diff options
author | Melanie | 2009-08-29 17:37:41 +0100 |
---|---|---|
committer | Melanie | 2009-08-29 17:37:41 +0100 |
commit | dce04df4f229cbf5636a096c834202dec7cd1765 (patch) | |
tree | c0c10b2472163df93dcb0e4d105a6e921cc84379 | |
parent | Add a slow cache cleaner thread. By default, the thread starts a cleanup (diff) | |
download | opensim-SC-dce04df4f229cbf5636a096c834202dec7cd1765.zip opensim-SC-dce04df4f229cbf5636a096c834202dec7cd1765.tar.gz opensim-SC-dce04df4f229cbf5636a096c834202dec7cd1765.tar.bz2 opensim-SC-dce04df4f229cbf5636a096c834202dec7cd1765.tar.xz |
Redesign the IAuthenticationService interface to use PKI. Sessioning is
now in the domain of the presence module where it belongs.
-rw-r--r-- | OpenSim/Services/AuthenticationService/AuthenticationService.cs | 312 | ||||
-rw-r--r-- | OpenSim/Services/Interfaces/IAuthenticationService.cs | 108 |
2 files changed, 70 insertions, 350 deletions
diff --git a/OpenSim/Services/AuthenticationService/AuthenticationService.cs b/OpenSim/Services/AuthenticationService/AuthenticationService.cs deleted file mode 100644 index b81a004..0000000 --- a/OpenSim/Services/AuthenticationService/AuthenticationService.cs +++ /dev/null | |||
@@ -1,312 +0,0 @@ | |||
1 | /* | ||
2 | * Copyright (c) Contributors, http://opensimulator.org/ | ||
3 | * See CONTRIBUTORS.TXT for a full list of copyright holders. | ||
4 | * | ||
5 | * Redistribution and use in source and binary forms, with or without | ||
6 | * modification, are permitted provided that the following conditions are met: | ||
7 | * * Redistributions of source code must retain the above copyright | ||
8 | * notice, this list of conditions and the following disclaimer. | ||
9 | * * Redistributions in binary form must reproduce the above copyright | ||
10 | * notice, this list of conditions and the following disclaimer in the | ||
11 | * documentation and/or other materials provided with the distribution. | ||
12 | * * Neither the name of the OpenSimulator Project nor the | ||
13 | * names of its contributors may be used to endorse or promote products | ||
14 | * derived from this software without specific prior written permission. | ||
15 | * | ||
16 | * THIS SOFTWARE IS PROVIDED BY THE DEVELOPERS ``AS IS'' AND ANY | ||
17 | * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED | ||
18 | * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE | ||
19 | * DISCLAIMED. IN NO EVENT SHALL THE CONTRIBUTORS BE LIABLE FOR ANY | ||
20 | * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES | ||
21 | * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; | ||
22 | * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND | ||
23 | * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT | ||
24 | * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS | ||
25 | * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | ||
26 | */ | ||
27 | |||
28 | using System; | ||
29 | using System.Collections.Generic; | ||
30 | using System.Reflection; | ||
31 | using Nini.Config; | ||
32 | using log4net; | ||
33 | using OpenSim.Framework; | ||
34 | using OpenSim.Data; | ||
35 | using OpenSim.Services.Base; | ||
36 | using OpenSim.Services.Interfaces; | ||
37 | using OpenMetaverse; | ||
38 | |||
39 | namespace OpenSim.Services.AuthenticationService | ||
40 | { | ||
41 | /// <summary> | ||
42 | /// Simple authentication service implementation dealing only with users. | ||
43 | /// It uses the user DB directly to access user information. | ||
44 | /// It takes two config vars: | ||
45 | /// - Authenticate = {true|false} : to do or not to do authentication | ||
46 | /// - Authority = string like "osgrid.org" : this identity authority | ||
47 | /// that will be called back for identity verification | ||
48 | /// </summary> | ||
49 | public class HGAuthenticationService : ServiceBase, IAuthenticationService | ||
50 | { | ||
51 | private static readonly ILog m_log | ||
