From 767bf82ec85ed3b2e049ae59e285cfd7c40e209e Mon Sep 17 00:00:00 2001
From: Ken Moore
Date: Fri, 19 Feb 2016 15:13:29 -0500
Subject: [PATCH] Finish fixing up the new auth_ssl option (lots of debugging still enabled). The SSL encode/decode systems still are not working yet - looks like an inherent incompatibility with a text-base transport system (JSON), so we will need to find another method (acting on a file and sending the hash instead?).
---
 src/server/AuthorizationManager.cpp | 11 ++++++--
 src/server/WebSocket.cpp | 41 ++++++++++++++++-------------
 2 files changed, 31 insertions(+), 21 deletions(-)
diff --git a/src/server/AuthorizationManager.cpp b/src/server/AuthorizationManager.cpp
index 3cb65fe..92fb7d2 100644
--- a/src/server/AuthorizationManager.cpp
+++ b/src/server/AuthorizationManager.cpp
@@ -211,7 +211,7 @@ QString AuthorizationManager::GenerateEncCheckString(){ QString AuthorizationManager::LoginUC(QHostAddress host, QString encstring){ //Login w/ SSL certificate bool ok = false; - + qDebug() << "SSL Auth Attempt"; //First clean out any old strings/keys QStringList pubkeys = QStringList(HASH.keys()).filter("SSL_CHECK_STRING/"); //temporary, re-use variable below for(int i=0; iallKeys().filter("RegisteredCerts/"); //Format: "RegisteredCerts//" + qDebug() << " - Check pubkeys";// << pubkeys; for(int i=0; iclearAuth(SockAuthToken); //new auth requested - clear any old token - if(DEBUG){ qDebug() << "Authenticate Peer:" << SOCKET->peerAddress().toString(); } - //Now do the auth - if(out.in_struct.name=="auth" && out.in_struct.args.isObject() ){ + if(out.in_struct.name.startsWith("auth")){ + //Now perform authentication based on type of auth given + //Note: This sets/changes the current SockAuthToken + AUTHSYSTEM->clearAuth(SockAuthToken); //new auth requested - clear any old token + if(DEBUG){ qDebug() << "Authenticate Peer:" << SOCKET->peerAddress().toString(); } + //Now do the auth + if(out.in_struct.name=="auth" && out.in_struct.args.isObject() ){ //username/[password/cert] authentication QString user, pass; if(out.in_struct.args.toObject().contains("username")){ user = JsonValueToString(out.in_struct.args.toObject().value("username")); } 
@@ -160,21 +160,24 @@ if(out.in_struct.namesp.toLower() == "rpc"){
 //Use the given password
 SockAuthToken = AUTHSYSTEM->LoginUP(host, user, pass);
- }else if(out.in_struct.name=="auth_ssl" && out.in_struct.args.isObject() ){
- if(!out.in_struct.args.toObject().contains("encrypted_string")){
+ }else if(out.in_struct.name=="auth_ssl"){
+ if(out.in_struct.args.isObject() && out.in_struct.args.toObject().contains("encrypted_string")){
+ //Stage 2: Check the returned encrypted/string
+ SockAuthToken = AUTHSYSTEM->LoginUC(host, JsonValueToString(out.in_struct.args.toObject().value("encrypted_string")) );
+ }else{
 //Stage 1: Send the client a random string to encrypt with their SSL key
 QString key = AUTHSYSTEM->GenerateEncCheckString();
 QJsonObject obj;
 obj.insert("test_string", key);
- out.CODE = RestOutputStruct::PARTIALCONTENT;
- }else{
- //Stage 2: Check the returned encrypted/string
- SockAuthToken = AUTHSYSTEM->LoginUC(host, JsonValueToString(out.in_struct.args.toObject().value("encrypted_string")) );
- }
- }else if(out.in_struct.name == "auth_token" && out.in_struct.args.isObject()){
- SockAuthToken = JsonValueToString(out.in_struct.args.toObject().value("token"));
- }else if(out.in_struct.name == "auth_clear"){
- return; //don't send a return message after clearing an auth (already done)
- }
+ out.out_args = obj;
+ out.CODE = RestOutputStruct::OK;
+ this->sendReply(out.assembleMessage());
+ return;
+ }
+ }else if(out.in_struct.name == "auth_token" && out.in_struct.args.isObject()){
+ SockAuthToken = JsonValueToString(out.in_struct.args.toObject().value("token"));
+ }else if(out.in_struct.name == "auth_clear"){
+ return; //don't send a return message after clearing an auth (already done)
+ }
 //Now check the auth and respond appropriately
 if(AUTHSYSTEM->checkAuth(SockAuthToken)){
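Review bot: The stage-1 challenge reply in the `auth_ssl` branch now goes out with `RestOutputStruct::OK` before any credential has been verified, whereas the removed line used `RestOutputStruct::PARTIALCONTENT`; a client (or anyone reading the logs) can no longer tell a challenge from a successful login without inspecting `out_args`, so unless the client side requires OK here, keep `out.CODE = RestOutputStruct::PARTIALCONTENT;` for this reply. The early `return` after `sendReply` also skips the `checkAuth`/response block that follows, which is intended but deserves a comment such as `//challenge sent, no token yet: skip the checkAuth/response below`. Stage 2 hands `LoginUC` only `host` plus the encrypted string, which suggests the pending challenge is matched by peer address rather than by this socket; if so, two clients behind one address could consume each other's challenge, so confirm how `LoginUC` looks up the outstanding string before relying on it. The enclosing message handler starts and ends outside this hunk.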