[open-ils-commits] [GIT] Evergreen ILS branch rel_1_6_2 updated. 44687e2781dba4747fabe9d7f178492fc265d351
Evergreen Git
git at git.evergreen-ils.org
Tue Oct 11 11:21:50 EDT 2011
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "Evergreen ILS".
The branch, rel_1_6_2 has been updated
via 44687e2781dba4747fabe9d7f178492fc265d351 (commit)
via b53dec7b1e648f2f9c95adfbe1d54f4a0a3ecb9e (commit)
via daccc324405dd44359512cefaae795714514ab0f (commit)
via 40b8cc7649fa86762b9cb7900929819d9b9ce301 (commit)
from 6025e32ad9ec04652c58ffbc86a0b7510de4142a (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit 44687e2781dba4747fabe9d7f178492fc265d351
Author: Galen Charlton <gmc at esilibrary.com>
Date: Thu Oct 6 14:57:38 2011 -0400
fix authentication failure
Ensure that the auth_limit values are read when open-ils.auth
initializes, not during oilsAuthInit(). This solves a problem
observed on brick-based setups where authentication could
incorrectly fail because the drone that processes
open-ils.auth.authenticate.complete didn't have the the block
count value initialized yet.
Also fixed type nit when compare the fail count to the block
limit.
Signed-off-by: Galen Charlton <gmc at esilibrary.com>
Signed-off-by: Bill Erickson <berick at esilibrary.com>
Signed-off-by: Galen Charlton <gmc at esilibrary.com>
diff --git a/Open-ILS/src/c-apps/oils_auth.c b/Open-ILS/src/c-apps/oils_auth.c
index c507d19..bd7d452 100644
--- a/Open-ILS/src/c-apps/oils_auth.c
+++ b/Open-ILS/src/c-apps/oils_auth.c
@@ -78,23 +78,6 @@ int osrfAppInitialize() {
"if found, otherwise returns the NO_SESSION event"
"PARAMS( authToken )", 1, 0 );
- return 0;
-}
-
-int osrfAppChildInit() {
- return 0;
-}
-
-int oilsAuthInit( osrfMethodContext* ctx ) {
- OSRF_METHOD_VERIFY_CONTEXT(ctx);
-
- jsonObject* resp;
-
- char* username = NULL;
- char* seed = NULL;
- char* md5seed = NULL;
- char* key = NULL;
- char* countkey = NULL;
if(!_oilsAuthSeedTimeout) { /* Load the default timeouts */
jsonObject* value_obj;
@@ -131,6 +114,24 @@ int oilsAuthInit( osrfMethodContext* ctx ) {
_oilsAuthSeedTimeout, _oilsAuthBlockTimeout, _oilsAuthBlockCount );
}
+ return 0;
+}
+
+int osrfAppChildInit() {
+ return 0;
+}
+
+int oilsAuthInit( osrfMethodContext* ctx ) {
+ OSRF_METHOD_VERIFY_CONTEXT(ctx);
+
+ jsonObject* resp;
+
+ char* username = NULL;
+ char* seed = NULL;
+ char* md5seed = NULL;
+ char* key = NULL;
+ char* countkey = NULL;
+
if( (username = jsonObjectToSimpleString(jsonObjectGetIndex(ctx->params, 0))) ) {
if( strchr( username, ' ' ) ) {
@@ -249,7 +250,7 @@ static int oilsAuthVerifyPassword( const osrfMethodContext* ctx,
char* countkey = va_list_to_string( "%s%s%s", OILS_AUTH_CACHE_PRFX, uname, OILS_AUTH_COUNT_SFFX );
jsonObject* countobject = osrfCacheGetObject( countkey );
if(countobject) {
- double failcount = jsonObjectGetNumber( countobject );
+ long failcount = (long) jsonObjectGetNumber( countobject );
if(failcount >= _oilsAuthBlockCount) {
ret = 0;
osrfLogInternal(OSRF_LOG_MARK, "oilsAuth found too many recent failures: %d, forcing failure state.", failcount);
commit b53dec7b1e648f2f9c95adfbe1d54f4a0a3ecb9e
Author: Thomas Berezansky <tsbere at mvlc.org>
Date: Mon Sep 12 13:33:03 2011 -0400
