diff options
Redesign the IAuthenticationService interface to use PKI. Sessioning is
now in the domain of the presence module where it belongs.
Diffstat (limited to '')
-rw-r--r-- | OpenSim/Services/AuthenticationService/AuthenticationService.cs | 312 |
1 files changed, 0 insertions, 312 deletions
diff --git a/OpenSim/Services/AuthenticationService/AuthenticationService.cs b/OpenSim/Services/AuthenticationService/AuthenticationService.cs deleted file mode 100644 index b81a004..0000000 --- a/OpenSim/Services/AuthenticationService/AuthenticationService.cs +++ /dev/null | |||
@@ -1,312 +0,0 @@ | |||
1 | /* | ||
2 | * Copyright (c) Contributors, http://opensimulator.org/ | ||
3 | * See CONTRIBUTORS.TXT for a full list of copyright holders. | ||
4 | * | ||
5 | * Redistribution and use in source and binary forms, with or without | ||
6 | * modification, are permitted provided that the following conditions are met: | ||
7 | * * Redistributions of source code must retain the above copyright | ||
8 | * notice, this list of conditions and the following disclaimer. | ||
9 | * * Redistributions in binary form must reproduce the above copyright | ||
10 | * notice, this list of conditions and the following disclaimer in the | ||
11 | * documentation and/or other materials provided with the distribution. | ||
12 | * * Neither the name of the OpenSimulator Project nor the | ||
13 | * names of its contributors may be used to endorse or promote products | ||
14 | * derived from this software without specific prior written permission. | ||
15 | * | ||
16 | * THIS SOFTWARE IS PROVIDED BY THE DEVELOPERS ``AS IS'' AND ANY | ||
17 | * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED | ||
18 | * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE | ||
19 | * DISCLAIMED. IN NO EVENT SHALL THE CONTRIBUTORS BE LIABLE FOR ANY | ||
20 | * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES | ||
21 | * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; | ||
22 | * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND | ||
23 | * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT | ||
24 | * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS | ||
25 | * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | ||
26 | */ | ||
27 | |||
28 | using System; | ||
29 | using System.Collections.Generic; | ||
30 | using System.Reflection; | ||
31 | using Nini.Config; | ||
32 | using log4net; | ||
33 | using OpenSim.Framework; | ||
34 | using OpenSim.Data; | ||
35 | using OpenSim.Services.Base; | ||
36 | using OpenSim.Services.Interfaces; | ||
37 | using OpenMetaverse; | ||
38 | |||
39 | namespace OpenSim.Services.AuthenticationService | ||
40 | { | ||
41 | /// <summary> | ||
42 | /// Simple authentication service implementation dealing only with users. | ||
43 | /// It uses the user DB directly to access user information. | ||
44 | /// It takes two config vars: | ||
45 | /// - Authenticate = {true|false} : to do or not to do authentication | ||
46 | /// - Authority = string like "osgrid.org" : this identity authority | ||
47 | /// that will be called back for identity verification | ||
48 | /// </summary> | ||
49 | public class HGAuthenticationService : ServiceBase, IAuthenticationService | ||
50 | { | ||
51 | private static readonly ILog m_log | ||
52 | = LogManager.GetLogger(MethodBase.GetCurrentMethod().DeclaringType); | ||
53 | |||
54 | protected IUserDataPlugin m_Database; | ||
55 | protected string m_AuthorityURL; | ||
56 | protected bool m_PerformAuthentication; | ||
57 | protected Dictionary<UUID, List<string>> m_UserKeys = new Dictionary<UUID, List<string>>(); | ||
58 | |||
59 | |||
60 | public HGAuthenticationService(IConfigSource config) : base(config) | ||
61 | { | ||
62 | string dllName = String.Empty; | ||
63 | string connString = String.Empty; | ||
64 | |||
65 | // | ||
66 | // Try reading the [DatabaseService] section first, if it exists | ||
67 | // | ||
68 | IConfig dbConfig = config.Configs["DatabaseService"]; | ||
69 | if (dbConfig != null) | ||
70 | { | ||
71 | dllName = dbConfig.GetString("StorageProvider", String.Empty); | ||
72 | connString = dbConfig.GetString("ConnectionString", String.Empty); | ||
73 | } | ||
74 | |||
75 | // | ||
76 | // Try reading the more specific [InventoryService] section, if it exists | ||
