[open-ils-commits] [GIT] Evergreen ILS branch rel_1_6 updated. 3aadaf436fcdf6366a765798c583cc7c9b71bcc0
Evergreen Git
git at git.evergreen-ils.org
Tue Oct 4 12:50:08 EDT 2011
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "Evergreen ILS".
The branch, rel_1_6 has been updated
via 3aadaf436fcdf6366a765798c583cc7c9b71bcc0 (commit)
via 59dad65be04d83dd418b7436bcb8f9229270541e (commit)
via 91cbf664c28934c3c1399b6c22eff4477ff60187 (commit)
from 543676f0a349bbd154a7368610a4564e59d1f744 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit 3aadaf436fcdf6366a765798c583cc7c9b71bcc0
Author: Thomas Berezansky <tsbere at mvlc.org>
Date: Mon Sep 12 13:33:03 2011 -0400
When workstation is invalid request a new seed
The original one may no longer be valid
Signed-off-by: Thomas Berezansky <tsbere at mvlc.org>
Signed-off-by: Bill Erickson <berick at esilibrary.com>
diff --git a/Open-ILS/xul/staff_client/chrome/content/auth/session.js b/Open-ILS/xul/staff_client/chrome/content/auth/session.js
index 405c303..e8c7b61 100644
--- a/Open-ILS/xul/staff_client/chrome/content/auth/session.js
+++ b/Open-ILS/xul/staff_client/chrome/content/auth/session.js
@@ -59,6 +59,15 @@ auth.session.prototype = {
data.stash('ws_info');
data.ws_name = null; data.stash('ws_name');
params.type = 'temp';
+ // We need to get a new seed
+ init = this.network.request(
+ api.AUTH_INIT.app,
+ api.AUTH_INIT.method,
+ [ this.view.name_prompt.value ]
+ );
+ if(init) {
+ params.password = hex_md5(init + hex_md5( this.view.password_prompt.value ));
+ }
robj = this.network.simple_request('AUTH_COMPLETE',[ params ]);
if (robj.ilsevent == 0) {
this.key = robj.payload.authtoken;
commit 59dad65be04d83dd418b7436bcb8f9229270541e
Author: Thomas Berezansky <tsbere at mvlc.org>
Date: Thu Sep 1 16:41:33 2011 -0400
Make more auth values configurable
Amount of time seed is valid
Amount of time to keep failure count in memcache since last auth event
Number of failures before locking out auth attempts
Also, remove seed from memcache once it has been used once.
Signed-off-by: Thomas Berezansky <tsbere at mvlc.org>
Signed-off-by: Bill Erickson <berick at esilibrary.com>
diff --git a/Open-ILS/examples/opensrf.xml.example b/Open-ILS/examples/opensrf.xml.example
index 99e4407..7306da5 100644
--- a/Open-ILS/examples/opensrf.xml.example
+++ b/Open-ILS/examples/opensrf.xml.example
@@ -363,6 +363,11 @@ vim:et:ts=4:sw=4:
<staff>7200</staff>
<temp>300</temp>
</default_timeout>
+ <auth_limits>
+ <seed>30</seed> <!-- amount of time a seed request is valid for -->
+ <block_time>90</block_time> <!-- amount of time since last auth or seed request to save failure counts -->
+ <block_count>10</block_count> <!-- number of failures before blocking access -->
+ </auth_limits>
</app_settings>
</open-ils.auth>
diff --git a/Open-ILS/src/c-apps/oils_auth.c b/Open-ILS/src/c-apps/oils_auth.c
index ee04276..c507d19 100644
--- a/Open-ILS/src/c-apps/oils_auth.c
+++ b/Open-ILS/src/c-apps/oils_auth.c
@@ -16,15 +16,15 @@
#define OILS_AUTH_STAFF "staff"
#define OILS_AUTH_TEMP "temp"
-#define OILS_AUTH_COUNT_MAX 10
-#define OILS_AUTH_COUNT_INTERVAL 90
-
int osrfAppInitialize();
int osrfAppChildInit();
static int _oilsAuthOPACTimeout = 0;
static int _oilsAuthStaffTimeout = 0;
static int _oilsAuthOverrideTimeout = 0;
+static int _oilsAuthSeedTimeout = 0;
+static int _oilsAuthBlockTimeout = 0;
+static int _oilsAuthBlockCount = 0;
int osrfAppInitialize() {
@@ -95,6 +95,41 @@ int oilsAuthInit( osrfMethodContext* ctx ) {
