openshift-origin-auth-kerberos 0.8.8

data/COPYRIGHT

@@ -0,0 +1 @@
+Copyright 2012 Red Hat, Inc. and/or its affiliates.

data/Gemfile

@@ -0,0 +1,3 @@
+source "http://rubygems.org"
+
+gemspec

data/LICENSE

@@ -0,0 +1,11 @@
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.

data/README.md

@@ -0,0 +1,3 @@
+Notice of Export Control Law
+
+This software distribution includes cryptographic software that is subject to the U.S. Export Administration Regulations (the "*EAR*") and other U.S. and foreign laws and may not be exported, re-exported or transferred (a) to any country listed in Country Group E:1 in Supplement No. 1 to part 740 of the EAR (currently, Cuba, Iran, North Korea, Sudan & Syria); (b) to any prohibited destination or to any end user who has been prohibited from participating in U.S. export transactions by any federal agency of the U.S. government; or (c) for use in connection with the design, development or production of nuclear, chemical or biological weapons, or rocket systems, space launch vehicles, or sounding rockets, or unmanned air vehicle systems.You may not download this software or technical information if you are located in one of these countries or otherwise subject to these restrictions. You may not provide this software or technical information to individuals or entities located in one of these countries or otherwise subject to these restrictions. You are also responsible for compliance with foreign law requirements applicable to the import, export and use of this software and technical information.

data/Rakefile

@@ -0,0 +1,11 @@
+#require "bundler/gem_tasks"
+require 'rake'
+require 'rake/testtask'
+
+Rake::TestTask.new(:test) do |t|
+  sh "/usr/bin/mongo localhost/openshift_origin_broker_test --eval 'db.addUser(\"openshift\", \"mooo\")'"
+  t.libs << 'test'
+  t.warning = false
+  t.verbose = true
+  t.test_files = FileList['test/**/*_test.rb']
+end

data/lib/openshift-kerberos-plugin.rb

@@ -0,0 +1,8 @@
+module Swingshift
+  module AuthService
+    require 'openshift-origin-auth-kerberos/engine/engine' if defined?(Rails) && Rails::VERSION::MAJOR == 3
+  end
+end
+
+require "openshift-origin-auth-kerberos/lib/openshift/kerberos_auth_service.rb"
+OpenShift Origin::AuthService.provider=Swingshift::KerberosAuthService

data/lib/openshift-kerberos-plugin/app/controllers/account_controller.rb

@@ -0,0 +1,20 @@
+class AccountController < BaseController
+  respond_to :xml, :json
+  before_filter :authenticate, :check_version
+
+  def create
+    username = params[:username]
+
+    auth_config = Rails.application.config.auth
+    auth_service = Swingshift::KerberosAuthService.new(auth_config)
+
+    Rails.logger.debug "username = #{username}"
+
+    log_action('nil', 'nil', username, "ADD_USER", false, "Cannot create account, managed by kerberos")
+    @reply = RestReply.new(:unprocessable_entity)
+    @reply.messages.push(Message.new(:error, "Cannot create account, managed by kerberos", 1001, "username"))
+    respond_with @reply, :status => @reply.status
+    return
+
+  end
+end

data/lib/openshift-kerberos-plugin/app/models/rest_account.rb

@@ -0,0 +1,12 @@
+class RestAccount < OpenShift Origin::Model
+  attr_accessor :username, :created_on
+
+  def initialize(username, created_on)
+    self.username, self.created_on = username, created_on
+  end
+
+  def to_xml(options={})
+    options[:tag_name] = "account"
+    super(options)
+  end
+end

data/lib/openshift-kerberos-plugin/config/routes.rb

@@ -0,0 +1,7 @@
+Rails.application.routes.draw do
+  scope "/rest" do
+    constraints(:ip => %r(127.0.\d+.\d+)) do
+      resource :accounts, :only => [:create], :controller => :account
+    end
+  end
+end

