Commit 0124ce80 authored by ale's avatar ale

rebase on master

parents a7b05ac6 094f3d4f
......@@ -34,6 +34,7 @@ test ${NO_START} -eq 1 && exit 0
. /lib/lsb/init-functions
GUNICORN_OPTS="
--log-config=/etc/sso/logging.conf
--bind 127.0.0.1:${SSO_PORT}
--worker-class gevent
--daemon --pid ${PIDFILE}
......
[loggers]
keys=root, gunicorn.error
[handlers]
keys=syslog
[formatters]
keys=generic
[logger_root]
level=INFO
handlers=syslog
[logger_gunicorn.error]
level=INFO
handlers=syslog
qualname=gunicorn.error
[handler_syslog]
class=logging.handlers.SysLogHandler
formatter=generic
args=('/dev/log',)
[formatter_generic]
format=sso_server[%(process)d] %(levelname)s: %(message)s
class=logging.Formatter
ai-sso (2.1.0) unstable; urgency=low
* Reimplemented in C using tweetnacl.
-- Autistici/Inventati <debian@autistici.org> Mon, 07 Sep 2015 21:35:03 +0000
ai-sso (2.0.2) unstable; urgency=medium
* Logging fixes.
-- Autistici/Inventati <debian@autistici.org> Sun, 18 Jan 2015 19:05:08 +0000
ai-sso (2.0.1) unstable; urgency=low
* OTP support.
......
......@@ -58,6 +58,8 @@ install: build
install -d $(CURDIR)/debian/ai-sso-server/etc/sso
install -o root -g root -m 644 debian/ai-sso-server.config-dist \
$(CURDIR)/debian/ai-sso-server/etc/sso/config.dist
install -o root -g root -m 644 debian/ai-sso-server_logging.conf \
$(CURDIR)/debian/ai-sso-server/etc/sso/logging.conf
#for v in $(PYVERS); do \
#install -d $(CURDIR)/debian/ai-sso-server/usr/lib/python$$v/site-packages/libsso ; \
......@@ -85,9 +87,9 @@ install: build
# libpam-sso
install -d $(CURDIR)/debian/libpam-sso/lib/security
cp -L $(CURDIR)/debian/ai-sso/lib/security/pam_sso.so \
cp -L $(CURDIR)/debian/ai-sso/lib/security/pam_sso.so.0.0.0 \
$(CURDIR)/debian/libpam-sso/lib/security/pam_sso.so
-rm -fr $(CURDIR)/debian/libpam-sso/lib
-rm -fr $(CURDIR)/debian/ai-sso/lib
......@@ -107,7 +109,8 @@ binary-arch: build install
# dh_installemacsen
# dh_installpam
# dh_installmime
dh_pysupport
# dh_pysupport
dh_python2 --no-guessing-versions
dh_installinit
# dh_installcron
# dh_installinfo
......
......@@ -254,25 +254,29 @@ static int is_valid_redir(request_rec *r,
* @return the cookie value, or an empty string if no cookie was found.
*/
static char *get_cookie(request_rec *r, const char *cookie_name) {
char *cookie_value = NULL, *strptr = NULL, *token;
char *rv = NULL, *cookies, *cookie, *tokenizerCtx = NULL;
int cookie_name_len = strlen(cookie_name);
const char *cookies_c = apr_table_get(r->headers_in, "Cookie");
if (cookies_c == NULL) {
return cookie_value;
}
while ((token = strtok_r(apr_pstrdup(r->pool, cookies_c), ";", &strptr)) != NULL) {
char *sep = strchr(token, '=');
if (!sep) {
continue;
}
*sep++ = '\0';
if (!strcmp(token, cookie_name)) {
cookie_value = sep;
return NULL;
}
// Make a copy of the Cookie header so that we can modify it
// (tokenization is destructive).
cookies = apr_pstrdup(r->pool, cookies_c);
cookie = apr_strtok(cookies, ";", &tokenizerCtx);
do {
while (cookie != NULL && *cookie == ' ')
cookie++;
if (strncmp(cookie, cookie_name, cookie_name_len) == 0) {
cookie += (cookie_name_len + 1);
rv = apr_pstrdup(r->pool, cookie);
break;
}
}
return cookie_value;
cookie = apr_strtok(NULL, ";", &tokenizerCtx);
} while (cookie != NULL);
return rv;
}
char *get_cookie_name(request_rec *r) {
......@@ -769,7 +773,6 @@ static void mod_sso_register_hooks (apr_pool_t *p)
ap_hook_check_user_id(mod_sso_check_user_id, NULL, NULL, APR_HOOK_MIDDLE);
ap_hook_auth_checker(mod_sso_auth_checker, NULL, authzSucc, APR_HOOK_MIDDLE);
#endif
}
/*
......
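Review bot: The prefix comparison in the rewritten get_cookie loop never checks that the matched name is followed by `=`, so a cookie whose name merely starts with cookie_name is accepted, and for a bare name with no value `cookie += (cookie_name_len + 1)` steps past the terminating NUL before apr_pstrdup reads from it. The do/while shape is also unsafe at the top: apr_strtok returns NULL when the header value holds no token, and only the space-skipping inner loop guards NULL before strncmp dereferences `cookie`. A plain while loop with an explicit `=` check addresses both, and `cookie_name_len` should be `size_t` rather than `int` since it stores a strlen result. The function is complete within the hunk; the second hunk in this file only drops a blank line.
```c
static char *get_cookie(request_rec *r, const char *cookie_name) {
  char *rv = NULL, *cookies, *cookie, *tokenizerCtx = NULL;
  size_t cookie_name_len = strlen(cookie_name);
  /* … unchanged: fetch the Cookie header, return NULL if absent, copy it with apr_pstrdup … */
  cookie = apr_strtok(cookies, ";", &tokenizerCtx);
  while (cookie != NULL) {
    while (*cookie == ' ')
      cookie++;
    /* The name must match in full and be followed by '=' to count as a hit. */
    if (strncmp(cookie, cookie_name, cookie_name_len) == 0 &&
        cookie[cookie_name_len] == '=') {
      rv = apr_pstrdup(r->pool, cookie + cookie_name_len + 1);
      break;
    }
    cookie = apr_strtok(NULL, ";", &tokenizerCtx);
  }
  return rv;
}
```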
......@@ -13,5 +13,9 @@ LDADD = $(builddir)/../libmod_sso.la $(GTEST_LIBS) $(APR_LIBS) -laprutil-1
sso_utils_unittest_SOURCES = sso_utils_unittest.cc
check-local:
$(PYTHON) $(srcdir)/httpd_integration_test.py
env \
LD_LIBRARY_PATH=$(top_builddir)/src/sso/.libs \
DYLD_LIBRARY_PATH=$(top_builddir)/src/sso/.libs \
PYTHONPATH=$(top_builddir)/src/python \
$(PYTHON) $(srcdir)/httpd_integration_test.py
......@@ -21,4 +21,4 @@ clean-local:
$(PYTHON_SETUP_PY) clean --all
install-exec-local:
$(PYTHON_SETUP_PY) install --root=${DESTDIR}/// --prefix=$(prefix)
$(PYTHON_SETUP_PY) install --root=${DESTDIR}/// --prefix=$(prefix) --install-layout=deb
......@@ -99,6 +99,25 @@ void ssotool_sign(const char *secret_key_file,
printf("%s\n", out);
}
void ssotool_verify(const char *public_key_file,
const char *service,
const char *domain,
const char *ticket) {
unsigned char *public_key = NULL;
sso_ticket_t t = NULL;
size_t sz;
sz = read_from_file(public_key_file, &public_key);
if (sz < 0) {
fprintf(stderr, "Error: could not read public key\n");
exit(2);
}
CHECK_OK(sso_ticket_open(&t, ticket, public_key));
CHECK_OK(sso_validate(t, service, domain, NULL));
printf("ok\n");
}
void show_help() {
fprintf(stderr,
"Usage: ssotool {--sign|--gen-keys} [<options>...]\n"
......@@ -106,6 +125,7 @@ void show_help() {
" --help show this help message\n"
" --gen-keys, -k generate a new public/secret keypair\n"
" --sign, -s create and sign a new ticket\n"
" --verify, -v verify a ticket\n"
"\n"
"Options for --gen-keys:\n"
"\n"
......@@ -135,6 +155,7 @@ void die_and_help(const char *msg) {
int main(int argc, char **argv) {
int do_sign = 0;
int do_verify = 0;
int do_gen_keys = 0;
const char *public_key_file = "public.key";
const char *secret_key_file = "secret.key";
......@@ -147,6 +168,7 @@ int main(int argc, char **argv) {
static struct option long_options[] = {
{"help", 0, 0, 'h'},
{"sign", 0, 0, 's'},
{"verify", 0, 0, 'v'},
{"gen-keys", 0, 0, 'k'},
{"public-key", 1, 0, 'P'},
{"secret-key", 1, 0, 'S'},
......@@ -168,6 +190,9 @@ int main(int argc, char **argv) {
case 's':
do_sign = 1;
break;
case 'v':
do_verify = 1;
break;
case 'k':
do_gen_keys = 1;
break;
......@@ -191,14 +216,22 @@ int main(int argc, char **argv) {
}
}
if (!do_sign && !do_gen_keys) {
die("Specify one of --sign or --gen-keys!");
}
if (do_sign && do_gen_keys) {
die("Can't specify both --sign and --gen-keys!");
if (((int)do_sign + (int)do_gen_keys + (int)do_verify) != 1) {
die("Specify one of --sign, --verify or --gen-keys!");
}
if (do_sign) {
if (do_verify) {
if (!public_key_file) {
die("Specify the location of the public key with --public-key");
}
if (!service || !domain) {
die("Both --service and --domain must be specified");
}
if (argc - optind != 1) {
die("One argument is required");
}
ssotool_verify(public_key_file, service, domain, argv[optind]);
} else if (do_sign) {
if (argc != optind) {
die("Too many arguments.");
}
......
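Review bot: In ssotool_verify `sz` is declared `size_t`, so the `if (sz < 0)` guard after read_from_file can never be true; assuming read_from_file reports failure with a negative value as the check implies, an unreadable key file is silently ignored and `public_key` is handed to sso_ticket_open as NULL. Declare it with a signed type matching read_from_file's return, e.g. `ssize_t sz = read_from_file(public_key_file, &public_key);`, and it is worth confirming that ssotool_sign above the hunk does not carry the same pattern. The usage line `"Usage: ssotool {--sign|--gen-keys} [<options>...]\n"` in show_help is context here and still omits the new `--verify` mode that the option list below it now documents. The `(int)` casts in the mode-count check are redundant since all three flags are already `int`.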
......@@ -5,6 +5,8 @@ all-local:
check-local:
env \
LD_LIBRARY_PATH=$(top_builddir)/src/sso/.libs \
DYLD_LIBRARY_PATH=$(top_builddir)/src/sso/.libs \
PYTHONPATH=$(top_builddir)/src/python \
nosetests -v
......@@ -12,4 +14,4 @@ clean-local:
$(PYTHON) setup.py clean --all
install-exec-local:
$(PYTHON) setup.py install --root=${DESTDIR}/// --prefix=$(prefix)
$(PYTHON) setup.py install --root=${DESTDIR}/// --prefix=$(prefix) --install-layout=deb
......@@ -9,7 +9,6 @@ from flask import Flask, redirect, request, session, render_template, make_respo
from sso_server import login_service
app = Flask('sso_server')
log = logging.getLogger(__name__)
SSO_COOKIE_NAME = '_sso_tkt'
......@@ -99,8 +98,9 @@ def login():
# Form submission, validate CSRF, username and password.
csrf_token = session.pop('_csrf', None)
if not csrf_token or csrf_token != request.form.get('_csrf'):
log.error('CSRF failure, session=%s, form=%s', csrf_token,
request.form.get('_csrf'))
app.logger.error(
'CSRF failure, session=%s, form=%s', csrf_token,
request.form.get('_csrf'))
return show_login_page(params, 'Invalid session')
username = _tostr(request.form.get('username'))
password = _tostr(request.form.get('password'))
......@@ -108,6 +108,8 @@ def login():
if app.config.get('SSO_ENABLE_OTP'):
otp = _tostr(request.form.get('otp'))
if not app.login_service.authenticate(username, password, otp):
app.logger.error(
'authentication failure for user %s', username)
# Authentication failed, show login page again.
return show_login_page(params, 'Authentication failed')
......@@ -122,8 +124,9 @@ def login():
params.destination,
params.groups)
except login_service.Error, e:
log.error('unauthorized access: user=%s, service=%s, dest=%s, '
'err=%s', username, params.service, params.destination, str(e))
app.logger.error(
'unauthorized access for user %s: service=%s, dest=%s, '
'err=%s', username, params.service, params.destination, str(e))
return show_unauthorized_page(e)
# Keep track of the active services.
......
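Review bot: The CSRF failure log call at the top of the hunk writes the session's CSRF token and the submitted form value into the syslog line. Because the token has just been popped it is no longer usable, so the exposure is limited, but secret-bearing values are better kept out of shared logs; recording only the failure mode, e.g. `app.logger.error('CSRF failure: token %s', 'missing' if not csrf_token else 'mismatch')`, preserves the diagnostic value. The new authentication-failure and unauthorized-access messages log only the username and service fields, which is fine. login() starts and ends outside the hunk.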
......@@ -131,7 +131,6 @@ class LoginService(object):
"""
self._validate_service_access(service, destination)
groups = self._validate_group_access(username, required_groups)
print 'authorize:', type(username), type(service), type(destination), groups, self.service_ticket_ttl
ticket = sso.Ticket(username, service, self.domain, groups,
self.service_ticket_ttl)
return self.signer.sign(ticket)
......
......@@ -34,6 +34,7 @@ class SSOServerCommandLineTest(mox.MoxTestBase):
old_stderr, sys.stderr = sys.stderr, out
try:
try:
args.insert(0, '--logtostderr')
status = main.main(args)
except SystemExit, e:
status = e.code
......
......@@ -3,6 +3,5 @@
import os
from sso_server import application
application.setup_syslog()
app = application.create_app(
os.getenv('APP_CONFIG', '/etc/sso/config'))