| 93 |
93 |
# For https, the web service should be set to include the user cert in the environment.
|
| 94 |
94 |
cert_line_in = env['HTTP_SSL_CLIENT_CERT']
|
| 95 |
95 |
|
| 96 |
|
if cert_line_in ==""
|
|
96 |
if cert_line_in == nil
|
| 97 |
97 |
# Use the secret key for authentication.
|
| 98 |
98 |
|
| 99 |
99 |
password = get_user_password(params['AWSAccessKeyId'])
|
| ... | ... | |
| 127 |
127 |
else
|
| 128 |
128 |
# Use the https credentials for authentication
|
| 129 |
129 |
|
| 130 |
|
# Get the DN from the certificate
|
| 131 |
|
begin
|
| 132 |
|
cert_array=cert_line_in.scan(/([^\s]*)\s/)
|
| 133 |
|
cert_array = cert_array[2..-3]
|
| 134 |
|
cert_array.unshift('-----BEGIN CERTIFICATE-----').push('-----END CERTIFICATE-----')
|
| 135 |
|
user_cert = cert_array.join("\n")
|
| 136 |
|
user_cert = OpenSSL::X509::Certificate.new(user_cert)
|
| 137 |
|
subjectname = user_cert.subject.to_s
|
| 138 |
|
subjectname_nosp = subjectname.gsub(/\s/, '')
|
| 139 |
|
puts(subjectname)
|
| 140 |
|
rescue
|
| 141 |
|
raise failed + "Could not create X509 certificate from " + user_cert
|
|
130 |
while cert_line_in != nil
|
|
131 |
# Get the DN from the certificate
|
|
132 |
begin
|
|
133 |
cert_array=cert_line_in.scan(/([^\s]*)\s/)
|
|
134 |
cert_array = cert_array[2..-3]
|
|
135 |
cert_array.unshift('-----BEGIN CERTIFICATE-----')
|
|
136 |
cert_array.push('-----END CERTIFICATE-----')
|
|
137 |
user_cert = cert_array.join("\n")
|
|
138 |
user_cert = OpenSSL::X509::Certificate.new(user_cert)
|
|
139 |
subj_name = user_cert.subject.to_s
|
|
140 |
rescue
|
|
141 |
raise failed + "Could not create X509 certificate from " + cert_line_in
|
|
142 |
end
|
|
143 |
|
|
144 |
# Password should be DN with whitespace removed.
|
|
145 |
subjectname = subj_name.gsub(/\s/, '')
|
|
146 |
chain_dn = "" if chain_dn == nil
|
|
147 |
chain_dn = chain_dn + "\n" + subjectname
|
|
148 |
begin
|
|
149 |
username = get_username(subjectname)
|
|
150 |
STDERR.puts("Username " + username + " found for DN " + subjectname)
|
|
151 |
STDERR.flush
|
|
152 |
break
|
|
153 |
rescue
|
|
154 |
STDERR.puts "No username found for DN " + subjectname
|
|
155 |
STDERR.flush
|
|
156 |
chain_index = 0 if chain_index == nil
|
|
157 |
chain_index = chain_index + 1
|
|
158 |
cert_chain_key = "HTTP_SSL_CLIENT_CERT_CHAIN#{chain_index}"
|
|
159 |
cert_line_in = env[cert_chain_key]
|
|
160 |
end
|
| 142 |
161 |
end
|
| 143 |
162 |
|
| 144 |
|
# Check that the DN corresponds to the password of a user
|
| 145 |
|
begin
|
| 146 |
|
username = get_username(subjectname_nosp)
|
| 147 |
|
puts("The username is " + username)
|
| 148 |
|
rescue
|
| 149 |
|
raise failed + "User with DN " + subjectname + " not found."
|
|
163 |
if cert_line_in == nil
|
|
164 |
raise failed + "Username not found in certificate chain " + chain_dn
|
| 150 |
165 |
end
|
| 151 |
166 |
|
| 152 |
167 |
# Sign the message and compose the special login token
|
| ... | ... | |
| 173 |
188 |
host_key_array=host_cert_array[begin_index..end_index]
|
| 174 |
189 |
private_key=host_key_array.join("\n")
|
| 175 |
190 |
rescue
|
| 176 |
|
raise failed + "Could not get private key from " + '/etc/grid-security/hostkey.pem'
|
|
191 |
raise failed + "Could not get private key from " + @hostkey
|
| 177 |
192 |
end
|
| 178 |
193 |
|
| 179 |
194 |
begin
|
| 180 |
195 |
rsa=OpenSSL::PKey::RSA.new(private_key)
|
| 181 |
196 |
rescue
|
| 182 |
|
raise failed + "Could not create RSA key from " + '/etc/grid-security/hostkey.pem'
|
|
197 |
raise failed + "Could not create RSA key from " + @hostkey
|
| 183 |
198 |
end
|
| 184 |
199 |
|
| 185 |
200 |
# Sign with timestamp
|
| 186 |
|
-
|