Security Plugin

From user's Wiki!
Jump to: navigation, search

Security Plugin is a first version of a node manager in GIMIAS . It allows a security control of any connection node define under GIMIAS (XNat, PACS, SSH, Unicore...). Visit GIMIAS connection nodes to see the definitions of node connections within GIMIAS.

It also allows configuring a plugin license period.

Node security

Master Password

A Master Password is a key word that allows to store in a safety way the connection node information of each user. This information can be reused in other GIMIAS sessions just by introducing the master password.

When master password option is select, the password information associated to each connection is encrypted and store in the same way in the configuration file. Users have only access to the nodes define using their master passwords and also to the nodes that are define free (without master password)

User Interaction

Once the plugin is available in GIMIAS, the user can set the Master Password through the preferences menu (edit->preferences). A pop-up window is open with the preferences dialog, that contains the selected plugins, global variables manager, automatic updates, User node manager, and the nodes definition (XNAT, PACS, SSH...).

Edit & Preferences Menus
EditMenu.png
PreferencesMenu.png

Master Password is a simple window with only two controls, a checkbox that sets the enable-disable of master password and a button to control the Master password definition.

If the option is checked a pop- window appears and the button BtnMP.png enables. The pop-up window asks the user to introduce the master password twice, if it is correctly introduced then all passwords will be encrypted using this key (now only works with XNAT nodes)

Master Password dialog
MpV0.png

The BtnMP.png allows to change between Master Passwords of different user and also changes the master password of a given user.

If master password user is changed to a new one then passwords encrypted by this user are automatically updated using the new Master Password.

master password configuration dialog
MpV1.png
MpV2.png

When master password option is disable the nodes are save as they were defined (in the future this option will not save passwords decrypted for next sessions).


Development

Security plugin can be found in https://svncistib.upf.edu/repos/toolkit/gimias/extensions/branches/1_4_2. In this section We will used the example of XNat Plugin in order to understand how to manage and encrypt the nodes. In the case of XNat there are two ways for defining a node:

  • Directly from the configuration file. It was previously define in another session and it is loaded using a reader
  • Using a node configuration dialog in this case the node has to be stored (using a writer) in the configuration file for future sessions.

In order to use the security plugin the dependencies has to be included in the plugin that contains the node definition (XNAT Plugin)

FILE: plugin.xml
<?xml version="1.0" ?>
<plugin name="XNATPlugin">
    <depends>
		<plugin name="SecurityPlugin" />
    </depends>
</plugin>

FILE: csnXNATPlugin.py
projects = [
    securityPlugin,
    gmCore,
    xNAT
]

The idea of the security plugin is simple, each new node has to be registered in the SecurityPluginCryptoProcessor class to be encrypted. The access to this class is made through the preferences window (it is instantiate only once). The access to the SecurityPluginCryptoProcessor is simply done by using the next code.

//security
#include "SecurityPluginUtilities.h"

SecurityPluginCryptoProcessor::Pointer manager = SecurityPluginUtilities::GetMPManager();

Class SecurityPluginCryptoProcessor contains all funcionalities to register the nodes, encrypt, decrypt, find....

The node registration is done by defining an identifier, in this case we use the combination of nodeName + userName + siteURL. The next code allows to take the nodes corresponding to XNat from the configuration file (on which the passwords are supposed to be encrypted) and register them in the password manager.

properties = settings->GetPluginProperties( "XNATPlugin" );
it = properties->GetIteratorBegin();
bool enc;
blTag::Pointer ptrNode = tagNode->FindTagByName( "encripted" );//->GetValue(enc);
if(ptrNode.IsNotNull())
  ptrNode->GetValue(enc);
else enc = false;
//////////////////////////////////////////////////////////////////////////////
connection.SetEncripted( enc );
connection.SetName( tagNode->FindTagByName( "username" )->GetValueAsString() );
connection.SetURL( tagNode->FindTagByName( "url" )->GetValueAsString() );
connection.SetUser( tagNode->FindTagByName( "user" )->GetValueAsString() );
connection.SetPassword( tagNode->FindTagByName( "password" )->GetValueAsString() );
std::string registrationName = connection.GetName()+connection.GetUser()+connection.GetURL();
manager->RegisterPassword(registrationName, connection.GetPassword(),true);

In the case of XNat the variable "encripted" is used to know when it is necessary to decrypt the password node information.

The values that own to the node connection are encrypted and the manager (SecurityPluginCryptoProcessor Class) is in charge of decrypt them. It is only necessary to enter the correct master password and to seek the encrypted value in the manager using the registration name (nodeName + userName + siteURL).

XNATPluginDefineConetions connection;
std::string sel = m_ComboConnections->GetStringSelection().c_str();
connection = m_Connections[sel];
connection.SetPassword(manager->DecryptFromList(connection.GetName()+connection.GetUser()+connection.GetURL()));

Plugin security

User interface

Security plugin adds a new page in the preferences. The page shows all GIMIAS plugins and allows configuring the expiration date and creating the signature.

Plugins security

To configure the license for a specific plugin you should:

  1. Generate a public/private key pair: The public key should be used in the plugin constructor source code and the private key should be stored in a private place in your computer
  2. Configure plugin expiration date and compute signature: Select the plugin you want to create a license and introduce the expiration date. Then press "Sign" to generate the signature. Press apply to save the changes
  3. Verify the signature: Close GIMIAS and start again. Load the public key and press the button "Verify".

Next time GIMIAS starts, the plugin will check the expiration date using an internet time server.

Development

This block of code checks if a trial is expired and should be placed in the plugin constructor:

slTrial::Pointer trial = slTrial::New( );
trial->SetExpireTime( GetBasePlugin( )->GetExpireDate( ) );
trial->SetSignedData( GetBasePlugin( )->GetSignature( ) );
trial->SetDescription( "SecurityPlugin" );
trial->SetPublicKey( "-----BEGIN PUBLIC KEY-----\n\
MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAO5BwGf14FBoAwrHfwmKYbqwwRizhcSQ\n\
VGkDXcm0caw7prtPOwAa+zv4GO8ou4Cw8gbFquQYPpBGSr3kprYtxM8CAwEAAQ==\n\
-----END PUBLIC KEY-----\n\
" );
trial->IsTrialExpired( );

The function GetBasePlugin() is defined in the class FrontEndPlugin and retrieves the information loaded from the plugin.xml located in the plugin folder.

The class slTrial is defined in the library SecurityLib in the extensions repository.

Go back to Users