diff options
-rw-r--r-- | OpenSim/Framework/Servers/HttpServer/BaseStreamHandler.cs | 15 | ||||
-rw-r--r-- | OpenSim/Framework/ServiceAuth/BasicHttpAuthentication.cs | 25 | ||||
-rw-r--r-- | OpenSim/Framework/ServiceAuth/CompoundAuthentication.cs | 71 | ||||
-rw-r--r-- | OpenSim/Framework/ServiceAuth/DisallowLlHttpRequest.cs | 57 | ||||
-rw-r--r-- | OpenSim/Framework/ServiceAuth/IServiceAuth.cs | 3 | ||||
-rw-r--r-- | OpenSim/Framework/ServiceAuth/ServiceAuth.cs | 18 | ||||
-rw-r--r-- | bin/Robust.HG.ini.example | 7 | ||||
-rw-r--r-- | bin/Robust.ini.example | 7 |
8 files changed, 184 insertions, 19 deletions
diff --git a/OpenSim/Framework/Servers/HttpServer/BaseStreamHandler.cs b/OpenSim/Framework/Servers/HttpServer/BaseStreamHandler.cs index f160734..41aa19b 100644 --- a/OpenSim/Framework/Servers/HttpServer/BaseStreamHandler.cs +++ b/OpenSim/Framework/Servers/HttpServer/BaseStreamHandler.cs | |||
@@ -56,12 +56,17 @@ namespace OpenSim.Framework.Servers.HttpServer | |||
56 | string path, Stream request, IOSHttpRequest httpRequest, IOSHttpResponse httpResponse) | 56 | string path, Stream request, IOSHttpRequest httpRequest, IOSHttpResponse httpResponse) |
57 | { | 57 | { |
58 | RequestsReceived++; | 58 | RequestsReceived++; |
59 | if (m_Auth != null && !m_Auth.Authenticate(httpRequest.Headers, httpResponse.AddHeader)) | 59 | |
60 | if (m_Auth != null) | ||
60 | { | 61 | { |
61 | 62 | HttpStatusCode statusCode; | |
62 | httpResponse.StatusCode = (int)HttpStatusCode.Unauthorized; | 63 | |
63 | httpResponse.ContentType = "text/plain"; | 64 | if (!m_Auth.Authenticate(httpRequest.Headers, httpResponse.AddHeader, out statusCode)) |
64 | return new byte[0]; | 65 | { |
66 | httpResponse.StatusCode = (int)statusCode; | ||
67 | httpResponse.ContentType = "text/plain"; | ||
68 | return new byte[0]; | ||
69 | } | ||
65 | } | 70 | } |
66 | 71 | ||
67 | byte[] result = ProcessRequest(path, request, httpRequest, httpResponse); | 72 | byte[] result = ProcessRequest(path, request, httpRequest, httpResponse); |
diff --git a/OpenSim/Framework/ServiceAuth/BasicHttpAuthentication.cs b/OpenSim/Framework/ServiceAuth/BasicHttpAuthentication.cs index b3d64e1..3c13bbf 100644 --- a/OpenSim/Framework/ServiceAuth/BasicHttpAuthentication.cs +++ b/OpenSim/Framework/ServiceAuth/BasicHttpAuthentication.cs | |||
@@ -28,6 +28,7 @@ | |||
28 | using System; | 28 | using System; |
29 | using System.Collections.Generic; | 29 | using System.Collections.Generic; |
30 | using System.Collections.Specialized; | 30 | using System.Collections.Specialized; |
31 | using System.Net; | ||
31 | using System.Reflection; | 32 | using System.Reflection; |
32 | 33 | ||
33 | using Nini.Config; | 34 | using Nini.Config; |
@@ -82,24 +83,28 @@ namespace OpenSim.Framework.ServiceAuth | |||
82 | return false; | 83 | return false; |
83 | } | 84 | } |
84 | 85 | ||
85 | public bool Authenticate(NameValueCollection requestHeaders, AddHeaderDelegate d) | 86 | public bool Authenticate(NameValueCollection requestHeaders, AddHeaderDelegate d, out HttpStatusCode statusCode) |
86 | { | 87 | { |
87 | //m_log.DebugFormat("[HTTP BASIC AUTH]: Authenticate in {0}", remove_me); | 88 | // m_log.DebugFormat("[HTTP BASIC AUTH]: Authenticate in {0}", "BasicHttpAuthentication"); |
88 | if (requestHeaders != null) | 89 | |
90 | string value = requestHeaders.Get("Authorization"); | ||
91 | if (value != null) | ||
89 | { | 92 | { |
90 | string value = requestHeaders.Get("Authorization"); | 93 | value = value.Trim(); |
91 | if (value != null) | 94 | if (value.StartsWith("Basic ")) |
92 | { | 95 | { |
93 | value = value.Trim(); | 96 | value = value.Replace("Basic ", string.Empty); |
94 | if (value.StartsWith("Basic ")) | 97 | if (Authenticate(value)) |
95 | { | 98 | { |
96 | value = value.Replace("Basic ", string.Empty); | 99 | statusCode = HttpStatusCode.OK; |
97 | if (Authenticate(value)) | 100 | return true; |
98 | return true; | ||
99 | } | 101 | } |
100 | } | 102 | } |
101 | } | 103 | } |
104 | |||