data/lib/openshift-kerberos-plugin/engine/engine.rb

@@ -0,0 +1,12 @@
+require 'openshift-origin-controller'
+require 'rails'
+
+module OpenShift Origin
+  class KerberosAuthServiceEngine < Rails::Engine
+    paths.app.controllers      << "lib/openshift-kerberos-plugin/app/controllers"
+    paths.lib                  << "lib/openshift-kerberos-plugin/lib"
+    paths.config               << "lib/openshift-kerberos-plugin/config"
+    paths.app.models           << "lib/openshift-kerberos-plugin/app/models"
+    config.autoload_paths      += %W(#{config.root}/lib)
+  end
+end

data/lib/openshift-kerberos-plugin/lib/openshift/kerberos_auth_service.rb

@@ -0,0 +1,117 @@
+require 'rubygems'
+require 'digest/md5'
+require 'openshift-origin-controller'
+require 'date'
+require 'krb5_auth'
+
+include Krb5Auth
+
+module Swingshift
+  class KerberosAuthService < OpenShift Origin::AuthService
+
+    def initialize(auth_info = nil)
+      Rails.logger.debug "Initializing KerberosAuthService"
+      if auth_info != nil
+        # no-op
+      elsif defined? Rails
+        auth_info = Rails.application.config.auth
+      else
+        raise Exception.new("Error initilizing KerberosAuthService")
+      end
+
+      @salt         = auth_info[:salt]
+      @privkeyfile  = auth_info[:privkeyfile]
+      @privkeypass  = auth_info[:privkeypass]
+      @pubkeyfile   = auth_info[:pubkeyfile]
+    end
+
+    def generate_broker_key(app)
+      cipher = OpenSSL::Cipher::Cipher.new("aes-256-cbc")
+      cipher.encrypt
+      cipher.key = OpenSSL::Digest::SHA512.new(@salt).digest
+      cipher.iv = iv = cipher.random_iv
+      token = {:app_name => app.name,
+               :login => app.user.login,
+               :creation_time => app.creation_time}
+      encrypted_token = cipher.update(token.to_json)
+      encrypted_token << cipher.final
+
+      public_key = OpenSSL::PKey::RSA.new(File.read(@pubkeyfile), @privkeypass)
+      encrypted_iv = public_key.public_encrypt(iv)
+
+      # Base64 encode the iv and token
+      encoded_iv = Base64::encode64(encrypted_iv)
+      encoded_token = Base64::encode64(encrypted_token)
+
+      [encoded_iv, encoded_token]
+    end
+
+    def validate_broker_key(iv, key)
+      key = key.gsub(" ", "+")
+      iv = iv.gsub(" ", "+")
+      begin
+        encrypted_token = Base64::decode64(key)
+        cipher = OpenSSL::Cipher::Cipher.new("aes-256-cbc")
+        cipher.decrypt
+        cipher.key = OpenSSL::Digest::SHA512.new(@salt).digest
+        private_key = OpenSSL::PKey::RSA.new(File.read(@privkeyfile), @privkeypass)
+        cipher.iv =  private_key.private_decrypt(Base64::decode64(iv))
+        json_token = cipher.update(encrypted_token)
+        json_token << cipher.final
+      rescue => e
+        Rails.logger.debug "Broker key authentication failed. #{e.backtrace.inspect}"
+        raise OpenShift Origin::AccessDeniedException.new
+      end
+
+      token = JSON.parse(json_token)
+      username = token['login']
+      app_name = token['app_name']
+      creation_time = token['creation_time']
+
+      user = CloudUser.find(username)
+      raise OpenShift Origin::AccessDeniedException.new if user.nil?
+      app = Application.find(user, app_name)
+
+      raise OpenShift Origin::AccessDeniedException.new if app.nil? or creation_time != app.creation_time
+      return {:username => username, :auth_method => :broker_auth}
+    end
+
+    def authenticate(request, login, password)
+      params = request.request_parameters()
+      if params['broker_auth_key'] && params['broker_auth_iv']
+        validate_broker_key(params['broker_auth_iv'], params['broker_auth_key'])
+      else
+        raise OpenShift Origin::AccessDeniedException if login.nil? || login.empty? || password.nil? || password.empty?
+        krb5 = Krb5.new
+
+        # get the default realm
+        default_realm = krb5.get_default_realm
+        Rails.logger.debug "Default realm is: " + default_realm
+        # try to cache non-existant data (this should fail and throw an exception)
+        begin
+          krb5.cache
+          rescue Krb5Auth::Krb5::Exception
+            Rails.logger.debug "Failed caching credentials before obtaining them. Continuing..."
+        end
+
+        if krb5.get_init_creds_password(login,password)
+          krb5.close
+          return {:username => login, :auth_method => :login}
+        else
+          krb5.close
+          raise OpenShift Origin::AccessDeniedException
+        end
+
+      end
+    end
+
+    def login(request, params, cookies)
+      if params['broker_auth_key'] && params['broker_auth_iv']
+        validate_broker_key(params['broker_auth_iv'], params['broker_auth_key'])
+      else
+        data = JSON.parse(params['json_data'])
+        return authenticate(request, data['rhlogin'], params['password'])
+      end
+    end
+  end
+end