52 | = LogManager.GetLogger(MethodBase.GetCurrentMethod().DeclaringType); | ||
53 | |||
54 | protected IUserDataPlugin m_Database; | ||
55 | protected string m_AuthorityURL; | ||
56 | protected bool m_PerformAuthentication; | ||
57 | protected Dictionary<UUID, List<string>> m_UserKeys = new Dictionary<UUID, List<string>>(); | ||
58 | |||
59 | |||
60 | public HGAuthenticationService(IConfigSource config) : base(config) | ||
61 | { | ||
62 | string dllName = String.Empty; | ||
63 | string connString = String.Empty; | ||
64 | |||
65 | // | ||
66 | // Try reading the [DatabaseService] section first, if it exists | ||
67 | // | ||
68 | IConfig dbConfig = config.Configs["DatabaseService"]; | ||
69 | if (dbConfig != null) | ||
70 | { | ||
71 | dllName = dbConfig.GetString("StorageProvider", String.Empty); | ||
72 | connString = dbConfig.GetString("ConnectionString", String.Empty); | ||
73 | } | ||
74 | |||
75 | // | ||
76 | // Try reading the more specific [InventoryService] section, if it exists | ||
77 | // | ||
78 | IConfig authConfig = config.Configs["AuthenticationService"]; | ||
79 | if (authConfig != null) | ||
80 | { | ||
81 | dllName = authConfig.GetString("StorageProvider", dllName); | ||
82 | connString = authConfig.GetString("ConnectionString", connString); | ||
83 | |||
84 | m_PerformAuthentication = authConfig.GetBoolean("Authenticate", true); | ||
85 | m_AuthorityURL = "http://" + authConfig.GetString("Authority", "localhost"); | ||
86 | if (!m_AuthorityURL.EndsWith("/")) | ||
87 | m_AuthorityURL += "/"; | ||
88 | } | ||
89 | |||
90 | // | ||
91 | // We tried, but this doesn't exist. We can't proceed. | ||
92 | // | ||
93 | if (dllName.Equals(String.Empty)) | ||
94 | throw new Exception("No InventoryService configuration"); | ||
95 | |||
96 | m_Database = LoadPlugin<IUserDataPlugin>(dllName); | ||
97 | if (m_Database == null) | ||
98 | throw new Exception("Could not find a storage interface in the given module"); | ||
99 | |||
100 | m_Database.Initialise(connString); | ||
101 | } | ||
102 | |||
103 | public UUID AuthenticateKey(UUID principalID, string key) | ||
104 | { | ||
105 | bool writeAgentData = false; | ||
106 | |||
107 | UserAgentData agent = m_Database.GetAgentByUUID(principalID); | ||
108 | if (agent == null) | ||
109 | { | ||
110 | agent = new UserAgentData(); | ||
111 | agent.ProfileID = principalID; | ||
112 | agent.SessionID = UUID.Random(); | ||
113 | agent.SecureSessionID = UUID.Random(); | ||
114 | agent.AgentIP = "127.0.0.1"; | ||
115 | agent.AgentPort = 0; | ||
116 | agent.AgentOnline = false; | ||
117 | |||
118 | writeAgentData = true; | ||
119 | } | ||
120 | |||
121 | if (!m_PerformAuthentication) | ||
122 | { | ||
123 | if (writeAgentData) | ||
124 | m_Database.AddNewUserAgent(agent); | ||
125 | return agent.SessionID; | ||
126 | } | ||
127 | |||
128 | if (!VerifyKey(principalID, key)) | ||
129 | return UUID.Zero; | ||
130 | |||
131 | if (writeAgentData) | ||
132 | m_Database.AddNewUserAgent(agent); | ||
133 | |||
134 | return agent.SessionID; | ||
135 | } | ||
136 | |||
137 | /// <summary> | ||
138 | /// This implementation only authenticates users. | ||
139 | /// </summary> | ||
140 | /// <param name="principalID"></param> | ||
141 | /// <param name="password"></param> | ||
142 | /// <returns></returns> | ||
143 | public UUID AuthenticatePassword(UUID principalID, string password) | ||
144 | { | ||
145 | bool writeAgentData = false; | ||
146 | |||
147 | UserAgentData agent = m_Database.GetAgentByUUID(principalID); | ||
148 | if (agent == null) | ||
149 | { | ||
150 | agent = new UserAgentData(); | ||
151 | agent.ProfileID = principalID; | ||
152 | agent.SessionID = UUID.Random(); | ||
153 | agent.SecureSessionID = UUID.Random(); | ||
154 | agent.AgentIP = "127.0.0.1"; | ||
155 | agent.AgentPort = 0; | ||
156 | agent.AgentOnline = false; | ||
157 | |||
158 | writeAgentData = true; | ||
159 | } | ||
160 | |||