102 | d("WWW-Authenticate", "Basic realm = \"Asset Server\""); | 105 | d("WWW-Authenticate", "Basic realm = \"Asset Server\""); |
106 | |||
107 | statusCode = HttpStatusCode.Unauthorized; | ||
103 | return false; | 108 | return false; |
104 | } | 109 | } |
105 | } | 110 | } |
diff --git a/OpenSim/Framework/ServiceAuth/CompoundAuthentication.cs b/OpenSim/Framework/ServiceAuth/CompoundAuthentication.cs new file mode 100644 index 0000000..8c88d1c --- /dev/null +++ b/OpenSim/Framework/ServiceAuth/CompoundAuthentication.cs | |||
@@ -0,0 +1,71 @@ | |||
1 | /* | ||
2 | * Copyright (c) Contributors, http://opensimulator.org/ | ||
3 | * See CONTRIBUTORS.TXT for a full list of copyright holders. | ||
4 | * | ||
5 | * Redistribution and use in source and binary forms, with or without | ||
6 | * modification, are permitted provided that the following conditions are met: | ||
7 | * * Redistributions of source code must retain the above copyright | ||
8 | * notice, this list of conditions and the following disclaimer. | ||
9 | * * Redistributions in binary form must reproduce the above copyright | ||
10 | * notice, this list of conditions and the following disclaimer in the | ||
11 | * documentation and/or other materials provided with the distribution. | ||
12 | * * Neither the name of the OpenSimulator Project nor the | ||
13 | * names of its contributors may be used to endorse or promote products | ||
14 | * derived from this software without specific prior written permission. | ||
15 | * | ||
16 | * THIS SOFTWARE IS PROVIDED BY THE DEVELOPERS ``AS IS'' AND ANY | ||
17 | * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED | ||
18 | * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE | ||
19 | * DISCLAIMED. IN NO EVENT SHALL THE CONTRIBUTORS BE LIABLE FOR ANY | ||
20 | * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES | ||
21 | * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; | ||
22 | * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND | ||
23 | * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT | ||
24 | * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS | ||
25 | * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | ||
26 | */ | ||
27 | |||
28 | using System; | ||
29 | using System.Collections.Generic; | ||
30 | using System.Collections.Specialized; | ||
31 | using System.Linq; | ||
32 | using System.Net; | ||
33 | |||
34 | namespace OpenSim.Framework.ServiceAuth | ||
35 | { | ||
36 | public class CompoundAuthentication : IServiceAuth | ||
37 | { | ||
38 | private List<IServiceAuth> m_authentications = new List<IServiceAuth>(); | ||
39 | |||
40 | public int Count { get { return m_authentications.Count; } } | ||
41 | |||
42 | public void AddAuthenticator(IServiceAuth auth) | ||
43 | { | ||
44 | m_authentications.Add(auth); | ||
45 | } | ||
46 | |||
47 | public void RemoveAuthenticator(IServiceAuth auth) | ||
48 | { | ||
49 | m_authentications.Remove(auth); | ||
50 | } | ||
51 | |||
52 | public void AddAuthorization(NameValueCollection headers) {} | ||
53 | |||
54 | public bool Authenticate(string data) | ||
55 | { | ||
56 | return m_authentications.TrueForAll(a => a.Authenticate(data)); | ||
57 | } | ||
58 | |||
59 | public bool Authenticate(NameValueCollection requestHeaders, AddHeaderDelegate d, out HttpStatusCode statusCode) | ||
60 | { | ||
61 | foreach (IServiceAuth auth in m_authentications) | ||
62 | { | ||
63 | if (!auth.Authenticate(requestHeaders, d, out statusCode)) | ||
64 | return false; | ||
65 | } | ||
66 | |||
67 | statusCode = HttpStatusCode.OK; | ||
68 | return true; | ||
69 | } | ||
70 | } | ||
71 | } \ No newline at end of file | ||
diff --git a/OpenSim/Framework/ServiceAuth/DisallowLlHttpRequest.cs b/OpenSim/Framework/ServiceAuth/DisallowLlHttpRequest.cs new file mode 100644 index 0000000..1e1ee56 --- /dev/null +++ b/OpenSim/Framework/ServiceAuth/DisallowLlHttpRequest.cs | |||
@@ -0,0 +1,57 @@ | |||
1 | /* | ||
2 | * Copyright (c) Contributors, http://opensimulator.org/ | ||
