From e500fa39883090005c0ba5a42647385054747ec1 Mon Sep 17 00:00:00 2001 From: Matt Bostock Date: Wed, 17 Sep 2014 14:15:08 +0100 Subject: [PATCH 1/2] Error if FOG_CREDENTIAL doesn't match session Currently, Fog will ignore the vCloud organisation specified by a `FOG_CREDENTIAL` environment variable if a vCloud authorization token is used to log in by specifying the `FOG_VCLOUD_TOKEN` environment variable. This happens because the organisation name is pulled from the response body of the login request call. If a `FOG_VCLOUD_TOKEN` environment variable is specified, the `get_current_session` API call is used and the organisation returned in the response body will correspond to the organisation specified when the vCloud token was first obtained using the `post_login_session` API call. It is therefore possible to specify a second `FOG_CREDENTIAL`, which points to the same vCloud Director instance and specifies a different organisation, but connect to the organisation used when creating the vCloud session token. The end-user may believe that Fog is connecting to the organisation specified by `FOG_CREDENTIAL`, but the effective organisation is the one that was specified when first obtaining the vCloud session token. This could be potentially very serious if your production and test organisations use the same vCloud Director instance (with the same username for both organisations). Raise an exception if the organisation or username implied by `FOG_CREDENTIAL` differs to the one returned in the response body of the `post_login_session` API call. This behaves correctly if the session has expired; this code won't be executed in that case. --- lib/fog/vcloud_director/compute.rb | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/lib/fog/vcloud_director/compute.rb b/lib/fog/vcloud_director/compute.rb index 9495faa40..5302e126c 100644 --- a/lib/fog/vcloud_director/compute.rb +++ b/lib/fog/vcloud_director/compute.rb 
@@ -461,6 +461,10 @@ module Fog def login if @vcloud_token = ENV['FOG_VCLOUD_TOKEN'] response = get_current_session + session_org = response.body[:org] + session_user = response.body[:user] + + check_session_matches_credentials(session_org, session_user) else response = post_login_session x_vcloud_authorization = response.headers.keys.find do |key| @@ -478,6 +482,21 @@ module Fog @vcloud_token = nil @org_name = nil end + + def check_session_matches_credentials(session_org, session_user) + fog_credential_org = @vcloud_director_username.split('@').last + fog_credential_user = @vcloud_director_username.split('@')[0...-1].join + + if session_org != fog_credential_org + raise Fog::Errors::Error.new "FOG_CREDENTIAL specified is for vCloud organisation '#{fog_credential_org}' but " + + "your current session is for '#{session_org}'. You should generate a new FOG_VCLOUD_TOKEN." + end + + if session_user != fog_credential_user + raise Fog::Errors::Error.new "FOG_CREDENTIAL specified is for user '#{fog_credential_user}' but " + + "your current session is for '#{session_user}'. You should generate a new FOG_VCLOUD_TOKEN." + end + end end class Mock From 4ae3d642101d1f8b8f187b4ff82ddaea1d21a42e Mon Sep 17 00:00:00 2001 From: Matt Bostock Date: Thu, 18 Sep 2014 10:48:01 +0100 Subject: [PATCH 2/2] Add vertical spacing for readability --- lib/fog/vcloud_director/compute.rb | 1 + 1 file changed, 1 insertion(+) diff --git a/lib/fog/vcloud_director/compute.rb b/lib/fog/vcloud_director/compute.rb index 5302e126c..e028eb673 100644 --- a/lib/fog/vcloud_director/compute.rb +++ b/lib/fog/vcloud_director/compute.rb @@ -472,6 +472,7 @@ module Fog end @vcloud_token = response.headers[x_vcloud_authorization] end + @org_name = response.body[:org] @user_name = response.body[:user] end
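Review bot: The hunk in `login` compares the `FOG_CREDENTIAL` identity against the `get_current_session` response, but the commit message says the comparison is made against "the response body of the `post_login_session` API call"; the message should say `get_current_session`, since in the `post_login_session` branch the org and user come from the credentials themselves and no check is performed. Also, `session_org = response.body[:org]` and `session_user = response.body[:user]` are passed straight into the comparison, so if either key is missing from the parsed body the check raises with a message saying the session is for `''`, which will read as a credential mismatch rather than a parsing problem; consider guarding the nil case with a distinct error before the comparison.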
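Review bot: In `check_session_matches_credentials`, `@vcloud_director_username.split('@')[0...-1].join` drops every `@` from a username that itself contains one: `"first@last@org".split('@')[0...-1].join` yields `"firstlast"`, so the user comparison fails and the error message reports a user that was never configured. Use `join('@')` to reassemble the local part. The same parsing also misbehaves when the username has no `@` at all: `split('@').last` then returns the whole username as the organisation and the user part becomes `""`, so the org check raises with a misleading message; it would be clearer to reject a username without `@` up front with its own error.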