rebase on master

0124ce80 · ale · a7b05ac6 · 094f3d4f · 0124ce80 · 0124ce80
Commit 0124ce80 authored Oct 09, 2015 by ale
--- a/debian/ai-sso-server.init
+++ b/debian/ai-sso-server.init
@@ -34,6 +34,7 @@ test ${NO_START} -eq 1 && exit 0
 . /lib/lsb/init-functions

 GUNICORN_OPTS="
+--log-config=/etc/sso/logging.conf
 --bind 127.0.0.1:${SSO_PORT}
 --worker-class gevent
 --daemon --pid ${PIDFILE}

--- a/debian/ai-sso-server_logging.conf
+++ b/debian/ai-sso-server_logging.conf
+[loggers]
+keys=root, gunicorn.error
+
+[handlers]
+keys=syslog
+
+[formatters]
+keys=generic
+
+[logger_root]
+level=INFO
+handlers=syslog
+
+[logger_gunicorn.error]
+level=INFO
+handlers=syslog
+qualname=gunicorn.error
+
+[handler_syslog]
+class=logging.handlers.SysLogHandler
+formatter=generic
+args=('/dev/log',)
+
+[formatter_generic]
+format=sso_server[%(process)d] %(levelname)s: %(message)s
+class=logging.Formatter
+
--- a/debian/changelog
+++ b/debian/changelog
+ai-sso (2.1.0) unstable; urgency=low
+
+  * Reimplemented in C using tweetnacl.
+
+ -- Autistici/Inventati <debian@autistici.org>  Mon, 07 Sep 2015 21:35:03 +0000
+
+ai-sso (2.0.2) unstable; urgency=medium
+
+  * Logging fixes.
+
+ -- Autistici/Inventati <debian@autistici.org>  Sun, 18 Jan 2015 19:05:08 +0000
+
 ai-sso (2.0.1) unstable; urgency=low

  * OTP support.

--- a/debian/rules
+++ b/debian/rules
@@ -58,6 +58,8 @@ install: build
 	install -d $(CURDIR)/debian/ai-sso-server/etc/sso
 	install -o root -g root -m 644 debian/ai-sso-server.config-dist \
 	  $(CURDIR)/debian/ai-sso-server/etc/sso/config.dist
+	install -o root -g root -m 644 debian/ai-sso-server_logging.conf \
+	  $(CURDIR)/debian/ai-sso-server/etc/sso/logging.conf

 	#for v in $(PYVERS); do \
 	#install -d $(CURDIR)/debian/ai-sso-server/usr/lib/python$$v/site-packages/libsso ; \
@@ -85,9 +87,9 @@ install: build

 	# libpam-sso
 	install -d $(CURDIR)/debian/libpam-sso/lib/security
-	cp -L $(CURDIR)/debian/ai-sso/lib/security/pam_sso.so \
+	cp -L $(CURDIR)/debian/ai-sso/lib/security/pam_sso.so.0.0.0 \
 	  $(CURDIR)/debian/libpam-sso/lib/security/pam_sso.so
-	-rm -fr $(CURDIR)/debian/libpam-sso/lib
+	-rm -fr $(CURDIR)/debian/ai-sso/lib



@@ -107,7 +109,8 @@ binary-arch: build install
 #	dh_installemacsen
 #	dh_installpam
 #	dh_installmime
-	dh_pysupport
+#	dh_pysupport
+	dh_python2 --no-guessing-versions
 	dh_installinit
 #	dh_installcron
 #	dh_installinfo

--- a/src/mod_sso/mod_sso.c
+++ b/src/mod_sso/mod_sso.c
@@ -254,25 +254,29 @@ static int is_valid_redir(request_rec *r,
 * @return the cookie value, or an empty string if no cookie was found.
 */
 static char *get_cookie(request_rec *r, const char *cookie_name) {
-  char *cookie_value = NULL, *strptr = NULL, *token;
+  char *rv = NULL, *cookies, *cookie, *tokenizerCtx = NULL;
+  int cookie_name_len = strlen(cookie_name);
+  
  const char *cookies_c = apr_table_get(r->headers_in, "Cookie");
  if (cookies_c == NULL) {
-    return cookie_value;
-  }
-  
-  while ((token = strtok_r(apr_pstrdup(r->pool, cookies_c), ";", &strptr)) != NULL) {
-    char *sep = strchr(token, '=');
-    if (!sep) {
-      continue;
-    }
-    *sep++ = '\0';
-    if (!strcmp(token, cookie_name)) {
-      cookie_value = sep;
+    return NULL;
+  }
+
+  // Make a copy of the Cookie header so that we can modify it
+  // (tokenization is destructive).
+  cookies = apr_pstrdup(r->pool, cookies_c);
+  cookie = apr_strtok(cookies, ";", &tokenizerCtx);
+  do {
+    while (cookie != NULL && *cookie == ' ')
+      cookie++;
+    if (strncmp(cookie, cookie_name, cookie_name_len) == 0) {
+      cookie += (cookie_name_len + 1);
+      rv = apr_pstrdup(r->pool, cookie);
      break;
    }
-  }
-    
-  return cookie_value;
+    cookie = apr_strtok(NULL, ";", &tokenizerCtx);
+  } while (cookie != NULL);
+  return rv;
 }

