From 9238d7a28f029e53dcdd3a043d5778793502a5aa Mon Sep 17 00:00:00 2001
From: Tomas Jelinek <tojeline@redhat.com>
Date: Thu, 3 Sep 2015 17:04:29 +0200
Subject: [PATCH] fixed session and cookies processing
---
 pcsd/auth.rb   | 24 +++++++++++-------------
 pcsd/pcs.rb    |  8 ++++----
 pcsd/pcsd.rb   | 14 ++++++++++----
 pcsd/remote.rb |  2 +-
 4 files changed, 26 insertions(+), 22 deletions(-)
diff --git a/pcsd/auth.rb b/pcsd/auth.rb
index 8953d60..05bfadf 100644
--- a/pcsd/auth.rb
+++ b/pcsd/auth.rb
@@ -3,9 +3,8 @@ require 'pp'
 require 'securerandom'
 require 'rpam'
 
-class PCSAuth
   # Ruby 1.8.7 doesn't implement SecureRandom.uuid
-  def self.uuid
+  def pcsauth_uuid
     if defined? SecureRandom.uuid
       return SecureRandom.uuid
     else
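Review bot: Dropping `class PCSAuth` turns every former class method into a top-level `def`, i.e. a private method on Object that is callable from any object in the process, while the bodies (here `pcsauth_uuid`, which continues past this hunk) keep their two-space class indentation, so the file no longer reads as top-level code. If the intent (inferred) is to make these callable from the Sinatra helpers and from pcs.rb, a `module PCSAuth` with `module_function`, or handing the module to Sinatra's `helpers`, keeps the namespace without polluting Object; the same applies to the other auth.rb hunks and to the `-end` removed at the end of the file. At minimum the now-stranded `# Ruby 1.8.7 doesn't implement SecureRandom.uuid` comment and the method bodies should move to column 0, and a header comment such as `# Authentication helpers for pcsd, defined at top level so they are visible from the Sinatra routes and from pcs.rb` would record why they are no longer namespaced.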
@@ -16,7 +15,7 @@ class PCSAuth
     end
   end
 
-  def self.validUser(username, password, generate_token = false, request = nil)
+  def pcsauth_validUser(username, password, generate_token = false, request = nil)
     $logger.info("Attempting login by '#{username}'")
     if not Rpam.auth(username,password, :service => "pcsd")
       $logger.info("Failed login by '#{username}' (bad username or password)")
@@ -37,7 +36,7 @@ class PCSAuth
     $logger.info("Successful login by '#{username}'")
 
     if generate_token
-      token = PCSAuth.uuid
+      token = pcsauth_uuid
       begin
       	password_file = File.open($user_pass_file, File::RDWR|File::CREAT)
 	password_file.flock(File::LOCK_EX)
@@ -57,7 +56,7 @@ class PCSAuth
     return true
   end
 
-  def self.validToken(token)
+  def pcsauth_validToken(token)
     begin
       json = File.read($user_pass_file)
       users = JSON.parse(json)
@@ -73,10 +72,10 @@ class PCSAuth
     return false
   end
 
-  def self.isLoggedIn(session, cookies)
-    if username = validToken(cookies["token"])
-      if username == "hacluster" and $cookies.key?(:CIB_user) and $cookies.key?(:CIB_user) != ""
-        $session[:username] = $cookies[:CIB_user]
+  def pcsauth_isLoggedIn(session, cookies)
+    if username = pcsauth_validToken(cookies["token"])
+      if username == "hacluster" and cookies.key?('CIB_user') and cookies['CIB_user'] != ""
+        session[:username] = cookies['CIB_user']
       end
       return true
     else
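Review bot: `session[:username] = cookies['CIB_user']` still copies a client-supplied cookie value into the session whenever the presented token maps to `hacluster`, and the only check applied is that the string is non-empty; the commit fixes the old `key?(...) != ""` comparison and the `$cookies` global but does not constrain the value. Since that value later becomes `ENV['CIB_user']` in run_cmd (pcs.rb hunk at +620), it should be validated against whatever set or pattern of user names pcsd actually supports before it is stored, and the trust decision deserves a comment such as `# a caller holding the hacluster token may name the CIB user on whose behalf commands run; the value is client-controlled`. Note also that this line writes the symbol key `:username` while the `/login` route in pcsd.rb writes the string key `"username"`; whether both resolve to the same session entry depends on the session store, which is not visible here and is worth confirming. `pcsauth_isLoggedIn` continues past the end of this hunk.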
@@ -85,11 +84,11 @@ class PCSAuth
   end
 
   # Always an admin until we implement groups
-  def self.isAdmin(session)
+  def pcsauth_isAdmin(session)
     true
   end
 
-  def self.createUser(username, password)
+  def pcsauth_createUser(username, password)
     begin
       json = File.read($user_pass_file)
       users = JSON.parse(json)
@@ -97,7 +96,7 @@ class PCSAuth
       users = []
     end
 
-    token = PCSAuth.uuid
+    token = pcsauth_uuid
 
     users.delete_if{|u| u["username"] == username}
     users << {"username" => username, "password" => password, "token" => token}
@@ -105,5 +104,4 @@ class PCSAuth
       f.write(JSON.pretty_generate(users))
     end
   end
-end
 
diff --git a/pcsd/pcs.rb b/pcsd/pcs.rb
index 022d8fa..0a9ca2a 100644
--- a/pcsd/pcs.rb
+++ b/pcsd/pcs.rb
@@ -303,7 +303,7 @@ def send_request_with_token(node,request, post=false, data={}, remote=true, raw_
       req.set_form_data(data)
     end
     cookies_to_send = [CGI::Cookie.new("name" => 'token', "value" => token).to_s]
-    cookies_to_send << CGI::Cookie.new("name" =>  "CIB_user", "value" => $session[:username].to_s).to_s
+    cookies_to_send << CGI::Cookie.new("name" =>  "CIB_user", "value" => get_session()[:username].to_s).to_s
     req.add_field("Cookie",cookies_to_send.join(";"))
     myhttp = Net::HTTP.new(uri.host, uri.port)
     myhttp.use_ssl = true
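Review bot: `get_session()` is defined inside pcsd.rb's `helpers do` block, so it only resolves when `self` is the Sinatra application instance; `send_request_with_token` is a top-level method, and any caller outside a request (a background thread, or a script that loads pcs.rb on its own) will now raise NameError on the changed line, where the old `$session` global would simply have been nil — hedged, since the call sites are not visible here. A comment on that line, `# session is only reachable when called from inside a request handler`, would make the precondition explicit; alternatively the caller could pass the username in as an argument so this function needs no request context at all. The rest of `send_request_with_token` lies outside this hunk.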
@@ -620,10 +620,10 @@ def run_cmd(*args)
   start = Time.now
   out = ""
   errout = ""
-  if $session[:username] == "hacluster"
-    ENV['CIB_user'] = $cookies[:CIB_user]
+  if get_session()[:username] == "hacluster"
+    ENV['CIB_user'] = get_cookies()['CIB_user']
   else
-    ENV['CIB_user'] = $session[:username]
+    ENV['CIB_user'] = get_session()[:username]
   end
   $logger.debug("CIB USER: #{ENV['CIB_user'].to_s}")
   status = Open4::popen4(*args) do |pid, stdin, stdout, stderr|
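Review bot: `ENV['CIB_user'] = ...` still writes per-request data into the process-wide environment immediately before `Open4::popen4` spawns the command, so the cross-request sharing this commit removes for `$session`/`$cookies` survives here: if pcsd serves requests concurrently (inferred; the threading model is not visible), a second request can overwrite the variable between the assignment and the spawn and the command runs as the wrong CIB user. Handing the variable to the child explicitly (a `Process.spawn`-style environment hash) or wrapping the assignment and the spawn in a `Mutex#synchronize` would close that window. `get_cookies()['CIB_user']` is also used unchecked here, unlike `pcsauth_isLoggedIn`, which at least rejects an empty string before storing it in the session; the rest of `run_cmd` is outside this hunk.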
diff --git a/pcsd/pcsd.rb b/pcsd/pcsd.rb
index 8dcba30..9ef1c87 100644
--- a/pcsd/pcsd.rb
+++ b/pcsd/pcsd.rb
@@ -49,8 +49,6 @@ also_reload 'auth.rb'
 also_reload 'wizard.rb'
 
 before do
-  $session = session
-  $cookies = cookies
   if request.path != '/login' and not request.path == "/logout" and not request.path == '/remote/auth'
     protected! 
   end
@@ -117,7 +115,7 @@ set :run, false
 
 helpers do
   def protected!
-    if not PCSAuth.isLoggedIn(session, request.cookies)
+    if not pcsauth_isLoggedIn(session, request.cookies)
       # If we're on /managec/<cluster_name>/main we redirect
       match_expr = "/managec/(.*)/(.*)"
       mymatch = request.path.match(match_expr)
@@ -198,7 +196,7 @@ if not DISABLE_GUI
   end
 
   post '/login' do
-    if PCSAuth.validUser(params['username'],params['password'])
+    if pcsauth_validUser(params['username'],params['password'])
       session["username"] = params['username']
       # Temporarily ignore pre_login_path until we come up with a list of valid
       # paths to redirect to (to prevent status_all issues)
@@ -741,4 +739,12 @@ helpers do
   def h(text)
     Rack::Utils.escape_html(text)
   end
+
+  def get_session()
+    return session
+  end
+
+  def get_cookies()
+    return cookies
+  end
 end
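Review bot: The new `get_session`/`get_cookies` helpers carry no documentation, and their purpose — giving methods outside the Sinatra app (pcs.rb) a way to reach the current request's `session` and `cookies` now that the `$session`/`$cookies` globals are gone — is not obvious from a bare `return session`; a comment such as `# Expose the current request's session/cookies to methods defined outside the app (pcs.rb); only valid while a request is being handled` above the pair would cover both. Style-wise the empty parentheses and explicit `return` are unidiomatic: `def get_session; session; end` and `def get_cookies; cookies; end` match the neighbouring `h(text)` helper. Note too that `get_cookies` returns the `cookies` helper while `protected!` hands `request.cookies` to `pcsauth_isLoggedIn`; whether the two agree on keys and values depends on how `cookies` is provided (not visible here) and is worth confirming so `run_cmd` and the login check see the same `CIB_user`.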
diff --git a/pcsd/remote.rb b/pcsd/remote.rb
index 2e898ab..fe4a5d9 100644
--- a/pcsd/remote.rb
+++ b/pcsd/remote.rb
@@ -594,7 +594,7 @@ def status_all(params, nodes = [])
 end
 
 def auth(params,request)
-  token = PCSAuth.validUser(params['username'],params['password'], true, request)
+  token = pcsauth_validUser(params['username'],params['password'], true, request)
   # If we authorized to this machine, attempt to authorize everywhere
   node_list = []
   if token and params["bidirectional"]
-- 
1.9.1