[open-ils-commits] [GIT] Evergreen ILS branch rel_2_0 updated. 3db19f9d566493ddb5446e69f31b954d52bc361e
Evergreen Git
git at git.evergreen-ils.org
Tue Oct 4 12:52:00 EDT 2011
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "Evergreen ILS".
The branch, rel_2_0 has been updated
via 3db19f9d566493ddb5446e69f31b954d52bc361e (commit)
via de72b1a28e9153c0e59acdbdceee8dc7ea485708 (commit)
via 37c3f2230d49dc09063a6ebcd4e8584a27724c0c (commit)
from 6b1cdad10b6f5adacd07a8956dc8c1da490b4908 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit 3db19f9d566493ddb5446e69f31b954d52bc361e
Author: Thomas Berezansky <tsbere at mvlc.org>
Date: Mon Sep 12 13:33:03 2011 -0400
When workstation is invalid request a new seed
The original one may no longer be valid
Signed-off-by: Thomas Berezansky <tsbere at mvlc.org>
Signed-off-by: Bill Erickson <berick at esilibrary.com>
diff --git a/Open-ILS/xul/staff_client/chrome/content/auth/session.js b/Open-ILS/xul/staff_client/chrome/content/auth/session.js
index ca5cb0d..c3f9a13 100644
--- a/Open-ILS/xul/staff_client/chrome/content/auth/session.js
+++ b/Open-ILS/xul/staff_client/chrome/content/auth/session.js
@@ -60,6 +60,15 @@ auth.session.prototype = {
data.stash('ws_info');
data.ws_name = null; data.stash('ws_name');
params.type = 'temp';
+ // We need to get a new seed
+ init = this.network.request(
+ api.AUTH_INIT.app,
+ api.AUTH_INIT.method,
+ [ this.view.name_prompt.value ]
+ );
+ if(init) {
+ params.password = hex_md5(init + hex_md5( this.view.password_prompt.value ));
+ }
robj = this.network.simple_request('AUTH_COMPLETE',[ params ]);
if (robj.ilsevent == 0) {
this.key = robj.payload.authtoken;
commit de72b1a28e9153c0e59acdbdceee8dc7ea485708
Author: Thomas Berezansky <tsbere at mvlc.org>
Date: Thu Sep 1 16:41:33 2011 -0400
Make more auth values configurable
Amount of time seed is valid
Amount of time to keep failure count in memcache since last auth event
Number of failures before locking out auth attempts
Also, remove seed from memcache once it has been used once.
Signed-off-by: Thomas Berezansky <tsbere at mvlc.org>
Signed-off-by: Bill Erickson <berick at esilibrary.com>
diff --git a/Open-ILS/examples/opensrf.xml.example b/Open-ILS/examples/opensrf.xml.example
index fd16730..7c2a878 100644
--- a/Open-ILS/examples/opensrf.xml.example
+++ b/Open-ILS/examples/opensrf.xml.example
@@ -441,6 +441,11 @@ vim:et:ts=4:sw=4:
<temp>300</temp>
<persist>2 weeks</persist>
</default_timeout>
+ <auth_limits>
+ <seed>30</seed> <!-- amount of time a seed request is valid for -->
+ <block_time>90</block_time> <!-- amount of time since last auth or seed request to save failure counts -->
+ <block_count>10</block_count> <!-- number of failures before blocking access -->
+ </auth_limits>
</app_settings>
</open-ils.auth>
diff --git a/Open-ILS/src/c-apps/oils_auth.c b/Open-ILS/src/c-apps/oils_auth.c
index 4d1a413..2e17b09 100644
--- a/Open-ILS/src/c-apps/oils_auth.c
+++ b/Open-ILS/src/c-apps/oils_auth.c
@@ -20,9 +20,6 @@
// Default time for extending a persistent session: ten minutes
#define DEFAULT_RESET_INTERVAL 10 * 60
-#define OILS_AUTH_COUNT_MAX 10
-#define OILS_AUTH_COUNT_INTERVAL 90
-
int osrfAppInitialize();
int osrfAppChildInit();
@@ -30,6 +27,9 @@ static long _oilsAuthOPACTimeout = 0;
static long _oilsAuthStaffTimeout = 0;
static long _oilsAuthOverrideTimeout = 0;
static long _oilsAuthPersistTimeout = 0;
+static long _oilsAuthSeedTimeout = 0;
+static long _oilsAuthBlockTimeout = 0;
+static long _oilsAuthBlockCount = 0;
/**
@@ -120,6 +120,42 @@ int osrfAppChildInit() {
