aboutsummaryrefslogtreecommitdiffstatshomepage
path: root/OpenSim/Region/CoreModules/Communications
diff options
context:
space:
mode:
authordiva2009-04-14 19:35:35 +0000
committerdiva2009-04-14 19:35:35 +0000
commit0413d052a3ec541164049e7d39278c57fb92ed06 (patch)
tree9a58c9c51487278d67e1ad9b3a60668769434001 /OpenSim/Region/CoreModules/Communications
parent* Make archiver tests pump the asset server manually instead of starting the ... (diff)
downloadopensim-SC-0413d052a3ec541164049e7d39278c57fb92ed06.zip
opensim-SC-0413d052a3ec541164049e7d39278c57fb92ed06.tar.gz
opensim-SC-0413d052a3ec541164049e7d39278c57fb92ed06.tar.bz2
opensim-SC-0413d052a3ec541164049e7d39278c57fb92ed06.tar.xz
Adds session authentication upon NewUserConnections. Adds user key authentication (in safemode only) upon CreateChildAgents. All of this for Hypergrid users too. This addresses assorted spoofing vulnerabilities.
Diffstat (limited to 'OpenSim/Region/CoreModules/Communications')
-rw-r--r--OpenSim/Region/CoreModules/Communications/REST/RESTInterregionComms.cs79
1 files changed, 78 insertions, 1 deletions
diff --git a/OpenSim/Region/CoreModules/Communications/REST/RESTInterregionComms.cs b/OpenSim/Region/CoreModules/Communications/REST/RESTInterregionComms.cs
index 87272a1..97ffeae 100644
--- a/OpenSim/Region/CoreModules/Communications/REST/RESTInterregionComms.cs
+++ b/OpenSim/Region/CoreModules/Communications/REST/RESTInterregionComms.cs
@@ -59,6 +59,9 @@ namespace OpenSim.Region.CoreModules.Communications.REST
59 59
60 protected RegionToRegionClient m_regionClient; 60 protected RegionToRegionClient m_regionClient;
61 61
62 protected bool m_safemode;
63 protected IPAddress m_thisIP;
64
62 #region IRegionModule 65 #region IRegionModule
63 66
64 public virtual void Initialise(Scene scene, IConfigSource config) 67 public virtual void Initialise(Scene scene, IConfigSource config)
@@ -74,6 +77,9 @@ namespace OpenSim.Region.CoreModules.Communications.REST
74 { 77 {
75 m_log.Info("[REST COMMS]: Enabling InterregionComms RESTComms module"); 78 m_log.Info("[REST COMMS]: Enabling InterregionComms RESTComms module");
76 m_enabled = true; 79 m_enabled = true;
80 if (config.Configs["Hypergrid"] != null)
81 m_safemode = config.Configs["Hypergrid"].GetBoolean("safemode", false);
82
77 InitOnce(scene); 83 InitOnce(scene);
78 } 84 }
79 } 85 }
@@ -117,6 +123,7 @@ namespace OpenSim.Region.CoreModules.Communications.REST
117 m_commsManager = scene.CommsManager; 123 m_commsManager = scene.CommsManager;
118 m_aScene = scene; 124 m_aScene = scene;
119 m_regionClient = new RegionToRegionClient(m_aScene); 125 m_regionClient = new RegionToRegionClient(m_aScene);
126 m_thisIP = Util.GetHostFromDNS(scene.RegionInfo.ExternalHostName);
120 } 127 }
121 128
122 protected virtual void AddHTTPHandlers() 129 protected virtual void AddHTTPHandlers()
@@ -148,7 +155,7 @@ namespace OpenSim.Region.CoreModules.Communications.REST
148 { 155 {
149 m_regionClient.SendUserInformation(regInfo, aCircuit); 156 m_regionClient.SendUserInformation(regInfo, aCircuit);
150 157
151 return m_regionClient.DoCreateChildAgentCall(regInfo, aCircuit); 158 return m_regionClient.DoCreateChildAgentCall(regInfo, aCircuit, "None");
152 } 159 }
153 //else 160 //else
154 // m_log.Warn("[REST COMMS]: Region not found " + regionHandle); 161 // m_log.Warn("[REST COMMS]: Region not found " + regionHandle);
@@ -331,6 +338,7 @@ namespace OpenSim.Region.CoreModules.Communications.REST
