From 57ef142ab094e156bb25b077ce16563dfde5a8ff Mon Sep 17 00:00:00 2001
From: Michael DeHaan
Date: Mon, 3 Dec 2007 17:38:49 -0500
Subject: First start of pluggable authn/authz system for remote API + web interface, using Apache modules.
---
 MANIFEST.in | 1 +
 Makefile | 1 +
 cobbler.spec | 2 ++
 config/cobbler.conf | 20 +++++++++++++--
 scripts/index.py | 72 +++++++++++++++++++++++++++++++++++++++++++++++++++++
 setup.py | 7 +++---
 6 files changed, 98 insertions(+), 5 deletions(-)
 create mode 100755 scripts/index.py
diff --git a/MANIFEST.in b/MANIFEST.in
index 6af01ca..9cc1780 100644
--- a/MANIFEST.in
+++ b/MANIFEST.in
@@ -23,6 +23,7 @@ include scripts/cobblerd
 include scripts/findks.cgi
 include scripts/nopxe.cgi
 include scripts/webui.cgi
+include scripts/gateway.py
 include scripts/post_install_trigger.cgi
 include snippets/*
 recursive-include po *.pot
diff --git a/Makefile b/Makefile
index ca8f57c..6e8ac88 100644
--- a/Makefile
+++ b/Makefile
@@ -48,6 +48,7 @@ devinstall:
 find /var/lib/cobbler/triggers | xargs chmod +x
 chown -R apache /var/www/cobbler
 chown -R apache /var/www/cgi-bin/cobbler
+ chmod -R +x /var/www/cobbler/web
 sdist: clean messages updatewui
 python setup.py sdist
diff --git a/cobbler.spec b/cobbler.spec
index 1660c36..3fc9bb0 100644
--- a/cobbler.spec
+++ b/cobbler.spec
@@ -75,6 +75,8 @@ test "x$RPM_BUILD_ROOT" != "x" && rm -rf $RPM_BUILD_ROOT
 %files
 %defattr(755,apache,apache)
+%dir /var/www/cobbler/web/
+/var/www/cobbler/web/*.py
 %dir /var/www/cgi-bin/cobbler/
 /var/www/cgi-bin/cobbler/*.cgi
 %defattr(660,apache,apache)
diff --git a/config/cobbler.conf b/config/cobbler.conf
index 3ebc9e6..422420d 100644
--- a/config/cobbler.conf
+++ b/config/cobbler.conf
@@ -7,7 +7,6 @@ AliasMatch ^/cobbler(.*)?$ "/var/www/cobbler$1"
 Options Indexes FollowSymLinks
- AllowOverride None
 Order allow,deny
 Allow from all 
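Review bot: `include scripts/gateway.py` names a file this commit does not create; the new handler is `scripts/index.py` (see the `create mode` line and the setup.py data_files entry), so an sdist built from this tree would ship without the module that the spec and setup.py expect to install. The line should read `include scripts/index.py`, or the file should be renamed consistently across MANIFEST.in, setup.py and the `PythonAccessHandler index` directives in config/cobbler.conf.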
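Review bot: The two new `%files` entries for `/var/www/cobbler/web/` fall under the existing `%defattr(755,apache,apache)`, so the mod_python module that implements the authentication and access checks is owned and writable by the web-server user; a compromised Apache worker could then rewrite its own authn handler. As far as this diff shows nothing writes to that tree at runtime, so a narrower `%defattr(644,root,root)` for the `.py` files (directory 755, root-owned) would keep the handler read-only for the process it protects. The Makefile hunk's `chmod -R +x /var/www/cobbler/web` on the same line is likewise unnecessary for a module loaded by mod_python and could be dropped.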
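Review bot: Removing `AllowOverride None` from the /var/www/cobbler block makes that directory fall back to the server default, which on Apache 2.2 is `All`; together with the spec's apache-owned tree, any `.htaccess` the web-server user can write under /var/www/cobbler would then be honoured. If the removal is needed for the new web/ handler block, keep `AllowOverride None` here and relax it only inside the narrower section for /var/www/cobbler/web. The enclosing Directory line does not survive in this rendering, so the exact scope of the block cannot be confirmed from the page.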
@@ -24,7 +23,7 @@ ProxyPassReverse /cobbler_api_rw http://localhost:25152/
 BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
-# For Web UI, see also: /var/www/cgi-bin/cobbler/.htaccess
+# For misc CGI scripts
 AllowOverride All
@@ -33,4 +32,21 @@ BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
 Allow from all
+# mod_python WebUI/services
+
+
+ AuthType Basic
+ AuthName Cobbler
+ Require valid-user
+ SetHandler mod_python
+ PythonAccessHandler index
+ PythonAuthenHandler index
+ PythonAuthZHandler index
+ PythonHandler mod_python.publisher
+
+ # disable in production
+ PythonDebug on
+ PythonAutoReload on
+
+
diff --git a/scripts/index.py b/scripts/index.py
new file mode 100755
index 0000000..9076d6d
--- /dev/null
+++ b/scripts/index.py 
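Review bot: `PythonDebug on` and `PythonAutoReload on` are committed into the shipped configuration with only a comment asking for them to be disabled; with PythonDebug on, mod_python returns the Python traceback to the client on any handler error, exposing file paths and code to whoever can reach the URL. Default the shipped file to `PythonDebug off` and leave the auto-reload line out, enabling both in a developer's local override instead. The block also relies on `AuthType Basic`, which transmits the password base64-encoded on every request, so either the vhost must be restricted to TLS or the comment should record that assumption. The enclosing Directory/Files container lines do not survive in this rendering, so which paths the auth and handler directives actually cover cannot be verified from the page.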
@@ -0,0 +1,72 @@
+"""
+mod_python gateway to all interesting cobbler web and web service
+functions.
+
+Copyright 2007, Red Hat, Inc
+Michael DeHaan
+
+This software may be freely redistributed under the terms of the GNU
+general public license.
+
+You should have received a copy of the GNU General Public License
+along with this program; if not, write to the Free Software
+Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+"""
+
+# TO DO:
+# connect backend authn via cobbler XMLRPC (non-RW) API
+# connect backend authz via cobbler XMLRPC (RW) API
+# serve up Web UI through this interface, via tokens in headers
+# make REST interface for read/write commands (also?)
+
+from mod_python import apache
+
+def __get_user(req):
+ req.add_common_vars()
+ env_vars = req.subprocess_env.copy()
+ return env_vars["REMOTE_USER"]
+
+def index(req):
+ user = __get_user(req)
+ path = req.uri
+ return "Hello, %s, %s" % (user, path)
+
+def hello(req):
+ user = __get_user(req)
+ path = req.uri
+ return "We are in hello(%s)" % path
+
+def authenhandler(req):
+
+ pw = req.get_basic_auth_pw()
+ user = req.user
+
+ # FIXME: poll cobbler_api (not rw) here to check
+ # check_authn(user,pass) -> T/F
+
+ apache.log_error("authenticate handler called")
+
+ if user == "admin" and pw == "cobbler":
+ return apache.OK
+ else:
+ return apache.HTTP_UNAUTHORIZED
+
+def accesshandler(req):
+ uri = req.uri
+
+ apache.log_error("accesshandler uri: %s" % (uri))
+
+ # FIXME: poll cobbler_api (not rw) here to check
+ # check_access(user,uri) -> T/F
+
+ if uri.find("hello") != -1:
+ return apache.HTTP_FORBIDDEN
+ return apache.OK
+
+def authenzhandler(req):
+
+ # we really don't need this because of the accesshandler.
+ # add in later if we find we /DO/ need it
+ return apache.OK
+
+
diff --git a/setup.py b/setup.py
index 05bc079..d8d229f 100644
--- a/setup.py
+++ b/setup.py 
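Review bot: `authenzhandler` does not match the `PythonAuthZHandler index` directive added in config/cobbler.conf: mod_python derives the callback name from the directive, so it will look up `index.authzhandler`, fail to find it, and every request to the block should end in a server error before the publisher runs; rename it `def authzhandler(req):`. `authenhandler` installs a working hard-coded credential pair (`admin`/`cobbler`) behind a FIXME; until the XML-RPC check is wired up, returning `apache.HTTP_UNAUTHORIZED` unconditionally is safer than a default admin password that ships with the package. The planned `check_access(user, uri)` in `accesshandler` cannot rely on `req.user`, because Apache runs the access phase before the authentication phase, so per-user decisions belong in the authz handler that is currently a stub; `uri.find("hello") != -1` is also a substring test rather than a path comparison and should match normalized path components once real rules exist. `__get_user` copies the whole `subprocess_env` mapping to read one key; after the authen phase `req.user` already holds the same value.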
@@ -45,6 +45,7 @@ if __name__ == "__main__":
 tftp_images = "/tftpboot/images"
 rotpath = "/etc/logrotate.d"
 cgipath = "/var/www/cgi-bin/cobbler"
+ modpython = "/var/www/cobbler/web"
 setup(
 name="cobbler",
 version = VERSION,
@@ -60,10 +61,10 @@ if __name__ == "__main__":
 ],
 scripts = ["scripts/cobbler", "scripts/cobblerd"],
 data_files = [
-
+ (modpython, ['scripts/index.py']),
 # cgi files
- (cgipath, ['scripts/findks.cgi', 'scripts/nopxe.cgi']),
- (cgipath, ['scripts/webui.cgi', 'scripts/post_install_trigger.cgi']),
+ (cgipath, ['scripts/findks.cgi', 'scripts/nopxe.cgi']),
+ (cgipath, ['scripts/webui.cgi', 'scripts/post_install_trigger.cgi']),
 # miscellaneous config files
 (cgipath, ['config/.htaccess']),
-- 
cgit