diff options
Adds session authentication upon NewUserConnections. Adds user key authentication (in safemode only) upon CreateChildAgents. All of this for Hypergrid users too. This addresses assorted spoofing vulnerabilities.
Diffstat (limited to 'OpenSim/Framework/Communications')
6 files changed, 75 insertions, 3 deletions
diff --git a/OpenSim/Framework/Communications/Clients/RegionClient.cs b/OpenSim/Framework/Communications/Clients/RegionClient.cs index 27353b0..da3f620 100644 --- a/OpenSim/Framework/Communications/Clients/RegionClient.cs +++ b/OpenSim/Framework/Communications/Clients/RegionClient.cs | |||
| @@ -43,7 +43,7 @@ namespace OpenSim.Framework.Communications.Clients | |||
| 43 | { | 43 | { |
| 44 | private static readonly ILog m_log = LogManager.GetLogger(MethodBase.GetCurrentMethod().DeclaringType); | 44 | private static readonly ILog m_log = LogManager.GetLogger(MethodBase.GetCurrentMethod().DeclaringType); |
| 45 | 45 | ||
| 46 | public bool DoCreateChildAgentCall(RegionInfo region, AgentCircuitData aCircuit) | 46 | public bool DoCreateChildAgentCall(RegionInfo region, AgentCircuitData aCircuit, string authKey) |
| 47 | { | 47 | { |
| 48 | // Eventually, we want to use a caps url instead of the agentID | 48 | // Eventually, we want to use a caps url instead of the agentID |
| 49 | string uri = "http://" + region.ExternalEndPoint.Address + ":" + region.HttpPort + "/agent/" + aCircuit.AgentID + "/"; | 49 | string uri = "http://" + region.ExternalEndPoint.Address + ":" + region.HttpPort + "/agent/" + aCircuit.AgentID + "/"; |
| @@ -54,6 +54,7 @@ namespace OpenSim.Framework.Communications.Clients | |||
| 54 | AgentCreateRequest.ContentType = "application/json"; | 54 | AgentCreateRequest.ContentType = "application/json"; |
| 55 | AgentCreateRequest.Timeout = 10000; | 55 | AgentCreateRequest.Timeout = 10000; |
| 56 | //AgentCreateRequest.KeepAlive = false; | 56 | //AgentCreateRequest.KeepAlive = false; |
| 57 | AgentCreateRequest.Headers.Add("Authorization", authKey); | ||
| 57 | 58 | ||
| 58 | // Fill it in | 59 | // Fill it in |
| 59 | OSDMap args = null; | 60 | OSDMap args = null; |
| @@ -80,7 +81,7 @@ namespace OpenSim.Framework.Communications.Clients | |||
| 80 | } | 81 | } |
| 81 | catch (Exception e) | 82 | catch (Exception e) |
| 82 | { | 83 | { |
| 83 | m_log.WarnFormat("[OSG2]: Exception thrown on serialization of ChildCreate: {0}", e.Message); | 84 | m_log.WarnFormat("[REST COMMS]: Exception thrown on serialization of ChildCreate: {0}", e.Message); |
| 84 | // ignore. buffer will be empty, caller should check. | 85 | // ignore. buffer will be empty, caller should check. |
| 85 | } | 86 | } |
| 86 | 87 | ||
| @@ -91,7 +92,7 @@ namespace OpenSim.Framework.Communications.Clients | |||
| 91 | os = AgentCreateRequest.GetRequestStream(); | 92 | os = AgentCreateRequest.GetRequestStream(); |
| 92 | os.Write(buffer, 0, strBuffer.Length); //Send it | 93 | os.Write(buffer, 0, strBuffer.Length); //Send it |
| 93 | os.Close(); | 94 | os.Close(); |
| 94 | //m_log.InfoFormat("[REST COMMS]: Posted ChildAgentUpdate request to remote sim {0}", uri); | 95 | //m_log.InfoFormat("[REST COMMS]: Posted CreateChildAgent request to remote sim {0}", uri); |
| 95 | } | 96 | } |
| 96 | //catch (WebException ex) | 97 | //catch (WebException ex) |
| 97 | catch | 98 | catch |