 char *get_cookie_name(request_rec *r) {
@@ -769,7 +773,6 @@ static void mod_sso_register_hooks (apr_pool_t *p)
  ap_hook_check_user_id(mod_sso_check_user_id, NULL, NULL, APR_HOOK_MIDDLE);
  ap_hook_auth_checker(mod_sso_auth_checker, NULL, authzSucc, APR_HOOK_MIDDLE);
 #endif
-
 }

 /*

--- a/src/mod_sso/test/Makefile.am
+++ b/src/mod_sso/test/Makefile.am
@@ -13,5 +13,9 @@ LDADD = $(builddir)/../libmod_sso.la $(GTEST_LIBS) $(APR_LIBS) -laprutil-1
 sso_utils_unittest_SOURCES = sso_utils_unittest.cc

 check-local:
-	$(PYTHON) $(srcdir)/httpd_integration_test.py
+	env \
+	    LD_LIBRARY_PATH=$(top_builddir)/src/sso/.libs \
+	    DYLD_LIBRARY_PATH=$(top_builddir)/src/sso/.libs \
+	    PYTHONPATH=$(top_builddir)/src/python \
+	    $(PYTHON) $(srcdir)/httpd_integration_test.py

--- a/src/python/Makefile.am
+++ b/src/python/Makefile.am
@@ -21,4 +21,4 @@ clean-local:
 	$(PYTHON_SETUP_PY) clean --all

 install-exec-local:
-	$(PYTHON_SETUP_PY) install --root=${DESTDIR}/// --prefix=$(prefix)
+	$(PYTHON_SETUP_PY) install --root=${DESTDIR}/// --prefix=$(prefix) --install-layout=deb
--- a/src/sso/ssotool.c
+++ b/src/sso/ssotool.c
@@ -99,6 +99,25 @@ void ssotool_sign(const char *secret_key_file,
  printf("%s\n", out);
 }

+void ssotool_verify(const char *public_key_file,
+                    const char *service,
+                    const char *domain,
+                    const char *ticket) {
+  unsigned char *public_key = NULL;
+  sso_ticket_t t = NULL;
+  size_t sz;
+
+  sz = read_from_file(public_key_file, &public_key);
+  if (sz < 0) {
+    fprintf(stderr, "Error: could not read public key\n");
+    exit(2);
+  }
+
+  CHECK_OK(sso_ticket_open(&t, ticket, public_key));
+  CHECK_OK(sso_validate(t, service, domain, NULL));
+  printf("ok\n");
+}
+
 void show_help() {
  fprintf(stderr,
          "Usage: ssotool {--sign|--gen-keys} [<options>...]\n"
@@ -106,6 +125,7 @@ void show_help() {
          "  --help             show this help message\n"
          "  --gen-keys, -k     generate a new public/secret keypair\n"
          "  --sign, -s         create and sign a new ticket\n"
+          "  --verify, -v       verify a ticket\n"
          "\n"
          "Options for --gen-keys:\n"
          "\n"
@@ -135,6 +155,7 @@ void die_and_help(const char *msg) {

 int main(int argc, char **argv) {
  int do_sign = 0;
+  int do_verify = 0;
  int do_gen_keys = 0;
  const char *public_key_file = "public.key";
  const char *secret_key_file = "secret.key";
@@ -147,6 +168,7 @@ int main(int argc, char **argv) {
    static struct option long_options[] = {
      {"help", 0, 0, 'h'},
      {"sign", 0, 0, 's'},
+      {"verify", 0, 0, 'v'},
      {"gen-keys", 0, 0, 'k'},
      {"public-key", 1, 0, 'P'},
      {"secret-key", 1, 0, 'S'},
@@ -168,6 +190,9 @@ int main(int argc, char **argv) {
    case 's':
      do_sign = 1;
      break;
+    case 'v':
+      do_verify = 1;
+      break;
    case 'k':
      do_gen_keys = 1;
      break;
@@ -191,14 +216,22 @@ int main(int argc, char **argv) {
    }
  }

