diff options
Diffstat (limited to 'ipsilon/login/authform.py')
-rwxr-xr-x | ipsilon/login/authform.py | 189 |
1 files changed, 189 insertions, 0 deletions
diff --git a/ipsilon/login/authform.py b/ipsilon/login/authform.py new file mode 100755 index 0000000..bd06b60 --- /dev/null +++ b/ipsilon/login/authform.py @@ -0,0 +1,189 @@ +#!/usr/bin/python +# +# Copyright (C) 2014 Simo Sorce <simo@redhat.com> +# +# see file 'COPYING' for use and warranty information +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. + +from ipsilon.login.common import LoginPageBase, LoginManagerBase +from ipsilon.login.common import FACILITY +from ipsilon.util.plugin import PluginObject +from ipsilon.util.user import UserSession +from string import Template +import cherrypy +import subprocess + + +class Form(LoginPageBase): + + def GET(self, *args, **kwargs): + context = self.create_tmpl_context() + # pylint: disable=star-args + return self._template('login/pam.html', **context) + + def POST(self, *args, **kwargs): + us = UserSession() + us.remote_login() + user = us.get_user() + if not user.is_anonymous: + return self.lm.auth_successful(user.name) + else: + try: + error = cherrypy.request.headers['EXTERNAL_AUTH_ERROR'] + except KeyError: + error = "Unknown error using external authentication" + cherrypy.log.error("Error: %s" % error) + return self.lm.auth_failed() + + def root(self, *args, **kwargs): + op = getattr(self, cherrypy.request.method, self.GET) + if callable(op): + return op(*args, **kwargs) + + def create_tmpl_context(self, **kwargs): + next_url = None + if self.lm.next_login is not None: + next_url = self.lm.next_login.path + + context = { + "title": 'Login', + "action": '%s/login/form' % self.basepath, + "service_name": self.lm.service_name, + "username_text": self.lm.username_text, + "password_text": self.lm.password_text, + "description": self.lm.help_text, + "next_url": next_url, + } + context.update(kwargs) + return context + + +class LoginManager(LoginManagerBase): + + def __init__(self, *args, **kwargs): + super(LoginManager, self).__init__(*args, **kwargs) + self.name = 'form' + self.path = 'form' + self.page = None + self.description = """ +Form based login Manager. Relies on mod_intercept_form_submit plugin for + actual authentication. """ + self._options = { + 'service name': [ + """ The name of the PAM service used to authenticate. """, + 'string', + 'remote' + ], + 'help text': [ + """ The text shown to guide the user at login time. """, + 'string', + 'Insert your Username and Password and then submit.' + ], + 'username text': [ + """ The text shown to ask for the username in the form. """, + 'string', + 'Username' + ], + 'password text': [ + """ The text shown to ask for the password in the form. """, + 'string', + 'Password' + ], + } + + @property + def service_name(self): + return self.get_config_value('service name') + + @property + def help_text(self): + return self.get_config_value('help text') + + @property + def username_text(self): + return self.get_config_value('username text') + + @property + def password_text(self): + return self.get_config_value('password text') + + def get_tree(self, site): + self.page = Form(site, self) + return self.page + + +CONF_TEMPLATE = """ +LoadModule intercept_form_submit_module modules/mod_intercept_form_submit.so +LoadModule authnz_pam_module modules/mod_authnz_pam.so + +<Location /${instance}/login/form> + InterceptFormPAMService ${service} + InterceptFormLogin login_name + InterceptFormPassword login_password + # InterceptFormLoginSkip admin + # InterceptFormClearRemoteUserForSkipped on + InterceptFormPasswordRedact on +</Location> +""" + + +class Installer(object): + + def __init__(self): + self.name = 'form' + self.ptype = 'login' + + def install_args(self, group): + group.add_argument('--form', choices=['yes', 'no'], default='no', + help='Configure External Form authentication') + group.add_argument('--form-service', action='store', default='remote', + help='PAM service name to use for authentication') + + def configure(self, opts): + if opts['form'] != 'yes': + return + + confopts = {'instance': opts['instance'], + 'service': opts['form_service']} + + tmpl = Template(CONF_TEMPLATE) + hunk = tmpl.substitute(**confopts) # pylint: disable=star-args + with open(opts['httpd_conf'], 'a') as httpd_conf: + httpd_conf.write(hunk) + + # Add configuration data to database + po = PluginObject() + po.name = 'form' + po.wipe_data() + po.wipe_config_values(FACILITY) + + # Update global config, put 'krb' always first + po.name = 'global' + globalconf = po.get_plugin_config(FACILITY) + if 'order' in globalconf: + order = globalconf['order'].split(',') + else: + order = [] + order.append('form') + globalconf['order'] = ','.join(order) + po.set_config(globalconf) + po.save_plugin_config(FACILITY) + + # for selinux enabled platforms, ignore if it fails just report + try: + subprocess.call(['/usr/sbin/setsebool', '-P', + 'httpd_mod_auth_pam=on']) + except Exception: # pylint: disable=broad-except + pass |