This is an automated email from the git hooks/post-receive script. x2go pushed a change to branch master in repository x2gobroker. from e5eb4a3 add bug closures #379 and #380 to changelog, fixed by commit 1f80caf359b239bf60e5a07c3119446997e4962e and some later follow-ups new 893b4ce Add support for dynamic cookie based auth after initial password auth. (Fixes: #447). new 770683c Add support to run pre and post authentication scripts. (Fixes: #449). new 69fa03e Add simple https get authmech. (Fixes: #450). new e764d4f x2gobroker.conf: list available user/group db backends and auth mechs The 4 revisions listed above as "new" are entirely new to this repository and will be described in separate emails. The revisions listed as "adds" were already present in the repository and have only been added to this reference. Summary of changes: debian/changelog | 8 ++ etc/x2gobroker.conf | 39 +++++- x2gobroker/authmechs/https_get_authmech.py | 63 +++++++++ x2gobroker/brokers/base_broker.py | 135 ++++++++++++-------- x2gobroker/defaults.py | 9 +- .../{authmechs => optional_scripts}/__init__.py | 0 .../base_script.py} | 6 +- x2gobroker/web/json.py | 9 +- x2gobroker/web/plain.py | 34 ++++- x2gobroker/web/uccs.py | 4 +- 10 files changed, 226 insertions(+), 81 deletions(-) create mode 100644 x2gobroker/authmechs/https_get_authmech.py copy x2gobroker/{authmechs => optional_scripts}/__init__.py (100%) mode change 100644 => 100755 copy x2gobroker/{authmechs/none_authmech.py => optional_scripts/base_script.py} (84%) mode change 100644 => 100755 -- Alioth's /srv/git/_hooks_/post-receive-email on /srv/git/code.x2go.org/x2gobroker.git
This is an automated email from the git hooks/post-receive script. x2go pushed a commit to branch master in repository x2gobroker. commit 893b4ce7190ef088dc096144feb5c99be6d71cf7 Author: Mike Gabriel <mike.gabriel@das-netzwerkteam.de> Date: Fri Mar 7 21:37:59 2014 +0100 Add support for dynamic cookie based auth after initial password auth. (Fixes: #447). --- debian/changelog | 6 ++ etc/x2gobroker.conf | 30 +++++++-- x2gobroker/brokers/base_broker.py | 135 ++++++++++++++++++++++--------------- x2gobroker/defaults.py | 7 +- x2gobroker/web/json.py | 9 +-- x2gobroker/web/plain.py | 10 ++- x2gobroker/web/uccs.py | 4 +- 7 files changed, 123 insertions(+), 78 deletions(-) diff --git a/debian/changelog b/debian/changelog index ced44bc..0b2dd12 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,5 +1,6 @@ x2gobroker (0.0.3.0-0x2go1) UNRELEASED; urgency=low + [ Mike Gabriel ] * New upstream version (0.0.3.0): - Add SSH support to X2Go Session Broker. (Fixes: #153). - Move x2gobroker executable to /usr/bin. @@ -113,6 +114,11 @@ x2gobroker (0.0.3.0-0x2go1) UNRELEASED; urgency=low sub-package. + Builds for EPEL-7 also have to systemd aware. + [ Josh Lukens ] + * New upstream version (0.0.3.0): + - Add support for dynamic cookie based auth after initial password auth. (Fixes: + #447). + -- Mike Gabriel <mike.gabriel@das-netzwerkteam.de> Fri, 07 Jun 2013 23:25:30 +0200 x2gobroker (0.0.2.3-0~x2go1) unstable; urgency=low diff --git a/etc/x2gobroker.conf b/etc/x2gobroker.conf index 19ea93b..b8b8974 100644 --- a/etc/x2gobroker.conf +++ b/etc/x2gobroker.conf 
@@ -24,20 +24,38 @@ [global] -# Allow unauthenticated connections? Then set check-credentials to false. -#check-credentials = true +# Allow unauthenticated connections? Then set both require-password and require-cookie to false. + +# Veriy username/password combination sent by client +#require-password = true # To secure server-client communication the client can start the communication # with a pre-set, agreed on authentication ID. Set the below value to true # to make the X2Go Session Broker require this feature -#require-cookie-auth = false ### NOT-IN-USE-YET +#require-cookie = false # X2Go supports two different cookie authentication modes (static and dynamic). -#use-static-cookie = true ### NOT-IN-USE-YET +# Dynamic cookies send new cookie to client on every request. This could possibly +# cause issues if a client ever tries multiple requests at the same time. +#use-static-cookie = true + +# Once a client is authenticated their password is not revalidated until this +# many seconds have elapsed from their initial authentication. +#auth-timeout = 36000 + +# Client cookies (both static and dynamic) must be stored as local files. +# This is the directory where those files will be stored. Please make sure +# the permissions are set to allow the x2go broker process to write to this directory +#cookie-directory = '/var/log/x2gobroker/cookies' # Every server-client communication (between X2Go Client and broker) has to be -# accompanied by this initial authentication cookie. -#my-cookie = <aaaavveeeerrrrryyyyylooonnnnggggssttrrriiinnnggg> ### NOT-IN-USE-YET +# accompanied by this initial authentication cookie if require-cookie is set above. +# This should be in the format of a UUID. +#my-cookie = xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx + +# By default the broker will pin user sessions to the IP address from which they +# origionally authenticate. If you would like to skip that check set this to false. 
+#verify-ip = true # X2Go Session Broker knows about two output formats: a text/plain based output # and a text/json based output that is compatible with UCCS. The different outputs diff --git a/x2gobroker/brokers/base_broker.py b/x2gobroker/brokers/base_broker.py index 7fb3172..0fa010d 100644 --- a/x2gobroker/brokers/base_broker.py +++ b/x2gobroker/brokers/base_broker.py @@ -31,6 +31,7 @@ import uuid import netaddr import random import time +import os.path # X2Go Broker modules import x2gobroker.config @@ -726,7 +727,7 @@ class X2GoBroker(object): else: return [] - def check_access(self, username='', password='', cookie=None, cookie_only=False): + def check_access(self, username='', password='', ip='', cookie=None): """\ Check if a given user with a given password may gain access to the X2Go session broker. 
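Review bot: The new `cookie-directory` comment tells the admin to make the directory writable by the broker but says nothing about keeping it unreadable by everyone else, yet in the accompanying base_broker.py change the cookie value is the file name (`<username>_<uuid>`), so any local account that can list the directory can read live session cookies. Suggest extending the comment: `# The directory must be writable by the broker process and not readable by other users (mode 0700).` `/var/log` is also an unusual home for authentication state, since log directories are commonly listable and handled by rotation or cleanup tooling. Typos in the same hunk: `Veriy` → `Verify`, `origionally` → `originally`.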
@@ -735,80 +736,102 @@ class X2GoBroker(object): @type username: C{unicode} @param password: a password that authenticates the user against the X2Go session broker @type password: C{unicode} + @param ip: the ip address of the client + @type ip: C{unicode} @param cookie: an extra (static or dynamic) authentication token @type cookie: C{unicode} - @param cookie_only: do only check the auth_cookie, not username/password - @type cookie_only: C{bool} @return: returns C{True} if the authentication has been successful - @rtype: C{bool} + @rtype: C{bool},C{unicode} """ ### FOR INTRANET LOAD BALANCER WE MAY JUST ALLOW ACCESS TO EVERYONE ### This is handled through the config file, normally /etc/x2go/x2gobroker.conf - if not self.config.get_value('global', 'check-credentials'): + if not self.config.get_value('global', 'require-password') and not self.config.get_value('global', 'require-cookie'): logger_broker.debug('base_broker.X2GoBroker.check_access(): access is granted without checking credentials, prevent this in {configfile}'.format(configfile=self.config_file)) - return True + return True, None elif username == 'check-credentials' and password == 'FALSE': # this catches a validation check from the UCCS web frontend... - return False + return False, None ### IMPLEMENT YOUR AUTHENTICATION LOGIC IN THE self._do_authenticate(**kwargs) METHOD ### when inheriting from the base.X2GoBroker class. - - access = False - if cookie_only is False: - access = self._do_authenticate(username=username, password=password) - logger_broker.debug('base_broker.X2GoBroker.check_access(): result of authentication check is: {access}'.format(access=access)) - else: - access = True - - ### HANDLING OF DYNAMIC AUTHENTICATION ID HASHES - - # using cookie authentication as extra security? 
- if self.config.get_value('global', 'require-cookie-auth'): - - if type(cookie) is types.StringType: - cookie = unicode(cookie) - - if self.config.get_value('global', 'use-static-cookie'): - - # evaluate access based on static authentication ID feature - access = access and ( cookie == self.config.get_value('global', 'my-cookie') ) + if type(cookie) is types.StringType: + cookie = unicode(cookie) + + if (((cookie == None) or (cookie == "")) and self.config.get_value('global', 'require-cookie')): + #cookie required but we did not get one - catch wrong cookie case later + logger_broker.debug('base_broker.X2GoBroker.check_access(): cookie required but none given.') + return False, None + + # check if cookie sent was our preset cookie from config file + next_cookie = self.config.get_value('global', 'my-cookie') + access = (cookie == next_cookie ) + logger_broker.debug('base_broker.X2GoBroker.check_access(): checking if our configured cookie was submitted: {access}'.format(access=access)) + + # the require cookie but not password case falls through to returning value of access + if self.config.get_value('global', 'require-password'): + + # using files to store persistant cookie information because global variables do not work across threads in WSGI + cookie_directory=self.config.get_value('global', 'cookie-directory') + if (not os.path.isdir(cookie_directory)): + logger_broker.debug('base_broker.X2GoBroker.check_access(): cookie-directory {cookie_directory} does not exist trying to craete it'.format(cookie_directory=cookie_directory)) + try: + os.makedirs(cookie_directory); + except: + logger_broker.warning('base_broker.X2GoBroker.check_access(): could not create cookie-directory {cookie_directory} failing to authenticate'.format(cookie_directory=cookie_directory)) + return False, None + + if access or cookie == None or cookie == "": + # this should be the first time we have seen this user or they are using old client so verify their passwrd + access = 
self._do_authenticate(username=username, password=password) + logger_broker.debug('base_broker.X2GoBroker.check_access(): checking for valid password: {access}'.format(access=access)) + + if access: + #create new cookie for this user + #each user gets one or more tuples of IP, time stored as username_UUID files so they can connect from multiple sessions + next_cookie = str(uuid.uuid4()) + fh = open(cookie_directory+"/"+username+"_"+next_cookie,"w") + fh.write('{ip} {time}'.format(ip=ip, time=time.time())) + fh.close() + logger_broker.debug('base_broker.X2GoBroker.check_access(): Giving new cookie: {cookie} to user {username} at ip {ip}'.format(cookie=next_cookie,username=username,ip=ip)) else: - - # evaluate access based on dynamic authentication ID feature - if self._dynamic_cookie_map.has_key(username): - access = access and ( cookie == self._dynamic_cookie_map[username] ) - if access: - self._dynamic_cookie_map[username] = uuid.uuid5(namespace=cookie, name=username) - + # there is a cookie but its not ours so its either wrong or subsequent password auth + if os.path.isfile(cookie_directory+"/"+username+"_"+cookie): + + logger_broker.debug('base_broker.X2GoBroker.check_access(): found valid auth key for user cookie: {usercookie}'.format(usercookie=username+"_"+cookie)) + fh=open(cookie_directory+"/"+username+"_"+cookie,"r") + origip,origtime= fh.read().split() + fh.close() + os.unlink(cookie_directory+"/"+username+"_"+cookie) + + # found cookie - make sure IP and time are good + if self.config.get_value('global', 'verify-ip') and (ip != origip): + logger_broker.debug('base_broker.X2GoBroker.check_access(): IPs differ (new: {ip} old: {origip}) - rejecting user'.format(ip=ip,origip=origip)) + return False, None + if (time.time() - float(origtime)) > self.config.get_value('global', 'auth-timeout'): + logger_broker.debug('base_broker.X2GoBroker.check_access(): Too much time elapsed since origional auth - rejecting user') + return False, None + if 
self.config.get_value('global', 'use-static-cookie'): + #if using static cookies keep same cookie as user presented + next_cookie = cookie + else: + #otherwise give them new random cookie + next_cookie = str(uuid.uuid4()) + + logger_broker.debug('base_broker.X2GoBroker.check_access(): Giving cookie: {cookie} to ip {ip}'.format(cookie=next_cookie, ip=ip)) + fh = open(cookie_directory+"/"+username+"_"+next_cookie,"w") + fh.write('{ip} {time}'.format(ip=ip, time=origtime)) + fh.close() + access = True else: - access = access and ( cookie == self.config.get_value('global', 'my-cookie') ) - if access: - # generate a first uuid, initialize the dynamic authencation ID security feature - self._dynamic_cookie_map[username] = uuid.uuid4() - - return access - - def get_next_cookie(self, username): - """\ - Get the next expected authentication cookie for the given user name. - - @param username: query next authentication cookie for this user - @type username: C{unicode} - - @return: returns next authentication cookie for the given username, None if no cookie has been generated, yet - @rtype: C{unicode} or C{None} - - """ - try: - return self._dynamic_cookie_map[username] - except KeyError: - return None + # client sent us an unknown cookie so failing auth + logger_broker.debug('base_broker.X2GoBroker.check_access(): User {username} from {ip} presented cookie {cookie} which is not recognized - rejecting user'.format(username=username, cookie=cookie, ip=ip)) + return False, None + return access, next_cookie def get_remote_agent(self, profile_id, exclude_agents=[], ): """\ diff --git a/x2gobroker/defaults.py b/x2gobroker/defaults.py index e65fd31..9027ed0 100644 --- a/x2gobroker/defaults.py +++ b/x2gobroker/defaults.py 
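Review bot: `username` and `cookie` arrive from the client and are concatenated unchecked into the path handed to `os.path.isfile`, `open` and `os.unlink` (`cookie_directory+"/"+username+"_"+cookie`), so nothing stops a value containing a path separator or `..` from naming a file outside `cookie-directory`; since every cookie the broker issues is `str(uuid.uuid4())` (and the config comment asks for `my-cookie` in UUID format), the cookie can be validated with `uuid.UUID()` and the username rejected unless it is a single path component before any file operation, as in the excerpt below. The directory is created with the default mode although its file names are the bearer tokens, so `os.makedirs(cookie_directory, 0700)` and narrowing the bare `except:` to `except OSError:` belong in the same place. Every successful password login writes a new cookie file and files are only removed when a client presents them, so callers that discard `next_cookie` (json.py and uccs.py in this commit) grow the directory without bound and nothing sweeps expired files; the `Giving new cookie` / `Giving cookie` debug lines also write the full cookie values to the log.
```python
        if type(cookie) is types.StringType:
            cookie = unicode(cookie)

        # both values are client supplied and become path components below;
        # refuse anything that is not a bare UUID / a single path component
        if cookie:
            try:
                uuid.UUID(cookie)
            except ValueError:
                logger_broker.debug('base_broker.X2GoBroker.check_access(): malformed cookie - rejecting user')
                return False, None
        if username != os.path.basename(username) or username in ('.', '..'):
            logger_broker.debug('base_broker.X2GoBroker.check_access(): malformed username - rejecting user')
            return False, None

        # … unchanged: my-cookie comparison, cookie-directory handling, password check and cookie file rotation …
```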
@@ -180,9 +180,12 @@ X2GOBROKER_HOME = os.path.normpath(os.path.expanduser('~{broker_uid}'.format(bro # defaults for X2Go Sessino Broker configuration file X2GOBROKER_CONFIG_DEFAULTS = { 'global': { - u'check-credentials': True, - u'require-cookie-auth': False, + u'require-password': True, + u'require-cookie': False, u'use-static-cookie': True, + u'auth-timeout': 36000, + u'cookie-directory': '/var/log/x2gobroker/cookies', + u'verify-ip': True, u'my-cookie': uuid.uuid4(), u'enable-plain-output': True, u'enable-json-output': True, diff --git a/x2gobroker/web/json.py b/x2gobroker/web/json.py index b217050..1f10b31 100644 --- a/x2gobroker/web/json.py +++ b/x2gobroker/web/json.py @@ -119,17 +119,14 @@ class X2GoBrokerWeb(_RequestHandler): output = '' logger_broker.debug ('username: {username}, password: {password}, task: {task}, profile_id: {profile_id}, cookie: {cookie}'.format(username=username, password='XXXXX', task=task, profile_id=profile_id, cookie=cookie)) - if broker_backend.check_access(username=username, password=password, cookie=cookie): + access, next_cookie = broker_backend.check_access(username=username, password=password, ip=ip, cookie=cookie) + if access: ### ### CONFIRM SUCCESSFUL AUTHENTICATION FIRST ### - if global_config['require-cookie-auth'] and not global_config['use-static-cookie']: - - ### FIXME: make up a nice protocol for this, disabled for now - #output += "AUTHID: {authid}<br />".format(authid=broker_backend.get_next_authid(username=data.user)) - pass + ### FIXME: find good way to pass next cookie to client - stored in next_cookie ### ### X2GO BROKER TASKS diff --git a/x2gobroker/web/plain.py b/x2gobroker/web/plain.py index 9d58742..22b4964 100644 --- a/x2gobroker/web/plain.py +++ b/x2gobroker/web/plain.py 
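Review bot: The FIXME leaves `next_cookie` unreturned, so a JSON client never learns the cookie the broker just issued; with `require-cookie = true` and `use-static-cookie = false` the cookie file it presents is unlinked in check_access and the replacement is never delivered, locking the client out on its next request. Until the JSON protocol carries it, make that explicit where the FIXME sits, e.g. `# next_cookie is not exposed to JSON clients yet; dynamic cookie auth currently works with the plain output only`, and say the same in the `use-static-cookie` config comment. In the defaults.py hunk `u'my-cookie': uuid.uuid4()` is a `uuid.UUID` object while check_access compares it against a unicode cookie, so the default can presumably never match; harmless as a random secret, but `unicode(uuid.uuid4())` would make the default behave like a configured value.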
@@ -115,17 +115,15 @@ class X2GoBrokerWeb(_RequestHandler): output = '' logger_broker.debug ('username: {username}, password: {password}, task: {task}, profile_id: {profile_id}, cookie: {cookie}'.format(username=username, password='XXXXX', task=task, profile_id=profile_id, cookie=cookie)) - if broker_backend.check_access(username=username, password=password, cookie=cookie): + access, next_cookie = broker_backend.check_access(username=username, password=password, ip=ip, cookie=cookie) + if access: ### ### CONFIRM SUCCESSFUL AUTHENTICATION FIRST ### - if global_config['require-cookie-auth'] and not global_config['use-static-cookie']: - - ### FIXME: make up a nice protocol for this, disabled for now - #output += "AUTHID: {authid}<br />".format(authid=broker_backend.get_next_authid(username=data.user)) - pass + if next_cookie is not None: + output += "AUTHID:{authid}\n".format(authid=next_cookie) output += "Access granted\n" ### diff --git a/x2gobroker/web/uccs.py b/x2gobroker/web/uccs.py index 917704f..87dc64a 100644 --- a/x2gobroker/web/uccs.py +++ b/x2gobroker/web/uccs.py @@ -42,11 +42,11 @@ def credentials_validate(username, password): # from x2gobroker.conf are available here... broker = x2gobroker.brokers.base_broker.X2GoBroker() broker.enable() - access = broker.check_access(username=username, password=password) + access, next_cookie = broker.check_access(username=username, password=password) # UCCS only allows email addresses for remote login if not access and "@" in username: username = username.split('@')[0] - access = broker.check_access(username=username, password=password) + access, next_cookie = broker.check_access(username=username, password=password) if username == 'check-credentials' and password == 'FALSE': username = 'anonymous' return username, access -- Alioth's /srv/git/_hooks_/post-receive-email on /srv/git/code.x2go.org/x2gobroker.git
This is an automated email from the git hooks/post-receive script. x2go pushed a commit to branch master in repository x2gobroker. commit 770683c5ade94095482bdb28ea868ab2d69c2e24 Author: Josh Lukens <jlukens@botch.com> Date: Thu Mar 6 20:55:10 2014 -0500 Add support to run pre and post authentication scripts. (Fixes: #449). --- debian/changelog | 1 + etc/x2gobroker.conf | 7 +++++++ x2gobroker/defaults.py | 2 ++ x2gobroker/optional_scripts/__init__.py | 20 ++++++++++++++++++++ x2gobroker/optional_scripts/base_script.py | 24 ++++++++++++++++++++++++ x2gobroker/web/plain.py | 24 ++++++++++++++++++++++++ 6 files changed, 78 insertions(+) diff --git a/debian/changelog b/debian/changelog index 0b2dd12..bb4cb93 100644 --- a/debian/changelog +++ b/debian/changelog @@ -118,6 +118,7 @@ x2gobroker (0.0.3.0-0x2go1) UNRELEASED; urgency=low * New upstream version (0.0.3.0): - Add support for dynamic cookie based auth after initial password auth. (Fixes: #447). + - Add support to run pre and post authentication scripts. (Fixes: #449). -- Mike Gabriel <mike.gabriel@das-netzwerkteam.de> Fri, 07 Jun 2013 23:25:30 +0200 diff --git a/etc/x2gobroker.conf b/etc/x2gobroker.conf index b8b8974..64967a9 100644 --- a/etc/x2gobroker.conf +++ b/etc/x2gobroker.conf @@ -48,6 +48,13 @@ # the permissions are set to allow the x2go broker process to write to this directory #cookie-directory = '/var/log/x2gobroker/cookies' +# Pre and Post authentication scripts give you the option to run outside scripts +# or adjust the values of variables for users logging in. Pre scripts run just +# before user authentication and Post scripts run just after. Set to list of +# scripts, comma seperated, with no spaces between. +#pre_auth_scripts = +#post_auth_scripts = + # Every server-client communication (between X2Go Client and broker) has to be # accompanied by this initial authentication cookie if require-cookie is set above. # This should be in the format of a UUID. 
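Review bot: The two new keys are spelled `pre_auth_scripts` / `post_auth_scripts` while every other key in this file uses hyphens (`require-password`, `cookie-directory`, `auth-timeout`), so admins will predictably mistype them; `pre-auth-scripts` / `post-auth-scripts` would follow the file's convention (the defaults.py hunk in this commit and the `global_config['pre_auth_scripts']` lookups in plain.py would need the same rename). The comment also does not say what a script receives or that it may rewrite the values, including the username; a line such as `# Scripts receive username, password, task, profile_id, ip and cookie and may return modified values.` would help. Typo: `seperated` → `separated`.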
diff --git a/x2gobroker/defaults.py b/x2gobroker/defaults.py index 9027ed0..d4bfaaf 100644 --- a/x2gobroker/defaults.py +++ b/x2gobroker/defaults.py @@ -186,6 +186,8 @@ X2GOBROKER_CONFIG_DEFAULTS = { u'auth-timeout': 36000, u'cookie-directory': '/var/log/x2gobroker/cookies', u'verify-ip': True, + u'pre_auth_scripts': [], + u'post_auth_scripts': [], u'my-cookie': uuid.uuid4(), u'enable-plain-output': True, u'enable-json-output': True, diff --git a/x2gobroker/optional_scripts/__init__.py b/x2gobroker/optional_scripts/__init__.py new file mode 100755 index 0000000..d3eff3c --- /dev/null +++ b/x2gobroker/optional_scripts/__init__.py @@ -0,0 +1,20 @@ +# -*- coding: utf-8 -*- + +# Copyright (C) 2012-2014 by Mike Gabriel <mike.gabriel@das-netzwerkteam.de> +# Copyright (C) 2012-2014 by Oleksandr Shneyder <oleksandr.shneyder@obviously-nice.de> +# +# X2Go Session Broker is free software; you can redistribute it and/or modify +# it under the terms of the GNU Affero General Public License as published by +# the Free Software Foundation; either version 3 of the License, or +# (at your option) any later version. +# +# X2Go Session Broker is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU Affero General Public License for more details. +# +# You should have received a copy of the GNU Affero General Public License +# along with this program; if not, write to the +# Free Software Foundation, Inc., +# 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA. + diff --git a/x2gobroker/optional_scripts/base_script.py b/x2gobroker/optional_scripts/base_script.py new file mode 100755 index 0000000..e284362 --- /dev/null +++ b/x2gobroker/optional_scripts/base_script.py 
@@ -0,0 +1,24 @@ +# -*- coding: utf-8 -*- + +# Copyright (C) 2012-2014 by Mike Gabriel <mike.gabriel@das-netzwerkteam.de> +# Copyright (C) 2012-2014 by Oleksandr Shneyder <oleksandr.shneyder@obviously-nice.de> +# +# X2Go Session Broker is free software; you can redistribute it and/or modify +# it under the terms of the GNU Affero General Public License as published by +# the Free Software Foundation; either version 3 of the License, or +# (at your option) any later version. +# +# X2Go Session Broker is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU Affero General Public License for more details. +# +# You should have received a copy of the GNU Affero General Public License +# along with this program; if not, write to the +# Free Software Foundation, Inc., +# 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA. + +class X2GoBrokerOptionalScript(object): + + def run_me(self, username, password, task, profile_id, ip, cookie): + return username, password, task, profile_id, ip, cookie diff --git a/x2gobroker/web/plain.py b/x2gobroker/web/plain.py index 22b4964..dcf853b 100644 --- a/x2gobroker/web/plain.py +++ b/x2gobroker/web/plain.py 
@@ -114,9 +114,33 @@ class X2GoBrokerWeb(_RequestHandler): output = '' + if len(global_config['pre_auth_scripts']) != 0: + for script in global_config['pre_auth_scripts']: + try: + post_auth_script=None + exec("import x2gobroker.optional_scripts.{script}_script".format(script=script)) + exec("pre_auth_script = x2gobroker.optional_scripts.{script}_script.X2GoBrokerOptionalScript()".format(script=script)) + logger_broker.debug ('Calling pre-auth script {script} with username: {username}, password: {password}, task: {task}, profile_id: {profile_id}, ip: {ip}, cookie: {cookie}'.format(script=script,username=username, password='XXXXX', task=task, profile_id=profile_id, ip=ip, cookie=cookie)) + username, password, task, profile_id, ip, cookie = pre_auth_script.run_me(username=username, password=password, task=task, profile_id=profile_id, ip=ip, cookie=cookie) + logger_broker.debug ('Pre-auth script {script} finished with username: {username}, password: {password}, task: {task}, profile_id: {profile_id}, ip: {ip}, cookie: {cookie}'.format(script=script,username=username, password='XXXXX', task=task, profile_id=profile_id, ip=ip, cookie=cookie)) + except ImportError: + logger_error.error('No such optional script \'{script}\''.format(script=script)) + logger_broker.debug ('username: {username}, password: {password}, task: {task}, profile_id: {profile_id}, cookie: {cookie}'.format(username=username, password='XXXXX', task=task, profile_id=profile_id, cookie=cookie)) access, next_cookie = broker_backend.check_access(username=username, password=password, ip=ip, cookie=cookie) + if access: + if len(global_config['post_auth_scripts']) != 0: + for script in global_config['post_auth_scripts']: + try: + post_auth_script=None + exec("import x2gobroker.optional_scripts.{script}_script".format(script=script)) + exec("post_auth_script = x2gobroker.optional_scripts.{script}_script.X2GoBrokerOptionalScript()".format(script=script)) + logger_broker.debug ('Calling post-auth script 
{script} with username: {username}, password: {password}, task: {task}, profile_id: {profile_id}, ip: {ip}, cookie: {cookie}'.format(script=script,username=username, password='XXXXX', task=task, profile_id=profile_id, ip=ip, cookie=cookie)) + username, password, task, profile_id, ip, cookie = post_auth_script.run_me(username=username, password=password, task=task, profile_id=profile_id, ip=ip, cookie=cookie) + logger_broker.debug ('Post-auth script {script} finished with username: {username}, password: {password}, task: {task}, profile_id: {profile_id}, ip: {ip}, cookie: {cookie}'.format(script=script,username=username, password='XXXXX', task=task, profile_id=profile_id, ip=ip, cookie=cookie)) + except ImportError: + logger_error.error('No such optional script \'{script}\''.format(script=script)) ### ### CONFIRM SUCCESSFUL AUTHENTICATION FIRST -- Alioth's /srv/git/_hooks_/post-receive-email on /srv/git/code.x2go.org/x2gobroker.git
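Review bot: Both loops import and instantiate the optional script through `exec` on a formatted string, which makes the assignment to `pre_auth_script` depend on Python 2's exec-in-function locals behaviour (the `post_auth_script=None` line inside the pre-auth loop is also a copy-paste leftover); `importlib.import_module('x2gobroker.optional_scripts.{script}_script'.format(script=script)).X2GoBrokerOptionalScript()` does the same without exec and needs only an `import importlib` at the top of the file, outside this hunk. Only `ImportError` is caught, so any exception raised inside a script's `run_me` aborts the request with a traceback instead of a logged failure. Worth a comment as well: the post-auth loop runs after `check_access` and its return value replaces `username`, so a post-auth script that rewrites the username changes which user's data the rest of the request serves without re-authentication, e.g. `# NOTE: post-auth scripts run after authentication; a rewritten username is trusted as-is`. The enclosing handler method starts before this hunk.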
This is an automated email from the git hooks/post-receive script. x2go pushed a commit to branch master in repository x2gobroker. commit 69fa03ef3eb9e6bf4aa299e3de6194b315c39d6e Author: Josh Lukens <jlukens@botch.com> Date: Thu Mar 6 21:33:38 2014 -0500 Add simple https get authmech. (Fixes: #450). --- debian/changelog | 1 + x2gobroker/authmechs/https_get_authmech.py | 63 ++++++++++++++++++++++++++++ 2 files changed, 64 insertions(+) diff --git a/debian/changelog b/debian/changelog index bb4cb93..49e1087 100644 --- a/debian/changelog +++ b/debian/changelog @@ -119,6 +119,7 @@ x2gobroker (0.0.3.0-0x2go1) UNRELEASED; urgency=low - Add support for dynamic cookie based auth after initial password auth. (Fixes: #447). - Add support to run pre and post authentication scripts. (Fixes: #449). + - Add auth mechanism https_get. (Fixes: #450). -- Mike Gabriel <mike.gabriel@das-netzwerkteam.de> Fri, 07 Jun 2013 23:25:30 +0200 diff --git a/x2gobroker/authmechs/https_get_authmech.py b/x2gobroker/authmechs/https_get_authmech.py new file mode 100755 index 0000000..d8d1a99 --- /dev/null +++ b/x2gobroker/authmechs/https_get_authmech.py 
@@ -0,0 +1,63 @@ +# -*- coding: utf-8 -*- + +# Copyright (C) 2012-2013 by Mike Gabriel <mike.gabriel@das-netzwerkteam.de> +# Copyright (C) 2012-2013 by Oleksandr Shneyder <oleksandr.shneyder@obviously-nice.de> +# +# X2Go Session Broker is free software; you can redistribute it and/or modify +# it under the terms of the GNU Affero General Public License as published by +# the Free Software Foundation; either version 3 of the License, or +# (at your option) any later version. +# +# X2Go Session Broker is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU Affero General Public License for more details. +# +# You should have received a copy of the GNU Affero General Public License +# along with this program; if not, write to the +# Free Software Foundation, Inc., +# 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA. + +# Very simple authmech that requests a webpage over https with basic auth. +# If the page is fetched successfully (status 200) the user is authenticated. +# +# Used in conjunction with something like an apache server you can get easy +# access to the full handful of existing auth modules for things like radius, +# RSA, etc. +# +# Server name and path must be hard coded below for the time being. Also note +# that the httplib module used does not verify SSL certificates so be sure +# you are on a trusted network as there is a possibility of a man in the middle +# attack. 
+ +# modules +import sys +import httplib +import base64 +import string + +class X2GoBrokerAuthMech(object): + + def authenticate(self, username, password): + + ## FIXME: these should really be specificed in config file + host = "my.webserver.com" + path = "/auth/index.html" + + # base64 encode the username and password + auth = base64.standard_b64encode('%s:%s' % (username, password)).replace('\n', '') + + https = httplib.HTTPSConnection(host) + https.putrequest("GET", path) + https.putheader("Host", host) + https.putheader("User-Agent", "x2go http auth") + https.putheader("Authorization", "Basic %s" % auth) + https.endheaders() + + response = https.getresponse() + https.close() + + if response.status == 200: + return True + + return False -- Alioth's /srv/git/_hooks_/post-receive-email on /srv/git/code.x2go.org/x2gobroker.git
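Review bot: `authenticate` sends the user's password as a Basic header over an `httplib.HTTPSConnection` with no timeout and no exception handling, so an unreachable or slow auth server stalls the broker worker for the OS default and a `socket.error` or `httplib.HTTPException` propagates out of the authmech instead of yielding `False`; the header comment already concedes the certificate is not verified, which on Python 2.7.9 or later can be addressed by passing `context=ssl.create_default_context()` to `HTTPSConnection`. `import sys` and `import string` are unused, and `'%s:%s' % (username, password)` presumably yields unicode for a unicode username, which `base64.standard_b64encode` will reject for non-ASCII input — encode to UTF-8 first. The rewrite below bounds the wait, closes the connection on every path and turns transport failures into an authentication failure (it needs `import socket` in the module header).
```python
    def authenticate(self, username, password):
        # … unchanged: host/path FIXME constants and Basic auth header construction …
        # bound the wait so an unreachable auth server cannot stall the broker worker
        https = httplib.HTTPSConnection(host, timeout=10)
        try:
            https.putrequest("GET", path)
            https.putheader("Host", host)
            https.putheader("User-Agent", "x2go http auth")
            https.putheader("Authorization", "Basic %s" % auth)
            https.endheaders()
            status = https.getresponse().status
        except (httplib.HTTPException, socket.error):
            # a transport or protocol failure is an authentication failure, not a broker crash
            return False
        finally:
            https.close()
        return status == 200
```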
This is an automated email from the git hooks/post-receive script. x2go pushed a commit to branch master in repository x2gobroker. commit e764d4f1da20c777ca87ee379d4d9979f16ca82c Author: Mike Gabriel <mike.gabriel@das-netzwerkteam.de> Date: Fri Mar 7 22:14:39 2014 +0100 x2gobroker.conf: list available user/group db backends and auth mechs --- etc/x2gobroker.conf | 2 ++ 1 file changed, 2 insertions(+) diff --git a/etc/x2gobroker.conf b/etc/x2gobroker.conf index 64967a9..8112a5a 100644 --- a/etc/x2gobroker.conf +++ b/etc/x2gobroker.conf @@ -81,10 +81,12 @@ #my-uccs-url-base = http://localhost:8080/ # default authentication mechanism for all broker backends +# Available auth mechs: pam, none, https_get #default-auth-mech = pam # how does this X2Go Session Broker instance retrieve user and group # information from the system? (defaults for all broker backends) +Available user/group db backends: libnss #default-user-db = libnss #default-group-db = libnss diff --git a/x2gobroker/authmechs/https_get_authmech.py b/x2gobroker/authmechs/https_get_authmech.py old mode 100755 new mode 100644 -- Alioth's /srv/git/_hooks_/post-receive-email on /srv/git/code.x2go.org/x2gobroker.git
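Review bot: The added line `+Available user/group db backends: libnss` has no leading `#`, so unlike the `# Available auth mechs: pam, none, https_get` line added in the same hunk it is a live, malformed config entry rather than a comment and will be handed to the config parser; it should read `# Available user/group db backends: libnss`.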