diff options
| -rw-r--r-- | CHANGELOG | 1 | ||||
| -rw-r--r-- | cobbler.spec | 2 | ||||
| -rw-r--r-- | cobbler/remote.py | 42 | ||||
| -rw-r--r-- | cobbler/settings.py | 2 | ||||
| -rw-r--r-- | config/settings | 2 | ||||
| -rwxr-xr-x | scripts/change_profile.cgi | 86 | ||||
| -rwxr-xr-x | scripts/findks.cgi | 1 | ||||
| -rwxr-xr-x | scripts/register_mac.cgi | 22 |
8 files changed, 63 insertions, 95 deletions
@@ -5,6 +5,7 @@ Cobbler CHANGELOG - fix to webui to allow repos to be edited there on profile page - disable local socket XMLRPC as nothing is using it. - fixed findks.cgi so it supports multiple NICs +- import now supports both --path and --mirror as aliases, as before - added change_profile.cgi for changing profiles from CGI - added register_mac.cgi diff --git a/cobbler.spec b/cobbler.spec index 4b52cf6..e56d298 100644 --- a/cobbler.spec +++ b/cobbler.spec @@ -190,7 +190,7 @@ test "x$RPM_BUILD_ROOT" != "x" && rm -rf $RPM_BUILD_ROOT %changelog -* Fri Feb 22 2008 Michael DeHaan <mdehaan@redhat.com> - 0.8.2-1 +* Fri Mar 07 2008 Michael DeHaan <mdehaan@redhat.com> - 0.8.2-1 - Upstream changes (see CHANGELOG) * Wed Feb 20 2008 Michael DeHaan <mdehaan@redhat.com> - 0.8.1-1 diff --git a/cobbler/remote.py b/cobbler/remote.py index 57570aa..5131323 100644 --- a/cobbler/remote.py +++ b/cobbler/remote.py @@ -164,6 +164,48 @@ class CobblerXMLRPCInterface: """ self.log("get_settings",token=token) return self.__get_all("settings") + + def profile_change(self,mac,newprofile,token=None): + """ + If allow_cgi_profile_change is enabled in settings, this allows + kickstarts to set the profile of a machine to another profile + via a wget in %post. This has security implications. + READ: https://fedorahosted.org/cobbler/wiki/AutoProfileChange + """ + + if not self.api.settings().allow_cgi_profile_change: + return 1 + + system = self.api.find_system(mac_address=mac) + if system is None: + return 2 + + system.set_profile(newprofile) + self.api.add_system(system) + + + def register_mac(self,mac,token=None): + """ + If allow_cgi_register_mac is enabled in settings, this allows + kickstarts to add new system records for per-profile-provisioned + systems automatically via a wget in %post. This has security + implications. + READ: https://fedorahosted.org/cobbler/wiki/AutoRegistration + """ + + if not self.api.settings().allow_cgi_mac_registration: + return 1 + + system = self.api.find_system(mac_address=mac) + if system is not None: + return 2 + + obj = server.new_system(token) + obj.set_profile(profile) + obj.set_name(mac.replace(":","_")) + obj.set_mac_address(mac, "intf0") + systems.add(obj,save=True) + return 0 def disable_netboot(self,name,token=None): """ diff --git a/cobbler/settings.py b/cobbler/settings.py index 8cd7032..581403c 100644 --- a/cobbler/settings.py +++ b/cobbler/settings.py @@ -22,6 +22,8 @@ TESTMODE = False # we need. DEFAULTS = { + "allow_cgi_mac_registration" : 0, + "allow_cgi_profile_change" : 0, "bootloaders" : { "standard" : "/usr/lib/syslinux/pxelinux.0", "ia64" : "/var/lib/cobbler/elilo-3.6-ia64.efi" diff --git a/config/settings b/config/settings index c006cb3..9355e71 100644 --- a/config/settings +++ b/config/settings @@ -1,4 +1,6 @@ --- +allow_cgi_mac_registration: 0 +allow_cgi_profile_change: 0 bootloaders: ia64: /var/lib/cobbler/elilo-3.6-ia64.efi standard: /usr/lib/syslinux/pxelinux.0 diff --git a/scripts/change_profile.cgi b/scripts/change_profile.cgi index f2e5acd..f7330f1 100755 --- a/scripts/change_profile.cgi +++ b/scripts/change_profile.cgi @@ -24,12 +24,8 @@ import sys import socket import xmlrpclib -# FIXME: edit these two variables to match your webui configuration -USERNAME = "cobbler" -PASSWORD = "cobbler" - COBBLER_BASE = "/var/www/cobbler" -XMLRPC_SERVER = "http://127.0.0.1/cobbler_api_rw" +XMLRPC_SERVER = "http://127.0.0.1/cobbler_api" DEFAULT_PROFILE = "default" #---------------------------------------------------------------------- @@ -44,6 +40,12 @@ class ServerProxy(xmlrpclib.ServerProxy): def parse_query(): form = cgi.parse() + + mac = "-1" + if os.environ.has_key("HTTP_X_RHN_PROVISIONING_MAC_0"): + # FIXME: will not key off other NICs + devicepair = os.environ["HTTP_X_RHN_PROVISIONING_MAC_0"] + return devicepair.split()[1].strip() if