Commit d8df1967 authored by Leigh Stoller's avatar Leigh Stoller

Initial cross domain login support for the datapository. When the

remote site (currently just www.datapository.net) wants to verify the
user (log the user in), it redirects the user to:

	https://www.emulab.net/login_redirect.php?redirect_to=http://www.datapository.net/login.rhtml

Emulab verifies the user, and then issues an ssh to the host in the
URL, giving it the uid and a freshly generated hash string. Emulab
then redirects the user's browser back over to the redirect_to URL,
appending the user name and the hash.

	http://www.datapository.net/login.rhtml?user=$uid&auth='$hash'

What the remote site does with all of this is up to that site.
parent a86c1d62
......@@ -2312,7 +2312,7 @@ outfiles="$outfiles Makeconf GNUmakefile \
utils/grabwebcams utils/loghole utils/webcopy \
utils/setdest utils/websetdest utils/grabswitchconfig \
utils/backupswitches utils/setbuildinfo utils/checkquota \
utils/spewconlog utils/webspewconlog \
utils/spewconlog utils/webspewconlog utils/xlogin \
www/GNUmakefile www/defs.php3 www/dbdefs.php3 www/xmlrpc.php3 \
www/swish.conf www/websearch www/garcia-telemetry/GNUmakefile \
vis/GNUmakefile vis/webvistopology vis/dbvistopology \
......@@ -750,7 +750,7 @@ outfiles="$outfiles Makeconf GNUmakefile \
utils/grabwebcams utils/loghole utils/webcopy \
utils/setdest utils/websetdest utils/grabswitchconfig \
utils/backupswitches utils/setbuildinfo utils/checkquota \
utils/spewconlog utils/webspewconlog \
utils/spewconlog utils/webspewconlog utils/xlogin \
www/GNUmakefile www/defs.php3 www/dbdefs.php3 www/xmlrpc.php3 \
www/swish.conf www/websearch www/garcia-telemetry/GNUmakefile \
vis/GNUmakefile vis/webvistopology vis/dbvistopology \
......@@ -20,10 +20,10 @@ SBIN_SCRIPTS = vlandiff vlansync withadminprivs export_tables cvsupd.pl \
eventping grantnodetype import_commitlog dhcpd_wrapper \
opsreboot deletenode node_statewait grabwebcams \
grabswitchconfig backupswitches cvsinit checkquota \
spewconlog
spewconlog loadns
LIBEXEC_SCRIPTS = webcreateimage newnode webdeletenode spewleds webcopy \
websetdest spewsource weblinkmon_ctl webcvsweb \
webspewconlog
webspewconlog xlogin
#
# Force dependencies on the scripts so that they will be rerun through
......@@ -55,6 +55,8 @@ post-install:
chmod u+s $(INSTALL_SBINDIR)/checkquota
chown root $(INSTALL_SBINDIR)/spewconlog
chmod u+s $(INSTALL_SBINDIR)/spewconlog
chown root $(INSTALL_LIBEXECDIR)/xlogin
chmod u+s $(INSTALL_LIBEXECDIR)/xlogin
#
# Control node installation (okay, plastic)
#!/usr/bin/perl -wT
#
# EMULAB-COPYRIGHT
# Copyright (c) 2005 University of Utah and the Flux Group.
# All rights reserved.
#
use English;
use Getopt::Std;
#
# Cross domain login.
#
sub usage()
{
print STDOUT "Usage: xlogin <host> <uid> <key>\n";
exit(-1);
}
my $optlist = "d";
my $debug = 0;
#
# Configure variables
#
my $TB = "@prefix@";
my $TBOPS = "@TBOPSEMAIL@";
my $SSH = "/usr/bin/ssh";
my $XLOGINUSER = "authelab";
my $XLOGINCMD = "/usr/local/datapository/bin/xdomain_auth";
#
# Untaint the path
#
$ENV{'PATH'} = "/bin:/usr/bin";
delete @ENV{'IFS', 'CDPATH', 'ENV', 'BASH_ENV'};
#
# Turn off line buffering on output
#
$| = 1;
#
# Load the Testbed support stuff.
#
use lib "@prefix@/lib";
use libdb;
use libtestbed;
#
# We do not want to run this script unless its the real version.
#
if ($EUID != 0) {
die("*** $0:\n".
" Must be setuid! Maybe its a development version?\n");
}
#
# This script is setuid, so please do not run it as root. Hard to track
# what has happened.
#
if ($UID == 0) {
die("*** $0:\n".
" Please do not run this as root! Its already setuid!\n");
}
#
# Parse command arguments. Once we return from getopts, all that should be
# left are the required arguments.
#
%options = ();
if (! getopts($optlist, \%options)) {
usage();
}
if (defined($options{"d"})) {
$debug = 1;
}
if (@ARGV != 3) {
usage();
}
my $host = $ARGV[0];
my $user = $ARGV[1];
my $key = $ARGV[2];
#
# Untaint args.
#
if ($host =~ /^([-\w\.]+)$/) {
$host = $1;
}
else {
die("Bad data in host: $host");
}
if ($user =~ /^([-\w]+)$/) {
$user = $1;
}
else {
die("Bad data in user: $user.");
}
if ($key =~ /^([\w]+)$/) {
$key = $1;
}
else {
fatal("Bad data in secretkey!");
}
# Just nfs.emulab.net or www.datapository.net for now ...
if ($host ne "nfs.emulab.net" &&
$host ne "www.datapository.net") {
fatal("Bad host; must be one of nfs.emulab.net or www.datapository.net!");
}
#
# For ssh.
#
$UID = $EUID;
if (system("$SSH -l $XLOGINUSER $host $XLOGINCMD $user '$key'")) {
fatal("$XLOGINCMD failed on $host!");
}
exit(0);
sub fatal($)
{
my($mesg) = $_[0];
die("*** $0:\n".
" $mesg\n");
}
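Review bot: The authentication hash is handed to ssh as a command-line argument at `system("$SSH -l $XLOGINUSER $host $XLOGINCMD $user '$key'")`, so it is readable from the process list on this host and on the remote host for as long as the ssh session lasts, and the single-string form also spawns a local shell to parse it. The list form `system($SSH, '-l', $XLOGINUSER, $host, $XLOGINCMD, $user, $key)` removes the local shell, and writing the key to ssh's stdin instead of argv would keep it out of `ps` on both ends, though that presumably requires the remote `xdomain_auth` to read it from stdin rather than its arguments. The untaint patterns together with the two-host allowlist already bound what can reach this command, so this is hardening of secret handling rather than an injection fix. Separately, `%options = ();` is an undeclared package global and the script carries `-wT` but no `use strict;`; `my %options = ();` fixes the former.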
<?php
#
# EMULAB-COPYRIGHT
# Copyright (c) 2000-2005 University of Utah and the Flux Group.
# All rights reserved.
#
include("defs.php3");
# No Pageheader since we spit out a redirection below.
$uid = GETLOGIN();
#
# We must get the redirection target.
#
if (!isset($redirect_to) || $redirect_to == "") {
PAGEARGERROR("Must supply a redirection target!");
}
#
# Check format. Also figure out the target.
#
if (! preg_match("/^http[s]?:\/\/([-\w\.]*)\//", $redirect_to, $matches)) {
PAGEARGERROR("Invalid redirection argument!");
}
$redirect_host = $matches[1];
#
# Right now all we allow is www.datapository.net, and that is really
# nfs.emulab.net.
#
if ($redirect_host != "www.datapository.net" &&
$redirect_host != "nfs.emulab.net") {
PAGEARGERROR("Invalid redirection host '$redirect_host'");
}
#
# Okay, now see if the user is logged in. If not, the user will be
# be brought back here after logging in.
#
LOGGEDINORDIE($uid);
#
# Generate a cookie.
#
$authhash = GENHASH();
#
# Send it over to the server where it will save it.
#
SUEXEC("nobody", "nobody", "xlogin $redirect_host $uid $authhash",
SUEXEC_ACTION_DIE);
#
# Now redirect the user over, passing along the hash in the URL.
#
header("Location: ${redirect_to}?user=${uid}&auth=${authhash}");
?>
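Review bot: The format check at `preg_match("/^http[s]?:\/\/([-\w\.]*)\//", $redirect_to, $matches)` validates only the scheme and host; everything after the first `/` is left unchecked and is then written verbatim into the `Location:` header at the bottom of the file, so a value carrying CR/LF or its own `?query` reaches the response header unaltered (whether header() itself strips newlines depends on the PHP version in use, so this is worth closing in the code). Anchoring the whole value, e.g. `if (! preg_match("/^https?:\/\/([-\w\.]+)\/[-\w\.\/]*\z/", $redirect_to, $matches))`, rejects anything after the host that is not a plain path and also rules out the empty host the current `*` quantifier admits. The freshly generated hash travels in the query string, so it will land in the remote site's access logs, any referrer headers and the browser history; a comment at the `header()` call stating that the remote side must treat the hash as single-use and short-lived would record the assumption this design rests on.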