77 | // | ||
78 | IConfig authConfig = config.Configs["AuthenticationService"]; | ||
79 | if (authConfig != null) | ||
80 | { | ||
81 | dllName = authConfig.GetString("StorageProvider", dllName); | ||
82 | connString = authConfig.GetString("ConnectionString", connString); | ||
83 | |||
84 | m_PerformAuthentication = authConfig.GetBoolean("Authenticate", true); | ||
85 | m_AuthorityURL = "http://" + authConfig.GetString("Authority", "localhost"); | ||
86 | if (!m_AuthorityURL.EndsWith("/")) | ||
87 | m_AuthorityURL += "/"; | ||
88 | } | ||
89 | |||
90 | // | ||
91 | // We tried, but this doesn't exist. We can't proceed. | ||
92 | // | ||
93 | if (dllName.Equals(String.Empty)) | ||
94 | throw new Exception("No InventoryService configuration"); | ||
95 | |||
96 | m_Database = LoadPlugin<IUserDataPlugin>(dllName); | ||
97 | if (m_Database == null) | ||
98 | throw new Exception("Could not find a storage interface in the given module"); | ||
99 | |||
100 | m_Database.Initialise(connString); | ||
101 | } | ||
102 | |||
103 | public UUID AuthenticateKey(UUID principalID, string key) | ||
104 | { | ||
105 | bool writeAgentData = false; | ||
106 | |||
107 | UserAgentData agent = m_Database.GetAgentByUUID(principalID); | ||
108 | if (agent == null) | ||
109 | { | ||
110 | agent = new UserAgentData(); | ||
111 | agent.ProfileID = principalID; | ||
112 | agent.SessionID = UUID.Random(); | ||
113 | agent.SecureSessionID = UUID.Random(); | ||
114 | agent.AgentIP = "127.0.0.1"; | ||
115 | agent.AgentPort = 0; | ||
116 | agent.AgentOnline = false; | ||
117 | |||
118 | writeAgentData = true; | ||
119 | } | ||
120 | |||
121 | if (!m_PerformAuthentication) | ||
122 | { | ||
123 | if (writeAgentData) | ||
124 | m_Database.AddNewUserAgent(agent); | ||
125 | return agent.SessionID; | ||
126 | } | ||
127 | |||
128 | if (!VerifyKey(principalID, key)) | ||
129 | return UUID.Zero; | ||
130 | |||
131 | if (writeAgentData) | ||
132 | m_Database.AddNewUserAgent(agent); | ||
133 | |||
134 | return agent.SessionID; | ||
135 | } | ||
136 | |||
137 | /// <summary> | ||
138 | /// This implementation only authenticates users. | ||
139 | /// </summary> | ||
140 | /// <param name="principalID"></param> | ||
141 | /// <param name="password"></param> | ||
142 | /// <returns></returns> | ||
143 | public UUID AuthenticatePassword(UUID principalID, string password) | ||
144 | { | ||
145 | bool writeAgentData = false; | ||
146 | |||
147 | UserAgentData agent = m_Database.GetAgentByUUID(principalID); | ||
148 | if (agent == null) | ||
149 | { | ||
150 | agent = new UserAgentData(); | ||
151 | agent.ProfileID = principalID; | ||
152 | agent.SessionID = UUID.Random(); | ||
153 | agent.SecureSessionID = UUID.Random(); | ||
154 | agent.AgentIP = "127.0.0.1"; | ||
155 | agent.AgentPort = 0; | ||
156 | agent.AgentOnline = false; | ||
157 | |||
158 | writeAgentData = true; | ||
159 | } | ||
160 | |||
161 | if (!m_PerformAuthentication) | ||
162 | { | ||
163 | if (writeAgentData) | ||
164 | m_Database.AddNewUserAgent(agent); | ||
165 | return agent.SessionID; | ||
166 | } | ||
167 | |||
168 | UserProfileData profile = m_Database.GetUserByUUID(principalID); | ||
169 | bool passwordSuccess = false; | ||
170 | m_log.InfoFormat("[AUTH]: Authenticating {0} {1} ({2})", profile.FirstName, profile.SurName, profile.ID); | ||
171 | |||
172 | // we do this to get our hash in a form that the server password code can consume | ||
173 | // when the web-login-form submits the password in the clear (supposed to be over SSL!) | ||
174 | if (!password.StartsWith("$1$")) | ||
175 | password = "$1$" + Util.Md5Hash(password); | ||
176 | |||
177 | password = password.Remove(0, 3); //remove $1$ | ||
178 | |||
179 | string s = Util.Md5Hash(password + ":" + profile.PasswordSalt); | ||
180 | // Testing... | ||
181 | //m_log.Info("[LOGIN]: SubHash:" + s + " userprofile:" + profile.passwordHash); | ||
182 | //m_log.Info("[LOGIN]: userprofile:" + profile.passwordHash + " SubCT:" + password); | ||
183 | |||
184 | passwordSuccess = (profile.PasswordHash.Equals(s.ToString(), StringComparison.InvariantCultureIgnoreCase) | ||
185 | || profile.PasswordHash.Equals(password, StringComparison.InvariantCulture)); | ||
186 | |||
187 | if (!passwordSuccess) | ||