int oilsAuthInit( osrfMethodContext* ctx ) {
OSRF_METHOD_VERIFY_CONTEXT(ctx);
+ if(!_oilsAuthSeedTimeout) { /* Load the default timeouts */
+
+ jsonObject* value_obj;
+
+ value_obj = osrf_settings_host_value_object(
+ "/apps/open-ils.auth/app_settings/auth_limits/seed" );
+ _oilsAuthSeedTimeout = oilsUtilsIntervalToSeconds( jsonObjectGetString( value_obj ));
+ jsonObjectFree(value_obj);
+ if( -1 == _oilsAuthSeedTimeout ) {
+ osrfLogWarning( OSRF_LOG_MARK, "Invalid timeout for Auth Seeds - Using 30 seconds" );
+ _oilsAuthSeedTimeout = 30;
+ }
+
+ value_obj = osrf_settings_host_value_object(
+ "/apps/open-ils.auth/app_settings/auth_limits/block_time" );
+ _oilsAuthBlockTimeout = oilsUtilsIntervalToSeconds( jsonObjectGetString( value_obj ));
+ jsonObjectFree(value_obj);
+ if( -1 == _oilsAuthBlockTimeout ) {
+ osrfLogWarning( OSRF_LOG_MARK, "Invalid timeout for Blocking Timeout - Using 3x Seed" );
+ _oilsAuthBlockTimeout = _oilsAuthSeedTimeout * 3;
+ }
+
+ value_obj = osrf_settings_host_value_object(
+ "/apps/open-ils.auth/app_settings/auth_limits/block_count" );
+ _oilsAuthBlockCount = oilsUtilsIntervalToSeconds( jsonObjectGetString( value_obj ));
+ jsonObjectFree(value_obj);
+ if( -1 == _oilsAuthBlockCount ) {
+ osrfLogWarning( OSRF_LOG_MARK, "Invalid count for Blocking - Using 10" );
+ _oilsAuthBlockCount = 10;
+ }
+
+ osrfLogInfo(OSRF_LOG_MARK, "Set auth limits: "
+ "seed => %ld : block_timeout => %ld : block_count => %ld",
+ _oilsAuthSeedTimeout, _oilsAuthBlockTimeout, _oilsAuthBlockCount );
+ }
+
char* username = jsonObjectToSimpleString( jsonObjectGetIndex(ctx->params, 0) );
if( username ) {
@@ -141,8 +177,8 @@ int oilsAuthInit( osrfMethodContext* ctx ) {
if(!countobject) {
countobject = jsonNewNumberObject( (double) 0 );
}
- osrfCachePutString( key, seed, 30 );
- osrfCachePutObject( countkey, countobject, OILS_AUTH_COUNT_INTERVAL );
+ osrfCachePutString( key, seed, _oilsAuthSeedTimeout );
+ osrfCachePutObject( countkey, countobject, _oilsAuthBlockTimeout );
osrfLogDebug( OSRF_LOG_MARK, "oilsAuthInit(): has seed %s and key %s", seed, key );
@@ -239,6 +275,9 @@ static int oilsAuthVerifyPassword( const osrfMethodContext* ctx,
ctx->request, "No authentication seed found. "
"open-ils.auth.authenticate.init must be called first");
}
+
+ // We won't be needing the seed again, remove it
+ osrfCacheRemove( "%s%s", OILS_AUTH_CACHE_PRFX, uname );
// Get the hashed password from the user object
char* realPassword = oilsFMGetString( userObj, "passwd" );
@@ -271,15 +310,15 @@ static int oilsAuthVerifyPassword( const osrfMethodContext* ctx,
jsonObject* countobject = osrfCacheGetObject( countkey );
if(countobject) {
double failcount = jsonObjectGetNumber( countobject );
- if(failcount >= OILS_AUTH_COUNT_MAX) {
+ if(failcount >= _oilsAuthBlockCount) {
ret = 0;
- osrfLogInternal(OSRF_LOG_MARK, "oilsAuth found too many recent failures: %d, forcing failure state.", failcount);
+ osrfLogInternal(OSRF_LOG_MARK, "oilsAuth found too many recent failures: %d, forcing failure state.", failcount);
}
if(ret == 0) {
failcount += 1;
}
jsonObjectSetNumber( countobject, failcount );
- osrfCachePutObject( countkey, countobject, OILS_AUTH_COUNT_INTERVAL );
+ osrfCachePutObject( countkey, countobject, _oilsAuthBlockTimeout );
jsonObjectFree(countobject);
}
free(countkey);
commit 37c3f2230d49dc09063a6ebcd4e8584a27724c0c
Author: Thomas Berezansky <tsbere at mvlc.org>
Date: Tue Aug 30 11:55:35 2011 -0400
Brute Force protection for authentication
Count auth failures in memcache.