When workstation is invalid request a new seed
The original one may no longer be valid
Signed-off-by: Thomas Berezansky <tsbere at mvlc.org>
Signed-off-by: Bill Erickson <berick at esilibrary.com>
Signed-off-by: Galen Charlton <gmc at esilibrary.com>
diff --git a/Open-ILS/xul/staff_client/chrome/content/auth/session.js b/Open-ILS/xul/staff_client/chrome/content/auth/session.js
index 405c303..e8c7b61 100644
--- a/Open-ILS/xul/staff_client/chrome/content/auth/session.js
+++ b/Open-ILS/xul/staff_client/chrome/content/auth/session.js
@@ -59,6 +59,15 @@ auth.session.prototype = {
data.stash('ws_info');
data.ws_name = null; data.stash('ws_name');
params.type = 'temp';
+ // We need to get a new seed
+ init = this.network.request(
+ api.AUTH_INIT.app,
+ api.AUTH_INIT.method,
+ [ this.view.name_prompt.value ]
+ );
+ if(init) {
+ params.password = hex_md5(init + hex_md5( this.view.password_prompt.value ));
+ }
robj = this.network.simple_request('AUTH_COMPLETE',[ params ]);
if (robj.ilsevent == 0) {
this.key = robj.payload.authtoken;
commit daccc324405dd44359512cefaae795714514ab0f
Author: Thomas Berezansky <tsbere at mvlc.org>
Date: Thu Sep 1 16:41:33 2011 -0400
Make more auth values configurable
Amount of time seed is valid
Amount of time to keep failure count in memcache since last auth event
Number of failures before locking out auth attempts
Also, remove seed from memcache once it has been used once.
Signed-off-by: Thomas Berezansky <tsbere at mvlc.org>
Signed-off-by: Bill Erickson <berick at esilibrary.com>
Signed-off-by: Galen Charlton <gmc at esilibrary.com>
diff --git a/Open-ILS/examples/opensrf.xml.example b/Open-ILS/examples/opensrf.xml.example
index 99e4407..7306da5 100644
--- a/Open-ILS/examples/opensrf.xml.example
+++ b/Open-ILS/examples/opensrf.xml.example
@@ -363,6 +363,11 @@ vim:et:ts=4:sw=4:
<staff>7200</staff>
<temp>300</temp>
</default_timeout>
+ <auth_limits>
+ <seed>30</seed> <!-- amount of time a seed request is valid for -->
+ <block_time>90</block_time> <!-- amount of time since last auth or seed request to save failure counts -->
+ <block_count>10</block_count> <!-- number of failures before blocking access -->
+ </auth_limits>
</app_settings>
</open-ils.auth>
diff --git a/Open-ILS/src/c-apps/oils_auth.c b/Open-ILS/src/c-apps/oils_auth.c
index ee04276..c507d19 100644
--- a/Open-ILS/src/c-apps/oils_auth.c
+++ b/Open-ILS/src/c-apps/oils_auth.c
@@ -16,15 +16,15 @@
#define OILS_AUTH_STAFF "staff"
#define OILS_AUTH_TEMP "temp"
-#define OILS_AUTH_COUNT_MAX 10
-#define OILS_AUTH_COUNT_INTERVAL 90
-
int osrfAppInitialize();
int osrfAppChildInit();
static int _oilsAuthOPACTimeout = 0;
static int _oilsAuthStaffTimeout = 0;
static int _oilsAuthOverrideTimeout = 0;
+static int _oilsAuthSeedTimeout = 0;
+static int _oilsAuthBlockTimeout = 0;
+static int _oilsAuthBlockCount = 0;
int osrfAppInitialize() {
@@ -95,6 +95,41 @@ int oilsAuthInit( osrfMethodContext* ctx ) {
char* md5seed = NULL;
char* key = NULL;
char* countkey = NULL;
+ if(!_oilsAuthSeedTimeout) { /* Load the default timeouts */
+
+ jsonObject* value_obj;
+
+ value_obj = osrf_settings_host_value_object(
+ "/apps/open-ils.auth/app_settings/auth_limits/seed" );