-  if (!do_sign && !do_gen_keys) {
-    die("Specify one of --sign or --gen-keys!");
-  }
-  if (do_sign && do_gen_keys) {
-    die("Can't specify both --sign and --gen-keys!");
+  if (((int)do_sign + (int)do_gen_keys + (int)do_verify) != 1) {
+    die("Specify one of --sign, --verify or --gen-keys!");
  }

-  if (do_sign) {
+  if (do_verify) {
+    if (!public_key_file) {
+      die("Specify the location of the public key with --public-key");
+    }
+    if (!service || !domain) {
+      die("Both --service and --domain must be specified");
+    }
+    if (argc - optind != 1) {
+      die("One argument is required");
+    }
+    ssotool_verify(public_key_file, service, domain, argv[optind]);
+  } else if (do_sign) {
    if (argc != optind) {
      die("Too many arguments.");
    }

--- a/src/sso_server/Makefile.am
+++ b/src/sso_server/Makefile.am
@@ -5,6 +5,8 @@ all-local:

 check-local:
 	env \
+	    LD_LIBRARY_PATH=$(top_builddir)/src/sso/.libs \
+	    DYLD_LIBRARY_PATH=$(top_builddir)/src/sso/.libs \
 	    PYTHONPATH=$(top_builddir)/src/python \
 	    nosetests -v

@@ -12,4 +14,4 @@ clean-local:
 	$(PYTHON) setup.py clean --all

 install-exec-local:
-	$(PYTHON) setup.py install --root=${DESTDIR}/// --prefix=$(prefix)
+	$(PYTHON) setup.py install --root=${DESTDIR}/// --prefix=$(prefix) --install-layout=deb
--- a/src/sso_server/sso_server/application.py
+++ b/src/sso_server/sso_server/application.py
@@ -9,7 +9,6 @@ from flask import Flask, redirect, request, session, render_template, make_respo
 from sso_server import login_service

 app = Flask('sso_server')
-log = logging.getLogger(__name__)

 SSO_COOKIE_NAME = '_sso_tkt'

@@ -99,8 +98,9 @@ def login():
        # Form submission, validate CSRF, username and password.
        csrf_token = session.pop('_csrf', None)
        if not csrf_token or csrf_token != request.form.get('_csrf'):
-            log.error('CSRF failure, session=%s, form=%s', csrf_token,
-                      request.form.get('_csrf'))
+            app.logger.error(
+                'CSRF failure, session=%s, form=%s', csrf_token,
+                request.form.get('_csrf'))
            return show_login_page(params, 'Invalid session')
        username = _tostr(request.form.get('username'))
        password = _tostr(request.form.get('password'))
@@ -108,6 +108,8 @@ def login():
        if app.config.get('SSO_ENABLE_OTP'):
            otp = _tostr(request.form.get('otp'))
        if not app.login_service.authenticate(username, password, otp):
+            app.logger.error(
+                'authentication failure for user %s', username)
            # Authentication failed, show login page again.
            return show_login_page(params, 'Authentication failed')

@@ -122,8 +124,9 @@ def login():
                                                 params.destination,
                                                 params.groups)
    except login_service.Error, e:
-        log.error('unauthorized access: user=%s, service=%s, dest=%s, '
-                  'err=%s', username, params.service, params.destination, str(e))
+        app.logger.error(
+            'unauthorized access for user %s: service=%s, dest=%s, '
+            'err=%s', username, params.service, params.destination, str(e))
        return show_unauthorized_page(e)

    # Keep track of the active services.

--- a/src/sso_server/sso_server/login_service.py
+++ b/src/sso_server/sso_server/login_service.py
@@ -131,7 +131,6 @@ class LoginService(object):
        """
        self._validate_service_access(service, destination)
        groups = self._validate_group_access(username, required_groups)
-        print 'authorize:', type(username), type(service), type(destination), groups, self.service_ticket_ttl
        ticket = sso.Ticket(username, service, self.domain, groups,
                            self.service_ticket_ttl)
        return self.signer.sign(ticket)

--- a/src/sso_server/sso_server/test/main_test.py
+++ b/src/sso_server/sso_server/test/main_test.py
@@ -34,6 +34,7 @@ class SSOServerCommandLineTest(mox.MoxTestBase):
        old_stderr, sys.stderr = sys.stderr, out
        try:
            try:
+                args.insert(0, '--logtostderr')
                status = main.main(args)
            except SystemExit, e:
                status = e.code

--- a/src/sso_server/sso_server/wsgi.py
+++ b/src/sso_server/sso_server/wsgi.py
@@ -3,6 +3,5 @@
 import os
 from sso_server import application

-application.setup_syslog()
 app = application.create_app(
    os.getenv('APP_CONFIG', '/etc/sso/config'))