331 responsedata["content_type"] = "text/html"; 338 responsedata["content_type"] = "text/html";
332 responsedata["keepalive"] = false; 339 responsedata["keepalive"] = false;
333 340
341
334 UUID agentID; 342 UUID agentID;
335 string action; 343 string action;
336 ulong regionHandle; 344 ulong regionHandle;
@@ -378,6 +386,28 @@ namespace OpenSim.Region.CoreModules.Communications.REST
378 386
379 protected virtual void DoAgentPost(Hashtable request, Hashtable responsedata, UUID id) 387 protected virtual void DoAgentPost(Hashtable request, Hashtable responsedata, UUID id)
380 { 388 {
389 if (m_safemode)
390 {
391 // Authentication
392 string authority = string.Empty;
393 string authToken = string.Empty;
394 if (!GetAuthentication(request, out authority, out authToken))
395 {
396 m_log.InfoFormat("[REST COMMS]: Authentication failed for agent message {0}", request["uri"]);
397 responsedata["int_response_code"] = 403;
398 responsedata["str_response_string"] = "Forbidden";
399 return ;
400 }
401 if (!VerifyKey(id, authority, authToken))
402 {
403 m_log.InfoFormat("[REST COMMS]: Authentication failed for agent message {0}", request["uri"]);
404 responsedata["int_response_code"] = 403;
405 responsedata["str_response_string"] = "Forbidden";
406 return ;
407 }
408 m_log.DebugFormat("[REST COMMS]: Authentication succeeded for {0}", id);
409 }
410
381 OSDMap args = RegionClient.GetOSDMap((string)request["body"]); 411 OSDMap args = RegionClient.GetOSDMap((string)request["body"]);
382 if (args == null) 412 if (args == null)
383 { 413 {
@@ -793,6 +823,53 @@ namespace OpenSim.Region.CoreModules.Communications.REST
793 } 823 }
794 } 824 }
795 825
826 public static bool GetAuthentication(Hashtable request, out string authority, out string authKey)
827 {
828 authority = string.Empty;
829 authKey = string.Empty;
830
831 Uri authUri;
832 Hashtable headers = (Hashtable)request["headers"];
833
834 // Authorization keys look like this:
835 // http://orgrid.org:8002/<uuid>
836 if (headers.ContainsKey("authorization") && (string)headers["authorization"] != "None")
837 {
838 if (Uri.TryCreate((string)headers["authorization"], UriKind.Absolute, out authUri))
839 {
840 authority = authUri.Authority;
841 authKey = authUri.PathAndQuery.Trim('/');
842 m_log.DebugFormat("[REST COMMS]: Got authority {0} and key {1}", authority, authKey);
843 return true;
844 }
845 else
846 m_log.Debug("[REST COMMS]: Wrong format for Authorization header: " + (string)headers["authorization"]);
847 }
848 else
849 m_log.Debug("[REST COMMS]: Authorization header not found");
850
851 return false;
852 }
853
854 bool VerifyKey(UUID userID, string authority, string key)
855 {
856 string[] parts = authority.Split(':');
857 IPAddress ipaddr = IPAddress.None;
858 uint port = 0;
859 if (parts.Length <= 2)
860 ipaddr = Util.GetHostFromDNS(parts[0]);
861 if (parts.Length == 2)
862 UInt32.TryParse(parts[1], out port);
863
864 // local authority (standalone), local call
865 if (m_thisIP.Equals(ipaddr) && (m_aScene.RegionInfo.HttpPort == port))
866 return ((IAuthentication)m_aScene.CommsManager.UserAdminService).VerifyKey(userID, key);
867 // remote call
868 else
869 return AuthClient.VerifyKey("http://" + authority, userID, key);
870 }
871
872
796 #endregion Misc 873 #endregion Misc
797 874
798 protected class RegionToRegionClient : RegionClient 875 protected class RegionToRegionClient : RegionClient