data/openshift-origin-auth-kerberos.gemspec

@@ -0,0 +1,30 @@
+# -*- encoding: utf-8 -*-
+$:.push File.expand_path("../lib", __FILE__)
+lib_dir  = File.join(File.join("lib", "**"), "*")
+test_dir  = File.join(File.join("test", "**"), "*")
+bin_dir  = File.join("bin","*")
+spec_file = "rubygem-openshift-origin-auth-kerberos.spec"
+
+Gem::Specification.new do |s|
+  s.name        = "openshift-origin-auth-kerberos"
+  s.version     = `rpm -q --qf "%{version}\n" --specfile #{spec_file}`.split[0]
+  s.license     = `rpm -q --qf "%{license}\n" --specfile #{spec_file}`.split[0]
+  s.authors     = ["Jason DeTiberus"]
+  s.email       = ["jdetiber@redhat.com"]
+  s.homepage    = `rpm -q --qf "%{url}\n" --specfile #{spec_file}`.split[0]
+  s.summary     = `rpm -q --qf "%{description}\n" --specfile #{spec_file}`.split[0]
+  s.description = `rpm -q --qf "%{description}\n" --specfile #{spec_file}`.split[0]
+
+  s.files       = Dir[lib_dir] + Dir[bin_dir]
+  s.test_files  = Dir[test_dir]
+  s.executables = Dir[bin_dir].map {|binary| File.basename(binary)}
+  s.files       += %w(README.md Rakefile Gemfile rubygem-openshift-origin-auth-kerberos.spec openshift-origin-auth-kerberos.gemspec LICENSE COPYRIGHT)
+  s.require_paths = ["lib"]
+
+  s.add_dependency('openshift-origin-controller')
+  s.add_dependency('json')
+  s.add_dependency('krb5-auth')
+  s.add_development_dependency('rake')
+  s.add_development_dependency('bundler')
+  s.add_development_dependency('mocha')
+end

