From b0026c5190031fffd9d125ac73b9f8107e80ab9e Mon Sep 17 00:00:00 2001
From: "R.I.Pienaar"
Date: Thu, 14 Feb 2019 20:38:16 +0100
Subject: [PATCH] (#578) improve security protocol disable feature

---
 lib/mcollective/security/choria.rb | 4 ++++
 lib/mcollective/util/choria.rb | 2 ++
 2 files changed, 6 insertions(+)

diff --git a/lib/mcollective/security/choria.rb b/lib/mcollective/security/choria.rb
index 11dae8a..c2010b2 100644
--- a/lib/mcollective/security/choria.rb
+++ b/lib/mcollective/security/choria.rb
@@ -234,6 +234,8 @@ def decode_reply(secure_payload)
 # @return [Boolean]
 # @raise [SecurityValidationFailed] when the message cannot be decoded
 def validrequest?(secure_payload, request)
+ return true if $choria_unsafe_disable_protocol_security # rubocop:disable Style/GlobalVars
+
 callerid = request["envelope"]["callerid"]
 
 if verify_signature(secure_payload["message"], secure_payload["signature"], callerid, true)
@@ -439,6 +441,8 @@ def client_cache_mutex
 # @return [Boolean] true when the cert was cached, false when already cached
 # @raise [StandardError] when an invalid cert was received
 def cache_client_pubcert(envelope, pubcert)
+ return false if $choria_unsafe_disable_protocol_security # rubocop:disable Style/GlobalVars
+
 client_cache_mutex.synchronize do
 callerid = envelope["callerid"]
 certfile = public_certfile(callerid)
diff --git a/lib/mcollective/util/choria.rb b/lib/mcollective/util/choria.rb
index 26edd8a..48e6210 100644
--- a/lib/mcollective/util/choria.rb
+++ b/lib/mcollective/util/choria.rb
@@ -434,6 +434,8 @@ def parse_pubcert(pubcert, log=true)
 # @return [Boolean]
 # @raise [StandardError] on failure
 def check_ssl_setup(log=true)
+ return true if $choria_unsafe_disable_protocol_security # rubocop:disable Style/GlobalVars
+
 if Process.uid == 0 && PluginManager["security_plugin"].initiated_by == :client
 raise(UserError, "The Choria client cannot be run as root")
 end
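Review bot: The new guard at the top of `validrequest?` returns true without logging anything, so a node running with `$choria_unsafe_disable_protocol_security` set accepts every request and leaves no trace that signature verification was skipped. Ruby truthiness also means any value other than nil or false, including a string such as "false" read from configuration, turns verification off; where the global is assigned is not visible here, so that is worth confirming. I would compare strictly and record the bypass, e.g. `if $choria_unsafe_disable_protocol_security == true`, then `Log.warn("Protocol security is disabled, accepting request without signature verification")` and `return true`. The same silent truthiness guard is added in `cache_client_pubcert` and `check_ssl_setup`. The body of `validrequest?` continues outside the hunk.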
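Review bot: The early `return false` in `cache_client_pubcert` reuses the value documented as "false when already cached", so a caller cannot tell that nothing was cached because protocol security is disabled. The doc comment above the method should say so, e.g. `# @return [Boolean] true when the cert was cached, false when already cached or when protocol security is disabled`. The method body continues outside the hunk.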
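Review bot: Placing the early return as the first statement of `check_ssl_setup` also skips the `Process.uid == 0` check that refuses to run the Choria client as root, which is a local privilege safeguard and not part of protocol security. If disabling protocol security is not meant to lift that restriction, move `return true if $choria_unsafe_disable_protocol_security # rubocop:disable Style/GlobalVars` to just after the `end` that closes the root check. Either way the `@raise [StandardError] on failure` comment should note that no SSL validation happens when the flag is set. The rest of the method is outside the hunk.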