From a9a41212a30d9c44d08a014241b7d255e049f491 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?C=C3=B4me=20Bernigaud?=
Date: Tue, 4 Aug 2015 17:04:37 +0200
Subject: [PATCH] Fixes #943 Added full support for HTTPS to Argonaut server
---
 argonaut-client/bin/argonaut-client | 5 +++--
 argonaut-common/Argonaut/Libraries/Common.pm | 4 ++++
 argonaut-server/bin/argonaut-server | 30 ++++++++++++++++++++++++--
 3 files changed, 35 insertions(+), 4 deletions(-)
diff --git a/argonaut-client/bin/argonaut-client b/argonaut-client/bin/argonaut-client
index 3956522..a3a0e67 100644
--- a/argonaut-client/bin/argonaut-client
+++ b/argonaut-client/bin/argonaut-client
@@ -78,9 +78,10 @@ if (USE_LEGACY_JSON_RPC) {
 } my $server = $serverClass->new( LocalPort => $client_settings->{'port'},
- ($server_settings->{'protocol'} eq 'https') ? (SSL_server => 1,
+ ($client_settings->{'protocol'} eq 'https') ? (SSL_server => 1,
 SSL_key_file => $client_settings->{'keyfile'},
- SSL_cert_file => $client_settings->{'certfile'},)
+ SSL_cert_file => $client_settings->{'certfile'},
+ )
 : ());
 $log->notice("argonaut-client-management started on port ".$client_settings->{'port'});
diff --git a/argonaut-common/Argonaut/Libraries/Common.pm b/argonaut-common/Argonaut/Libraries/Common.pm
index 707c544..33759f8 100644
--- a/argonaut-common/Argonaut/Libraries/Common.pm
+++ b/argonaut-common/Argonaut/Libraries/Common.pm
@@ -711,6 +711,9 @@ sub argonaut_get_server_settings {
 'ip' => "ipHostNumber",
 'port' => "argonautPort",
 'protocol' => "argonautProtocol",
+ 'keyfile' => "argonautKeyPath",
+ 'certfile' => "argonautCertPath",
+ 'cacertfile' => "argonautCaCertPath",
 'iptool' => "argonautIpTool",
 'delete_finished_tasks' => "argonautDeleteFinished",
 'fetch_packages' => "argonautFetchPackages",
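Review bot: The TLS branch of the `$serverClass->new(` call in argonaut-client reads `$client_settings->{'keyfile'}` and `$client_settings->{'certfile'}`, but the only key this patch adds to `argonaut_get_client_settings` (Common.pm, hunk at -729) is `'protocol'`; unless those two keys are mapped outside the visible context, both are undef when the client protocol is `https`. I would add the two entries to the client mapping and refuse to start without them: `die "https requested but keyfile/certfile not configured\n" unless defined $client_settings->{'keyfile'} && defined $client_settings->{'certfile'};`. `$client_settings->{'protocol'}` can presumably also be undef when the attribute is unset, so the comparison is better written `($client_settings->{'protocol'} // '') eq 'https'`. The call starts above the hunk.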
@@ -729,6 +732,7 @@ sub argonaut_get_client_settings {
 'argonautClient',
 {
 'port' => "argonautClientPort",
+ 'protocol' => "argonautClientProtocol",
 'interface' => "argonautClientWakeOnLanInterface",
 'logdir' => "argonautClientLogDir",
 'taskidfile' => "argonautTaskIdFile"
diff --git a/argonaut-server/bin/argonaut-server b/argonaut-server/bin/argonaut-server
index 6f71710..5bc0b02 100644
--- a/argonaut-server/bin/argonaut-server
+++ b/argonaut-server/bin/argonaut-server
@@ -48,6 +48,8 @@ use JSON;
 use File::Path;
 use Log::Handler;
 use App::Daemon qw(daemonize);
+use MIME::Base64;
+use Digest::SHA;
 # where to look for modules files
 use Module::Pluggable search_path => 'Argonaut::Server::Modules', sub_name => 'modules', instantiate => 'new', except => 'Argonaut::Server::Modules::Argonaut';
@@ -62,7 +64,7 @@ use English qw(-no_match_vars);
 use Socket;
 our ($config,$protocol,$server_ip,$server_port);
-my ($sslkeyfile,$sslcertfile,$iptool,$delete_finished_tasks,
+my ($sslkeyfile,$sslcertfile,$sslcacertfile,$iptool,$delete_finished_tasks,
 $interface,$logdir,$packages_folder,$fetch_packages);
 my $logfile = "argonaut-server.log";
 my $piddir = "/var/run/argonaut";
@@ -105,6 +107,7 @@ sub readConfig {
 $logdir = $settings->{'logdir'};
 $sslkeyfile = $settings->{'keyfile'};
 $sslcertfile = $settings->{'certfile'};
+ $sslcacertfile = $settings->{'cacertfile'};
 $packages_folder = "/var/cache/argonaut/packages";
 }
@@ -246,6 +249,28 @@ sub ldap_authenticate {
 return 1;
 }
+sub token_authenticate {
+ my ($login, $hash) = @_;
+
+ if (!defined($hash)) {
+ return 0;
+ }
+
+ $hash = decode_base64(substr($hash, 6));
+ my $salt = substr($hash, 20);
+ $hash = substr($hash, 0, 20);
+
+ my $ctx = Digest::SHA->new(1);
+ $ctx->add($config->{'token'});
+ $ctx->add($salt);
+
+ if ($ctx->digest eq $hash) {
+ return 1;
+ } else {
+ return 0;
+ }
+}
+
 sub refresh_task {
 my ($kernel,$heap,$session,$id) = @_;
 if (defined $heap->{tasks}->{$id}->{'handler'}) {
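Review bot: `token_authenticate` never checks that `$config->{'token'}` is set before hashing it, so if the token is undef or empty (where it is loaded is not visible on this page) the expected digest depends only on the salt the caller supplied. The function also skips the first six characters without checking what they are, does not verify the decoded length before `substr($hash, 20)`, ignores `$login`, and compares the digests with `eq`, which is not constant-time. I would reject when the token is missing, require the scheme prefix and at least 20 decoded bytes, and compare in constant time, as sketched below. Replacing salted SHA-1 with an HMAC over a server-issued nonce would need a matching client change and is better tracked separately.

```perl
sub token_authenticate {
  # … unchanged: argument unpacking …

  # Refuse to authenticate at all when no shared token is configured.
  return 0 unless defined($config->{'token'}) && length($config->{'token'});
  # Assumes the six skipped characters are the "{SSHA}" scheme tag; confirm against the client.
  return 0 unless defined($hash) && $hash =~ m/\A\{SSHA\}/;

  $hash = decode_base64(substr($hash, 6));
  return 0 if length($hash) < 20;
  # … unchanged: split into 20-byte digest and salt, SHA-1 over token then salt …

  # Constant-time comparison of the two 20-byte digests.
  my $expected = $ctx->digest;
  my $diff = 0;
  $diff |= ord(substr($expected, $_, 1)) ^ ord(substr($hash, $_, 1)) for 0 .. 19;
  return $diff == 0 ? 1 : 0;
}
```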
@@ -286,7 +311,8 @@ POE::Session->create(
 }, ($protocol eq 'https') ? ( SslKey => $sslkeyfile, SslCert => $sslcertfile,
- Authenticate => \&ldap_authenticate,)
+ SslCaCert => $sslcacertfile,
+ Authenticate => \&token_authenticate,)
 : () ); $_[HEAP]{modulepool} = Argonaut::Server::ModulesPool->new(
--
1.7.10.4
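Review bot: `SslKey`, `SslCert` and the new `SslCaCert` receive `$sslkeyfile`, `$sslcertfile` and `$sslcacertfile` exactly as `readConfig` read them from the settings, with no check that they are set or readable, so an unset `argonautCaCertPath` only surfaces inside the TLS layer, if at all. I would validate them in `readConfig` when the protocol is https, e.g. `for my $f ($sslkeyfile, $sslcertfile, $sslcacertfile) { die "https: TLS file missing or unreadable\n" unless defined $f && -r $f; }`. Two related points: the `: ()` branch still registers no `Authenticate` callback, so in plain-HTTP mode requests appear to be accepted unauthenticated, and `ldap_authenticate` looks unreferenced after this swap, so it should either be removed or carry a comment saying why it stays. The `POE::Session->create(` call begins and ends outside the hunk.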