opennebula 3.9.80.beta

data/lib/opennebula/server_cipher_auth.rb

@@ -0,0 +1,148 @@
+# -------------------------------------------------------------------------- #
+# Copyright 2002-2013, OpenNebula Project (OpenNebula.org), C12G Labs        #
+#                                                                            #
+# Licensed under the Apache License, Version 2.0 (the "License"); you may    #
+# not use this file except in compliance with the License. You may obtain    #
+# a copy of the License at                                                   #
+#                                                                            #
+# http://www.apache.org/licenses/LICENSE-2.0                                 #
+#                                                                            #
+# Unless required by applicable law or agreed to in writing, software        #
+# distributed under the License is distributed on an "AS IS" BASIS,          #
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.   #
+# See the License for the specific language governing permissions and        #
+# limitations under the License.                                             #
+#--------------------------------------------------------------------------- #
+
+require 'openssl'
+require 'digest/sha1'
+
+require 'base64'
+require 'fileutils'
+
+module OpenNebula; end
+
+# Server authentication class. This method can be used by OpenNebula services
+# to let access authenticated users by other means. It is based on OpenSSL 
+# symmetric ciphers
+class OpenNebula::ServerCipherAuth 
+    ###########################################################################
+    #Constants with paths to relevant files and defaults
+    ###########################################################################
+
+    CIPHER = "aes-256-cbc"
+
+    ###########################################################################
+
+    def initialize(srv_user, srv_passwd)
+        @srv_user   = srv_user
+        @srv_passwd = srv_passwd 
+
+        if !srv_passwd.empty?
+            @key = Digest::SHA1.hexdigest(@srv_passwd)
+        else
+            @key = ""
+        end
+
+        @cipher = OpenSSL::Cipher::Cipher.new(CIPHER)
+    end
+
+    ###########################################################################
+    # Client side
+    ###########################################################################
+
+    # Creates a ServerCipher for client usage
+    def self.new_client(srv_user=nil, srv_passwd=nil)
+        if ( srv_user == nil || srv_passwd == nil ) 
+            begin
+                if ENV["ONE_CIPHER_AUTH"] and !ENV["ONE_CIPHER_AUTH"].empty?
+                    one_auth = File.read(ENV["ONE_CIPHER_AUTH"])
+                else
+                    raise "ONE_CIPHER_AUTH environment variable not set"
+                end
+
+                one_auth.rstrip!
+
+                rc =  one_auth.match(/(.*?):(.*)/)
+                
+                if rc.nil?
+                    raise "Bad format for one_auth token (<user>:<passwd>)"
+                else 
+                    srv_user   = rc[1]
+                    srv_passwd = rc[2]
+                end
+            rescue => e
+                raise e.message
+            end
+        end 
+
+        self.new(srv_user, srv_passwd)
+    end
+
+    # Generates a login token in the form:
+    #   - server_user:target_user:time_expires 
+    # The token is then encrypted with the contents of one_auth
+    def login_token(expire, target_user=nil)
+        target_user ||= @srv_user
+        token_txt   =   "#{@srv_user}:#{target_user}:#{expire}"
+
+        token   = encrypt(token_txt)
+        token64 = Base64::encode64(token).strip.delete("\n")
+
+        return "#{@srv_user}:#{target_user}:#{token64}"
+    end
+
+    # Returns a valid password string to create a user using this auth driver
+    def password
+        return @srv_passwd
+    end
+
+    ###########################################################################
+    # Driver side
+    ###########################################################################
+
+    # Creates a ServerCipher for driver usage
+    def self.new_driver()
+        self.new("","")
+    end
+
+    # auth method for auth_mad
+    def authenticate(srv_user,srv_pass, signed_text)
+        begin
+            @key = srv_pass
+            
+            s_user, t_user, expires = decrypt(signed_text).split(':')
+
+            return "User name missmatch" if s_user != srv_user
+             
+            return "login token expired" if Time.now.to_i >= expires.to_i
+
+            return true
+        rescue => e
+            return e.message
+        end
+    end
+
+    private
+
+    def encrypt(data) 
+        @cipher.encrypt
+        @cipher.key = @key
+        
+        rc = @cipher.update(data)
+        rc << @cipher.final
+
+        return rc
+    end
+
+    def decrypt(data) 
+        @cipher.decrypt
+        @cipher.key = @key
+        
+        rc = @cipher.update(Base64::decode64(data))
+        rc << @cipher.final
+
+        return rc
+    end
+end
+