If 10+ have occurred cause failure.
After 90 seconds of no activity counter resets.
Signed-off-by: Thomas Berezansky <tsbere at mvlc.org>
Signed-off-by: Bill Erickson <berick at esilibrary.com>
diff --git a/Open-ILS/src/c-apps/oils_auth.c b/Open-ILS/src/c-apps/oils_auth.c
index eab493e..4d1a413 100644
--- a/Open-ILS/src/c-apps/oils_auth.c
+++ b/Open-ILS/src/c-apps/oils_auth.c
@@ -8,6 +8,7 @@
#include "openils/oils_event.h"
#define OILS_AUTH_CACHE_PRFX "oils_auth_"
+#define OILS_AUTH_COUNT_SFFX "_count"
#define MODULENAME "open-ils.auth"
@@ -19,6 +20,9 @@
// Default time for extending a persistent session: ten minutes
#define DEFAULT_RESET_INTERVAL 10 * 60
+#define OILS_AUTH_COUNT_MAX 10
+#define OILS_AUTH_COUNT_INTERVAL 90
+
int osrfAppInitialize();
int osrfAppChildInit();
@@ -131,8 +135,14 @@ int oilsAuthInit( osrfMethodContext* ctx ) {
// Build a key and a seed; store them in memcache.
char* key = va_list_to_string( "%s%s", OILS_AUTH_CACHE_PRFX, username );
+ char* countkey = va_list_to_string( "%s%s%s", OILS_AUTH_CACHE_PRFX, username, OILS_AUTH_COUNT_SFFX );
char* seed = md5sum( "%d.%ld.%s", (int) time(NULL), (long) getpid(), username );
+ jsonObject* countobject = osrfCacheGetObject( countkey );
+ if(!countobject) {
+ countobject = jsonNewNumberObject( (double) 0 );
+ }
osrfCachePutString( key, seed, 30 );
+ osrfCachePutObject( countkey, countobject, OILS_AUTH_COUNT_INTERVAL );
osrfLogDebug( OSRF_LOG_MARK, "oilsAuthInit(): has seed %s and key %s", seed, key );
@@ -141,6 +151,8 @@ int oilsAuthInit( osrfMethodContext* ctx ) {
free( seed );
free( key );
+ free( countkey );
+ jsonObjectFree( countobject );
}
// Return the seed to the client.
@@ -255,6 +267,23 @@ static int oilsAuthVerifyPassword( const osrfMethodContext* ctx,
free(maskedPw);
+ char* countkey = va_list_to_string( "%s%s%s", OILS_AUTH_CACHE_PRFX, uname, OILS_AUTH_COUNT_SFFX );
+ jsonObject* countobject = osrfCacheGetObject( countkey );
+ if(countobject) {
+ double failcount = jsonObjectGetNumber( countobject );
+ if(failcount >= OILS_AUTH_COUNT_MAX) {
+ ret = 0;
+ osrfLogInternal(OSRF_LOG_MARK, "oilsAuth found too many recent failures: %d, forcing failure state.", failcount);
+ }
+ if(ret == 0) {
+ failcount += 1;
+ }
+ jsonObjectSetNumber( countobject, failcount );
+ osrfCachePutObject( countkey, countobject, OILS_AUTH_COUNT_INTERVAL );
+ jsonObjectFree(countobject);
+ }
+ free(countkey);
+
return ret;
}
-----------------------------------------------------------------------
Summary of changes:
Open-ILS/examples/opensrf.xml.example | 5 ++
Open-ILS/src/c-apps/oils_auth.c | 70 +++++++++++++++++++-
.../staff_client/chrome/content/auth/session.js | 9 +++
3 files changed, 83 insertions(+), 1 deletions(-)
hooks/post-receive
--
Evergreen ILS
More information about the open-ils-commits
mailing list