3 # Copyright (C) 2014 Simo Sorce <simo@redhat.com>
5 # see file 'COPYING' for use and warranty information
7 # This program is free software; you can redistribute it and/or modify
8 # it under the terms of the GNU General Public License as published by
9 # the Free Software Foundation, either version 3 of the License, or
10 # (at your option) any later version.
12 # This program is distributed in the hope that it will be useful,
13 # but WITHOUT ANY WARRANTY; without even the implied warranty of
14 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 # GNU General Public License for more details.
17 # You should have received a copy of the GNU General Public License
18 # along with this program. If not, see <http://www.gnu.org/licenses/>.
20 from ipsilon.login.common import LoginFormBase, LoginManagerBase
21 from ipsilon.login.common import FACILITY
22 from ipsilon.util.plugin import PluginObject
23 from ipsilon.util.user import UserSession
24 from string import Template
29 class Form(LoginFormBase):
31 def POST(self, *args, **kwargs):
35 if not user.is_anonymous:
36 return self.lm.auth_successful(user.name)
39 error = cherrypy.request.headers['EXTERNAL_AUTH_ERROR']
41 error = "Unknown error using external authentication"
42 cherrypy.log.error("Error: %s" % error)
43 return self.lm.auth_failed()
46 class LoginManager(LoginManagerBase):
48 def __init__(self, *args, **kwargs):
49 super(LoginManager, self).__init__(*args, **kwargs)
53 self.description = """
54 Form based login Manager. Relies on mod_intercept_form_submit plugin for
55 actual authentication. """
58 """ The name of the PAM service used to authenticate. """,
63 """ The text shown to guide the user at login time. """,
65 'Insert your Username and Password and then submit.'
68 """ The text shown to ask for the username in the form. """,
73 """ The text shown to ask for the password in the form. """,
80 def service_name(self):
81 return self.get_config_value('service name')
85 return self.get_config_value('help text')
88 def username_text(self):
89 return self.get_config_value('username text')
92 def password_text(self):
93 return self.get_config_value('password text')
95 def get_tree(self, site):
96 self.page = Form(site, self, 'login/form')
101 LoadModule intercept_form_submit_module modules/mod_intercept_form_submit.so
102 LoadModule authnz_pam_module modules/mod_authnz_pam.so
104 <Location /${instance}/login/form>
105 InterceptFormPAMService ${service}
106 InterceptFormLogin login_name
107 InterceptFormPassword login_password
108 # InterceptFormLoginSkip admin
109 # InterceptFormClearRemoteUserForSkipped on
110 InterceptFormPasswordRedact on
115 class Installer(object):
121 def install_args(self, group):
122 group.add_argument('--form', choices=['yes', 'no'], default='no',
123 help='Configure External Form authentication')
124 group.add_argument('--form-service', action='store', default='remote',
125 help='PAM service name to use for authentication')
127 def configure(self, opts):
128 if opts['form'] != 'yes':
131 confopts = {'instance': opts['instance'],
132 'service': opts['form_service']}
134 tmpl = Template(CONF_TEMPLATE)
135 hunk = tmpl.substitute(**confopts) # pylint: disable=star-args
136 with open(opts['httpd_conf'], 'a') as httpd_conf:
137 httpd_conf.write(hunk)
139 # Add configuration data to database
143 po.wipe_config_values(FACILITY)
145 # Update global config, put 'krb' always first
147 globalconf = po.get_plugin_config(FACILITY)
148 if 'order' in globalconf:
149 order = globalconf['order'].split(',')
153 globalconf['order'] = ','.join(order)
154 po.set_config(globalconf)
155 po.save_plugin_config(FACILITY)
157 # for selinux enabled platforms, ignore if it fails just report
159 subprocess.call(['/usr/sbin/setsebool', '-P',
160 'httpd_mod_auth_pam=on'])
161 except Exception: # pylint: disable=broad-except