[CalendarServer-changes] [1464] CalendarServer/trunk

source_changes at macosforge.org source_changes at macosforge.org
Tue Apr 10 12:56:07 PDT 2007


Revision: 1464
          http://trac.macosforge.org/projects/calendarserver/changeset/1464
Author:   cdaboo at apple.com
Date:     2007-04-10 12:56:07 -0700 (Tue, 10 Apr 2007)

Log Message:
-----------
Make sure that the digest auth's opaque hash secret is the same for all server processes on one machine, or can
be configured the same for multiple machines.

Modified Paths:
--------------
    CalendarServer/trunk/conf/caldavd-test.plist
    CalendarServer/trunk/conf/caldavd.plist
    CalendarServer/trunk/twistedcaldav/cluster.py
    CalendarServer/trunk/twistedcaldav/config.py
    CalendarServer/trunk/twistedcaldav/directory/digest.py
    CalendarServer/trunk/twistedcaldav/tap.py

Modified: CalendarServer/trunk/conf/caldavd-test.plist
===================================================================
--- CalendarServer/trunk/conf/caldavd-test.plist	2007-04-10 18:34:03 UTC (rev 1463)
+++ CalendarServer/trunk/conf/caldavd-test.plist	2007-04-10 19:56:07 UTC (rev 1464)
@@ -217,6 +217,8 @@
       <string>md5</string>
       <key>Qop</key>
       <string></string>
+      <key>Secret</key>
+      <string></string>
     </dict>
 
     <!-- Kerberos/SPNEGO -->
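Review bot: The new `Secret` key is added to the Digest dictionary without any comment saying what belongs in it or what leaving it empty means; the fallback to the master process's generated secret is only discoverable from tap.py in this same commit. A comment before the key would do, e.g. `<!-- Key mixed into the digest opaque hash. Leave empty to use the secret the master process generates at startup; set it identically on every host of a multi-machine deployment -->`, and since the value is a secret the comment could mention that the file's permissions must keep it private. The same applies to the identical hunk in caldavd.plist.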

Modified: CalendarServer/trunk/conf/caldavd.plist
===================================================================
--- CalendarServer/trunk/conf/caldavd.plist	2007-04-10 18:34:03 UTC (rev 1463)
+++ CalendarServer/trunk/conf/caldavd.plist	2007-04-10 19:56:07 UTC (rev 1464)
@@ -164,6 +164,8 @@
       <string>md5</string>
       <key>Qop</key>
       <string></string>
+      <key>Secret</key>
+      <string></string>
     </dict>
 
     <!-- Kerberos/SPNEGO -->

Modified: CalendarServer/trunk/twistedcaldav/cluster.py
===================================================================
--- CalendarServer/trunk/twistedcaldav/cluster.py	2007-04-10 18:34:03 UTC (rev 1463)
+++ CalendarServer/trunk/twistedcaldav/cluster.py	2007-04-10 19:56:07 UTC (rev 1464)
@@ -92,7 +92,8 @@
              '-o', 'BindHTTPPorts=%s' % (','.join(map(str, self.ports)),),
              '-o', 'BindSSLPorts=%s' % (','.join(map(str, self.sslPorts)),),
              '-o', 'PIDFile=None',
-             '-o', 'ErrorLogFile=None'])
+             '-o', 'ErrorLogFile=None',
+             '-o', 'SharedSecret=%s' % (config.SharedSecret,)])
 
         return args
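Review bot: Interpolating `config.SharedSecret` into the child's argv on the new `'-o', 'SharedSecret=%s'` line places the secret in the process table, where any local user who can list processes can read it, so the key that is supposed to keep digest opaque values unforgeable across processes is exposed on the host. A more contained channel would be the spawned process's environment or the control socket the configuration already defines; the spawn call and the rest of this method are outside the hunk, so I cannot tell which is the smaller change here. If argv is kept for now, record the trade-off next to the line: `# NOTE: argv is visible to other local users; move this to env/control socket`.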
 

Modified: CalendarServer/trunk/twistedcaldav/config.py
===================================================================
--- CalendarServer/trunk/twistedcaldav/config.py	2007-04-10 18:34:03 UTC (rev 1463)
+++ CalendarServer/trunk/twistedcaldav/config.py	2007-04-10 19:56:07 UTC (rev 1464)
@@ -93,7 +93,8 @@
         "Digest"  : {                       # Digest challenge/response
             "Enabled": True,
             "Algorithm": "md5",
-            "Qop": ""
+            "Qop": "",
+            "Secret": "",
         },
         "Kerberos": {                       # Kerberos/SPNEGO
             "Enabled": False,
@@ -170,6 +171,10 @@
     # A unix socket used for communication between the child and master
     # processes.
     "ControlSocket": "/var/run/caldavd.sock",
+    
+    # A secret key (SHA-1 hash of random string) that is used for internal
+    # crypto operations and shared by multiple server processes
+    "SharedSecret": "",
 }
 
 class Config (object):
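Review bot: The comment above `"SharedSecret"` describes the value's expected form but not its contract: when it is left empty the master process generates one at startup and hands it to its slave processes, and the Digest scheme uses it whenever its own `Secret` is empty (both in tap.py in this commit). Suggest replacing the two comment lines with `# Secret shared by every server process on this host (and across hosts if set identically).` / `# Empty: the master generates a SHA-1 hex string at startup and passes it to each slave;` / `# Digest auth hashes opaque values with it when Authentication.Digest.Secret is empty.`. The blank line added at the top of the hunk carries trailing whitespace.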

Modified: CalendarServer/trunk/twistedcaldav/directory/digest.py
===================================================================
--- CalendarServer/trunk/twistedcaldav/directory/digest.py	2007-04-10 18:34:03 UTC (rev 1463)
+++ CalendarServer/trunk/twistedcaldav/directory/digest.py	2007-04-10 19:56:07 UTC (rev 1464)
@@ -29,7 +29,7 @@
     See twisted.web2.auth.digest.DigestCredentialFactory
     """
 
-    def __init__(self, algorithm, qop, realm):
+    def __init__(self, algorithm, qop, secret, realm):
         """
         @type algorithm: C{str}
         @param algorithm: case insensitive string that specifies
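Review bot: Inserting `secret` before `realm` in the positional signature on the `def __init__` line breaks any caller that still passes three positional arguments: the realm would be bound to `secret` and the call would fail with a TypeError for the missing `realm`. Appending it with a default keeps existing calls working, `def __init__(self, algorithm, qop, realm, secret=""):`, and the one caller in tap.py can then pass `secret=secret` by keyword. The class header is outside the hunk.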
@@ -40,12 +40,18 @@
         @param qop: case insensitive string that specifies
             the qop to use
 
+
+        @type secret: C{str}
+        @param secret: specifies a secret key to be used for opaque value hashing
+
         @type realm: C{str}
         @param realm: case sensitive string that specifies the realm
             portion of the challenge
         """
         super(QopDigestCredentialFactory, self).__init__(algorithm, realm)
         self.qop = qop
+        if secret:
+            self.privateKey = secret
 
     def getChallenge(self, peer):
         """

Modified: CalendarServer/trunk/twistedcaldav/tap.py
===================================================================
--- CalendarServer/trunk/twistedcaldav/tap.py	2007-04-10 18:34:03 UTC (rev 1463)
+++ CalendarServer/trunk/twistedcaldav/tap.py	2007-04-10 19:56:07 UTC (rev 1464)
@@ -16,8 +16,11 @@
 # DRI: David Reid, dreid at apple.com
 ##
 
+from hashlib import sha1
+import random
 import os
 import stat
+import sys
 
 from zope.interface import implements
 
@@ -196,6 +199,11 @@
             log.msg("WARNING: changing umask from: 0%03o to 0%03o" % (
                     oldmask, config.umask,))
         
+        # Generate a shared secret that will be passed to any slave processes
+        if not config.SharedSecret:
+            c = tuple([random.randrange(sys.maxint) for _ in range(3)])
+            config.SharedSecret = sha1('%d%d%d' % c).hexdigest()                   
+
     def checkDirectory(self, dirpath, description, access=None, fail=False, permissions=None, uname=None, gname=None):
         if not os.path.exists(dirpath):
             raise ConfigurationError("%s does not exist: %s" % (description, dirpath,))
@@ -403,9 +411,16 @@
                     )
 
                 elif scheme == 'digest':
+                    secret = schemeConfig['Secret']
+                    if not secret and config.SharedSecret:
+                        log.msg("Using master process shared secret for Digest authentication")
+                        secret = config.SharedSecret
+                    else:
+                        log.msg("No shared secret for Digest authentication")
                     credFactory = QopDigestCredentialFactory(
                         schemeConfig['Algorithm'],
                         schemeConfig['Qop'],
+                        secret,
                         realm
                     )
 