form.has_key("profile"): profile = form["profile"][0] @@ -57,68 +59,10 @@ def parse_query(): #---------------------------------------------------------------------- def autodetect(): + # get mac address, requires kssendmac on the kernel options line. + else: + return "-1" - # connect to cobblerd and get the list of systems - - try: - xmlrpc_server = ServerProxy(XMLRPC_SERVER) - systems = xmlrpc_server.get_systems() - except: - print "# could not contact cobblerd at %s" % XMLRPC_SERVER - sys.exit(1) - - # if kssendmac was in the kernel options line, see - # if a system can be found matching the MAC address. This - # is more specific than an IP match. - - if os.environ.has_key("HTTP_X_RHN_PROVISIONING_MAC_0"): - # FIXME: will not key off other NICs - devicepair = os.environ["HTTP_X_RHN_PROVISIONING_MAC_0"] - mac = devicepair.split()[1].strip() - # mac is the macaddress of the first nic reported by anaconda - candidates = [system['name'] for system in systems if system['mac_address'].lower() == mac.lower()] - if len(candidates) == 0: - print "# no system entries with MAC %s found" % mac - print "# trying IP lookup" - elif len(candidates) > 1: - print "# multiple system entries with MAC %s found" % mac - sys.exit(1) - elif len(candidates) == 1: - print "# kickstart matched by MAC: %s" % mac - return candidates[0] - - # attempt to match by the IP. - - try: - ip = os.environ["REMOTE_ADDR"] - except: - ip = "127.0.0.1" - - candidates = [] - for x in systems: - for y in x["interfaces"]: - if x["interfaces"][y]["ip_address"] == ip: - candidates.append(x) - - if len(candidates) == 0: - print "# no system entries with ip %s found" % ip - sys.exit(1) - elif len(candidates) > 1: - print "# multiple system entries with ip %s found" % ip - sys.exit(1) - elif len(candidates) == 1: - return candidates[0] - -#---------------------------------------------------------------------- - - -def make_change(server,system,profile,token): - print "# getting handle for: %s" % system - handle = server.get_system_handle(system,token) - print "# modifying system %s to %s" % (system,profile) - server.modify_system(handle,"profile",profile,token) - print "# saving system" - server.save_system(handle,token) #---------------------------------------------------------------------- @@ -132,15 +76,11 @@ if __name__ == "__main__": cgitb.enable(format='text') header() server = ServerProxy(XMLRPC_SERVER) - token = server.login(USERNAME,PASSWORD) - (system, profile) = parse_query() - print "# running for %s %s" % (system,profile) + (mac, profile) = parse_query() try: ip = os.environ["REMOTE_ADDR"] except: ip = "???" - print "# requestor ip = %s" % ip - print "# =============================" - print "# system name = %s" % system - make_change(server,system,profile,token) + print "# attempting to change system(mac=%s) to profile(%s)" % (mac,profile) + server.change_profile(mac,profile) diff --git a/scripts/findks.cgi b/scripts/findks.cgi index 6fad6dc..39adbcf 100755 --- a/scripts/findks.cgi +++ b/scripts/findks.cgi @@ -73,6 +73,7 @@ def autodetect(): candidates = [] for x in systems: + for y in x["interfaces"]: if x["interfaces"][y]["ip_address"] == ip: candidates.append(x) diff --git a/scripts/register_mac.cgi b/scripts/register_mac.cgi index b0eb587..5507525 100755 --- a/scripts/register_mac.cgi +++ b/scripts/register_mac.cgi @@ -84,27 +84,7 @@ def autodetect(): def make_change(server,mac,profile,token): - print "# getting handle for: %s" % mac - - systems = server.get_systems() - for s in systems: - for i in s["interfaces"]: - if s["interfaces"][i]["mac_address"].lower() == mac.lower(): - print "# found an existing record, will not continue" - return - - # good, no system found, so we can add a new one. - print "# creating new system record" - handle = server.new_system(token) - server.modify_system(handle,"profile",profile,token) - server.modify_system(handle,"name",mac.replace(":","_"),token) - intf_hash = { - # FIXME: also include IP info if we have it? - "macaddress-intf0" : mac - } - server.modify_system(handle,"modify-interface",intf_hash,token) - print "# saving system" - server.save_system(handle,token) + server.register_mac(mac,profile) #---------------------------------------------------------------------- |