[open-ils-commits] [GIT] Evergreen ILS branch rel_2_5 updated. db79a887ab6537acc77abd3800997dd62979a131

Evergreen Git git at git.evergreen-ils.org
Thu Jul 31 08:14:15 EDT 2014


This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "Evergreen ILS".

The branch, rel_2_5 has been updated
       via  db79a887ab6537acc77abd3800997dd62979a131 (commit)
       via  07d40243492b31638d33018a0a687aa1f137ce4d (commit)
      from  c717ca7bccea45c13966be268f47c73c5bd3a889 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit db79a887ab6537acc77abd3800997dd62979a131
Author: Bill Erickson <berick at esilibrary.com>
Date:   Tue Oct 8 15:58:56 2013 -0400

    LP#1348731: have SIP gateway use a login nonce
    
    Since multiple SIP clients may use the same credentials, avoid the
    same-username race condition to authentication by applying a login nonce
    value.
    
    Signed-off-by: Bill Erickson <berick at esilibrary.com>
    Signed-off-by: Galen Charlton <gmc at esilibrary.com>
    Signed-off-by: Mike Rylander <mrylander at gmail.com>

diff --git a/Open-ILS/src/perlmods/lib/OpenILS/SIP.pm b/Open-ILS/src/perlmods/lib/OpenILS/SIP.pm
index 46c902a..a984200 100644
--- a/Open-ILS/src/perlmods/lib/OpenILS/SIP.pm
+++ b/Open-ILS/src/perlmods/lib/OpenILS/SIP.pm
@@ -223,9 +223,10 @@ sub login {
     my( $self, $username, $password ) = @_;
     syslog('LOG_DEBUG', "OILS: Logging in with username $username");
 
+    my $nonce = rand($$);
     my $seed = $U->simplereq( 
         'open-ils.auth',
-        'open-ils.auth.authenticate.init', $username );
+        'open-ils.auth.authenticate.init', $username, $nonce );
 
     my $response = $U->simplereq(
         'open-ils.auth', 
@@ -234,6 +235,7 @@ sub login {
             username => $username, 
             password => md5_hex($seed . md5_hex($password)), 
             type     => 'opac',
+            nonce    => $nonce
         }
     );
 

commit 07d40243492b31638d33018a0a687aa1f137ce4d
Author: Bill Erickson <berick at esilibrary.com>
Date:   Tue Oct 8 15:52:12 2013 -0400

    LP#1348731: Optional Auth login nonce to differentiate same-username logins
    
    If multiple login attempts are made using the same username within a
    very short period of time, a race condition exists where, upon
    completion of the first login, the auth init cache data for any pending
    logins are removed, since there can only be one instance of cached init
    data per username.
    
    This adds support for allowing the caller to pass in a random string
    which is added to the cache key as a way to differentiate between logins
    using the same username.
    
    The seed is passed into auth init as an optional secondary parameter
    and passed again (via the "nonce" argument) to auth complete to ensure
    consistent cache keys across both interactions.
    
    Example:
    
    my $nonce = rand($$);
    
    my $seed = request(
        'open-ils.auth',
        'open-ils.auth.authenticate.init', $username, $nonce );
    
    my $response = request(
        'open-ils.auth',
        'open-ils.auth.authenticate.complete',
        {
            username => $username,
            password => md5_hex($seed . md5_hex($password)),
            type     => 'opac',
            nonce    => $nonce
        }
    );
    
    The race condition has been observed with the SIP2 gateway when
    multiple devices have been configured to use the same account.
    
    Signed-off-by: Bill Erickson <berick at esilibrary.com>
    Signed-off-by: Galen Charlton <gmc at esilibrary.com>
    Signed-off-by: Mike Rylander <mrylander at gmail.com>

diff --git a/Open-ILS/src/c-apps/oils_auth.c b/Open-ILS/src/c-apps/oils_auth.c
index 2c7086a..bd79770 100644
--- a/Open-ILS/src/c-apps/oils_auth.c
+++ b/Open-ILS/src/c-apps/oils_auth.c
@@ -151,6 +151,10 @@ int osrfAppChildInit() {
 
 	Method parameters:
 	- username
+	- nonce : optional login seed (string) provided by the caller which
+		is added to the auth init cache to differentiate between logins
+		using the same username and thus avoiding cache collisions for
+		near-simultaneous logins.
 
 	Return to client: Intermediate authentication seed.
 