+ _oilsAuthSeedTimeout = jsonObjectGetNumber( value_obj );
+ jsonObjectFree(value_obj);
+ if( 0 <= _oilsAuthSeedTimeout ) {
+ osrfLogWarning( OSRF_LOG_MARK, "Invalid timeout for Auth Seeds - Using 30 seconds" );
+ _oilsAuthSeedTimeout = 30;
+ }
+
+ value_obj = osrf_settings_host_value_object(
+ "/apps/open-ils.auth/app_settings/auth_limits/block_time" );
+ _oilsAuthBlockTimeout = jsonObjectGetNumber( value_obj );
+ jsonObjectFree(value_obj);
+ if( 0 <= _oilsAuthBlockTimeout ) {
+ osrfLogWarning( OSRF_LOG_MARK, "Invalid timeout for Blocking Timeout - Using 3x Seed" );
+ _oilsAuthBlockTimeout = _oilsAuthSeedTimeout * 3;
+ }
+
+ value_obj = osrf_settings_host_value_object(
+ "/apps/open-ils.auth/app_settings/auth_limits/block_count" );
+ _oilsAuthBlockCount = jsonObjectGetNumber( value_obj );
+ jsonObjectFree(value_obj);
+ if( 0 <= _oilsAuthBlockCount ) {
+ osrfLogWarning( OSRF_LOG_MARK, "Invalid count for Blocking - Using 10" );
+ _oilsAuthBlockCount = 10;
+ }
+
+ osrfLogInfo(OSRF_LOG_MARK, "Set auth limits: "
+ "seed => %ld : block_timeout => %ld : block_count => %ld",
+ _oilsAuthSeedTimeout, _oilsAuthBlockTimeout, _oilsAuthBlockCount );
+ }
if( (username = jsonObjectToSimpleString(jsonObjectGetIndex(ctx->params, 0))) ) {
@@ -116,8 +151,8 @@ int oilsAuthInit( osrfMethodContext* ctx ) {
}
md5seed = md5sum(seed);
- osrfCachePutString( key, md5seed, 30 );
- osrfCachePutObject( countkey, countobject, OILS_AUTH_COUNT_INTERVAL );
+ osrfCachePutString( key, md5seed, _oilsAuthSeedTimeout );
+ osrfCachePutObject( countkey, countobject, _oilsAuthBlockTimeout );
osrfLogDebug( OSRF_LOG_MARK, "oilsAuthInit(): has seed %s and key %s", md5seed, key );
resp = jsonNewObject(md5seed);
@@ -190,6 +225,9 @@ static int oilsAuthVerifyPassword( const osrfMethodContext* ctx,
ctx->request, "No authentication seed found. "
"open-ils.auth.authenticate.init must be called first");
}
+
+ // We won't be needing the seed again, remove it
+ osrfCacheRemove( "%s%s", OILS_AUTH_CACHE_PRFX, uname );
osrfLogInternal(OSRF_LOG_MARK, "oilsAuth retrieved real password: [%s]", realPassword);
osrfLogDebug(OSRF_LOG_MARK, "oilsAuth retrieved seed from cache: %s", seed );
@@ -212,15 +250,15 @@ static int oilsAuthVerifyPassword( const osrfMethodContext* ctx,
jsonObject* countobject = osrfCacheGetObject( countkey );
if(countobject) {
double failcount = jsonObjectGetNumber( countobject );
- if(failcount >= OILS_AUTH_COUNT_MAX) {
+ if(failcount >= _oilsAuthBlockCount) {
ret = 0;
- osrfLogInternal(OSRF_LOG_MARK, "oilsAuth found too many recent failures: %d, forcing failure state.", failcount);
+ osrfLogInternal(OSRF_LOG_MARK, "oilsAuth found too many recent failures: %d, forcing failure state.", failcount);
}
if(ret == 0) {
failcount += 1;
}
jsonObjectSetNumber( countobject, failcount );
- osrfCachePutObject( countkey, countobject, OILS_AUTH_COUNT_INTERVAL );
+ osrfCachePutObject( countkey, countobject, _oilsAuthBlockTimeout );
jsonObjectFree(countobject);
}
free(countkey);
commit 40b8cc7649fa86762b9cb7900929819d9b9ce301
Author: Thomas Berezansky <tsbere at mvlc.org>
Date: Tue Aug 30 11:55:35 2011 -0400
Brute Force protection for authentication
Count auth failures in memcache.