diff --git a/OpenSim/Framework/Communications/IAuthentication.cs b/OpenSim/Framework/Communications/IAuthentication.cs index 0f62569..bd568e4 100644 --- a/OpenSim/Framework/Communications/IAuthentication.cs +++ b/OpenSim/Framework/Communications/IAuthentication.cs | |||
| @@ -34,5 +34,6 @@ namespace OpenSim.Framework.Communications | |||
| 34 | { | 34 | { |
| 35 | string GetNewKey(string url, UUID userID, UUID authToken); | 35 | string GetNewKey(string url, UUID userID, UUID authToken); |
| 36 | bool VerifyKey(UUID userID, string key); | 36 | bool VerifyKey(UUID userID, string key); |
| 37 | bool VerifySession(UUID iserID, UUID sessionID); | ||
| 37 | } | 38 | } |
| 38 | } | 39 | } |
diff --git a/OpenSim/Framework/Communications/IUserService.cs b/OpenSim/Framework/Communications/IUserService.cs index 3c09b40..3a56d35 100644 --- a/OpenSim/Framework/Communications/IUserService.cs +++ b/OpenSim/Framework/Communications/IUserService.cs | |||
| @@ -119,5 +119,9 @@ namespace OpenSim.Framework.Communications | |||
| 119 | /// </summary> | 119 | /// </summary> |
| 120 | /// <param name="friendlistowner">The agent that we're retreiving the friends Data.</param> | 120 | /// <param name="friendlistowner">The agent that we're retreiving the friends Data.</param> |
| 121 | List<FriendListItem> GetUserFriendList(UUID friendlistowner); | 121 | List<FriendListItem> GetUserFriendList(UUID friendlistowner); |
| 122 | |||
| 123 | // This probably shouldn't be here, it belongs to IAuthentication | ||
| 124 | // But since Scenes only have IUserService references, I'm placing it here for now. | ||
| 125 | bool VerifySession(UUID userID, UUID sessionID); | ||
| 122 | } | 126 | } |
| 123 | } | 127 | } |
diff --git a/OpenSim/Framework/Communications/Services/LoginService.cs b/OpenSim/Framework/Communications/Services/LoginService.cs index d9556e4..d491309 100644 --- a/OpenSim/Framework/Communications/Services/LoginService.cs +++ b/OpenSim/Framework/Communications/Services/LoginService.cs | |||
| @@ -37,6 +37,7 @@ using log4net; | |||
| 37 | using Nwc.XmlRpc; | 37 | using Nwc.XmlRpc; |
| 38 | using OpenMetaverse; | 38 | using OpenMetaverse; |
| 39 | using OpenMetaverse.StructuredData; | 39 | using OpenMetaverse.StructuredData; |
| 40 | using OpenSim.Framework; | ||
| 40 | using OpenSim.Framework.Communications.Cache; | 41 | using OpenSim.Framework.Communications.Cache; |
| 41 | using OpenSim.Framework.Statistics; | 42 | using OpenSim.Framework.Statistics; |
| 42 | 43 | ||
| @@ -194,6 +195,12 @@ namespace OpenSim.Framework.Communications.Services | |||
| 194 | 195 | ||
| 195 | CreateAgent(userProfile, request); | 196 | CreateAgent(userProfile, request); |
| 196 | 197 | ||
| 198 | // We need to commit the agent right here, even though the userProfile info is not complete | ||
| 199 | // at this point. There is another commit further down. | ||
| 200 | // This is for the new sessionID to be stored so that the region can check it for session authentication. | ||
| 201 | // CustomiseResponse->PrepareLoginToRegion | ||
| 202 | CommitAgent(ref userProfile); | ||
| 203 | |||
| 197 | try | 204 | try |
| 198 | { | 205 | { |
| 199 | UUID agentID = userProfile.ID; | 206 | UUID agentID = userProfile.ID; |
| @@ -1108,5 +1115,44 @@ namespace OpenSim.Framework.Communications.Services | |||
| 1108 | { | 1115 | { |
| 1109 | return false; | 1116 | return false; |
| 1110 | } | 1117 | } |
| 1118 | |||
