Commit a4eacf3a authored by Leigh Stoller's avatar Leigh Stoller

More plone login changes. Almost there.

parent 4f391d6b
# #
# Copyright (c) 2005, 2006, 2007 University of Utah and the Flux Group. # Copyright (c) 2005-2013 University of Utah and the Flux Group.
# #
# {{{EMULAB-LICENSE # {{{EMULAB-LICENSE
# #
...@@ -25,10 +25,14 @@ SRCDIR = @srcdir@ ...@@ -25,10 +25,14 @@ SRCDIR = @srcdir@
TESTBED_SRCDIR = @top_srcdir@ TESTBED_SRCDIR = @top_srcdir@
OBJDIR = .. OBJDIR = ..
SUBDIR = collab SUBDIR = collab
ISMAINSITE = @TBMAINSITE@
include $(OBJDIR)/Makeconf include $(OBJDIR)/Makeconf
SUBDIRS = mailman cvstools jabber trac SUBDIRS = mailman cvstools jabber trac
ifeq ($(ISMAINSITE),1)
#SUBDIRS += plone
endif
ifeq ($(EXP_VIS_SUPPORT),1) ifeq ($(EXP_VIS_SUPPORT),1)
SUBDIRS += exp-vis SUBDIRS += exp-vis
endif endif
...@@ -41,6 +45,9 @@ control-install: ...@@ -41,6 +45,9 @@ control-install:
@$(MAKE) -C mailman control-install @$(MAKE) -C mailman control-install
@$(MAKE) -C cvstools control-install @$(MAKE) -C cvstools control-install
@$(MAKE) -C trac control-install @$(MAKE) -C trac control-install
ifeq ($(ISMAINSITE),1)
@$(MAKE) -C plone control-install
endif
install: install-subdirs install: install-subdirs
clean: clean-subdirs clean: clean-subdirs
...@@ -51,6 +58,9 @@ post-install: ...@@ -51,6 +58,9 @@ post-install:
@$(MAKE) -C cvstools post-install @$(MAKE) -C cvstools post-install
@$(MAKE) -C jabber post-install @$(MAKE) -C jabber post-install
@$(MAKE) -C trac post-install @$(MAKE) -C trac post-install
ifeq ($(ISMAINSITE),1)
@$(MAKE) -C plone post-install
endif
ifeq ($(EXP_VIS_SUPPORT),1) ifeq ($(EXP_VIS_SUPPORT),1)
@$(MAKE) -C exp-vis post-install @$(MAKE) -C exp-vis post-install
endif endif
......
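Review bot: `SUBDIRS += plone` is left commented out (L19), yet `control-install` (L29) and `post-install` (L38) recurse into `plone` whenever `ISMAINSITE` is 1, so on a main-site build `post-install` will `chown root` and `chmod u+s` a `$(INSTALL_LIBEXECDIR)/plonexlogin` that the `install` target never installed (or, worse, re-mark a stale copy setuid). Either enable the subdir, `SUBDIRS += plone`, or guard the two recursive calls the same way until the plone install is ready. If the comment-out is deliberate work-in-progress, a `# XXX plone install not yet enabled; post-install below assumes it is` next to it would save the next reader the hunt.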
#
# Copyright (c) 2000-2013 University of Utah and the Flux Group.
#
# {{{EMULAB-LICENSE
#
# This file is part of the Emulab network testbed software.
#
# This file is free software: you can redistribute it and/or modify it
# under the terms of the GNU Affero General Public License as published by
# the Free Software Foundation, either version 3 of the License, or (at
# your option) any later version.
#
# This file is distributed in the hope that it will be useful, but WITHOUT
# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
# FITNESS FOR A PARTICULAR PURPOSE. See the GNU Affero General Public
# License for more details.
#
# You should have received a copy of the GNU Affero General Public License
# along with this file. If not, see <http://www.gnu.org/licenses/>.
#
# }}}
#
SRCDIR = @srcdir@
TESTBED_SRCDIR = @top_srcdir@
OBJDIR = ../..
SUBDIR = collab/plone
include $(OBJDIR)/Makeconf
SBIN_SCRIPTS =
LIBEXEC_SCRIPTS = plonexlogin
CTRL_LIBEXEC_SCRIPTS =
CTRL_LIB_FILES =
CTRL_SBIN_SCRIPTS = ploneproxy
# These scripts installed setuid, with sudo.
SETUID_BIN_SCRIPTS =
SETUID_SBIN_SCRIPTS =
SETUID_SUEXEC_SCRIPTS = plonexlogin
#
# Force dependencies on the scripts so that they will be rerun through
# configure if the .in file is changed.
#
all: $(SBIN_SCRIPTS) $(CTRL_SBIN_SCRIPTS) $(CTRL_LIBEXEC_SCRIPTS) \
$(CTRL_LIB_FILES) $(LIBEXEC_SCRIPTS)
include $(TESTBED_SRCDIR)/GNUmakerules
install: $(addprefix $(INSTALL_SBINDIR)/, $(SBIN_SCRIPTS)) \
$(addprefix $(INSTALL_LIBEXECDIR)/, $(LIBEXEC_SCRIPTS)) \
$(addprefix $(INSTALL_DIR)/opsdir/sbin/, $(CTRL_SBIN_SCRIPTS))
boss-install: install
post-install:
chown root $(INSTALL_LIBEXECDIR)/plonexlogin
chmod u+s $(INSTALL_LIBEXECDIR)/plonexlogin
#
# Control node installation (okay, plastic)
#
control-install: \
$(addprefix $(INSTALL_SBINDIR)/, $(CTRL_SBIN_SCRIPTS))
clean:
rm -f *.o core
$(INSTALL_DIR)/opsdir/sbin/ploneproxy: ploneproxy
@echo "Installing $<"
-mkdir -p $(INSTALL_DIR)/opsdir/sbin
$(INSTALL) $< $@
import logging import logging
import cgi import cgi
import urllib import urllib
import re
import os
from Products.PluggableAuthService.plugins.BasePlugin import BasePlugin from Products.PluggableAuthService.plugins.BasePlugin import BasePlugin
from AccessControl.SecurityInfo import ClassSecurityInfo from AccessControl.SecurityInfo import ClassSecurityInfo
from AccessControl.SecurityManagement import getSecurityManager
from Products.PluggableAuthService.utils import classImplements from Products.PluggableAuthService.utils import classImplements
from Globals import InitializeClass from Globals import InitializeClass
from Products.PluggableAuthService.interfaces.plugins import \ from Products.PluggableAuthService.interfaces.plugins import \
IAuthenticationPlugin, IUserEnumerationPlugin, IExtractionPlugin IAuthenticationPlugin, IExtractionPlugin, IRolesPlugin
from Products.PluggableAuthService.interfaces.plugins import \
IUserEnumerationPlugin, IGroupsPlugin
from Products.PageTemplates.PageTemplateFile import PageTemplateFile from Products.PageTemplates.PageTemplateFile import PageTemplateFile
from zope.component.hooks import getSite from zope.component.hooks import getSite
from Products.CMFCore.utils import getToolByName
logger = logging.getLogger('emulabpas') logger = logging.getLogger('emulabpas')
outfile = logging.FileHandler(filename='/tmp/emulabpas.log') outfile = logging.FileHandler(filename='/tmp/emulabpas.log')
...@@ -79,10 +85,10 @@ class EmulabPlugin(BasePlugin): ...@@ -79,10 +85,10 @@ class EmulabPlugin(BasePlugin):
# If there is a user with this id, we do not authenticate # If there is a user with this id, we do not authenticate
# on this path, they have to log in normally. # on this path, they have to log in normally.
user = self._getPAS().getUserById(user_id) #user = self._getPAS().getUserById(user_id)
if user is not None: #if user is not None:
logger.debug("User '%s' exists, not doing anything.", user_id) # logger.debug("User '%s' exists, not doing anything.", user_id)
return {} # return {}
result = {} result = {}
result['user_id'] = user_id result['user_id'] = user_id
...@@ -108,15 +114,57 @@ class EmulabPlugin(BasePlugin): ...@@ -108,15 +114,57 @@ class EmulabPlugin(BasePlugin):
user_id = credentials['user_id'] user_id = credentials['user_id']
# #
# Consult external somthing # Sanity check the user_id before we use it to open a file.
# #
verified = True if not re.match("^[-\w]*$", user_id):
logger.warn("Illegal characters in user_id: " + user_id)
if verified: return None
if True:
user = self._getPAS().getUserById(user_id)
if user:
current_group_ids = user.getGroupIds()
logger.debug("Groups for user_id: " + str(current_group_ids))
if "emulabusers" not in current_group_ids:
group_tool = getToolByName(self, 'portal_groups')
logger.debug("Adding user id %s to group emulabusers", user_id)
group_tool.addPrincipalToGroup(user_id, "emulabusers")
pass
pass
return (user_id, user_id) return (user_id, user_id)
#
# Consult external somthing
#
try:
fp = open("/var/db/plone/" + user_id)
user_secret = fp.readline()
user_admin = fp.readline()
except:
logger.warn("Could not open or read secret file for " + user_id)
return None
user_secret.rstrip("\r\n")
user_admin.rstrip("\r\n")
if secret != user_secret:
return None
return (user_id, user_id)
def enumerateUsers(self, id=None, login=None, exact_match=False,
sort_by=None, max_results=None, **kw):
key = id or login
if os.access("/var/db/plone/" + key, os.F_OK):
logger.debug("enumerateUsers: " + str(key))
return [{'id' : key,
'login' : key,
'pluginid' : self.getId()
}]
return None return None
pass pass
classImplements(EmulabPlugin, IAuthenticationPlugin, IExtractionPlugin) classImplements(EmulabPlugin, IAuthenticationPlugin, IUserEnumerationPlugin,
IExtractionPlugin)
InitializeClass(EmulabPlugin) InitializeClass(EmulabPlugin)
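Review bot: The `if True:` branch (L141) returns `(user_id, user_id)` before the secret file is opened, so, if the indentation is as rendered, the `secret != user_secret` comparison at L165 is dead code and any extracted user_id that passes the regex is authenticated without the cookie ever being checked. Two further problems sit in that unreachable tail: `user_secret.rstrip("\r\n")` discards its result (str is immutable), so the comparison would always fail once it is reached, and `fp` is never closed. The sanity regex should be `r"^[-\w]+\Z"`, since `$` admits a trailing newline and `*` admits an empty id, and `enumerateUsers` should apply the same check to `id or login` before building the path (a call with both `None` also raises TypeError on the concatenation). `authenticateCredentials` starts above the hunk and `secret` is assigned there; the rewrite below keeps that name and only moves the group-add after verification.

```python
        # … unchanged: user_id = credentials['user_id'] …
        # Sanity check the user_id before we use it to open a file: one or
        # more of [-A-Za-z0-9_]; \Z so a trailing newline cannot slip past $.
        if not re.match(r"^[-\w]+\Z", user_id):
            logger.warn("Illegal characters in user_id: " + user_id)
            return None
        try:
            fp = open("/var/db/plone/" + user_id)
            # rstrip() returns a new string; the original threw it away.
            user_secret = fp.readline().rstrip("\r\n")
            user_admin = fp.readline().rstrip("\r\n")
            fp.close()
        except IOError:
            logger.warn("Could not open or read secret file for " + user_id)
            return None
        if secret != user_secret:
            return None
        # Only a verified user is added to the emulabusers group.
        user = self._getPAS().getUserById(user_id)
        if user and "emulabusers" not in user.getGroupIds():
            group_tool = getToolByName(self, 'portal_groups')
            logger.debug("Adding user id %s to group emulabusers", user_id)
            group_tool.addPrincipalToGroup(user_id, "emulabusers")
        return (user_id, user_id)
```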
#!/usr/bin/perl -w
#
# Copyright (c) 2007-2013 University of Utah and the Flux Group.
#
# {{{EMULAB-LICENSE
#
# This file is part of the Emulab network testbed software.
#
# This file is free software: you can redistribute it and/or modify it
# under the terms of the GNU Affero General Public License as published by
# the Free Software Foundation, either version 3 of the License, or (at
# your option) any later version.
#
# This file is distributed in the hope that it will be useful, but WITHOUT
# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
# FITNESS FOR A PARTICULAR PURPOSE. See the GNU Affero General Public
# License for more details.
#
# You should have received a copy of the GNU Affero General Public License
# along with this file. If not, see <http://www.gnu.org/licenses/>.
#
# }}}
#
use English;
use Getopt::Std;
use Errno;
use strict;
#
# Set up cross browser login to Plone wikis.
#
sub usage()
{
print "Usage: ploneproxy xlogin [-w wiki] [-p] <uid> <ip>\n";
exit(-1);
}
my $optlist = "dw:";
my $debug = 0;
my $wiki;
#
# Configure variables
#
my $TB = "@prefix@";
my $TBOPS = "@TBOPSEMAIL@";
my $OURDOMAIN = "@OURDOMAIN@";
my $PLONEUSER = "plone";
my $PLONEGROUP = "plone";
my $COOKIEDIR = "/var/db/plone";
#
# Turn off line buffering on output
#
$| = 1;
#
# Untaint the path
#
$ENV{'PATH'} = "/bin:/usr/bin:/sbin:/usr/sbin:/usr/local/bin";
delete @ENV{'IFS', 'CDPATH', 'ENV', 'BASH_ENV'};
#
# Only real root, cause the script has to read/write a pid file that
# cannot be accessed by the user.
#
if ($UID != 0) {
die("*** $0:\n".
" Must be root to run this script!\n");
}
#
# Testbed Support libraries
#
use lib "@prefix@/lib";
use libtestbed;
use libtbdb;
# Protos
sub xLogin(@);
sub fatal($);
#
# Parse command arguments. Once we return from getopts, all that should be
# left are the required arguments.
#
my %options = ();
if (! getopts($optlist, \%options)) {
usage();
}
if (defined($options{"d"})) {
$debug = 1;
}
if (defined($options{"w"})) {
$wiki = $options{"w"};
}
else {
$wiki = "emulab";
}
if (! @ARGV) {
usage();
}
exit(xLogin(@ARGV));
#
# Backdoor Login
#
sub xLogin(@)
{
my $priv = 0;
usage()
if (@_ < 2 || @_ > 3);
if ($_[0] eq "-p") {
$priv = 1;
shift(@_);
}
my ($user, $IP) = @_;
my $hash = TBGenSecretKey();
if (! -e $COOKIEDIR) {
system("/bin/mkdir -m 770 $COOKIEDIR") == 0
or fatal("Could not create $COOKIEDIR");
}
system("/usr/sbin/chown $PLONEUSER:$PLONEGROUP $COOKIEDIR") == 0
or fatal("Could not chown $COOKIEDIR");
#
# Create a little file that holds the secret key, named by the user.
# Use the key inside it to match against the key provided by the
# client browser.
#
open(KEY, ">${COOKIEDIR}/$user") or
fatal("Could not open ${COOKIEDIR}/$user for writing!");
print KEY "$hash\n";
print KEY "isadmin=$priv\n";
close(KEY);
# Return the hash to caller.
print "$hash\n";
return 0;
}
sub fatal($)
{
my($mesg) = $_[0];
die("*** $0:\n".
" $mesg\n");
}
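Review bot: `xLogin` writes `${COOKIEDIR}/$user` as root through a two-arg `open` without validating `$user` in this script; the only filter is the untaint in plonexlogin on the other host, so anything else able to reach ploneproxy (it is not taint-checked and runs only as root) can steer that write with a `../` path or a `|`-prefixed name. Add a local check, `$user =~ /^([-\w]+)$/ or fatal("Bad data in user: $user"); $user = $1;`, and use the three-arg form `open(KEY, ">", "${COOKIEDIR}/$user")`. Separately, the leading `xlogin` token from `@ARGV` is never shifted off, so with the invocation plonexlogin uses `$user` becomes the literal string `xlogin` (and with `-p` the count is 4 and `usage()` exits); `$IP` is also accepted but never used. The secret file is created under the caller's umask (typically 0644) and owned by root; consider `umask(077)` plus a chown to `$PLONEUSER` so only the plone daemon can read it.

```perl
sub xLogin(@)
{
    my $priv = 0;
    # First token is the "xlogin" subcommand name; drop it.
    shift(@_) if (@_ && $_[0] eq "xlogin");
    usage()
	if (@_ < 2 || @_ > 3);
    if ($_[0] eq "-p") {
	$priv = 1;
	shift(@_);
    }
    my ($user, $IP) = @_;
    # Validate here as well: this runs as root and names a file with $user.
    if ($user =~ /^([-\w]+)$/) {
	$user = $1;
    }
    else {
	fatal("Bad data in user: $user");
    }
    # … unchanged: key generation, COOKIEDIR creation and chown …
    open(KEY, ">", "${COOKIEDIR}/$user") or
	fatal("Could not open ${COOKIEDIR}/$user for writing!");
    # … unchanged: write hash and isadmin, close, print hash …
}
```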
#!/usr/bin/perl -wT
#
# Copyright (c) 2007-2013 University of Utah and the Flux Group.
#
# {{{EMULAB-LICENSE
#
# This file is part of the Emulab network testbed software.
#
# This file is free software: you can redistribute it and/or modify it
# under the terms of the GNU Affero General Public License as published by
# the Free Software Foundation, either version 3 of the License, or (at
# your option) any later version.
#
# This file is distributed in the hope that it will be useful, but WITHOUT
# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
# FITNESS FOR A PARTICULAR PURPOSE. See the GNU Affero General Public
# License for more details.
#
# You should have received a copy of the GNU Affero General Public License
# along with this file. If not, see <http://www.gnu.org/licenses/>.
#
# }}}
#
use English;
use Getopt::Std;
#
# Cross machine login for a user, to a list. The type is one of "user"
# or "admin". The admin tag lets the user into the admin interface.
#
sub usage()
{
print STDOUT "Usage: plonexlogin [-p] [-w wiki] <uid> <ipaddr>\n";
exit(-1);
}
my $optlist = "dw:p";
my $debug = 0;
my $wiki = "emulab";
my $privopt = "";
#
# Configure variables
#
my $TB = "@prefix@";
my $TBOPS = "@TBOPSEMAIL@";
my $TBAUDIT = "@TBAUDITEMAIL@";
my $CONTROL = "@USERNODE@";
my $BOSSNODE = "@BOSSNODE@";
my $TRACSUPPORT = @TRACSUPPORT@;
my $SSH = "$TB/bin/sshtb";
my $PLONEPROXY = "$TB/sbin/ploneproxy";
# Protos
sub fatal($);
#
# Untaint the path
#
$ENV{'PATH'} = "/bin:/usr/bin";
delete @ENV{'IFS', 'CDPATH', 'ENV', 'BASH_ENV'};
#
# Turn off line buffering on output
#
$| = 1;
#
# Load the Testbed support stuff.
#
use lib "@prefix@/lib";
use libdb;
use libtestbed;
use User;
#
# We don't want to run this script unless its the real version.
#
if ($EUID != 0) {
die("*** $0:\n".
" Must be setuid! Maybe its a development version?\n");
}
#
# This script is setuid, so please do not run it as root. Hard to track
# what has happened.
#
if ($UID == 0) {
die("*** $0:\n".
" Please do not run this as root! Its already setuid!\n");
}
#
# If no mailman support, just exit.
#
if (0) {
print "Trac support is not enabled. Exit ...\n";
exit(0);
}
#
# Parse command arguments. Once we return from getopts, all that should be
# left are the required arguments.
#
%options = ();
if (! getopts($optlist, \%options)) {
usage();
}
if (defined($options{"d"})) {
$debug = 1;
}
if (defined($options{"p"})) {
$privopt = "-p";
}
if (defined($options{"w"})) {
$wiki = $options{"w"};
if ($wiki =~ /^([-\w]+)$/) {
$wiki = $1;
}
else {
die("Bad data in wiki: $wiki");
}
}
usage()
if (@ARGV != 2);
my $user = $ARGV[0];
my $ipaddr = $ARGV[1];
#
# Untaint args.
#
if ($user =~ /^([-\w]+)$/) {
$user = $1;
}
else {
die("Bad data in user: $user.");
}
if ($ipaddr =~ /^([\d\.]+)$/) {
$ipaddr = $1;
}
else {
die("Bad data in ipaddr: $ipaddr");
}
# Map target user to object.
my $target_user = User->Lookup($user);
if (! defined($target_user)) {
fatal("$user does not exist!");
}
#
# For ssh.
#
$UID = $EUID;
open(COOKIE,
"$SSH -host $CONTROL $PLONEPROXY -w $wiki xlogin $privopt $user $ipaddr |")
or fatal("$PLONEPROXY failed on $CONTROL!");
my $cookie = <COOKIE>;
close(COOKIE) or
fatal("$PLONEPROXY failed on $CONTROL!");
exit(1)
if (!defined($cookie));
# Send back to PHP.
print $cookie;
exit(0);
sub fatal($)
{
my($mesg) = $_[0];
die("*** $0:\n".
" $mesg\n");
}
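Review bot: Nothing in this setuid script ties the invoking real `$UID` to `$user` or gates `-p`: any principal that can execute it obtains a login cookie for any existing testbed user, and with `-p` an admin one. If that authorization is done by the PHP caller, say so in the header comment (`# Caller (PHP) is responsible for checking that the invoking user may act as <uid> and may request -p`); otherwise add a check here, e.g. compare `User->Lookup($UID)` against `$target_user` and require an admin for `-p`, using whatever helper the rest of the tree uses for that (confirm the exact API). The header comment at L342 still describes a mailman list login and the `if (0)` block at L401 still says "Trac support is not enabled" — both are copy-over leftovers and should be dropped or rewritten for plone, as should the unused `$TRACSUPPORT`. The file also lacks `use strict`, which is why the undeclared `%options` at L409 goes unnoticed.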
...@@ -7611,6 +7611,7 @@ outfiles="$outfiles Makeconf GNUmakefile \ ...@@ -7611,6 +7611,7 @@ outfiles="$outfiles Makeconf GNUmakefile \
protogeni/rspec-emulab/2/GNUmakefile \ protogeni/rspec-emulab/2/GNUmakefile \
collab/GNUmakefile \ collab/GNUmakefile \
collab/trac/GNUmakefile \ collab/trac/GNUmakefile \
collab/plone/GNUmakefile \
collab/jabber/GNUmakefile \ collab/jabber/GNUmakefile \
collab/mailman/GNUmakefile collab/cvstools/GNUmakefile \ collab/mailman/GNUmakefile collab/cvstools/GNUmakefile \
collab/mailman/mmlistmembership \ collab/mailman/mmlistmembership \
......
# #
# Copyright (c) 2000-2012 University of Utah and the Flux Group. # Copyright (c) 2000-2013 University of Utah and the Flux Group.
# #
# {{{EMULAB-LICENSE # {{{EMULAB-LICENSE
# #
...@@ -1226,6 +1226,7 @@ outfiles="$outfiles Makeconf GNUmakefile \ ...@@ -1226,6 +1226,7 @@ outfiles="$outfiles Makeconf GNUmakefile \
protogeni/rspec-emulab/2/GNUmakefile \ protogeni/rspec-emulab/2/GNUmakefile \
collab/GNUmakefile \ collab/GNUmakefile \
collab/trac/GNUmakefile \ collab/trac/GNUmakefile \
collab/plone/GNUmakefile \
collab/jabber/GNUmakefile \ collab/jabber/GNUmakefile \
collab/mailman/GNUmakefile collab/cvstools/GNUmakefile \ collab/mailman/GNUmakefile collab/cvstools/GNUmakefile \
collab/mailman/mmlistmembership \ collab/mailman/mmlistmembership \
......