Adds session authentication upon NewUserConnections. Adds user key authentication (in safemode only) upon CreateChildAgents. All of this for Hypergrid users too. This addresses assorted spoofing vulnerabilities.

author: diva 2009-04-14 19:35:35 +0000
committer: diva 2009-04-14 19:35:35 +0000
commit: 0413d052a3ec541164049e7d39278c57fb92ed06 (patch)
tree: 9a58c9c51487278d67e1ad9b3a60668769434001 /OpenSim/Region/CoreModules
parent: * Make archiver tests pump the asset server manually instead of starting the ... (diff)
download: opensim-SC_OLD-0413d052a3ec541164049e7d39278c57fb92ed06.zip
opensim-SC_OLD-0413d052a3ec541164049e7d39278c57fb92ed06.tar.gz
opensim-SC_OLD-0413d052a3ec541164049e7d39278c57fb92ed06.tar.bz2
opensim-SC_OLD-0413d052a3ec541164049e7d39278c57fb92ed06.tar.xz
3 files changed, 81 insertions, 3 deletions
diff --git a/OpenSim/Region/CoreModules/Communications/REST/RESTInterregionComms.cs b/OpenSim/Region/CoreModules/Communications/REST/RESTInterregionComms.cs
index 87272a1..97ffeae 100644
--- a/OpenSim/Region/CoreModules/Communications/REST/RESTInterregionComms.cs
+++ b/OpenSim/Region/CoreModules/Communications/REST/RESTInterregionComms.cs
@@ -59,6 +59,9 @@ namespace OpenSim.Region.CoreModules.Communications.REST
        protected RegionToRegionClient m_regionClient;
+        protected bool m_safemode;
+        protected IPAddress m_thisIP;
        #region IRegionModule
        public virtual void Initialise(Scene scene, IConfigSource config)
@@ -74,6 +77,9 @@ namespace OpenSim.Region.CoreModules.Communications.REST
                {
                    m_log.Info("[REST COMMS]: Enabling InterregionComms RESTComms module");
                    m_enabled = true;
+                    if (config.Configs["Hypergrid"] != null)
+                        m_safemode = config.Configs["Hypergrid"].GetBoolean("safemode", false);
                    InitOnce(scene);
                }
            }
@@ -117,6 +123,7 @@ namespace OpenSim.Region.CoreModules.Communications.REST
            m_commsManager = scene.CommsManager;
            m_aScene = scene;
            m_regionClient = new RegionToRegionClient(m_aScene);
+            m_thisIP = Util.GetHostFromDNS(scene.RegionInfo.ExternalHostName);
        }
        protected virtual void AddHTTPHandlers()
@@ -148,7 +155,7 @@ namespace OpenSim.Region.CoreModules.Communications.REST
                {
                    m_regionClient.SendUserInformation(regInfo, aCircuit);
-                    return m_regionClient.DoCreateChildAgentCall(regInfo, aCircuit);
+                    return m_regionClient.DoCreateChildAgentCall(regInfo, aCircuit, "None");
                }
                //else
                //    m_log.Warn("[REST COMMS]: Region not found " + regionHandle);
@@ -331,6 +338,7 @@ namespace OpenSim.Region.CoreModules.Communications.REST
            responsedata["content_type"] = "text/html";
            responsedata["keepalive"] = false;
            UUID agentID;
            string action;
            ulong regionHandle;
@@ -378,6 +386,28 @@ namespace OpenSim.Region.CoreModules.Communications.REST
        protected virtual void DoAgentPost(Hashtable request, Hashtable responsedata, UUID id)
        {
+            if (m_safemode)
+            {
+                // Authentication
+                string authority = string.Empty;
+                string authToken = string.Empty;
+                if (!GetAuthentication(request, out authority, out authToken))
+                {
+                    m_log.InfoFormat("[REST COMMS]: Authentication failed for agent message {0}", request["uri"]);
+                    responsedata["int_response_code"] = 403;
+                    responsedata["str_response_string"] = "Forbidden";