3 | * See CONTRIBUTORS.TXT for a full list of copyright holders. | ||
4 | * | ||
5 | * Redistribution and use in source and binary forms, with or without | ||
6 | * modification, are permitted provided that the following conditions are met: | ||
7 | * * Redistributions of source code must retain the above copyright | ||
8 | * notice, this list of conditions and the following disclaimer. | ||
9 | * * Redistributions in binary form must reproduce the above copyright | ||
10 | * notice, this list of conditions and the following disclaimer in the | ||
11 | * documentation and/or other materials provided with the distribution. | ||
12 | * * Neither the name of the OpenSimulator Project nor the | ||
13 | * names of its contributors may be used to endorse or promote products | ||
14 | * derived from this software without specific prior written permission. | ||
15 | * | ||
16 | * THIS SOFTWARE IS PROVIDED BY THE DEVELOPERS ``AS IS'' AND ANY | ||
17 | * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED | ||
18 | * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE | ||
19 | * DISCLAIMED. IN NO EVENT SHALL THE CONTRIBUTORS BE LIABLE FOR ANY | ||
20 | * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES | ||
21 | * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; | ||
22 | * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND | ||
23 | * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT | ||
24 | * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS | ||
25 | * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | ||
26 | */ | ||
27 | |||
28 | using System; | ||
29 | using System.Collections.Specialized; | ||
30 | using System.Net; | ||
31 | |||
32 | namespace OpenSim.Framework.ServiceAuth | ||
33 | { | ||
34 | public class DisallowLlHttpRequest : IServiceAuth | ||
35 | { | ||
36 | public void AddAuthorization(NameValueCollection headers) {} | ||
37 | |||
38 | public bool Authenticate(string data) | ||
39 | { | ||
40 | return false; | ||
41 | } | ||
42 | |||
43 | public bool Authenticate(NameValueCollection requestHeaders, AddHeaderDelegate d, out HttpStatusCode statusCode) | ||
44 | { | ||
45 | // Console.WriteLine("DisallowLlHttpRequest"); | ||
46 | |||
47 | if (requestHeaders["X-SecondLife-Shard"] != null) | ||
48 | { | ||
49 | statusCode = HttpStatusCode.Forbidden; | ||
50 | return false; | ||
51 | } | ||
52 | |||
53 | statusCode = HttpStatusCode.OK; | ||
54 | return true; | ||
55 | } | ||
56 | } | ||
57 | } \ No newline at end of file | ||
diff --git a/OpenSim/Framework/ServiceAuth/IServiceAuth.cs b/OpenSim/Framework/ServiceAuth/IServiceAuth.cs index fdd97b2..adde62f 100644 --- a/OpenSim/Framework/ServiceAuth/IServiceAuth.cs +++ b/OpenSim/Framework/ServiceAuth/IServiceAuth.cs | |||
@@ -26,6 +26,7 @@ | |||
26 | */ | 26 | */ |
27 | 27 | ||
28 | using System; | 28 | using System; |
29 | using System.Net; | ||
29 | using System.Collections.Generic; | 30 | using System.Collections.Generic; |
30 | using System.Collections.Specialized; | 31 | using System.Collections.Specialized; |
31 | 32 | ||
@@ -36,7 +37,7 @@ namespace OpenSim.Framework.ServiceAuth | |||
36 | public interface IServiceAuth | 37 | public interface IServiceAuth |
37 | { | 38 | { |
38 | bool Authenticate(string data); | 39 | bool Authenticate(string data); |
39 | bool Authenticate(NameValueCollection headers, AddHeaderDelegate d); | 40 | bool Authenticate(NameValueCollection headers, AddHeaderDelegate d, out HttpStatusCode statusCode); |
40 | void AddAuthorization(NameValueCollection headers); | 41 | void AddAuthorization(NameValueCollection headers); |
41 | } | 42 | } |
42 | } | 43 | } |
diff --git a/OpenSim/Framework/ServiceAuth/ServiceAuth.cs b/OpenSim/Framework/ServiceAuth/ServiceAuth.cs index 5ab613b..30f5bd6 100644 --- a/OpenSim/Framework/ServiceAuth/ServiceAuth.cs +++ b/OpenSim/Framework/ServiceAuth/ServiceAuth.cs | |||
@@ -36,15 +36,27 @@ namespace OpenSim.Framework.ServiceAuth | |||
36 | { | 36 | { |