char* md5seed = NULL;
char* key = NULL;
char* countkey = NULL;
+ if(!_oilsAuthSeedTimeout) { /* Load the default timeouts */
+
+ jsonObject* value_obj;
+
+ value_obj = osrf_settings_host_value_object(
+ "/apps/open-ils.auth/app_settings/auth_limits/seed" );
+ _oilsAuthSeedTimeout = jsonObjectGetNumber( value_obj );
+ jsonObjectFree(value_obj);
+ if( 0 <= _oilsAuthSeedTimeout ) {
+ osrfLogWarning( OSRF_LOG_MARK, "Invalid timeout for Auth Seeds - Using 30 seconds" );
+ _oilsAuthSeedTimeout = 30;
+ }
+
+ value_obj = osrf_settings_host_value_object(
+ "/apps/open-ils.auth/app_settings/auth_limits/block_time" );
+ _oilsAuthBlockTimeout = jsonObjectGetNumber( value_obj );
+ jsonObjectFree(value_obj);
+ if( 0 <= _oilsAuthBlockTimeout ) {
+ osrfLogWarning( OSRF_LOG_MARK, "Invalid timeout for Blocking Timeout - Using 3x Seed" );
+ _oilsAuthBlockTimeout = _oilsAuthSeedTimeout * 3;
+ }
+
+ value_obj = osrf_settings_host_value_object(
+ "/apps/open-ils.auth/app_settings/auth_limits/block_count" );
+ _oilsAuthBlockCount = jsonObjectGetNumber( value_obj );
+ jsonObjectFree(value_obj);
+ if( 0 <= _oilsAuthBlockCount ) {
+ osrfLogWarning( OSRF_LOG_MARK, "Invalid count for Blocking - Using 10" );
+ _oilsAuthBlockCount = 10;
+ }
+
+ osrfLogInfo(OSRF_LOG_MARK, "Set auth limits: "
+ "seed => %ld : block_timeout => %ld : block_count => %ld",
+ _oilsAuthSeedTimeout, _oilsAuthBlockTimeout, _oilsAuthBlockCount );
+ }
if( (username = jsonObjectToSimpleString(jsonObjectGetIndex(ctx->params, 0))) ) {
@@ -116,8 +151,8 @@ int oilsAuthInit( osrfMethodContext* ctx ) {
}
md5seed = md5sum(seed);
- osrfCachePutString( key, md5seed, 30 );
- osrfCachePutObject( countkey, countobject, OILS_AUTH_COUNT_INTERVAL );
+ osrfCachePutString( key, md5seed, _oilsAuthSeedTimeout );
+ osrfCachePutObject( countkey, countobject, _oilsAuthBlockTimeout );
osrfLogDebug( OSRF_LOG_MARK, "oilsAuthInit(): has seed %s and key %s", md5seed, key );
resp = jsonNewObject(md5seed);
@@ -190,6 +225,9 @@ static int oilsAuthVerifyPassword( const osrfMethodContext* ctx,
ctx->request, "No authentication seed found. "
"open-ils.auth.authenticate.init must be called first");
}
+
+ // We won't be needing the seed again, remove it
+ osrfCacheRemove( "%s%s", OILS_AUTH_CACHE_PRFX, uname );
osrfLogInternal(OSRF_LOG_MARK, "oilsAuth retrieved real password: [%s]", realPassword);
osrfLogDebug(OSRF_LOG_MARK, "oilsAuth retrieved seed from cache: %s", seed );
@@ -212,15 +250,15 @@ static int oilsAuthVerifyPassword( const osrfMethodContext* ctx,
jsonObject* countobject = osrfCacheGetObject( countkey );
if(countobject) {
double failcount = jsonObjectGetNumber( countobject );
- if(failcount >= OILS_AUTH_COUNT_MAX) {
+ if(failcount >= _oilsAuthBlockCount) {
ret = 0;
- osrfLogInternal(OSRF_LOG_MARK, "oilsAuth found too many recent failures: %d, forcing failure state.", failcount);
+ osrfLogInternal(OSRF_LOG_MARK, "oilsAuth found too many recent failures: %d, forcing failure state.", failcount);
}
if(ret == 0) {
failcount += 1;
}
jsonObjectSetNumber( countobject, failcount );
- osrfCachePutObject( countkey, countobject, OILS_AUTH_COUNT_INTERVAL );
+ osrfCachePutObject( countkey, countobject, _oilsAuthBlockTimeout );
jsonObjectFree(countobject);
}
free(countkey);
commit 91cbf664c28934c3c1399b6c22eff4477ff60187
Author: Thomas Berezansky <tsbere at mvlc.org>
Date: Tue Aug 30 11:55:35 2011 -0400
Brute Force protection for authentication
Count auth failures in memcache.