data/lib/opennebula/server_x509_auth.rb

@@ -0,0 +1,104 @@
+# -------------------------------------------------------------------------- #
+# Copyright 2002-2013, OpenNebula Project (OpenNebula.org), C12G Labs        #
+#                                                                            #
+# Licensed under the Apache License, Version 2.0 (the "License"); you may    #
+# not use this file except in compliance with the License. You may obtain    #
+# a copy of the License at                                                   #
+#                                                                            #
+# http://www.apache.org/licenses/LICENSE-2.0                                 #
+#                                                                            #
+# Unless required by applicable law or agreed to in writing, software        #
+# distributed under the License is distributed on an "AS IS" BASIS,          #
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.   #
+# See the License for the specific language governing permissions and        #
+# limitations under the License.                                             #
+#--------------------------------------------------------------------------- #
+
+require 'openssl'
+require 'base64'
+require 'fileutils'
+
+require 'opennebula/x509_auth'
+
+module OpenNebula; end
+
+# Server authentication class. This authmethod can be used by opennebula services
+# to let access authenticated users by other means. It is based on x509 server
+# certificates
+class OpenNebula::ServerX509Auth < OpenNebula::X509Auth
+    ###########################################################################
+    #Constants with paths to relevant files and defaults
+    ###########################################################################
+
+    SERVER_AUTH_CONF_PATH = ETC_LOCATION + "/auth/server_x509_auth.conf"
+
+    SERVER_DEFAULTS = {
+        :one_cert => ETC_LOCATION + "/auth/cert.pem",
+        :one_key  => ETC_LOCATION + "/auth/key.pem"
+    }
+
+    ###########################################################################
+
+    def initialize()
+        @options = SERVER_DEFAULTS
+
+        load_options(SERVER_AUTH_CONF_PATH)
+
+        begin
+            certs = [ File.read(@options[:one_cert]) ]
+            key   =   File.read(@options[:one_key])
+
+            super(:certs_pem => certs, :key_pem => key)
+        rescue
+            raise
+        end
+
+        if @options[:srv_user] == nil || @options[:srv_user].empty?
+           raise "User for x509 server not defined"
+        end
+    end
+
+    ###########################################################################
+    # Client side
+    ###########################################################################
+
+    # Creates a ServerCipher for client and driver sage
+    class << OpenNebula::ServerX509Auth
+        alias :new_client :new
+        alias :new_driver :new
+    end
+
+    # Generates a login token in the form:
+    #   - server_user:target_user:time_expires
+    def login_token(expire, target_user=nil)
+        target_user ||= @options[:srv_user]
+        token_txt   =   "#{@options[:srv_user]}:#{target_user}:#{expire}"
+
+        token   = encrypt(token_txt)
+        token64 = Base64::encode64(token).strip.delete("\n")
+
+        return "#{@options[:srv_user]}:#{target_user}:#{token64}"
+    end
+
+    ###########################################################################
+    # Server side
+    ###########################################################################
+
+    # auth method for auth_mad
+    def authenticate(server_user, server_pass, signed_text)
+        begin
+            s_user, t_user, expires = decrypt(signed_text).split(':')
+
+            return "Server password missmatch" if server_pass != password
+
+            return "User name missmatch" if ( s_user != server_user ||
+                                              s_user != @options[:srv_user] )
+
+            return "login token expired" if Time.now.to_i >= expires.to_i
+
+            return true
+        rescue => e
+            return e.message
+        end
+    end
+end

