[open-ils-commits] [GIT] Evergreen ILS branch rel_1_6_1 updated. b1660a781e2149e0e91b693b13c91f04f232779d
Evergreen Git
git at git.evergreen-ils.org
Tue Oct 4 13:03:30 EDT 2011
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "Evergreen ILS".
The branch, rel_1_6_1 has been updated
via b1660a781e2149e0e91b693b13c91f04f232779d (commit)
via 6397cfa6fcc9595d2607f9b750b52b7f752261c4 (commit)
via 5e82f9394172a4731986b3ea30f5c0e226c27b9e (commit)
from 7a464f82cffa9b0b15bf0591dbc874f6ccdee522 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit b1660a781e2149e0e91b693b13c91f04f232779d
Author: Thomas Berezansky <tsbere at mvlc.org>
Date: Mon Sep 12 13:33:03 2011 -0400
When workstation is invalid request a new seed
The original one may no longer be valid
Signed-off-by: Thomas Berezansky <tsbere at mvlc.org>
Signed-off-by: Bill Erickson <berick at esilibrary.com>
diff --git a/Open-ILS/xul/staff_client/chrome/content/auth/session.js b/Open-ILS/xul/staff_client/chrome/content/auth/session.js
index 405c303..e8c7b61 100644
--- a/Open-ILS/xul/staff_client/chrome/content/auth/session.js
+++ b/Open-ILS/xul/staff_client/chrome/content/auth/session.js
@@ -59,6 +59,15 @@ auth.session.prototype = {
data.stash('ws_info');
data.ws_name = null; data.stash('ws_name');
params.type = 'temp';
+ // We need to get a new seed
+ init = this.network.request(
+ api.AUTH_INIT.app,
+ api.AUTH_INIT.method,
+ [ this.view.name_prompt.value ]
+ );
+ if(init) {
+ params.password = hex_md5(init + hex_md5( this.view.password_prompt.value ));
+ }
robj = this.network.simple_request('AUTH_COMPLETE',[ params ]);
if (robj.ilsevent == 0) {
this.key = robj.payload.authtoken;
commit 6397cfa6fcc9595d2607f9b750b52b7f752261c4
Author: Thomas Berezansky <tsbere at mvlc.org>
Date: Thu Sep 1 16:41:33 2011 -0400
Make more auth values configurable
Amount of time seed is valid
Amount of time to keep failure count in memcache since last auth event
Number of failures before locking out auth attempts
Also, remove seed from memcache once it has been used once.
Signed-off-by: Thomas Berezansky <tsbere at mvlc.org>
Signed-off-by: Bill Erickson <berick at esilibrary.com>
diff --git a/Open-ILS/examples/opensrf.xml.example b/Open-ILS/examples/opensrf.xml.example
index 7f570fd..05d3712 100644
--- a/Open-ILS/examples/opensrf.xml.example
+++ b/Open-ILS/examples/opensrf.xml.example
@@ -354,6 +354,11 @@ vim:et:ts=4:sw=4:
<staff>7200</staff>
<temp>300</temp>
</default_timeout>
+ <auth_limits>
+ <seed>30</seed> <!-- amount of time a seed request is valid for -->
+ <block_time>90</block_time> <!-- amount of time since last auth or seed request to save failure counts -->
+ <block_count>10</block_count> <!-- number of failures before blocking access -->
+ </auth_limits>
</app_settings>
</open-ils.auth>
diff --git a/Open-ILS/src/c-apps/oils_auth.c b/Open-ILS/src/c-apps/oils_auth.c
index ee04276..c507d19 100644
--- a/Open-ILS/src/c-apps/oils_auth.c
+++ b/Open-ILS/src/c-apps/oils_auth.c
@@ -16,15 +16,15 @@
#define OILS_AUTH_STAFF "staff"
#define OILS_AUTH_TEMP "temp"
-#define OILS_AUTH_COUNT_MAX 10
-#define OILS_AUTH_COUNT_INTERVAL 90
-
int osrfAppInitialize();
int osrfAppChildInit();
static int _oilsAuthOPACTimeout = 0;
static int _oilsAuthStaffTimeout = 0;
static int _oilsAuthOverrideTimeout = 0;
+static int _oilsAuthSeedTimeout = 0;
+static int _oilsAuthBlockTimeout = 0;
+static int _oilsAuthBlockCount = 0;
int osrfAppInitialize() {
@@ -95,6 +95,41 @@ int oilsAuthInit( osrfMethodContext* ctx ) {