If 10+ have occurred cause failure.
After 90 seconds of no activity counter resets.
Signed-off-by: Thomas Berezansky <tsbere at mvlc.org>
Signed-off-by: Bill Erickson <berick at esilibrary.com>
diff --git a/Open-ILS/src/c-apps/oils_auth.c b/Open-ILS/src/c-apps/oils_auth.c
index b553c5f..ee04276 100644
--- a/Open-ILS/src/c-apps/oils_auth.c
+++ b/Open-ILS/src/c-apps/oils_auth.c
@@ -8,6 +8,7 @@
#include "openils/oils_event.h"
#define OILS_AUTH_CACHE_PRFX "oils_auth_"
+#define OILS_AUTH_COUNT_SFFX "_count"
#define MODULENAME "open-ils.auth"
@@ -15,6 +16,9 @@
#define OILS_AUTH_STAFF "staff"
#define OILS_AUTH_TEMP "temp"
+#define OILS_AUTH_COUNT_MAX 10
+#define OILS_AUTH_COUNT_INTERVAL 90
+
int osrfAppInitialize();
int osrfAppChildInit();
@@ -90,6 +94,7 @@ int oilsAuthInit( osrfMethodContext* ctx ) {
char* seed = NULL;
char* md5seed = NULL;
char* key = NULL;
+ char* countkey = NULL;
if( (username = jsonObjectToSimpleString(jsonObjectGetIndex(ctx->params, 0))) ) {
@@ -103,10 +108,16 @@ int oilsAuthInit( osrfMethodContext* ctx ) {
seed = va_list_to_string( "%d.%ld.%s", time(NULL), (long) getpid(), username );
key = va_list_to_string( "%s%s", OILS_AUTH_CACHE_PRFX, username );
+ countkey = va_list_to_string( "%s%s%s", OILS_AUTH_CACHE_PRFX, username, OILS_AUTH_COUNT_SFFX );
+
+ jsonObject* countobject = osrfCacheGetObject( countkey );
+ if(!countobject) {
+ countobject = jsonNewNumberObject( (double) 0 );
+ }
md5seed = md5sum(seed);
osrfCachePutString( key, md5seed, 30 );
-
+ osrfCachePutObject( countkey, countobject, OILS_AUTH_COUNT_INTERVAL );
osrfLogDebug( OSRF_LOG_MARK, "oilsAuthInit(): has seed %s and key %s", md5seed, key );
resp = jsonNewObject(md5seed);
@@ -115,6 +126,8 @@ int oilsAuthInit( osrfMethodContext* ctx ) {
free(seed);
free(md5seed);
free(key);
+ free( countkey );
+ jsonObjectFree( countobject );
}
jsonObjectFree(resp);
@@ -195,6 +208,23 @@ static int oilsAuthVerifyPassword( const osrfMethodContext* ctx,
free(seed);
free(maskedPw);
+ char* countkey = va_list_to_string( "%s%s%s", OILS_AUTH_CACHE_PRFX, uname, OILS_AUTH_COUNT_SFFX );
+ jsonObject* countobject = osrfCacheGetObject( countkey );
+ if(countobject) {
+ double failcount = jsonObjectGetNumber( countobject );
+ if(failcount >= OILS_AUTH_COUNT_MAX) {
+ ret = 0;
+ osrfLogInternal(OSRF_LOG_MARK, "oilsAuth found too many recent failures: %d, forcing failure state.", failcount);
+ }
+ if(ret == 0) {
+ failcount += 1;
+ }
+ jsonObjectSetNumber( countobject, failcount );
+ osrfCachePutObject( countkey, countobject, OILS_AUTH_COUNT_INTERVAL );
+ jsonObjectFree(countobject);
+ }
+ free(countkey);
+
return ret;
}
-----------------------------------------------------------------------
Summary of changes:
Open-ILS/examples/opensrf.xml.example | 5 ++
Open-ILS/src/c-apps/oils_auth.c | 72 +++++++++++++++++++-
.../staff_client/chrome/content/auth/session.js | 9 +++
3 files changed, 84 insertions(+), 2 deletions(-)
hooks/post-receive
--
Evergreen ILS
More information about the open-ils-commits
mailing list