# along with this program. If not, see <http://www.gnu.org/licenses/>.
from ipsilon.login.common import LoginPageBase, LoginManagerBase
+from ipsilon.login.common import FACILITY
+from ipsilon.util.plugin import PluginObject
import cherrypy
import pam
+import subprocess
class Pam(LoginPageBase):
return None
def GET(self, *args, **kwargs):
- return self._template('login/pam.html', title='Login',
- action='%s/login/pam' % self.basepath,
- service_name=self.lm.service_name,
- username_text=self.lm.username_text,
- password_text=self.lm.password_text)
+ context = self.create_tmpl_context()
+ # pylint: disable=star-args
+ return self._template('login/pam.html', **context)
def POST(self, *args, **kwargs):
- username = None
- password = None
+ username = kwargs.get("login_name")
+ password = kwargs.get("login_password")
user = None
- for key, value in kwargs.iteritems():
- if key == 'login_name':
- username = value
- elif key == 'login_password':
- password = value
- if username is not None and password is not None:
- user = self._authenticate(username, password)
- else:
- cherrypy.log.error("Error: Username or password is missing")
+ error = None
- if user:
- return self.lm.auth_successful(user)
+ if username and password:
+ user = self._authenticate(username, password)
+ if user:
+ return self.lm.auth_successful(user)
+ else:
+ error = "Authentication failed"
+ cherrypy.log.error(error)
else:
- return self.lm.auth_failed()
+ error = "Username or password is missing"
+ cherrypy.log.error("Error: " + error)
+
+ context = self.create_tmpl_context(
+ username=username,
+ error=error,
+ error_password=not password,
+ error_username=not username
+ )
+ # pylint: disable=star-args
+ return self._template('login/pam.html', **context)
def root(self, *args, **kwargs):
op = getattr(self, cherrypy.request.method, self.GET)
if callable(op):
return op(*args, **kwargs)
+ def create_tmpl_context(self, **kwargs):
+ next_url = None
+ if self.lm.next_login is not None:
+ next_url = self.lm.next_login.path
+
+ context = {
+ "title": 'Login',
+ "action": '%s/login/pam' % self.basepath,
+ "service_name": self.lm.service_name,
+ "username_text": self.lm.username_text,
+ "password_text": self.lm.password_text,
+ "description": self.lm.help_text,
+ "next_url": next_url,
+ }
+ context.update(kwargs)
+ return context
+
class LoginManager(LoginManagerBase):
'string',
'remote'
],
+ 'help text': [
+ """ The text shown to guide the user at login time. """,
+ 'string',
+ 'Insert your Username and Password and then submit.'
+ ],
'username text': [
""" The text shown to ask for the username in the form. """,
'string',
def service_name(self):
return self.get_config_value('service name')
+ @property
+ def help_text(self):
+ return self.get_config_value('help text')
+
@property
def username_text(self):
return self.get_config_value('username text')
def get_tree(self, site):
self.page = Pam(site, self)
return self.page
+
+
+class Installer(object):
+
+ def __init__(self):
+ self.name = 'pam'
+ self.ptype = 'login'
+
+ def install_args(self, group):
+ group.add_argument('--pam', choices=['yes', 'no'], default='no',
+ help='Configure PAM authentication')
+ group.add_argument('--pam-service', action='store', default='remote',
+ help='PAM service name to use for authentication')
+
+ def configure(self, opts):
+ if opts['pam'] != 'yes':
+ return
+
+ # Add configuration data to database
+ po = PluginObject()
+ po.name = 'pam'
+ po.wipe_data()
+
+ po.wipe_config_values(FACILITY)
+ config = {'service name': opts['pam_service']}
+ po.set_config(config)
+ po.save_plugin_config(FACILITY)
+
+ # Update global config to add login plugin
+ po = PluginObject()
+ po.name = 'global'
+ globalconf = po.get_plugin_config(FACILITY)
+ if 'order' in globalconf:
+ order = globalconf['order'].split(',')
+ else:
+ order = []
+ order.append('pam')
+ globalconf['order'] = ','.join(order)
+ po.set_config(globalconf)
+ po.save_plugin_config(FACILITY)
+
+ # for selinux enabled platforms, ignore if it fails just report
+ try:
+ subprocess.call(['/usr/sbin/setsebool', '-P',
+ 'httpd_mod_auth_pam=on',
+ 'httpd_tmp_exec=on'])
+ except Exception: # pylint: disable=broad-except
+ pass