char* md5seed = NULL;
char* key = NULL;
char* countkey = NULL;
+ if(!_oilsAuthSeedTimeout) { /* Load the default timeouts */
+
+ jsonObject* value_obj;
+
+ value_obj = osrf_settings_host_value_object(
+ "/apps/open-ils.auth/app_settings/auth_limits/seed" );
+ _oilsAuthSeedTimeout = jsonObjectGetNumber( value_obj );
+ jsonObjectFree(value_obj);
+ if( 0 <= _oilsAuthSeedTimeout ) {
+ osrfLogWarning( OSRF_LOG_MARK, "Invalid timeout for Auth Seeds - Using 30 seconds" );
+ _oilsAuthSeedTimeout = 30;
+ }
+
+ value_obj = osrf_settings_host_value_object(
+ "/apps/open-ils.auth/app_settings/auth_limits/block_time" );
+ _oilsAuthBlockTimeout = jsonObjectGetNumber( value_obj );
+ jsonObjectFree(value_obj);
+ if( 0 <= _oilsAuthBlockTimeout ) {
+ osrfLogWarning( OSRF_LOG_MARK, "Invalid timeout for Blocking Timeout - Using 3x Seed" );
+ _oilsAuthBlockTimeout = _oilsAuthSeedTimeout * 3;
+ }
+
+ value_obj = osrf_settings_host_value_object(
+ "/apps/open-ils.auth/app_settings/auth_limits/block_count" );
+ _oilsAuthBlockCount = jsonObjectGetNumber( value_obj );
+ jsonObjectFree(value_obj);
+ if( 0 <= _oilsAuthBlockCount ) {
+ osrfLogWarning( OSRF_LOG_MARK, "Invalid count for Blocking - Using 10" );
+ _oilsAuthBlockCount = 10;
+ }
+
+ osrfLogInfo(OSRF_LOG_MARK, "Set auth limits: "
+ "seed => %ld : block_timeout => %ld : block_count => %ld",
+ _oilsAuthSeedTimeout, _oilsAuthBlockTimeout, _oilsAuthBlockCount );
+ }
if( (username = jsonObjectToSimpleString(jsonObjectGetIndex(ctx->params, 0))) ) {
@@ -116,8 +151,8 @@ int oilsAuthInit( osrfMethodContext* ctx ) {
}
md5seed = md5sum(seed);
- osrfCachePutString( key, md5seed, 30 );
- osrfCachePutObject( countkey, countobject, OILS_AUTH_COUNT_INTERVAL );
+ osrfCachePutString( key, md5seed, _oilsAuthSeedTimeout );
+ osrfCachePutObject( countkey, countobject, _oilsAuthBlockTimeout );
osrfLogDebug( OSRF_LOG_MARK, "oilsAuthInit(): has seed %s and key %s", md5seed, key );
resp = jsonNewObject(md5seed);
@@ -190,6 +225,9 @@ static int oilsAuthVerifyPassword( const osrfMethodContext* ctx,
ctx->request, "No authentication seed found. "
"open-ils.auth.authenticate.init must be called first");
}
+
+ // We won't be needing the seed again, remove it
+ osrfCacheRemove( "%s%s", OILS_AUTH_CACHE_PRFX, uname );
osrfLogInternal(OSRF_LOG_MARK, "oilsAuth retrieved real password: [%s]", realPassword);
osrfLogDebug(OSRF_LOG_MARK, "oilsAuth retrieved seed from cache: %s", seed );
@@ -212,15 +250,15 @@ static int oilsAuthVerifyPassword( const osrfMethodContext* ctx,
jsonObject* countobject = osrfCacheGetObject( countkey );
if(countobject) {
double failcount = jsonObjectGetNumber( countobject );
- if(failcount >= OILS_AUTH_COUNT_MAX) {
+ if(failcount >= _oilsAuthBlockCount) {
ret = 0;
- osrfLogInternal(OSRF_LOG_MARK, "oilsAuth found too many recent failures: %d, forcing failure state.", failcount);
+ osrfLogInternal(OSRF_LOG_MARK, "oilsAuth found too many recent failures: %d, forcing failure state.", failcount);
}
if(ret == 0) {
failcount += 1;
}
jsonObjectSetNumber( countobject, failcount );
- osrfCachePutObject( countkey, countobject, OILS_AUTH_COUNT_INTERVAL );
+ osrfCachePutObject( countkey, countobject, _oilsAuthBlockTimeout );
jsonObjectFree(countobject);
}
free(countkey);
commit 5e82f9394172a4731986b3ea30f5c0e226c27b9e
Author: Thomas Berezansky <tsbere at mvlc.org>
Date: Tue Aug 30 11:55:35 2011 -0400
Brute Force protection for authentication
Count auth failures in memcache.