data/lib/opennebula/ssh_auth.rb

@@ -0,0 +1,139 @@
+# -------------------------------------------------------------------------- #
+# Copyright 2002-2013, OpenNebula Project (OpenNebula.org), C12G Labs        #
+#                                                                            #
+# Licensed under the Apache License, Version 2.0 (the "License"); you may    #
+# not use this file except in compliance with the License. You may obtain    #
+# a copy of the License at                                                   #
+#                                                                            #
+# http://www.apache.org/licenses/LICENSE-2.0                                 #
+#                                                                            #
+# Unless required by applicable law or agreed to in writing, software        #
+# distributed under the License is distributed on an "AS IS" BASIS,          #
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.   #
+# See the License for the specific language governing permissions and        #
+# limitations under the License.                                             #
+#--------------------------------------------------------------------------- #
+
+
+require 'pp'
+require 'openssl'
+require 'base64'
+require 'fileutils'
+
+module OpenNebula; end
+
+# SSH key authentication class. It can be used as a driver for auth_mad
+# as auth method is defined. It also holds some helper methods to be used
+# by oneauth command
+class OpenNebula::SshAuth
+    LOGIN_PATH = ENV['HOME']+'/.one/one_ssh'
+
+    # Initialize SshAuth object
+    #
+    # @param [Hash] default options for path
+    # @option options [String] :public_key public key for the user
+    # @option options [String] :private_key key private key for the user.
+    def initialize(options={})
+        @private_key = nil
+        @public_key  = nil
+
+        if options[:private_key]
+            begin
+                @private_key = File.read(options[:private_key])
+            rescue Exception => e
+                raise "Cannot read #{options[:private_key]}"
+            end
+        end
+
+        if options[:public_key]
+            @public_key = options[:public_key]
+        elsif @private_key != nil
+            # Init ssh keys using private key. public key is extracted in a
+            # format compatible with openssl. The public key does not contain
+            # "---- BEGIN/END RSA PUBLIC KEY ----" and is in a single line
+            key = OpenSSL::PKey::RSA.new(@private_key)
+
+            @public_key = key.public_key.to_pem.split("\n")
+            @public_key = @public_key.reject {|l| l.match(/RSA PUBLIC KEY/) }.join('')
+        end
+
+        if @private_key.nil? && @public_key.nil?
+            raise "You have to define at least one of the keys"
+        end
+    end
+
+    # Creates the login file for ssh authentication at ~/.one/one_ssh.
+    # By default it is valid for 1 hour but it can be changed to any number
+    # of seconds with expire parameter (in seconds)
+    def login(user, expire=3600)
+        expire ||= 3600
+
+        # Init proxy file path and creates ~/.one directory if needed
+        proxy_dir = File.dirname(LOGIN_PATH)
+
+        begin
+            FileUtils.mkdir_p(proxy_dir)
+        rescue Errno::EEXIST
+        end
+
+        # Generate security token
+        time = Time.now.to_i + expire.to_i
+
+        secret_plain   = "#{user}:#{time}"
+        secret_crypted = encrypt(secret_plain)
+
+        proxy = "#{user}:#{secret_crypted}"
+
+        file = File.open(LOGIN_PATH, "w")
+        file.write(proxy)
+        file.close
+
+        File.chmod(0600,LOGIN_PATH)
+        
+        secret_crypted
+    end
+
+    # Returns a valid password string to create a user using this auth driver.
+    # In this case the ssh public key.
+    def password
+        @public_key
+    end
+
+    # Checks the proxy created with the login method
+    def authenticate(user, token)
+        begin
+            token_plain = decrypt(token)
+            _user, time = token_plain.split(':')
+
+            if user == _user
+                if Time.now.to_i >= time.to_i
+                    return "ssh proxy expired, login again to renew it"
+                else
+                    return true
+                end
+            else
+                return "invalid credentials"
+            end
+        rescue
+            return "error"
+        end
+    end
+
+    private
+
+    ###########################################################################
+    #                       Methods to handle ssh keys
+    ###########################################################################
+    # Encrypts data with the private key of the user and returns
+    # base 64 encoded output in a single line
+    def encrypt(data)
+        rsa=OpenSSL::PKey::RSA.new(@private_key)
+        Base64::encode64(rsa.private_encrypt(data)).gsub!(/\n/, '').strip
+    end
+
+    # Decrypts base 64 encoded data with pub_key (public key)
+    def decrypt(data)
+        rsa=OpenSSL::PKey::RSA.new(Base64::decode64(@public_key))
+        rsa.public_decrypt(Base64::decode64(data))
+    end
+end