37 | public static IServiceAuth Create(IConfigSource config, string section) | 37 | public static IServiceAuth Create(IConfigSource config, string section) |
38 | { | 38 | { |
39 | CompoundAuthentication compoundAuth = new CompoundAuthentication(); | ||
40 | |||
41 | bool allowLlHttpRequestIn | ||
42 | = Util.GetConfigVarFromSections<bool>(config, "AllowllHTTPRequestIn", new string[] { "Network", section }, false); | ||
43 | |||
44 | if (!allowLlHttpRequestIn) | ||
45 | compoundAuth.AddAuthenticator(new DisallowLlHttpRequest()); | ||
46 | |||
39 | string authType = Util.GetConfigVarFromSections<string>(config, "AuthType", new string[] { "Network", section }, "None"); | 47 | string authType = Util.GetConfigVarFromSections<string>(config, "AuthType", new string[] { "Network", section }, "None"); |
40 | 48 | ||
41 | switch (authType) | 49 | switch (authType) |
42 | { | 50 | { |
43 | case "BasicHttpAuthentication": | 51 | case "BasicHttpAuthentication": |
44 | return new BasicHttpAuthentication(config, section); | 52 | compoundAuth.AddAuthenticator(new BasicHttpAuthentication(config, section)); |
53 | break; | ||
45 | } | 54 | } |
46 | 55 | ||
47 | return null; | 56 | if (compoundAuth.Count > 0) |
57 | return compoundAuth; | ||
58 | else | ||
59 | return null; | ||
48 | } | 60 | } |
49 | } | 61 | } |
50 | } | 62 | } \ No newline at end of file |
diff --git a/bin/Robust.HG.ini.example b/bin/Robust.HG.ini.example index 5fa4026..872a7f8 100644 --- a/bin/Robust.HG.ini.example +++ b/bin/Robust.HG.ini.example | |||
@@ -153,6 +153,13 @@ | |||
153 | ;; Hypergrid services are not affected by this; they are publicly available | 153 | ;; Hypergrid services are not affected by this; they are publicly available |
154 | ;; by design. | 154 | ;; by design. |
155 | 155 | ||
156 | ;; By default, scripts are not allowed to call private services via llHttpRequest() | ||
157 | ;; Such calls are detected by the X-SecondLife-Shared HTTP header | ||
158 | ;; If you allow such calls you must be sure that they are restricted to very trusted scripters | ||
159 | ;; (remember scripts can also be in visiting avatar attachments). | ||
160 | ;; This can be overriden in individual private service sections if necessary | ||
161 | AllowllHTTPRequestIn = false | ||
162 | |||
156 | ; * The following are for the remote console | 163 | ; * The following are for the remote console |
157 | ; * They have no effect for the local or basic console types | 164 | ; * They have no effect for the local or basic console types |
158 | ; * Leave commented to diable logins to the console | 165 | ; * Leave commented to diable logins to the console |
diff --git a/bin/Robust.ini.example b/bin/Robust.ini.example index a0b8f50..48deeae 100644 --- a/bin/Robust.ini.example +++ b/bin/Robust.ini.example | |||
@@ -129,6 +129,13 @@ | |||
129 | ;; This is useful in cases where you want to protect most of the services, | 129 | ;; This is useful in cases where you want to protect most of the services, |
130 | ;; but unprotect individual services. Username and Password can also be | 130 | ;; but unprotect individual services. Username and Password can also be |
131 | ;; overriden if you want to use different credentials for the different services. | 131 | ;; overriden if you want to use different credentials for the different services. |
132 | |||
133 | ;; By default, scripts are not allowed to call private services via llHttpRequest() | ||
134 | ;; Such calls are detected by the X-SecondLife-Shared HTTP header | ||
135 | ;; If you allow such calls you must be sure that they are restricted to very trusted scripters | ||
136 | ;; (remember scripts can also be in visiting avatar attachments). | ||
137 | ;; This can be overriden in individual private service sections if necessary | ||
138 | AllowllHTTPRequestIn = false | ||
132 | 139 | ||
133 | ; * The following are for the remote console | 140 | ; * The following are for the remote console |
134 | ; * They have no effect for the local or basic console types | 141 | ; * They have no effect for the local or basic console types |