data/rubygem-openshift-origin-auth-kerberos.spec

@@ -0,0 +1,112 @@
+%global ruby_sitelib %(ruby -rrbconfig -e "puts Config::CONFIG['sitelibdir']")
+%global gemdir %(ruby -rubygems -e 'puts Gem::dir' 2>/dev/null)
+%global gemname openshift-origin-auth-kerberos
+%global geminstdir %{gemdir}/gems/%{gemname}-%{version}
+
+Summary:        OpenShift Origin plugin for kerberos auth service
+Name:           rubygem-%{gemname}
+Version:        0.8.8
+Release:        1%{?dist}
+Group:          Development/Languages
+License:        ASL 2.0
+URL:            http://openshift.redhat.com
+Source0:        rubygem-%{gemname}-%{version}.tar.gz
+BuildRoot:      %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
+Requires:       ruby(abi) = 1.8
+Requires:       rubygems
+Requires:       rubygem(openshift-origin-common)
+Requires:       rubygem(json)
+Requires:       rubygem(mocha)
+Requires:       openshift-origin-broker
+Requires:  		selinux-policy-targeted
+Requires:  		policycoreutils-python
+Requires:       rubygem(krb5-auth)
+
+BuildRequires:  ruby
+BuildRequires:  rubygems
+BuildArch:      noarch
+Provides:       rubygem(%{gemname}) = %version
+
+%package -n ruby-%{gemname}
+Summary:        OpenShift Origin plugin for kerberos auth service
+Requires:       rubygem(%{gemname}) = %version
+Provides:       ruby(%{gemname}) = %version
+Obsoletes:      rubygem-swingshift-kerberos-plugin
+
+%description
+Provides a kerberos auth service based plugin
+
+%description -n ruby-%{gemname}
+Provides a kerberos auth service based plugin
+
+%prep
+%setup -q
+
+%build
+
+%install
+rm -rf %{buildroot}
+mkdir -p %{buildroot}%{gemdir}
+mkdir -p %{buildroot}%{ruby_sitelib}
+
+# Build and install into the rubygem structure
+gem build %{gemname}.gemspec
+gem install --local --install-dir %{buildroot}%{gemdir} --force %{gemname}-%{version}.gem
+
+# Symlink into the ruby site library directories
+ln -s %{geminstdir}/lib/%{gemname} %{buildroot}%{ruby_sitelib}
+ln -s %{geminstdir}/lib/%{gemname}.rb %{buildroot}%{ruby_sitelib}
+
+mkdir -p %{buildroot}/var/www/openshift/broker/config/environments/plugin-config
+cat <<EOF > %{buildroot}/var/www/openshift/broker/config/environments/plugin-config/openshift-origin-auth-kerberos.rb
+Broker::Application.configure do
+  config.auth = {
+    :salt => "ClWqe5zKtEW4CJEMyjzQ",
+    :privkeyfile => "/var/www/openshift/broker/config/server_priv.pem",
+    :privkeypass => "",
+    :pubkeyfile  => "/var/www/openshift/broker/config/server_pub.pem",
+  }
+end
+EOF
+
+%clean
+rm -rf %{buildroot}
+
+%post
+/usr/bin/openssl genrsa -out /var/www/openshift/broker/config/server_priv.pem 2048
+/usr/bin/openssl rsa    -in /var/www/openshift/broker/config/server_priv.pem -pubout > /var/www/openshift/broker/config/server_pub.pem
+
+echo "The following variables need to be set in your rails config to use openshift-origin-auth-kerberos:"
+echo "auth[:salt]                    - salt for the password hash"
+echo "auth[:privkeyfile]             - RSA private key file for node-broker authentication"
+echo "auth[:privkeypass]             - RSA private key password"
+echo "auth[:pubkeyfile]              - RSA public key file for node-broker authentication"
+
+%files
+%defattr(-,root,root,-)
+%dir %{geminstdir}
+%doc %{geminstdir}/Gemfile
+%{gemdir}/doc/%{gemname}-%{version}
+%{gemdir}/gems/%{gemname}-%{version}
+%{gemdir}/cache/%{gemname}-%{version}.gem
+%{gemdir}/specifications/%{gemname}-%{version}.gemspec
+
+%attr(0440,apache,apache) /var/www/openshift/broker/config/environments/plugin-config/openshift-origin-auth-kerberos.rb
+
+%files -n ruby-%{gemname}
+%{ruby_sitelib}/%{gemname}
+%{ruby_sitelib}/%{gemname}.rb
+
+%changelog
+* Fri Oct 05 2012 Krishna Raman <kraman@gmail.com> 0.8.8-1
+- new package built with tito
+
+* Thu Aug 16 2012 Brenton Leanhardt <bleanhar@redhat.com> 0.8.7-1
+- new package built with tito
+
+* Wed Aug 15 2012 Jason DeTiberus <jason.detiberus@redhat.com> 0.8.6-1
+- kerberos auth plugin (jason.detiberus@redhat.com)
+
+* Wed Aug 15 2012 Jason DeTiberus <jason.detiberus@redhat.com> 0.8.5-1
+- new package built with tito
+