@@ -166,6 +170,9 @@ int oilsAuthInit( osrfMethodContext* ctx ) {
 	OSRF_METHOD_VERIFY_CONTEXT(ctx);
 
 	char* username  = jsonObjectToSimpleString( jsonObjectGetIndex(ctx->params, 0) );
+	const char* nonce = jsonObjectGetString(jsonObjectGetIndex(ctx->params, 1));
+	if (!nonce) nonce = "";
+
 	if( username ) {
 
 		jsonObject* resp;
@@ -179,9 +186,9 @@ int oilsAuthInit( osrfMethodContext* ctx ) {
 		} else {
 
 			// Build a key and a seed; store them in memcache.
-			char* key  = va_list_to_string( "%s%s", OILS_AUTH_CACHE_PRFX, username );
+			char* key  = va_list_to_string( "%s%s%s", OILS_AUTH_CACHE_PRFX, username, nonce );
 			char* countkey = va_list_to_string( "%s%s%s", OILS_AUTH_CACHE_PRFX, username, OILS_AUTH_COUNT_SFFX );
-			char* seed = md5sum( "%d.%ld.%s", (int) time(NULL), (long) getpid(), username );
+			char* seed = md5sum( "%d.%ld.%s.%s", (int) time(NULL), (long) getpid(), username, nonce );
 			jsonObject* countobject = osrfCacheGetObject( countkey );
 			if(!countobject) {
 				countobject = jsonNewNumberObject( (double) 0 );
@@ -275,10 +282,11 @@ static int oilsAuthCheckLoginPerm(
 	method or to receive the seed from the process that did so.
 */
 static int oilsAuthVerifyPassword( const osrfMethodContext* ctx,
-		const jsonObject* userObj, const char* uname, const char* password ) {
+		const jsonObject* userObj, const char* uname,
+		const char* password, const char* nonce ) {
 
 	// Get the username seed, as stored previously in memcache by the init method
-	char* seed = osrfCacheGetString( "%s%s", OILS_AUTH_CACHE_PRFX, uname );
+	char* seed = osrfCacheGetString( "%s%s%s", OILS_AUTH_CACHE_PRFX, uname, nonce );
 	if(!seed) {
 		return osrfAppRequestRespondException( ctx->session,
 			ctx->request, "No authentication seed found. "
@@ -288,7 +296,7 @@ static int oilsAuthVerifyPassword( const osrfMethodContext* ctx,
 	}
     
 	// We won't be needing the seed again, remove it
-	osrfCacheRemove( "%s%s", OILS_AUTH_CACHE_PRFX, uname );
+	osrfCacheRemove( "%s%s%s", OILS_AUTH_CACHE_PRFX, uname, nonce );
 
 	// Get the hashed password from the user object
 	char* realPassword = oilsFMGetString( userObj, "passwd" );
@@ -563,6 +571,7 @@ static oilsEvent* oilsAuthVerifyWorkstation(
 		- "org"
 		- "workstation"
 		- "agent" (what software/interface/3rd-party is making the request)
+		- "nonce" optional login seed to differentiate logins using the same username.
 
 	The password is required.  Either a username or a barcode must also be present.
 
@@ -586,8 +595,10 @@ int oilsAuthComplete( osrfMethodContext* ctx ) {
 	const char* workstation = jsonObjectGetString(jsonObjectGetKeyConst(args, "workstation"));
 	const char* barcode     = jsonObjectGetString(jsonObjectGetKeyConst(args, "barcode"));
 	const char* ewho        = jsonObjectGetString(jsonObjectGetKeyConst(args, "agent"));
+	const char* nonce       = jsonObjectGetString(jsonObjectGetKeyConst(args, "nonce"));
 
 	const char* ws = (workstation) ? workstation : "";
+	if (!nonce) nonce = "";
 
 	/* Use __FILE__, harmless_line_number for creating
 	 * OILS_EVENT_AUTH_FAILED events (instead of OSRF_LOG_MARK) to avoid
@@ -674,9 +685,9 @@ int oilsAuthComplete( osrfMethodContext* ctx ) {
 	// Now see if he or she has the right credentials.
 	int passOK = -1;
 	if(uname)
-		passOK = oilsAuthVerifyPassword( ctx, userObj, uname, password );
+		passOK = oilsAuthVerifyPassword( ctx, userObj, uname, password, nonce );
 	else if (barcode)
-		passOK = oilsAuthVerifyPassword( ctx, userObj, barcode, password );
+		passOK = oilsAuthVerifyPassword( ctx, userObj, barcode, password, nonce );
 
 	if( passOK < 0 ) {
 		jsonObjectFree(userObj);

-----------------------------------------------------------------------

Summary of changes:
 Open-ILS/src/c-apps/oils_auth.c          |   25 ++++++++++++++++++-------
 Open-ILS/src/perlmods/lib/OpenILS/SIP.pm |    4 +++-
 2 files changed, 21 insertions(+), 8 deletions(-)


hooks/post-receive
-- 
Evergreen ILS


More information about the open-ils-commits mailing list