Commit 39f9dba9 authored by Renato Figueiro Maia's avatar Renato Figueiro Maia
Browse files

Merge from branch sdk/lua/branches/02_00_01 (r168727)

Merge from branch core/branches/02_00_00 (168721:168728)
[OPENBUS-2864] Erros de validadores de senha ou token resultam em ServiceFailure para o cliente
[OPENBUS-2849] Correção para permitir que o 'busservices' atenda novos clientes quando o número de sockets abertos atinge o limite imposto pelo sistema operacional.

git-svn-id: https://subversion.tecgraf.puc-rio.br/engdist/openbus/core/trunk@168729 ae0415b3-e90b-0410-900d-d0be9363c56b
parents 8b4de300 9629c9c8
......@@ -7,6 +7,7 @@ local pairs = _G.pairs
local pcall = _G.pcall
local rawset = _G.rawset
local type = _G.type
local xpcall = _G.xpcall
local coroutine = require "coroutine"
local newthread = coroutine.create
......@@ -29,6 +30,9 @@ local schedule = cothread.schedule
local unschedule = cothread.unschedule
local waituntil = cothread.defer
local debug = require "debug"
local traceback = debug.traceback
local uuid = require "uuid"
local newid = uuid.new
......@@ -52,7 +56,8 @@ local assert = idl.serviceAssertion
local BusEntity = idl.const.BusEntity
local BusLogin = idl.const.BusLogin
local EncryptedBlockSize = idl.const.EncryptedBlockSize
local ServiceFailure = idl.types.services.ServiceFailure
local ServiceFailureId = idl.types.services.ServiceFailure
local ServiceFailure = idl.throw.services.ServiceFailure
local accexp = idl.throw.services.access_control
local UnknownDomain = accexp.UnknownDomain
local AccessDenied = accexp.AccessDenied
......@@ -310,7 +315,7 @@ function AccessControl:__init(data)
entity = login.entity,
})
local ok, ex = pcall(login.remove, login) -- catch I/O errors
if not ok and (type(ex)~="table" or ex._repid~=ServiceFailure) then
if not ok and (type(ex)~="table" or ex._repid~=ServiceFailureId) then
error(ex)
end
end
......@@ -393,8 +398,16 @@ function AccessControl:loginByPassword(entity, domain, pubkey, encrypted)
end
local validator = self.passwordValidators[domain]
if validator ~= nil then
local valid, errmsg = validator.validate(entity, decoded.data)
if valid then
local ok, valid, errmsg = xpcall(validator.validate, traceback, entity, decoded.data)
if not ok then
ServiceFailure{
message = msg.FailedPasswordValidation:tag{
entity = entity,
validator = validator.name,
errmsg = valid,
}
}
elseif valid then
local login = self.activeLogins:newLogin(entity, pubkey)
log:request(msg.LoginByPassword:tag{
login = login.id,
......@@ -499,8 +512,20 @@ function AccessControl:signChainByToken(encrypted, domain)
local validator = self.tokenValidators[domain]
if validator ~= nil then
local imported = ImportedChain()
local ok, errmsg = validator.validate(caller.id, caller.entity, decrypted, imported)
if ok then
local ok, valid, errmsg = xpcall(validator.validate,
traceback,
caller.id,
caller.entity,
decrypted,
imported)
if not ok then
ServiceFailure{
message = msg.FailedTokenValidation:tag{
validator = validator.name,
errmsg = valid,
}
}
elseif valid then
local count = #imported
if count > 0 then
local last = imported[count]
......
......@@ -103,6 +103,7 @@ return function(...)
InvalidSecurityLayerMode = 23,
InvalidChallengeTime = 24,
InvalidSharedAuthTime = 25,
InvalidMaximumChannelLimit = 26,
}
-- configuration parameters parser