161 | if (!m_PerformAuthentication) | ||
162 | { | ||
163 | if (writeAgentData) | ||
164 | m_Database.AddNewUserAgent(agent); | ||
165 | return agent.SessionID; | ||
166 | } | ||
167 | |||
168 | UserProfileData profile = m_Database.GetUserByUUID(principalID); | ||
169 | bool passwordSuccess = false; | ||
170 | m_log.InfoFormat("[AUTH]: Authenticating {0} {1} ({2})", profile.FirstName, profile.SurName, profile.ID); | ||
171 | |||
172 | // we do this to get our hash in a form that the server password code can consume | ||
173 | // when the web-login-form submits the password in the clear (supposed to be over SSL!) | ||
174 | if (!password.StartsWith("$1$")) | ||
175 | password = "$1$" + Util.Md5Hash(password); | ||
176 | |||
177 | password = password.Remove(0, 3); //remove $1$ | ||
178 | |||
179 | string s = Util.Md5Hash(password + ":" + profile.PasswordSalt); | ||
180 | // Testing... | ||
181 | //m_log.Info("[LOGIN]: SubHash:" + s + " userprofile:" + profile.passwordHash); | ||
182 | //m_log.Info("[LOGIN]: userprofile:" + profile.passwordHash + " SubCT:" + password); | ||
183 | |||
184 | passwordSuccess = (profile.PasswordHash.Equals(s.ToString(), StringComparison.InvariantCultureIgnoreCase) | ||
185 | || profile.PasswordHash.Equals(password, StringComparison.InvariantCulture)); | ||
186 | |||
187 | if (!passwordSuccess) | ||
188 | return UUID.Zero; | ||
189 | |||
190 | if (writeAgentData) | ||
191 | m_Database.AddNewUserAgent(agent); | ||
192 | |||
193 | return agent.SessionID; | ||
194 | } | ||
195 | |||
196 | /// <summary> | ||
197 | /// This generates authorization keys in the form | ||
198 | /// http://authority/uuid | ||
199 | /// after verifying that the caller is, indeed, authorized to request a key | ||
200 | /// </summary> | ||
201 | /// <param name="userID">The principal ID requesting the new key</param> | ||
202 | /// <param name="authToken">The original authorization token for that principal, obtained during login</param> | ||
203 | /// <returns></returns> | ||
204 | public string GetKey(UUID principalID, string authToken) | ||
205 | { | ||
206 | UserProfileData profile = m_Database.GetUserByUUID(principalID); | ||
207 | string newKey = string.Empty; | ||
208 | |||
209 | if (profile != null) | ||
210 | { | ||
211 | m_log.DebugFormat("[AUTH]: stored auth token is {0}. Given token is {1}", profile.WebLoginKey.ToString(), authToken); | ||
212 | // I'm overloading webloginkey for this, so that no changes are needed in the DB | ||
213 | // The uses of webloginkey are fairly mutually exclusive | ||
214 | if (profile.WebLoginKey.ToString().Equals(authToken)) | ||
215 | { | ||
216 | newKey = UUID.Random().ToString(); | ||
217 | List<string> keys; | ||
218 | lock (m_UserKeys) | ||
219 | { | ||
220 | if (m_UserKeys.ContainsKey(principalID)) | ||
221 | { | ||
222 | keys = m_UserKeys[principalID]; | ||
223 | } | ||
224 | else | ||
225 | { | ||
226 | keys = new List<string>(); | ||
227 | m_UserKeys.Add(principalID, keys); | ||
228 | } | ||
229 | keys.Add(newKey); | ||
230 | } | ||
231 | m_log.InfoFormat("[AUTH]: Successfully generated new auth key for {0}", principalID); | ||
232 | } | ||
233 | else | ||
234 | m_log.Warn("[AUTH]: Unauthorized key generation request. Denying new key."); | ||
235 | } | ||
236 | else | ||
237 | m_log.Warn("[AUTH]: Principal not found."); | ||
238 | |||
239 | return m_AuthorityURL + newKey; | ||
240 | } | ||
241 | |||
242 | /// <summary> | ||
243 | /// This verifies the uuid portion of the key given out by GenerateKey | ||
244 | /// </summary> | ||
245 | /// <param name="userID"></param> | ||
246 | /// <param name="key"></param> | ||
247 | /// <returns></returns> | ||
248 | public bool VerifyKey(UUID userID, string key) | ||
249 | { | ||
250 | lock (m_UserKeys) | ||
251 | { | ||
252 | if (m_UserKeys.ContainsKey(userID)) | ||
253 | { | ||
254 | List<string> keys = m_UserKeys[userID]; | ||
255 | if (keys.Contains(key)) | ||
256 | { | ||
257 | // Keys are one-time only, so remove it | ||
258 | keys.Remove(key); | ||
259 | return true; | ||
260 | } | ||
261 | return false; | ||
262 | } | ||
263 | else | ||
264 | return false; | ||
265 | } | ||
266 | } | ||
267 | |||
268 | public UUID CreateUserSession(UUID userID, UUID oldSessionID) | ||
269 | { | ||
270 | UserAgentData agent = m_Database.GetAgentByUUID(userID); | ||
271 | |||
272 | if (agent == null) | ||
273 | return UUID.Zero; | ||
274 | |||
275 | agent.SessionID = UUID.Random(); | ||
276 | |||
277 | m_Database.AddNewUserAgent(agent); | ||
278 | return agent.SessionID; | ||
279 | } | ||
280 | |||
281 | public bool VerifyUserSession(UUID userID, UUID sessionID) | ||
282 | { | ||
283 | UserProfileData userProfile = m_Database.GetUserByUUID(userID); | ||
284 | |||
285 | if (userProfile != null && userProfile.CurrentAgent != null) | ||
286 | { | ||
287 | m_log.DebugFormat("[AUTH]: Verifying session {0} for {1}; current session {2}", sessionID, userID, userProfile.CurrentAgent.SessionID); | ||
288 | if (userProfile.CurrentAgent.SessionID == sessionID) | ||
289 | { | ||
290 | return true; | ||
291 | } | ||
292 | } | ||
293 | |||
294 | return false; | ||
295 | } | ||
296 | |||
297 | public bool DestroyUserSession(UUID userID, UUID sessionID) | ||
298 | { | ||
299 | if (!VerifyUserSession(userID, sessionID)) | ||
300 | return false; | ||
301 | |||
302 | UserAgentData agent = m_Database.GetAgentByUUID(userID); | ||
303 | if (agent == null) | ||
304 | return false; | ||
305 | |||
306 | agent.SessionID = UUID.Zero; | ||
307 | m_Database.AddNewUserAgent(agent); | ||
308 | |||
309 | return true; | ||
310 | } | ||
311 | } | ||
312 | } | ||
diff --git a/OpenSim/Services/Interfaces/IAuthenticationService.cs b/OpenSim/Services/Interfaces/IAuthenticationService.cs index 2402414..d473cf8 100644 --- a/OpenSim/Services/Interfaces/IAuthenticationService.cs +++ b/OpenSim/Services/Interfaces/IAuthenticationService.cs | |||
@@ -38,57 +38,89 @@ namespace OpenSim.Services.Interfaces | |||
38 | // | 38 | // |
39 | public interface IAuthenticationService | 39 | public interface IAuthenticationService |
40 | { | 40 | { |
41 | ////////////////////////////////////////////////// | 41 | ////////////////////////////////////////////////////// |
42 | // Web login key portion | 42 | // PKI Zone! |
43 | // | 43 | // |
44 | 44 | // HG2 authentication works by using a cryptographic | |
45 | // Get a service key given that principal's | 45 | // exchange. |
46 | // authentication token (master key). | 46 | // This method must provide a public key, the other |
47 | // crypto methods must understand hoow to deal with | ||
48 | // messages encrypted to it. | ||
47 | // | 49 | // |
48 | string GetKey(UUID principalID, string authToken); | 50 | // If the public key is of zero length, you will |
49 | 51 | // get NO encryption and NO security. | |
50 | // Verify that a principal key is valid | 52 | // |
53 | // For non-HG installations, this is not relevant | ||
51 | // | 54 | // |
52 | bool VerifyKey(UUID principalID, string key); | 55 | // Implementors who are not using PKI can treat the |
56 | // cyphertext as a string and provide a zero-length | ||
57 | // key. Encryptionless implementations will not | ||
58 | // interoperate with implementations using encryption. | ||
59 | // If one side uses encryption, both must do so. | ||
60 | // | ||
61 | byte[] GetPublicKey(); | ||
53 | 62 | ||
54 | ////////////////////////////////////////////////// | 63 | ////////////////////////////////////////////////////// |
55 | // Password auth portion | 64 | // Authentication |
65 | // | ||
66 | // These methods will return a token, which can be used to access | ||
67 | // various services. | ||
68 | // | ||
69 | // The encrypted versions take the received cyphertext and | ||
70 | // the public key of the peer, which the connector must have | ||