+                    return ;
+                }
+                if (!VerifyKey(id, authority, authToken))
+                {
+                    m_log.InfoFormat("[REST COMMS]: Authentication failed for agent message {0}", request["uri"]);
+                    responsedata["int_response_code"] = 403;
+                    responsedata["str_response_string"] = "Forbidden";
+                    return ;
+                }
+                m_log.DebugFormat("[REST COMMS]: Authentication succeeded for {0}", id);
+            }
            OSDMap args = RegionClient.GetOSDMap((string)request["body"]);
            if (args == null)
            {
@@ -793,6 +823,53 @@ namespace OpenSim.Region.CoreModules.Communications.REST
            }
        }
+        public static bool GetAuthentication(Hashtable request, out string authority, out string authKey)
+        {
+            authority = string.Empty;
+            authKey = string.Empty;
+            Uri authUri;
+            Hashtable headers = (Hashtable)request["headers"];
+            // Authorization keys look like this:
+            // http://orgrid.org:8002/<uuid>
+            if (headers.ContainsKey("authorization") && (string)headers["authorization"] != "None")
+            {
+                if (Uri.TryCreate((string)headers["authorization"], UriKind.Absolute, out authUri))
+                {
+                    authority = authUri.Authority;
+                    authKey = authUri.PathAndQuery.Trim('/');
+                    m_log.DebugFormat("[REST COMMS]: Got authority {0} and key {1}", authority, authKey);
+                    return true;
+                }
+                else
+                    m_log.Debug("[REST COMMS]: Wrong format for Authorization header: " + (string)headers["authorization"]);
+            }
+            else
+                m_log.Debug("[REST COMMS]: Authorization header not found");
+            return false;
+        }
+        bool VerifyKey(UUID userID, string authority, string key)
+        {
+            string[] parts = authority.Split(':');
+            IPAddress ipaddr = IPAddress.None;
+            uint port = 0;
+            if (parts.Length <= 2)
+                ipaddr = Util.GetHostFromDNS(parts[0]);
+            if (parts.Length == 2)
+                UInt32.TryParse(parts[1], out port);
+            // local authority (standalone), local call
+            if (m_thisIP.Equals(ipaddr) && (m_aScene.RegionInfo.HttpPort == port))
+                return ((IAuthentication)m_aScene.CommsManager.UserAdminService).VerifyKey(userID, key);
+            // remote call
+            else
+                return AuthClient.VerifyKey("http://" + authority, userID, key);
+        }
        #endregion Misc 
        protected class RegionToRegionClient : RegionClient
diff --git a/OpenSim/Region/CoreModules/Hypergrid/HGStandaloneInventoryModule.cs b/OpenSim/Region/CoreModules/Hypergrid/HGStandaloneInventoryModule.cs
index 3675583..f0d70a7 100644
--- a/OpenSim/Region/CoreModules/Hypergrid/HGStandaloneInventoryModule.cs
+++ b/OpenSim/Region/CoreModules/Hypergrid/HGStandaloneInventoryModule.cs
@@ -93,7 +93,7 @@ namespace OpenSim.Region.CoreModules.Hypergrid
                m_inventoryService = new HGInventoryService(m_inventoryBase,
                    ((AssetServerBase)m_scene.CommsManager.AssetCache.AssetServer).AssetProviderPlugin,
-                    (UserManagerBase)m_scene.CommsManager.UserService, m_scene.CommsManager.HttpServer, 
+                    (UserManagerBase)m_scene.CommsManager.UserAdminService, m_scene.CommsManager.HttpServer, 
                    m_scene.CommsManager.NetworkServersInfo.InventoryURL);
                AddHttpHandlers(m_scene.CommsManager.HttpServer);