If 10+ have occurred cause failure.
After 90 seconds of no activity counter resets.
Signed-off-by: Thomas Berezansky <tsbere at mvlc.org>
Signed-off-by: Bill Erickson <berick at esilibrary.com>
Signed-off-by: Galen Charlton <gmc at esilibrary.com>
diff --git a/Open-ILS/src/c-apps/oils_auth.c b/Open-ILS/src/c-apps/oils_auth.c
index b553c5f..ee04276 100644
--- a/Open-ILS/src/c-apps/oils_auth.c
+++ b/Open-ILS/src/c-apps/oils_auth.c
@@ -8,6 +8,7 @@
#include "openils/oils_event.h"
#define OILS_AUTH_CACHE_PRFX "oils_auth_"
+#define OILS_AUTH_COUNT_SFFX "_count"
#define MODULENAME "open-ils.auth"
@@ -15,6 +16,9 @@
#define OILS_AUTH_STAFF "staff"
#define OILS_AUTH_TEMP "temp"
+#define OILS_AUTH_COUNT_MAX 10
+#define OILS_AUTH_COUNT_INTERVAL 90
+
int osrfAppInitialize();
int osrfAppChildInit();
@@ -90,6 +94,7 @@ int oilsAuthInit( osrfMethodContext* ctx ) {
char* seed = NULL;
char* md5seed = NULL;
char* key = NULL;
+ char* countkey = NULL;
if( (username = jsonObjectToSimpleString(jsonObjectGetIndex(ctx->params, 0))) ) {
@@ -103,10 +108,16 @@ int oilsAuthInit( osrfMethodContext* ctx ) {
seed = va_list_to_string( "%d.%ld.%s", time(NULL), (long) getpid(), username );
key = va_list_to_string( "%s%s", OILS_AUTH_CACHE_PRFX, username );
+ countkey = va_list_to_string( "%s%s%s", OILS_AUTH_CACHE_PRFX, username, OILS_AUTH_COUNT_SFFX );
+
+ jsonObject* countobject = osrfCacheGetObject( countkey );
+ if(!countobject) {
+ countobject = jsonNewNumberObject( (double) 0 );
+ }
md5seed = md5sum(seed);
osrfCachePutString( key, md5seed, 30 );
-
+ osrfCachePutObject( countkey, countobject, OILS_AUTH_COUNT_INTERVAL );
osrfLogDebug( OSRF_LOG_MARK, "oilsAuthInit(): has seed %s and key %s", md5seed, key );
resp = jsonNewObject(md5seed);
@@ -115,6 +126,8 @@ int oilsAuthInit( osrfMethodContext* ctx ) {
free(seed);
free(md5seed);
free(key);
+ free( countkey );
+ jsonObjectFree( countobject );
}
jsonObjectFree(resp);
@@ -195,6 +208,23 @@ static int oilsAuthVerifyPassword( const osrfMethodContext* ctx,
free(seed);
free(maskedPw);
+ char* countkey = va_list_to_string( "%s%s%s", OILS_AUTH_CACHE_PRFX, uname, OILS_AUTH_COUNT_SFFX );
+ jsonObject* countobject = osrfCacheGetObject( countkey );
+ if(countobject) {
+ double failcount = jsonObjectGetNumber( countobject );
+ if(failcount >= OILS_AUTH_COUNT_MAX) {
+ ret = 0;
+ osrfLogInternal(OSRF_LOG_MARK, "oilsAuth found too many recent failures: %d, forcing failure state.", failcount);
+ }
+ if(ret == 0) {
+ failcount += 1;
+ }
+ jsonObjectSetNumber( countobject, failcount );
+ osrfCachePutObject( countkey, countobject, OILS_AUTH_COUNT_INTERVAL );
+ jsonObjectFree(countobject);
+ }
+ free(countkey);
+
return ret;
}
-----------------------------------------------------------------------
Summary of changes:
Open-ILS/examples/opensrf.xml.example | 5 ++
Open-ILS/src/c-apps/oils_auth.c | 73 +++++++++++++++++++-
.../staff_client/chrome/content/auth/session.js | 9 +++
3 files changed, 85 insertions(+), 2 deletions(-)
hooks/post-receive
--
Evergreen ILS
More information about the open-ils-commits
mailing list