188 | return UUID.Zero; | ||
189 | |||
190 | if (writeAgentData) | ||
191 | m_Database.AddNewUserAgent(agent); | ||
192 | |||
193 | return agent.SessionID; | ||
194 | } | ||
195 | |||
196 | /// <summary> | ||
197 | /// This generates authorization keys in the form | ||
198 | /// http://authority/uuid | ||
199 | /// after verifying that the caller is, indeed, authorized to request a key | ||
200 | /// </summary> | ||
201 | /// <param name="userID">The principal ID requesting the new key</param> | ||
202 | /// <param name="authToken">The original authorization token for that principal, obtained during login</param> | ||
203 | /// <returns></returns> | ||
204 | public string GetKey(UUID principalID, string authToken) | ||
205 | { | ||
206 | UserProfileData profile = m_Database.GetUserByUUID(principalID); | ||
207 | string newKey = string.Empty; | ||
208 | |||
209 | if (profile != null) | ||
210 | { | ||
211 | m_log.DebugFormat("[AUTH]: stored auth token is {0}. Given token is {1}", profile.WebLoginKey.ToString(), authToken); | ||
212 | // I'm overloading webloginkey for this, so that no changes are needed in the DB | ||
213 | // The uses of webloginkey are fairly mutually exclusive | ||
214 | if (profile.WebLoginKey.ToString().Equals(authToken)) | ||
215 | { | ||
216 | newKey = UUID.Random().ToString(); | ||
217 | List<string> keys; | ||
218 | lock (m_UserKeys) | ||
219 | { | ||
220 | if (m_UserKeys.ContainsKey(principalID)) | ||
221 | { | ||
222 | keys = m_UserKeys[principalID]; | ||
223 | } | ||
224 | else | ||
225 | { | ||
226 | keys = new List<string>(); | ||
227 | m_UserKeys.Add(principalID, keys); | ||
228 | } | ||
229 | keys.Add(newKey); | ||
230 | } | ||
231 | m_log.InfoFormat("[AUTH]: Successfully generated new auth key for {0}", principalID); | ||
232 | } | ||
233 | else | ||
234 | m_log.Warn("[AUTH]: Unauthorized key generation request. Denying new key."); | ||
235 | } | ||
236 | else | ||
237 | m_log.Warn("[AUTH]: Principal not found."); | ||
238 | |||
239 | return m_AuthorityURL + newKey; | ||
240 | } | ||
241 | |||
242 | /// <summary> | ||
243 | /// This verifies the uuid portion of the key given out by GenerateKey | ||
244 | /// </summary> | ||
245 | /// <param name="userID"></param> | ||
246 | /// <param name="key"></param> | ||
247 | /// <returns></returns> | ||
248 | public bool VerifyKey(UUID userID, string key) | ||
249 | { | ||
250 | lock (m_UserKeys) | ||
251 | { | ||
252 | if (m_UserKeys.ContainsKey(userID)) | ||
253 | { | ||
254 | List<string> keys = m_UserKeys[userID]; | ||
255 | if (keys.Contains(key)) | ||
256 | { | ||
257 | // Keys are one-time only, so remove it | ||
258 | keys.Remove(key); | ||
259 | return true; | ||
260 | } | ||
261 | return false; | ||
262 | } | ||
263 | else | ||
264 | return false; | ||
265 | } | ||
266 | } | ||
267 | |||
268 | public UUID CreateUserSession(UUID userID, UUID oldSessionID) | ||
269 | { | ||
270 | UserAgentData agent = m_Database.GetAgentByUUID(userID); | ||
271 | |||
272 | if (agent == null) | ||
273 | return UUID.Zero; | ||
274 | |||
275 | agent.SessionID = UUID.Random(); | ||
276 | |||
277 | m_Database.AddNewUserAgent(agent); | ||
278 | return agent.SessionID; | ||
279 | } | ||
280 | |||
281 | public bool VerifyUserSession(UUID userID, UUID sessionID) | ||
282 | { | ||
283 | UserProfileData userProfile = m_Database.GetUserByUUID(userID); | ||
284 | |||
285 | if (userProfile != null && userProfile.CurrentAgent != null) | ||
286 | { | ||
287 | m_log.DebugFormat("[AUTH]: Verifying session {0} for {1}; current session {2}", sessionID, userID, userProfile.CurrentAgent.SessionID); | ||
288 | if (userProfile.CurrentAgent.SessionID == sessionID) | ||
289 | { | ||
290 | return true; | ||
291 | } | ||
292 | } | ||
293 | |||
294 | return false; | ||
295 | } | ||
296 | |||
297 | public bool DestroyUserSession(UUID userID, UUID sessionID) | ||
298 | { | ||
299 | if (!VerifyUserSession(userID, sessionID)) | ||
300 | return false; | ||
301 | |||
302 | UserAgentData agent = m_Database.GetAgentByUUID(userID); | ||
303 | if (agent == null) | ||
304 | return false; | ||
305 | |||
306 | agent.SessionID = UUID.Zero; | ||
307 | m_Database.AddNewUserAgent(agent); | ||
308 | |||
309 | return true; | ||
310 | } | ||
311 | } | ||
312 | } | ||