diff --git a/OpenSim/Region/CoreModules/Hypergrid/HGStandaloneLoginModule.cs b/OpenSim/Region/CoreModules/Hypergrid/HGStandaloneLoginModule.cs
index f0e957b..c458b89 100644
--- a/OpenSim/Region/CoreModules/Hypergrid/HGStandaloneLoginModule.cs
+++ b/OpenSim/Region/CoreModules/Hypergrid/HGStandaloneLoginModule.cs
@@ -104,11 +104,12 @@ namespace OpenSim.Region.CoreModules.Hypergrid
                    IHttpServer httpServer = m_firstScene.CommsManager.HttpServer;
                    //TODO: fix the casting of the user service, maybe by registering the userManagerBase with scenes, or refactoring so we just need a IUserService reference
-                    m_loginService = new HGLoginAuthService((UserManagerBase)m_firstScene.CommsManager.UserService, welcomeMessage, m_firstScene.CommsManager.InterServiceInventoryService, m_firstScene.CommsManager.NetworkServersInfo, authenticate, rootFolder, this);
+                    m_loginService = new HGLoginAuthService((UserManagerBase)m_firstScene.CommsManager.UserAdminService, welcomeMessage, m_firstScene.CommsManager.InterServiceInventoryService, m_firstScene.CommsManager.NetworkServersInfo, authenticate, rootFolder, this);
                    httpServer.AddXmlRPCHandler("hg_login", m_loginService.XmlRpcLoginMethod);
                    httpServer.AddXmlRPCHandler("hg_new_auth_key", m_loginService.XmlRpcGenerateKeyMethod);
                    httpServer.AddXmlRPCHandler("hg_verify_auth_key", m_loginService.XmlRpcVerifyKeyMethod);
+                    httpServer.AddXmlRPCHandler("check_auth_session", m_loginService.XmlRPCCheckAuthSession);
                }
            }
author	diva	2009-04-14 19:35:35 +0000
committer	diva	2009-04-14 19:35:35 +0000
commit	0413d052a3ec541164049e7d39278c57fb92ed06 (patch)
tree	9a58c9c51487278d67e1ad9b3a60668769434001 /OpenSim/Region/CoreModules
parent	* Make archiver tests pump the asset server manually instead of starting the ... (diff)
download	opensim-SC_OLD-0413d052a3ec541164049e7d39278c57fb92ed06.zip opensim-SC_OLD-0413d052a3ec541164049e7d39278c57fb92ed06.tar.gz opensim-SC_OLD-0413d052a3ec541164049e7d39278c57fb92ed06.tar.bz2 opensim-SC_OLD-0413d052a3ec541164049e7d39278c57fb92ed06.tar.xz

diff --git a/OpenSim/Region/CoreModules/Communications/REST/RESTInterregionComms.cs b/OpenSim/Region/CoreModules/Communications/REST/RESTInterregionComms.cs index 87272a1..97ffeae 100644 --- a/OpenSim/Region/CoreModules/Communications/REST/RESTInterregionComms.cs +++ b/OpenSim/Region/CoreModules/Communications/REST/RESTInterregionComms.cs
@@ -59,6 +59,9 @@ namespace OpenSim.Region.CoreModules.Communications.REST
59		59
60	protected RegionToRegionClient m_regionClient;	60	protected RegionToRegionClient m_regionClient;
61		61
		62	protected bool m_safemode;
		63	protected IPAddress m_thisIP;
		64
62	#region IRegionModule	65	#region IRegionModule
63		66
64	public virtual void Initialise(Scene scene, IConfigSource config)	67	public virtual void Initialise(Scene scene, IConfigSource config)
@@ -74,6 +77,9 @@ namespace OpenSim.Region.CoreModules.Communications.REST
74	{	77	{
75	m_log.Info("[REST COMMS]: Enabling InterregionComms RESTComms module");	78	m_log.Info("[REST COMMS]: Enabling InterregionComms RESTComms module");
76	m_enabled = true;	79	m_enabled = true;
		80	if (config.Configs["Hypergrid"] != null)
		81	m_safemode = config.Configs["Hypergrid"].GetBoolean("safemode", false);
		82
77	InitOnce(scene);	83	InitOnce(scene);
78	}	84	}
79	}	85	}
@@ -117,6 +123,7 @@ namespace OpenSim.Region.CoreModules.Communications.REST
117	m_commsManager = scene.CommsManager;	123	m_commsManager = scene.CommsManager;
118	m_aScene = scene;	124	m_aScene = scene;
119	m_regionClient = new RegionToRegionClient(m_aScene);	125	m_regionClient = new RegionToRegionClient(m_aScene);