71 | // obtained using a remote GetPublicKey call. | ||
56 | // | 72 | // |
73 | string AuthenticatePassword(UUID principalID, string password); | ||
74 | byte[] AuthenticatePasswordEncrypted(byte[] cyphertext, byte[] key); | ||
57 | 75 | ||
58 | // Here's how thos works, and why. | 76 | string AuthenticateWebkey(UUID principalID, string webkey); |
59 | // | 77 | byte[] AuthenticateWebkeyEncrypted(byte[] cyphertext, byte[] key); |
60 | // The authentication methods will return the existing session, | ||
61 | // or UUID.Zero if authentication failed. If there is no session, | ||
62 | // they will create one. | ||
63 | // The CreateUserSession method will unconditionally create a session | ||
64 | // and invalidate the prior session. | ||
65 | // Grid login uses this method to make sure that the session is | ||
66 | // fresh and new. Other software, like management applications, | ||
67 | // can obtain this existing session if they have a key or password | ||
68 | // for that account, this allows external apps to obtain credentials | ||
69 | // and use authenticating interface methods. | ||
70 | // | ||
71 | |||
72 | // Check the pricipal's password | ||
73 | // | ||
74 | UUID AuthenticatePassword(UUID principalID, string password); | ||
75 | 78 | ||
76 | // Check the principal's key | 79 | ////////////////////////////////////////////////////// |
80 | // Verification | ||
77 | // | 81 | // |
78 | UUID AuthenticateKey(UUID principalID, string password); | 82 | // Allows to verify the authenticity of a token |
83 | // | ||
84 | // Tokens expire after 30 minutes and can be refreshed by | ||
85 | // re-verifying. | ||
86 | // | ||
87 | // If encrypted authentication was used, encrypted verification | ||
88 | // must be used to refresh. Unencrypted verification is still | ||
89 | // performed, but doesn't refresh token lifetime. | ||
90 | // | ||
91 | bool Verify(UUID principalID, string token); | ||
92 | bool VerifyEncrypted(byte[] cyphertext, byte[] key); | ||
79 | 93 | ||
80 | // Create a new session, invalidating the old ones | 94 | ////////////////////////////////////////////////////// |
95 | // Teardown | ||
96 | // | ||
97 | // A token can be returned before the timeout. This | ||
98 | // invalidates it and it can not subsequently be used | ||
99 | // or refreshed. | ||
100 | // | ||
101 | // Tokens created by encrypted authentication must | ||
102 | // be returned by encrypted release calls; | ||
81 | // | 103 | // |
82 | UUID CreateUserSession(UUID principalID, UUID oldSessionID); | 104 | bool Release(UUID principalID, string token); |
105 | bool ReleaseEncrypted(byte[] cyphertext, byte[] key); | ||
83 | 106 | ||
84 | // Verify that a user session ID is valid. A session ID is | 107 | ////////////////////////////////////////////////////// |
85 | // considered valid when a user has successfully authenticated | 108 | // Grid |
86 | // at least one time inside that session. | ||
87 | // | 109 | // |
88 | bool VerifyUserSession(UUID principalID, UUID sessionID); | 110 | // We no longer need a shared secret between grid |
111 | // servers. Anything a server requests from another | ||
112 | // server is either done on behalf of a user, in which | ||
113 | // case there is a token, or on behalf of a region, | ||
114 | // which has a session. So, no more keys. | ||
115 | // If sniffing on the local lan is an issue, admins | ||
116 | // need to take approriate action (IPSec is recommended) | ||
117 | // to secure inter-server traffic. | ||
89 | 118 | ||
90 | // Deauthenticate user | 119 | ////////////////////////////////////////////////////// |
120 | // NOTE | ||
91 | // | 121 | // |
92 | bool DestroyUserSession(UUID principalID, UUID sessionID); | 122 | // Session IDs are not handled here. After obtaining |
123 | // a token, the session ID regions use can be | ||
124 | // obtained from the presence service. | ||
93 | } | 125 | } |
94 | } | 126 | } |