github-personal/sysadm
1
0
Fork 0
mirror of https://github.com/outbackdingo/sysadm.git synced 2026-01-28 02:20:18 +00:00
Code Issues Packages Projects Releases Wiki Activity

Finish fixing up the new auth_ssl option (lots of debugging still enabled). The SSL encode/decode systems still are not working yet - looks like an inherent incompatibility with a text-base transport system (JSON), so we will need to find another method (acting on a file and sending the hash instead?).

Browse Source
This commit is contained in:
Ken Moore
2016-02-19 15:13:29 -05:00
parent 6cfaf6e597
commit 767bf82ec8
2 changed files with 31 additions and 21 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
src/server/AuthorizationManager.cpp
View File

@@ -211,7 +211,7 @@ QString AuthorizationManager::GenerateEncCheckString(){
QString AuthorizationManager::LoginUC(QHostAddress host, QString encstring){
//Login w/ SSL certificate
bool ok = false;
qDebug() << "SSL Auth Attempt";
//First clean out any old strings/keys
QStringList pubkeys = QStringList(HASH.keys()).filter("SSL_CHECK_STRING/"); //temporary, re-use variable below
for(int i=0; i<pubkeys.length(); i++){
@@ -226,11 +226,13 @@ QString AuthorizationManager::LoginUC(QHostAddress host, QString encstring){
//Now re-use the "pubkeys" variable for the public SSL keys
QString user;
pubkeys = CONFIG->allKeys().filter("RegisteredCerts/"); //Format: "RegisteredCerts/<user>/<key>"
qDebug() << " - Check pubkeys";// << pubkeys;
for(int i=0; i<pubkeys.length() && !ok; i++){
//Decrypt the string with this pubkey - and compare to the outstanding initstrings
QString key = DecryptSSLString(encstring, pubkeys[i].section("/",2,50000));
if(HASH.contains("SSL_CHECK_STRING/"+key)){
//Valid reponse found
qDebug() << " - Found Valid Key";
ok = true;
//Remove the initstring from the hash (already used)
HASH.remove("SSL_CHECK_STRING/"+key);
@@ -239,8 +241,8 @@ QString AuthorizationManager::LoginUC(QHostAddress host, QString encstring){
}
bool isOperator = false;
if(ok){
qDebug() << "Check user groups";
//First check that the user is valid on the system and part of the operator group
if(user!="root" && user!="toor"){
QStringList groups = getUserGroups(user);
if(groups.contains("wheel")){ isOperator = true; } //full-access user
@@ -328,13 +330,18 @@ void AuthorizationManager::ClearHostFail(QString host){
}
QString AuthorizationManager::DecryptSSLString(QString encstring, QString pubkey){
qDebug() << "Decrypt String:" << "Length:" << encstring.length() << encstring;
unsigned char decode[4098] = {};
RSA *rsa= NULL;
BIO *keybio = NULL;
qDebug() << " - Generate keybio";
keybio = BIO_new_mem_buf(pubkey.toLatin1().data(), -1);
if(keybio==NULL){ return ""; }
qDebug() << " - Read pubkey";
rsa = PEM_read_bio_RSA_PUBKEY(keybio, &rsa,NULL, NULL);
qDebug() << " - Decrypt string";
bool ok = (-1 != RSA_public_decrypt(encstring.length(), (unsigned char*)(encstring.toLatin1().data()), decode, rsa, RSA_PKCS1_PADDING) );
qDebug() <<" - Success:" << ok;
if(!ok){ return ""; }
else{ return QString::fromLatin1( (char *)(decode) ).simplified(); }
}

41
src/server/WebSocket.cpp
View File

@@ -146,13 +146,13 @@ void WebSocket::EvaluateRequest(const RestInputStruct &REQ){
//Now check the body of the message and do what it needs
if(out.in_struct.namesp.toLower() == "rpc"){
if(out.in_struct.name.startsWith("auth")){
//Now perform authentication based on type of auth given
//Note: This sets/changes the current SockAuthToken
AUTHSYSTEM->clearAuth(SockAuthToken); //new auth requested - clear any old token
if(DEBUG){ qDebug() << "Authenticate Peer:" << SOCKET->peerAddress().toString(); }
//Now do the auth
if(out.in_struct.name=="auth" && out.in_struct.args.isObject() ){
if(out.in_struct.name.startsWith("auth")){
//Now perform authentication based on type of auth given
//Note: This sets/changes the current SockAuthToken
AUTHSYSTEM->clearAuth(SockAuthToken); //new auth requested - clear any old token
if(DEBUG){ qDebug() << "Authenticate Peer:" << SOCKET->peerAddress().toString(); }
//Now do the auth
if(out.in_struct.name=="auth" && out.in_struct.args.isObject() ){
//username/[password/cert] authentication
QString user, pass;
if(out.in_struct.args.toObject().contains("username")){ user = JsonValueToString(out.in_struct.args.toObject().value("username")); }
@@ -160,21 +160,24 @@ if(out.in_struct.namesp.toLower() == "rpc"){
//Use the given password
SockAuthToken = AUTHSYSTEM->LoginUP(host, user, pass);
}else if(out.in_struct.name=="auth_ssl" && out.in_struct.args.isObject() ){
if(!out.in_struct.args.toObject().contains("encrypted_string")){
}else if(out.in_struct.name=="auth_ssl"){
if(out.in_struct.args.isObject() && out.in_struct.args.toObject().contains("encrypted_string")){
//Stage 2: Check the returned encrypted/string
SockAuthToken = AUTHSYSTEM->LoginUC(host, JsonValueToString(out.in_struct.args.toObject().value("encrypted_string")) );
}else{
//Stage 1: Send the client a random string to encrypt with their SSL key
QString key = AUTHSYSTEM->GenerateEncCheckString();
QJsonObject obj; obj.insert("test_string", key);
out.CODE = RestOutputStruct::PARTIALCONTENT;
}else{
//Stage 2: Check the returned encrypted/string
SockAuthToken = AUTHSYSTEM->LoginUC(host, JsonValueToString(out.in_struct.args.toObject().value("encrypted_string")) );
}
}else if(out.in_struct.name == "auth_token" && out.in_struct.args.isObject()){
SockAuthToken = JsonValueToString(out.in_struct.args.toObject().value("token"));
}else if(out.in_struct.name == "auth_clear"){
return; //don't send a return message after clearing an auth (already done)
}
out.out_args = obj;
out.CODE = RestOutputStruct::OK;
this->sendReply(out.assembleMessage());
return;
}
}else if(out.in_struct.name == "auth_token" && out.in_struct.args.isObject()){
SockAuthToken = JsonValueToString(out.in_struct.args.toObject().value("token"));
}else if(out.in_struct.name == "auth_clear"){
return; //don't send a return message after clearing an auth (already done)
}
//Now check the auth and respond appropriately
if(AUTHSYSTEM->checkAuth(SockAuthToken)){