metadata

@@ -0,0 +1,163 @@
+--- !ruby/object:Gem::Specification 
+name: openshift-origin-auth-kerberos
+version: !ruby/object:Gem::Version 
+  hash: 47
+  prerelease: false
+  segments: 
+  - 0
+  - 8
+  - 8
+  version: 0.8.8
+platform: ruby
+authors: 
+- Jason DeTiberus
+autorequire: 
+bindir: bin
+cert_chain: []
+
+date: 2012-10-22 00:00:00 -04:00
+default_executable: 
+dependencies: 
+- !ruby/object:Gem::Dependency 
+  name: openshift-origin-controller
+  prerelease: false
+  requirement: &id001 !ruby/object:Gem::Requirement 
+    none: false
+    requirements: 
+    - - ">="
+      - !ruby/object:Gem::Version 
+        hash: 3
+        segments: 
+        - 0
+        version: "0"
+  type: :runtime
+  version_requirements: *id001
+- !ruby/object:Gem::Dependency 
+  name: json
+  prerelease: false
+  requirement: &id002 !ruby/object:Gem::Requirement 
+    none: false
+    requirements: 
+    - - ">="
+      - !ruby/object:Gem::Version 
+        hash: 3
+        segments: 
+        - 0
+        version: "0"
+  type: :runtime
+  version_requirements: *id002
+- !ruby/object:Gem::Dependency 
+  name: krb5-auth
+  prerelease: false
+  requirement: &id003 !ruby/object:Gem::Requirement 
+    none: false
+    requirements: 
+    - - ">="
+      - !ruby/object:Gem::Version 
+        hash: 3
+        segments: 
+        - 0
+        version: "0"
+  type: :runtime
+  version_requirements: *id003
+- !ruby/object:Gem::Dependency 
+  name: rake
+  prerelease: false
+  requirement: &id004 !ruby/object:Gem::Requirement 
+    none: false
+    requirements: 
+    - - ">="
+      - !ruby/object:Gem::Version 
+        hash: 3
+        segments: 
+        - 0
+        version: "0"
+  type: :development
+  version_requirements: *id004
+- !ruby/object:Gem::Dependency 
+  name: bundler
+  prerelease: false
+  requirement: &id005 !ruby/object:Gem::Requirement 
+    none: false
+    requirements: 
+    - - ">="
+      - !ruby/object:Gem::Version 
+        hash: 3
+        segments: 
+        - 0
+        version: "0"
+  type: :development
+  version_requirements: *id005
+- !ruby/object:Gem::Dependency 
+  name: mocha
+  prerelease: false
+  requirement: &id006 !ruby/object:Gem::Requirement 
+    none: false
+    requirements: 
+    - - ">="
+      - !ruby/object:Gem::Version 
+        hash: 3
+        segments: 
+        - 0
+        version: "0"
+  type: :development
+  version_requirements: *id006
+description: Provides
+email: 
+- jdetiber@redhat.com
+executables: []
+
+extensions: []
+
+extra_rdoc_files: []
+
+files: 
+- lib/openshift-kerberos-plugin.rb
+- lib/openshift-kerberos-plugin/engine/engine.rb
+- lib/openshift-kerberos-plugin/app/models/rest_account.rb
+- lib/openshift-kerberos-plugin/app/controllers/account_controller.rb
+- lib/openshift-kerberos-plugin/config/routes.rb
+- lib/openshift-kerberos-plugin/lib/openshift/kerberos_auth_service.rb
+- README.md
+- Rakefile
+- Gemfile
+- rubygem-openshift-origin-auth-kerberos.spec
+- openshift-origin-auth-kerberos.gemspec
+- LICENSE
+- COPYRIGHT
+has_rdoc: true
+homepage: http://openshift.redhat.com
+licenses: 
+- ASL
+post_install_message: 
+rdoc_options: []
+
+require_paths: 
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement 
+  none: false
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      hash: 3
+      segments: 
+      - 0
+      version: "0"
+required_rubygems_version: !ruby/object:Gem::Requirement 
+  none: false
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      hash: 3
+      segments: 
+      - 0
+      version: "0"
+requirements: []
+
+rubyforge_project: 
+rubygems_version: 1.3.7
+signing_key: 
+specification_version: 3
+summary: Provides
+test_files: []
+