| 1119 | public XmlRpcResponse XmlRPCCheckAuthSession(XmlRpcRequest request) | ||
| 1120 | { | ||
| 1121 | XmlRpcResponse response = new XmlRpcResponse(); | ||
| 1122 | Hashtable requestData = (Hashtable)request.Params[0]; | ||
| 1123 | |||
| 1124 | string authed = "FALSE"; | ||
| 1125 | if (requestData.Contains("avatar_uuid") && requestData.Contains("session_id")) | ||
| 1126 | { | ||
| 1127 | UUID guess_aid; | ||
| 1128 | UUID guess_sid; | ||
| 1129 | |||
| 1130 | UUID.TryParse((string)requestData["avatar_uuid"], out guess_aid); | ||
| 1131 | if (guess_aid == UUID.Zero) | ||
| 1132 | { | ||
| 1133 | return Util.CreateUnknownUserErrorResponse(); | ||
| 1134 | } | ||
| 1135 | UUID.TryParse((string)requestData["session_id"], out guess_sid); | ||
| 1136 | if (guess_sid == UUID.Zero) | ||
| 1137 | { | ||
| 1138 | return Util.CreateUnknownUserErrorResponse(); | ||
| 1139 | } | ||
| 1140 | if (m_userManager.VerifySession(guess_aid, guess_sid)) | ||
| 1141 | { | ||
| 1142 | authed = "TRUE"; | ||
| 1143 | } | ||
| 1144 | m_log.InfoFormat("[UserManager]: CheckAuthSession TRUE for user {0}", guess_aid); | ||
| 1145 | } | ||
| 1146 | else | ||
| 1147 | { | ||
| 1148 | m_log.InfoFormat("[UserManager]: CheckAuthSession FALSE"); | ||
| 1149 | return Util.CreateUnknownUserErrorResponse(); | ||
| 1150 | } | ||
| 1151 | Hashtable responseData = new Hashtable(); | ||
| 1152 | responseData["auth_session"] = authed; | ||
| 1153 | response.Value = responseData; | ||
| 1154 | return response; | ||
| 1155 | } | ||
| 1156 | |||
| 1111 | } | 1157 | } |
| 1112 | } | 1158 | } |
diff --git a/OpenSim/Framework/Communications/Tests/Cache/AssetCacheTests.cs b/OpenSim/Framework/Communications/Tests/Cache/AssetCacheTests.cs index 5d6bc8d..178c356 100644 --- a/OpenSim/Framework/Communications/Tests/Cache/AssetCacheTests.cs +++ b/OpenSim/Framework/Communications/Tests/Cache/AssetCacheTests.cs | |||
| @@ -178,6 +178,11 @@ namespace OpenSim.Framework.Communications.Tests | |||
| 178 | { | 178 | { |
| 179 | throw new NotImplementedException(); | 179 | throw new NotImplementedException(); |
| 180 | } | 180 | } |
| 181 | |||
| 182 | public bool VerifySession(UUID userID, UUID sessionID) | ||
| 183 | { | ||
| 184 | return true; | ||
| 185 | } | ||
| 181 | } | 186 | } |
| 182 | 187 | ||
| 183 | [Test] | 188 | [Test] |
diff --git a/OpenSim/Framework/Communications/UserManagerBase.cs b/OpenSim/Framework/Communications/UserManagerBase.cs index 155f5cd..1115041 100644 --- a/OpenSim/Framework/Communications/UserManagerBase.cs +++ b/OpenSim/Framework/Communications/UserManagerBase.cs | |||
| @@ -839,6 +839,21 @@ namespace OpenSim.Framework.Communications | |||
| 839 | } | 839 | } |
| 840 | } | 840 | } |
| 841 | 841 | ||
| 842 | public bool VerifySession(UUID userID, UUID sessionID) | ||
| 843 | { | ||
| 844 | UserProfileData userProfile = GetUserProfile(userID); | ||
| 845 | |||
| 846 | if (userProfile != null && userProfile.CurrentAgent != null) | ||
| 847 | { | ||
| 848 | m_log.DebugFormat("[USERAUTH]: Verifying session {0} for {1}; current session {2}", sessionID, userID, userProfile.CurrentAgent.SessionID); | ||
| 849 | if (userProfile.CurrentAgent.SessionID == sessionID) | ||
| 850 | { | ||
| 851 | return true; | ||
| 852 | } | ||
| 853 | } | ||
| 854 | return false; | ||
| 855 | } | ||
| 856 | |||
| 842 | #endregion | 857 | #endregion |
| 843 | } | 858 | } |
| 844 | } | 859 | } |