		126	m_thisIP = Util.GetHostFromDNS(scene.RegionInfo.ExternalHostName);
120	}	127	}
121		128
122	protected virtual void AddHTTPHandlers()	129	protected virtual void AddHTTPHandlers()
@@ -148,7 +155,7 @@ namespace OpenSim.Region.CoreModules.Communications.REST
148	{	155	{
149	m_regionClient.SendUserInformation(regInfo, aCircuit);	156	m_regionClient.SendUserInformation(regInfo, aCircuit);
150		157
151	return m_regionClient.DoCreateChildAgentCall(regInfo, aCircuit);	158	return m_regionClient.DoCreateChildAgentCall(regInfo, aCircuit, "None");
152	}	159	}
153	//else	160	//else
154	// m_log.Warn("[REST COMMS]: Region not found " + regionHandle);	161	// m_log.Warn("[REST COMMS]: Region not found " + regionHandle);
@@ -331,6 +338,7 @@ namespace OpenSim.Region.CoreModules.Communications.REST
331	responsedata["content_type"] = "text/html";	338	responsedata["content_type"] = "text/html";
332	responsedata["keepalive"] = false;	339	responsedata["keepalive"] = false;
333		340
		341
334	UUID agentID;	342	UUID agentID;
335	string action;	343	string action;
336	ulong regionHandle;	344	ulong regionHandle;
@@ -378,6 +386,28 @@ namespace OpenSim.Region.CoreModules.Communications.REST
378		386
379	protected virtual void DoAgentPost(Hashtable request, Hashtable responsedata, UUID id)	387	protected virtual void DoAgentPost(Hashtable request, Hashtable responsedata, UUID id)
380	{	388	{
		389	if (m_safemode)
		390	{
		391	// Authentication
		392	string authority = string.Empty;
		393	string authToken = string.Empty;
		394	if (!GetAuthentication(request, out authority, out authToken))
		395	{
		396	m_log.InfoFormat("[REST COMMS]: Authentication failed for agent message {0}", request["uri"]);
		397	responsedata["int_response_code"] = 403;
		398	responsedata["str_response_string"] = "Forbidden";
		399	return ;
		400	}
		401	if (!VerifyKey(id, authority, authToken))
		402	{
		403	m_log.InfoFormat("[REST COMMS]: Authentication failed for agent message {0}", request["uri"]);
		404	responsedata["int_response_code"] = 403;
		405	responsedata["str_response_string"] = "Forbidden";
		406	return ;
		407	}
		408	m_log.DebugFormat("[REST COMMS]: Authentication succeeded for {0}", id);
		409	}
		410
381	OSDMap args = RegionClient.GetOSDMap((string)request["body"]);	411	OSDMap args = RegionClient.GetOSDMap((string)request["body"]);
382	if (args == null)	412	if (args == null)
383	{	413	{
@@ -793,6 +823,53 @@ namespace OpenSim.Region.CoreModules.Communications.REST
793	}	823	}
794	}	824	}
795		825
		826	public static bool GetAuthentication(Hashtable request, out string authority, out string authKey)
		827	{
		828	authority = string.Empty;
		829	authKey = string.Empty;
		830
		831	Uri authUri;
		832	Hashtable headers = (Hashtable)request["headers"];
		833
		834	// Authorization keys look like this:
		835	// http://orgrid.org:8002/<uuid>
		836	if (headers.ContainsKey("authorization") && (string)headers["authorization"] != "None")
		837	{
		838	if (Uri.TryCreate((string)headers["authorization"], UriKind.Absolute, out authUri))
		839	{
		840	authority = authUri.Authority;
		841	authKey = authUri.PathAndQuery.Trim('/');
		842	m_log.DebugFormat("[REST COMMS]: Got authority {0} and key {1}", authority, authKey);
		843	return true;
		844	}
		845	else
		846	m_log.Debug("[REST COMMS]: Wrong format for Authorization header: " + (string)headers["authorization"]);
		847	}
		848	else
		849	m_log.Debug("[REST COMMS]: Authorization header not found");
		850
		851	return false;
		852	}
		853
		854	bool VerifyKey(UUID userID, string authority, string key)
		855	{
		856	string[] parts = authority.Split(':');
		857	IPAddress ipaddr = IPAddress.None;
		858	uint port = 0;
		859	if (parts.Length <= 2)
		860	ipaddr = Util.GetHostFromDNS(parts[0]);
		861	if (parts.Length == 2)
		862	UInt32.TryParse(parts[1], out port);
		863
		864	// local authority (standalone), local call
		865	if (m_thisIP.Equals(ipaddr) && (m_aScene.RegionInfo.HttpPort == port))
		866	return ((IAuthentication)m_aScene.CommsManager.UserAdminService).VerifyKey(userID, key);
		867	// remote call
		868	else
		869	return AuthClient.VerifyKey("http://" + authority, userID, key);
		870	}
		871
		872
796	#endregion Misc	873	#endregion Misc
797		874
798	protected class RegionToRegionClient : RegionClient	875	protected class RegionToRegionClient : RegionClient


diff --git a/OpenSim/Region/CoreModules/Hypergrid/HGStandaloneInventoryModule.cs b/OpenSim/Region/CoreModules/Hypergrid/HGStandaloneInventoryModule.cs index 3675583..f0d70a7 100644 --- a/OpenSim/Region/CoreModules/Hypergrid/HGStandaloneInventoryModule.cs +++ b/OpenSim/Region/CoreModules/Hypergrid/HGStandaloneInventoryModule.cs
@@ -93,7 +93,7 @@ namespace OpenSim.Region.CoreModules.Hypergrid
93		93
94	m_inventoryService = new HGInventoryService(m_inventoryBase,	94	m_inventoryService = new HGInventoryService(m_inventoryBase,
95	((AssetServerBase)m_scene.CommsManager.AssetCache.AssetServer).AssetProviderPlugin,	95	((AssetServerBase)m_scene.CommsManager.AssetCache.AssetServer).AssetProviderPlugin,
96	(UserManagerBase)m_scene.CommsManager.UserService, m_scene.CommsManager.HttpServer,	96	(UserManagerBase)m_scene.CommsManager.UserAdminService, m_scene.CommsManager.HttpServer,
97	m_scene.CommsManager.NetworkServersInfo.InventoryURL);	97	m_scene.CommsManager.NetworkServersInfo.InventoryURL);
98		98
99	AddHttpHandlers(m_scene.CommsManager.HttpServer);	99	AddHttpHandlers(m_scene.CommsManager.HttpServer);


diff --git a/OpenSim/Region/CoreModules/Hypergrid/HGStandaloneLoginModule.cs b/OpenSim/Region/CoreModules/Hypergrid/HGStandaloneLoginModule.cs index f0e957b..c458b89 100644 --- a/OpenSim/Region/CoreModules/Hypergrid/HGStandaloneLoginModule.cs +++ b/OpenSim/Region/CoreModules/Hypergrid/HGStandaloneLoginModule.cs
@@ -104,11 +104,12 @@ namespace OpenSim.Region.CoreModules.Hypergrid
104	IHttpServer httpServer = m_firstScene.CommsManager.HttpServer;	104	IHttpServer httpServer = m_firstScene.CommsManager.HttpServer;
105		105
106	//TODO: fix the casting of the user service, maybe by registering the userManagerBase with scenes, or refactoring so we just need a IUserService reference	106	//TODO: fix the casting of the user service, maybe by registering the userManagerBase with scenes, or refactoring so we just need a IUserService reference
107	m_loginService = new HGLoginAuthService((UserManagerBase)m_firstScene.CommsManager.UserService, welcomeMessage, m_firstScene.CommsManager.InterServiceInventoryService, m_firstScene.CommsManager.NetworkServersInfo, authenticate, rootFolder, this);	107	m_loginService = new HGLoginAuthService((UserManagerBase)m_firstScene.CommsManager.UserAdminService, welcomeMessage, m_firstScene.CommsManager.InterServiceInventoryService, m_firstScene.CommsManager.NetworkServersInfo, authenticate, rootFolder, this);
108		108
109	httpServer.AddXmlRPCHandler("hg_login", m_loginService.XmlRpcLoginMethod);	109	httpServer.AddXmlRPCHandler("hg_login", m_loginService.XmlRpcLoginMethod);
110	httpServer.AddXmlRPCHandler("hg_new_auth_key", m_loginService.XmlRpcGenerateKeyMethod);	110	httpServer.AddXmlRPCHandler("hg_new_auth_key", m_loginService.XmlRpcGenerateKeyMethod);
111	httpServer.AddXmlRPCHandler("hg_verify_auth_key", m_loginService.XmlRpcVerifyKeyMethod);	111	httpServer.AddXmlRPCHandler("hg_verify_auth_key", m_loginService.XmlRpcVerifyKeyMethod);
		112	httpServer.AddXmlRPCHandler("check_auth_session", m_loginService.XmlRPCCheckAuthSession);
112		113
113	}	114	}
114	}	115	}