......@@ -131,7 +132,9 @@ return function(...)
badpasswordtries = 3,
badpasswordlimit = inf,
badpasswordrate = inf,
maxchannels = 0,
admin = {},
validator = {},
tokenvalidator = {},
......@@ -203,6 +206,8 @@ Options:
-badpasswordlimit <number> nmero mximo de autenticaes simultneas com senha incorreta
-badpasswordrate <number> frequncia mxima de autenticaes com senha incoreta (autenticao/segundo)
-maxchannels <number> nmero mximo de canais de comunicao com os sistemas
-admin <user> usurio com privilgio de administrao
-validator <name> nome de pacote de validao de login
-tokenvalidator <name> nome de pacote de validao de token de cadeia externa
......@@ -306,6 +311,14 @@ Options:
return errcode.InvalidPasswordValidationRate
end
-- validate time parameters
if Configs.maxchannels < 0 then
log:misconfig(msg.InvalidMaximumChannelLimit:tag{
value = Configs.maxchannels,
})
return errcode.InvalidMaximumChannelLimit
end
-- load private key
local prvkey, errmsg = readprivatekey(Configs.privatekey)
if prvkey == nil then
......@@ -489,6 +502,7 @@ Options:
host = Configs.host,
port = getoptcfg(Configs, "port", 0),
sslport = getoptcfg(Configs, "sslport", 0),
maxchannels = getoptcfg(Configs, "maxchannels", 0),
flavor = orbflv,
options = orbopt,
}
......@@ -558,6 +572,9 @@ Options:
log:config(msg.BadPasswordLimitedTries:tag{limit=Configs.badpasswordtries})
log:config(msg.BadPasswordTotalLimit:tag{value=Configs.badpasswordlimit})
log:config(msg.BadPasswordMaxRate:tag{value=Configs.badpasswordrate})
if Configs.maxchannels ~= nil then
log:config(msg.MaximumChannelLimit:tag{value=orb.maxchannels})
end
if not params.enforceAuth then
log:config(msg.OfferAuthorizationDisabled)
end
......
return function (configs)
return function (entity, password)
if entity == "error" and password == "Oops!" then
error("Oops!")
end
end
end
return function ()
return function ()
error("Oops!")
end
end
......@@ -38,6 +38,7 @@ openbus@tecgraf.puc-rio.br
admin=`$busadmin -l openbus.test.configs -e 'print(admin)'`
admpsw=`$busadmin -l openbus.test.configs -e 'print(admpsw)'`
domain=`$busadmin -l openbus.test.configs -e 'print(domain)'`
baddomain=`$busadmin -l openbus.test.configs -e 'print(baddomain)'`
leasetime=`$busadmin -l openbus.test.configs -e 'print(leasetime)'`
expirationgap=`$busadmin -l openbus.test.configs -e 'print(expirationgap)'`
passwordpenalty=`$busadmin -l openbus.test.configs -e 'print(passwordpenalty)'`
......@@ -45,13 +46,15 @@ passwordpenalty=`$busadmin -l openbus.test.configs -e 'print(passwordpenalty)'`
genkey $OPENBUS_TEMP/$name
$buscore \
-port=$port \
-iorfile=$OPENBUS_TEMP/$name.ior \
-database=$OPENBUS_TEMP/$name.db \
-privatekey=$OPENBUS_TEMP/$name.key \
-certificate=$OPENBUS_TEMP/$name.crt \
-port $port \
-iorfile $OPENBUS_TEMP/$name.ior \
-database $OPENBUS_TEMP/$name.db \
-privatekey $OPENBUS_TEMP/$name.key \
-certificate $OPENBUS_TEMP/$name.crt \
-validator $domain:openbus.test.core.services.TesterUserValidator \
-tokenvalidator $domain:openbus.test.core.services.TestTokenValidator \
-validator $baddomain:openbus.test.core.services.BadPasswordValidator \
-tokenvalidator $baddomain:openbus.test.core.services.BadTokenValidator \
-legacydomain $domain \
-admin $admin \
-badpasswordpenalty $passwordpenalty \
......
Supports Markdown
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment