-#!/usr/bin/python
-#
-# Copyright (C) 2014 Simo Sorce <simo@redhat.com>
-#
-# see file 'COPYING' for use and warranty information
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see <http://www.gnu.org/licenses/>.
-
-from ipsilon.login.common import LoginFormBase, LoginManagerBase
-from ipsilon.login.common import FACILITY
+# Copyright (C) 2014 Ipsilon project Contributors, for license see COPYING
+
+from ipsilon.login.common import LoginFormBase, LoginManagerBase, \
+ LoginManagerInstaller
from ipsilon.util.plugin import PluginObject
from ipsilon.util.user import UserSession
from ipsilon.util import config as pconfig
import cherrypy
import subprocess
+# Translate PAM errors into more human-digestible values and eventually
+# other languages.
+PAM_AUTH_ERRORS = {
+ "Authentication token is no longer valid; new one required":
+ "Password is expired",
+ "Authentication failure":
+ "Authentication failure",
+}
+
class Form(LoginFormBase):
if not user.is_anonymous:
return self.lm.auth_successful(self.trans, user.name, 'password')
else:
- try:
- error = cherrypy.request.headers['EXTERNAL_AUTH_ERROR']
- except KeyError:
- error = "Unknown error using external authentication"
- cherrypy.log.error("Error: %s" % error)
- return self.lm.auth_failed(self.trans)
+ error = cherrypy.request.wsgi_environ.get(
+ 'EXTERNAL_AUTH_ERROR',
+ 'Unknown error using external authentication'
+ )
+ error = PAM_AUTH_ERRORS.get(error, error)
+ cherrypy.log.error("Error: %s" % error)
+ return self.lm.auth_failed(self.trans, error)
class LoginManager(LoginManagerBase):
"""
-class Installer(object):
+class Installer(LoginManagerInstaller):
- def __init__(self):
+ def __init__(self, *pargs):
+ super(Installer, self).__init__()
self.name = 'form'
- self.ptype = 'login'
+ self.pargs = pargs
def install_args(self, group):
group.add_argument('--form', choices=['yes', 'no'], default='no',
group.add_argument('--form-service', action='store', default='remote',
help='PAM service name to use for authentication')
- def configure(self, opts):
+ def configure(self, opts, changes):
if opts['form'] != 'yes':
return
'service': opts['form_service']}
tmpl = Template(CONF_TEMPLATE)
- hunk = tmpl.substitute(**confopts) # pylint: disable=star-args
+ hunk = tmpl.substitute(**confopts)
with open(opts['httpd_conf'], 'a') as httpd_conf:
httpd_conf.write(hunk)
# Add configuration data to database
- po = PluginObject()
+ po = PluginObject(*self.pargs)
po.name = 'form'
po.wipe_data()
- po.wipe_config_values(FACILITY)
+ po.wipe_config_values()
- # Update global config, put 'krb' always first
- po.name = 'global'
- globalconf = po.get_plugin_config(FACILITY)
- if 'order' in globalconf:
- order = globalconf['order'].split(',')
- else:
- order = []
- order.append('form')
- globalconf['order'] = ','.join(order)
- po.save_plugin_config(FACILITY, globalconf)
+ # Update global config to add login plugin
+ po.is_enabled = True
+ po.save_enabled_state()
# for selinux enabled platforms, ignore if it fails just report
try:
projects / cascardo / ipsilon.git / blobdiff