check_access(): result of authentication check is: {access}'.format(access=access)) + else: + access = True ### HANDLING OF DYNAMIC AUTHENTICATION ID HASHES # using cookie authentication as extra security? - if self.config.get_value('global', 'require-cookie-authentication'): + if self.config.get_value('global', 'require-cookie-auth'): if type(cookie) is types.StringType: cookie = unicode(cookie) diff --git a/x2gobroker/client/plain.py b/x2gobroker/client/plain.py index 73bc210..f6df4b6 100644 --- a/x2gobroker/client/plain.py +++ b/x2gobroker/client/plain.py 
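Review bot: The new `else: access = True` branch in `check_access` fails open: with `cookie_only=True` the result starts out as granted, and the only check visible after it is guarded by `require-cookie-auth`, so with that option off the call appears to return `True` without verifying anything. The rest of the method lies outside the hunk, so this needs confirming against the full body. The test `if cookie_only is False:` is an identity comparison, so a falsy non-bool such as `None` or `0` also skips `_do_authenticate`; `if not cookie_only:` keeps the password check as the default path. The `@param cookie_only` docstring should say outright that username and password are not checked at all in this mode, and that the caller is responsible for having authenticated the user by other means.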
@@ -66,75 +66,80 @@ class X2GoBrokerClient(object): output = '' - logger_broker.debug ('username: {username}, task: {task}, profile_id: {profile_id}'.format(username=username, task=task, profile_id=profile_id)) + if broker_backend.check_access(cookie=cookie, cookie_only=True): - ### - ### CONFIRM SUCCESSFUL AUTHENTICATION FIRST - ### + logger_broker.debug ('username: {username}, task: {task}, profile_id: {profile_id}'.format(username=username, task=task, profile_id=profile_id)) - if global_config['require-cookie-auth']: - - ### FIXME: make up a nice protocol for this, disabled for now - #output += "AUTHID: {authid}<br />".format(authid=broker_backend.get_next_authid(username=data.user)) - pass + ### + ### CONFIRM SUCCESSFUL AUTHENTICATION FIRST + ### - output += "Access granted\n" - ### - ### X2GO BROKER TASKS - ### + if global_config['require-cookie-auth'] and not global_config['use-static-cookie']: - # FIXME: the ,,testcon'' task can be object to DoS attacks... - if task == 'testcon': + ### FIXME: make up a nice protocol for this, disabled for now + #output += "AUTHID: {authid}<br />".format(authid=broker_backend.get_next_authid(username=data.user)) + pass + output += "Access granted\n" ### - ### TEST THE CONNECTION + ### X2GO BROKER TASKS ### - return broker_backend.test_connection() - - if task == 'listsessions': - - profiles = broker_backend.list_profiles(username) - if profiles: - output += "START_USER_SESSIONS\n\n" - profile_ids = profiles.keys() - profile_ids.sort() - for profile_id in profile_ids: - output += "[{profile_id}]\n".format(profile_id=profile_id) - for key in profiles[profile_id].keys(): - if key == u'user' and not profiles[profile_id][key]: - profiles[profile_id][key] = username - if type(profiles[profile_id][key]) in (types.UnicodeType, types.StringType): - output += "{key}={value}".format(key=key, value=unicode(profiles[profile_id][key])) - elif type(profiles[profile_id][key]) in (types.ListType, types.TupleType): - output += 
"{key}={value}".format(key=key, value=unicode(",".join(profiles[profile_id][key]))) - else: - output += "{key}={value}".format(key=key, value=unicode(int(profiles[profile_id][key]))) - + # FIXME: the ,,testcon'' task can be object to DoS attacks... + if task == 'testcon': + + ### + ### TEST THE CONNECTION + ### + + return broker_backend.test_connection() + + if task == 'listsessions': + + profiles = broker_backend.list_profiles(username) + if profiles: + output += "START_USER_SESSIONS\n\n" + profile_ids = profiles.keys() + profile_ids.sort() + for profile_id in profile_ids: + output += "[{profile_id}]\n".format(profile_id=profile_id) + for key in profiles[profile_id].keys(): + if key == u'user' and not profiles[profile_id][key]: + profiles[profile_id][key] = username + if type(profiles[profile_id][key]) in (types.UnicodeType, types.StringType): + output += "{key}={value}".format(key=key, value=unicode(profiles[profile_id][key])) + elif type(profiles[profile_id][key]) in (types.ListType, types.TupleType): + output += "{key}={value}".format(key=key, value=unicode(",".join(profiles[profile_id][key]))) + else: + output += "{key}={value}".format(key=key, value=unicode(int(profiles[profile_id][key]))) + + output += "\n" output += "\n" - output += "\n" - output += "END_USER_SESSIONS\n" + output += "END_USER_SESSIONS\n" - elif task == 'selectsession': + elif task == 'selectsession': - if profile_id: + if profile_id: - profile_info = broker_backend.select_session(profile_id=profile_id, username=username) - if profile_info.has_key('server'): - output += "SERVER:" - output += profile_info['server'] - if profile_info.has_key('port'): - output += ":{port}".format(port=profile_info['port']) - output += "\n" - if profile_info.has_key('authentication_privkey'): - output += profile_info['authentication_privkey'] - if profile_info.has_key('session_info'): - output += "SESSION_INFO:" - output += profile_info['session_info'] + "\n" + profile_info = 
broker_backend.select_session(profile_id=profile_id, username=username) + if profile_info.has_key('server'): + output += "SERVER:" + output += profile_info['server'] + if profile_info.has_key('port'): + output += ":{port}".format(port=profile_info['port']) + output += "\n" + if profile_info.has_key('authentication_privkey'): + output += profile_info['authentication_privkey'] + if profile_info.has_key('session_info'): + output += "SESSION_INFO:" + output += profile_info['session_info'] + "\n" + + else: + logger_broker.error ('cookie authentication failed') return output - logger_broker.warn ('broker backend ,,{backend}\'\' is disabled on this system'.format(backend=backend)) + logger_broker.error ('broker backend ,,{backend}\'\' is disabled on this system'.format(backend=backend)) hooks/post-receive -- x2gobroker.git (HTTP(S) Session broker for X2Go) This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "x2gobroker.git" (HTTP(S) Session broker for X2Go).
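Review bot: Behind the new gate `if broker_backend.check_access(cookie=cookie, cookie_only=True):`, `username` is never verified, yet it decides whose profiles `list_profiles` returns and whose `authentication_privkey` `select_session` writes into the output. With `use-static-cookie` enabled, a single shared value is then the only barrier in front of every user's session key, unless the transport in front of this client already authenticates the user (not visible here); a comment stating that assumption belongs next to the gate. The failure branch logs only `'cookie authentication failed'`; adding the request context, e.g. `logger_broker.error('cookie authentication failed (username: {username}, task: {task})'.format(username=username, task=task))`, would make repeated failures attributable. The enclosing method starts before the hunk.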