data/lib/opennebula/system.rb

@@ -0,0 +1,141 @@
+# -------------------------------------------------------------------------- #
+# Copyright 2002-2013, OpenNebula Project (OpenNebula.org), C12G Labs        #
+#                                                                            #
+# Licensed under the Apache License, Version 2.0 (the "License"); you may    #
+# not use this file except in compliance with the License. You may obtain    #
+# a copy of the License at                                                   #
+#                                                                            #
+# http://www.apache.org/licenses/LICENSE-2.0                                 #
+#                                                                            #
+# Unless required by applicable law or agreed to in writing, software        #
+# distributed under the License is distributed on an "AS IS" BASIS,          #
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.   #
+# See the License for the specific language governing permissions and        #
+# limitations under the License.                                             #
+#--------------------------------------------------------------------------- #
+
+
+require 'opennebula/pool'
+
+module OpenNebula
+    class System
+        #######################################################################
+        # Constants and Class attribute accessors
+        #######################################################################
+
+        SYSTEM_METHODS = {
+            :userquotainfo      => "userquota.info",
+            :userquotaupdate    => "userquota.update",
+            :groupquotainfo     => "groupquota.info",
+            :groupquotaupdate   => "groupquota.update",
+            :version            => "system.version",
+            :config             => "system.config"
+        }
+
+        #######################################################################
+        # Class constructor
+        #######################################################################
+
+        # Constructor
+        #   @param [Client] client that represents a XML-RPC connection
+        def initialize(client)
+            @client = client
+        end
+
+        #######################################################################
+        # XML-RPC Methods
+        #######################################################################
+
+        # Gets the oned version
+        #
+        # @return [String, OpenNebula::Error] the oned version in case
+        #   of success, Error otherwise
+        def get_oned_version()
+            return @client.call("system.version")
+        end
+
+        # Returns whether of not the oned version is the same as the OCA version
+        #
+        # @return [true, false, OpenNebula::Error] true if oned is the same
+        #   version
+        def compatible_version()
+            no_revision = VERSION[/^\d+\.\d+\./]
+            oned_v = get_oned_version
+
+            if OpenNebula.is_error?(oned_v)
+                return oned_v
+            end
+
+            return (oned_v =~ /#{no_revision}/) != nil
+        end
+
+        # Gets the oned configuration
+        #
+        # @return [XMLElement, OpenNebula::Error] the oned configuration in case
+        #   of success, Error otherwise
+        def get_configuration()
+            rc = @client.call(SYSTEM_METHODS[:config])
+
+            if OpenNebula.is_error?(rc)
+                return rc
+            end
+
+            config = XMLElement.new
+            config.initialize_xml(rc, 'TEMPLATE')
+
+            return config
+        end
+
+        # Gets the default user quota limits
+        #
+        # @return [XMLElement, OpenNebula::Error] the default user quota in case
+        #   of success, Error otherwise
+        def get_user_quotas()
+            rc = @client.call(SYSTEM_METHODS[:userquotainfo])
+
+            if OpenNebula.is_error?(rc)
+                return rc
+            end
+
+            default_quotas = XMLElement.new
+            default_quotas.initialize_xml(rc, 'DEFAULT_USER_QUOTAS')
+
+            return default_quotas
+        end
+
+        # Sets the default user quota limits
+        # @param quota [String] a template (XML or txt) with the new quota limits
+        #
+        # @return [nil, OpenNebula::Error] nil in case of success, Error
+        #   otherwise
+        def set_user_quotas(quota)
+            return @client.call(SYSTEM_METHODS[:userquotaupdate], quota)
+        end
+
+        # Gets the default group quota limits
+        #
+        # @return [XMLElement, OpenNebula::Error] the default group quota in case
+        #   of success, Error otherwise
+        def get_group_quotas()
+            rc = @client.call(SYSTEM_METHODS[:groupquotainfo])
+
+            if OpenNebula.is_error?(rc)
+                return rc
+            end
+
+            default_quotas = XMLElement.new
+            default_quotas.initialize_xml(rc, 'DEFAULT_GROUP_QUOTAS')
+
+            return default_quotas
+        end
+
+        # Sets the default group quota limits
+        # @param quota [String] a template (XML or txt) with the new quota limits
+        #
+        # @return [nil, OpenNebula::Error] nil in case of success, Error
+        #   otherwise
+        def set_group_quotas(quota)
+            return @client.call(SYSTEM_METHODS[:groupquotaupdate], quota)
+        end
+    end
+end