If 10+ have occurred cause failure.
After 90 seconds of no activity counter resets.
Signed-off-by: Thomas Berezansky <tsbere at mvlc.org>
Signed-off-by: Bill Erickson <berick at esilibrary.com>
diff --git a/Open-ILS/src/c-apps/oils_auth.c b/Open-ILS/src/c-apps/oils_auth.c
index b553c5f..ee04276 100644
--- a/Open-ILS/src/c-apps/oils_auth.c
+++ b/Open-ILS/src/c-apps/oils_auth.c
@@ -8,6 +8,7 @@
#include "openils/oils_event.h"
#define OILS_AUTH_CACHE_PRFX "oils_auth_"
+#define OILS_AUTH_COUNT_SFFX "_count"
#define MODULENAME "open-ils.auth"
@@ -15,6 +16,9 @@
#define OILS_AUTH_STAFF "staff"
#define OILS_AUTH_TEMP "temp"
+#define OILS_AUTH_COUNT_MAX 10
+#define OILS_AUTH_COUNT_INTERVAL 90
+
int osrfAppInitialize();
int osrfAppChildInit();
@@ -90,6 +94,7 @@ int oilsAuthInit( osrfMethodContext* ctx ) {
char* seed = NULL;
char* md5seed = NULL;
char* key = NULL;
+ char* countkey = NULL;
if( (username = jsonObjectToSimpleString(jsonObjectGetIndex(ctx->params, 0))) ) {
@@ -103,10 +108,16 @@ int oilsAuthInit( osrfMethodContext* ctx ) {
seed = va_list_to_string( "%d.%ld.%s", time(NULL), (long) getpid(), username );
key = va_list_to_string( "%s%s", OILS_AUTH_CACHE_PRFX, username );
+ countkey = va_list_to_string( "%s%s%s", OILS_AUTH_CACHE_PRFX, username, OILS_AUTH_COUNT_SFFX );
+
+ jsonObject* countobject = osrfCacheGetObject( countkey );
+ if(!countobject) {
+ countobject = jsonNewNumberObject( (double) 0 );
+ }
md5seed = md5sum(seed);
osrfCachePutString( key, md5seed, 30 );
-
+ osrfCachePutObject( countkey, countobject, OILS_AUTH_COUNT_INTERVAL );
osrfLogDebug( OSRF_LOG_MARK, "oilsAuthInit(): has seed %s and key %s", md5seed, key );
resp = jsonNewObject(md5seed);
@@ -115,6 +126,8 @@ int oilsAuthInit( osrfMethodContext* ctx ) {
free(seed);
free(md5seed);
free(key);
+ free( countkey );
+ jsonObjectFree( countobject );
}
jsonObjectFree(resp);
@@ -195,6 +208,23 @@ static int oilsAuthVerifyPassword( const osrfMethodContext* ctx,
free(seed);
free(maskedPw);
+ char* countkey = va_list_to_string( "%s%s%s", OILS_AUTH_CACHE_PRFX, uname, OILS_AUTH_COUNT_SFFX );
+ jsonObject* countobject = osrfCacheGetObject( countkey );
+ if(countobject) {
+ double failcount = jsonObjectGetNumber( countobject );
+ if(failcount >= OILS_AUTH_COUNT_MAX) {
+ ret = 0;
+ osrfLogInternal(OSRF_LOG_MARK, "oilsAuth found too many recent failures: %d, forcing failure state.", failcount);
+ }
+ if(ret == 0) {
+ failcount += 1;
+ }
+ jsonObjectSetNumber( countobject, failcount );
+ osrfCachePutObject( countkey, countobject, OILS_AUTH_COUNT_INTERVAL );
+ jsonObjectFree(countobject);
+ }
+ free(countkey);
+
return ret;
}
-----------------------------------------------------------------------
Summary of changes:
Open-ILS/examples/opensrf.xml.example | 5 ++
Open-ILS/src/c-apps/oils_auth.c | 72 +++++++++++++++++++-
.../staff_client/chrome/content/auth/session.js | 9 +++
3 files changed, 84 insertions(+), 2 deletions(-)
hooks/post-receive
--
Evergreen ILS
More information about the open-ils-commits
mailing list